Online Privacy Policy (English Language)

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1.PURPOSE

Securitas has strong values. We carry a great sense of responsibility towards our customers, employees, and the communities in which we operate – HELPING TO MAKE YOUR WORLD SAFER. Securitas has adopted a privacy and data protection strategy as part of its stated principles.

At this point, all Technology Companies operating in Turkey under Securitas are aware of the need to act in accordance with the applicable legal regulations concerning the protection of personal data, including the Constitution of the Republic of Turkey ("Constitution"), International Agreements, the European Data Protection Law ("GDPR"), and the Personal Data Protection Law No. 6698 ("KVKK"). As Securitas Technology Companies, we continuously conduct and update necessary work to protect personal data, making compliance with these legal regulations an integral part of our operations to ensure the protection of privacy and data security.

In accordance with the Personal Data Protection Law and Securitas Group Policies, Securitas Technology Companies ensure that:

  • All personal data is processed lawfully, fairly, and transparently concerning individuals,
  • Individuals are informed about the existence, purposes, and possible consequences of processing activities,
  • Collected and otherwise processed personal data is limited to what is adequate, relevant, and necessary concerning the purposes for which they are processed,
  • All reasonable measures are taken to ensure individuals can exercise their valid rights in a timely manner (e.g., by creating and implementing internal procedures and policies),
  • All personal data is destroyed or anonymized depending on the purposes of processing.

With the Policy on the Protection and Processing of Personal Data, Securitas Technology Services Trade Inc. and Securitas Seguridad Security Services Inc. (hereinafter referred to collectively and separately as "Securitas Technology") aim to take all necessary steps for the protection of personal data within the scope of company internal operations, procedures, and policies, decisions and regulations of the Personal Data Protection Board, finalized court decisions, and other relevant legislation, and strive to make all processes sustainable.

For all these reasons, we follow this Policy to create every legal ground necessary to ensure the rights provided to individuals by legal regulations are secured and to enable data subjects to benefit from these rights.

2.DEFINITIONS

In the Policy:

Company refers to Securitas Technology Services Trade Inc. and Securitas Seguridad Security Services Inc., collectively and/or separately.

Explicit consent refers to consent given freely, based on information, and expressed concerning a specific subject. Since the burden of proof that the data subject has been informed and enlightened lies with the data controller, the storage and protection of the data subject's explicit consent and information records will be carried out according to our company's internal procedures.

All rights reserved. The latest and valid version is the one published. When printed, it is the user's responsibility to check the validity of the date from the system.

Revision: v4.19.06.2025

Anonymization refers to making personal data unidentifiable or unable to be associated with an identifiable person, even when matched with other data.

Personal data refers to any information relating to an identified or identifiable natural person. All information that makes a person identifiable is regulated as personal data, and examples include the Turkish ID number, name-surname, email address, phone number, address, date of birth, bank account number. Within our company, these data are subject to classification, and the Personal Data Processing Inventory regulates matters such as how, by whom, for what purpose, and for how long different personal data in separate categories can be processed.

Processing of personal data refers to any operation performed on data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether fully or partially automated or non-automated, provided that it is part of any data recording system.

Special categories of personal data refer to data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.

Data processor refers to a natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. The internal procedures determine who has access to personal data, to what extent, for what purpose, and for how long they can access the data, and what operations they can perform on the data.

Data subject refers to the natural person whose personal data is processed.

Data controller refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Law refers to the Personal Data Protection Law No. 6698.

Legislation refers to the Personal Data Protection Law No. 6698, secondary legislation, the Turkish Penal Code, and other relevant legislation.

Policy refers to this Policy on the Protection and Processing of Personal Data.

3.PROCESSING OF PERSONAL DATA

3.1. General Principles Regarding the Processing of Personal Data

Our company acts in accordance with the general principles determined by the Law and other relevant legislation concerning the protection and processing of personal data obtained in compliance with the Law.

Revision: v3.01.08.2024

Securitas Technology declares and undertakes to act in accordance with the following principles during the protection and processing of these data, in compliance with Article 4 of the Law:

  • Securitas Technology will act in accordance with the law and the rules of honesty in every personal data processing process and will observe the requirements of the principle of proportionality.
  • Securitas Technology will ensure that every personal data processed as a data controller is accurate and up-to-date and will take all necessary measures in this regard.
  • Securitas Technology will limit its data processing activities to specific, clear, and legitimate purposes as a data controller.
  • Securitas Technology will process personal data obtained as a data controller only in connection with, limited to, and proportionate to the purposes for which they are processed. In this context, personal data will only be processed if they are suitable for achieving the determined purposes, and these purposes will not be expanded to meet potential needs that may arise later.
  • Securitas Technology will retain every personal data processed as a data controller for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In this regard, Securitas Technology will act in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law.

3.2. Conditions for Processing Personal Data

Personal data obtained by Securitas Technology in compliance with the Law and relevant legislation can be processed, in whole or in part, automatically or non-automatically, in accordance with the principles explained above, without seeking explicit consent, if one or more of the conditions specified in Article 5, Paragraph 2 of the Law are present.

Data containing individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data, constitute "special categories of personal data" under the KVK Law. In addition to the obligations mentioned above, special requirements required by the law are applicable for the processing and transfer of special categories of personal data to third parties and abroad. Securitas Technology declares and undertakes to act in accordance with the special provisions regulated in the Law in cases of processing special categories of personal data.

4.IDENTIFICATION OF PERSONAL DATA AND DATA SUBJECTS

According to Article 10 of the Personal Data Protection Law, we have an obligation to inform the relevant individuals as a Data Controller. In line with this obligation, we inform and enlighten data subjects about which personal data will be processed, the purpose of processing, the legal reason, the method, to whom and for what purpose they can be transferred, and the rights of the data subject. The personal data processed by our company and the target audiences of these data are categorized in the tables below.

4.1. Identification of Personal Data to be Processed

Personal data categorized in the table below can be included in any processing process in the presence of one or more of the personal data processing conditions explained in Article 4.2 of the Policy and in accordance with the principles explained in Article 1 of the Policy.

Table 1: Personal Data Identification Table

| Processed Personal Data | Description |
|---|---|
| Identity Information | Information related to the identity of a specific or identifiable natural person. Examples include name-surname, Turkish ID number, place of birth, date of birth, mother's and father's name, identity card information. |
| Contact Information | Information related to the contact details of a specific or identifiable natural person. Examples include phone number, email information, address information, fax number. |
| Location Information | Information that determines the location of specific or identifiable natural persons within the scope of activities conducted by Securitas Technology. Examples include GPS location, travel data, etc. |
| Physical Space Security Information | Any information related to the entry, exit, and stay of a specific or identifiable natural person in physical areas owned by or serviced by our Company. Examples include work entry-exit log records, visitor records, camera recordings, and records taken at security points. |
| Financial Information | Any information acquired according to the nature of the legal relationship between a specific or identifiable natural person and our Company, used to finance this relationship or show the financial outcome of this relationship. Examples include bank name, bank account number, tax ID number, IBAN number, credit card information, asset data, income information, Findeks Report, etc. |
| Visual/Audio Information | Any photos, camera recordings, audio recordings, etc., excluding records acquired within the scope of physical space security information related to a specific or identifiable natural person. |
| Legal Transaction Information | Information obtained within the scope of legal transactions related to a specific or identifiable natural person, including correspondence with judicial authorities and/or information in case files. |
| Criminal Conviction and Security Measures Information | Information related to criminal convictions and security measures concerning a specific or identifiable natural person. Examples include information about criminal convictions and security measures. |
| Association/Foundation Membership Information | Information about association and/or foundation membership belonging to a specific or identifiable natural person. |
| Customer Transaction Information | Records related to the use of our products and services by a specific or identifiable natural person, including instructions and requests necessary for the customer to use the products and services. Examples include call center records, invoice, promissory note, check information, order information, request information, etc. |
| Marketing Information | Information showing the habits of a specific or identifiable natural person regarding the use of products and services. Examples include shopping history, surveys, cookie records, information obtained through campaign activities. |
| Personnel Information | Information related to a specific or identifiable natural person that constitutes their personnel rights under the employment contract with Securitas Technology. Examples include payroll information, bank statements, attendance records, social security information, fringe benefits, annual leave-excuse notes, job change forms, declaration and consent documents, employment contracts, information security commitments, performance evaluation reports, title and position information, and any information and documents legally required to be included in the personnel file. |
| Professional Experience Information | Information related to the professional experience of a specific or identifiable natural person. Examples include diplomas, courses attended, in-service training, certificates, transcript information, etc. |
| Health Information | Any information related to the physical and mental health of a specific or identifiable natural person, including information about health services provided to the person. Examples include information about disability status, blood type information, past illnesses, medications used, medical reports, test results, information about devices and prosthetics used. |
| Biometric Information | Information expressing measurable biological traces belonging to a specific or identifiable natural person. Examples include palm print, fingerprint, retina scan, facial recognition information. |
| Transaction Security Information | Information obtained within the scope of information technologies related to a specific or identifiable natural person, including IP address, website entry-exit logs, passwords, etc. |
| Other Information | Other information related to a specific or identifiable natural person, not included in the listed categories, determined by the user. Examples include signature, vehicle license plate, marriage date information, etc. |

4.2. Identification of Data Subjects

The data subjects (relevant individuals) involved in our company's personal data processing process are categorized in the table below:

| Personal Data Subjects | Descriptions |
|---|---|
| Employees | Natural persons employed within Securitas Technology under an employment contract with our Company. |
| Employee Relatives | Natural persons who are relatives of employees within Securitas Technology under an employment contract with our Company. |
| Employee Candidates | Natural persons who have applied for a job at Securitas Technology or have sent their resume to our Company by any means. |
| Interns | Natural persons working as interns at Securitas Technology companies. |
| Real Service Recipients (Customers) | Natural persons who receive services from Securitas Technology in any way, based on or not based on a service contract within the scope of Securitas Technology's commercial activities. |
| Potential Real Service Recipients (Customers) | Natural persons who request services from Securitas Technology or to whom Securitas Technology offers services in any way within the scope of its commercial activities. |
| Real Suppliers | Natural persons who provide services to Securitas Technology in any way, based on a service contract within the scope of Securitas Technology's commercial activities. |
| Potential Real Suppliers | Natural persons who offer to provide services to Securitas Technology or from whom Securitas Technology requests services in any way within the scope of its commercial activities. |
| Company Shareholder | Legal and natural persons holding shares in Securitas Technology. |
| Company Officials | CEO, board members, and other natural persons authorized in management within Securitas Technology Companies. |
| Visitor | Natural persons who visit the offices, buildings, or websites of Securitas Technology for any purpose. |
| Customer Officials and Employees | Natural persons authorized and/or employed on the side receiving services from Securitas Technology, based on a service contract within the scope of Securitas Technology's commercial activities. |
| Supplier Officials and Employees | Natural persons authorized and/or employed on the side providing services to Securitas Technology, based on a service contract within the scope of Securitas Technology's commercial activities. |
| Third Party | Any natural person not included among the categorized persons. Examples include potential customer employees, customer supplier employees, customer supplier officials, etc. |

5.PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA

The personal data of data subjects defined in Article 4.2 of the Policy can be processed for the following purposes:

  • Conducting and tracking business activities related to the execution of service and distance sales contracts signed with customers and business partners, conducting necessary audits and notifications within the scope of legal regulations that must be complied with in accordance with company activities, executing and tracking all necessary operations related to services, conducting risk assessments and reporting, conducting contract processes, conducting emergency management processes, planning and executing operational processes related to services,
  • Ensuring the security of all internal and external spaces, creating records related to alarm monitoring systems and remote monitoring,
  • Fulfilling obligations arising from the execution of the contract, determining damage or accident processes, and conducting and tracking other processes,
  • Conducting financial, accounting, and financial transactions, including invoicing activities related to the service provided under the contract,
  • Conducting evaluation, analysis, and risk management processes within legal limits related to the service to be provided to customers,
  • Conducting relationships with customers and company employees and tracking corporate governance activities,
  • Managing and tracking customer, company employee, and third-party requests and complaints,
  • Improving, developing, determining, and implementing business processes within the scope of services provided by our company,
  • Ensuring the continuity of business and operational processes, conducting company business and audit activities and procedures, receiving and evaluating suggestions for improving business processes,
  • Planning and conducting information security processes, creating corporate communication tools, conducting communication activities, creating information technology infrastructure and managing access rights, ensuring the legal and commercial security of our company and individuals with whom our company has business relationships,
  • Planning and tracking work conducted with customers, subsidiaries, and affiliates or suppliers,
  • Tracking and executing legal processes and communication processes with official institutions, providing information to authorized institutions and organizations,
  • Conducting performance evaluation and reporting processes to make the service more efficient,
  • Managing and tracking training, events, and organizations to be conducted for customers and/or employees,
  • Conducting training and talent/career development activities,
  • Fulfilling obligations arising from employment contracts and legislation for employees, managing employee satisfaction and loyalty, side benefits and interests processes, managing wage policies, planning human resources processes, conducting application, selection, and placement processes for employee candidates, conducting occupational health and safety processes,
  • Conducting supply chain management and service procurement processes and logistics activities,
  • Conducting sales processes of goods and/or services and after-sales support activities,
  • Conducting customer relationship management processes and activities aimed at customer satisfaction,
  • Ensuring the security of movable goods and resources,
  • Conducting marketing analysis studies, advertising, and promotion processes,
  • Conducting all these activities in compliance with legislation

Personal data is processed within the conditions specified in Articles 5 and 6 of the Law No. 6698 for these purposes.

In the processing of personal data considered special under the Law, the conditions specified in Article 6 of the Law are observed, and explicit consent of the relevant individuals is obtained for the processing of these data.

6.TRANSFER OF PERSONAL DATA

Personal data of data subjects defined in Article 4.2 of the Policy may need to be transferred/shared with the data subject and/or third parties indicated by the data subject within the scope of data processing to ensure the realization of the purposes listed above and to enable the Company to serve the data subject properly.

Personal data may be shared with Securitas affiliates and subsidiaries, shareholders, product and service recipients (customers), suppliers, and authorized public institutions and private persons and institutions within the framework of the conditions specified in Articles 8 and 9 of the Law No. 6698 and may be transferred abroad based on the consent of the relevant person.

Third Parties to Whom Personal Data is Transferred by Our Company and Purposes of Transfer

According to Article 10 of the KVK Law, we have an obligation to inform, and in line with this obligation, we inform and enlighten data subjects about which groups of people personal data is transferred to by our company. The groups of people to whom personal data is transferred by our company and the purposes for which they are transferred are categorized in the table below:

| Groups to Which Data Can Be Transferred | Description of Groups | Purpose of Data Transfer |
|---|---|---|
| Affiliates and Subsidiaries | All companies directly or indirectly operating in Turkey under Securitas. | Conducting business activities, managing company administration, managing human resources processes, conducting contract processes, tracking legal affairs, conducting finance and accounting operations, managing information security processes, managing risk management processes. |
| Product/Service Recipient (Customer) | Parties receiving goods and/or services from Securitas Technology based on the service within the scope of Securitas Technology's commercial activities. | Conducting contract processes, conducting business and audit activities, conducting occupational health and safety activities, fulfilling legal obligations, conducting finance and accounting operations, fulfilling contract obligations. |
| Potential Product/Service Recipient (Customer) | Natural persons requesting services from Securitas Technology or to whom Securitas Technology offers services in any way within the scope of its commercial activities. | Conducting business development activities, conducting communication activities, conducting goods and/or service sales processes, conducting activities aimed at customer satisfaction. |
| Supplier | Parties providing goods and/or services to Securitas Technology based on a service contract within the scope of Securitas Technology's commercial activities. | Conducting business development activities, conducting communication, conducting contract processes, conducting goods and/or service purchasing processes, conducting finance and accounting operations, conducting business activities, tracking legal affairs, conducting litigation processes, fulfilling obligations arising from employment contracts and legislation for employees, conducting processes for employee fringe benefits and interests, conducting training, event, and organization activities, conducting insurance processes, establishing corporate communication means, conducting storage and archiving activities. |
| Shareholders | Legal and natural persons holding shares in Securitas Technology. | Conducting business development activities, conducting communication, conducting company management activities and performing necessary audits in accordance with relevant legislation, conducting budget and reporting processes, conducting training activities, conducting communication activities. |
| Authorized Public Institutions and Organizations | Public institutions and organizations authorized to request information and documents from Securitas Technology in accordance with relevant legislation. | Conducting business development activities, conducting communication, providing information to authorized persons, institutions, and organizations, fulfilling legal obligations, conducting emergency management activities, conducting audit processes, conducting litigation processes, conducting legal affairs. |

7.DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Real and legal persons, including representatives authorized by Securitas Technology, retain personal data processed in accordance with Articles 5 and 6 of the Personal Data Protection Law for the period stipulated in the relevant legislation or required for the purposes specified in this policy, unless longer retention is permitted or required by relevant legislation. If the purpose of processing personal data disappears, these data are deleted, destroyed, or anonymized by Securitas Technology, either ex officio or upon the request of the data subject.

8.OUR OBLIGATIONS AND YOUR RIGHTS

8.1. Our Obligations as a Data Controller

As a data controller under the Personal Data Protection Law, we have obligations arising from Article 12 of the Law and other relevant legislation. In line with these obligations, we take all necessary technical and administrative measures within our technological capabilities to prevent unlawful processing of personal data, prevent unlawful access to these data, and ensure the preservation of data, and we conduct and have conducted necessary audits in this regard. In the event that personal data processed by our company is unlawfully obtained by third parties, our company declares and undertakes to notify the data subject and the KVK Board as soon as possible, and necessary arrangements have been made within the company's internal structure in this regard.

8.2. Rights of the Personal Data Owner and Use of the Right to Apply

The rights of data subjects under Article 11 of the KVKK are as follows:

  • To learn whether personal data is processed,
  • To request information if personal data has been processed,
  • To learn the purpose of processing and whether they are used in accordance with the purpose,
  • To know the third parties to whom personal data is transferred,
  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of these corrections to third parties,
  • To object to the emergence of a result against oneself by analyzing processed data exclusively through automated systems,
  • To request compensation for damages in case of unlawful processing of personal data.

Article 28, Paragraph 2 of the Law lists the cases where data subjects do not have the right to request, and within this scope:

  • Processing of personal data is necessary for the prevention of crime or for criminal investigation,
  • Processing of personal data made public by the relevant person,
  • Processing of personal data is necessary for the execution of supervisory or regulatory duties by authorized and competent public institutions and organizations and professional organizations with public institution status, based on the authority granted by the law, or for disciplinary investigation or prosecution,
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State concerning budget, tax, and financial matters,

In these cases, except for the right to request compensation for damages, the rights specified above cannot be exercised.

Data subjects can submit their requests regarding the rights granted to them under Article 11 of the Law in writing or in accordance with the provisions of the Communiqué on the Procedures and Principles of Application to the Data Controller published by the KVK Board, by sending them to Securitas Technology. If a request is made by a third party on behalf of the personal data owner, a power of attorney issued through a notary on behalf of the person making the request must also be submitted; otherwise, the request will not be processed. Securitas Technology declares and undertakes that the necessary procedure has been established and will be effectively operated to ensure that data subjects benefit from these rights arising from the legislation.

If you submit your requests regarding your rights within the framework of the Personal Data Protection legislation, your request will be concluded as soon as possible and within 30 (thirty) days at the latest, free of charge, by providing a written response, as stipulated in Article 13 of the Law. However, if the transaction requires an additional cost, Securitas Technology reserves the right to request the fee specified in the tariff determined by the Board. Securitas Technology may accept or reject the applications of data subjects regarding the rights they have under Article 11 of the KVK Law, provided that the reason is explained. In cases where the application is rejected, the response is found insufficient, or the application is not responded to within the time limit, the data subject is informed that they have the right to file a complaint with the KVK Board within thirty days from the date they learn of the response and within sixty days from the date of application, in accordance with Article 14 of the Law.

The application methods you can use to exercise your rights are listed below:

By filling out the Securitas Technology Companies Data Subject Application Form in accordance with the instructions provided,

  • By sending your securely electronically signed requests to [email protected],
  • By sending your wet-signed requests via notary or with documents that prove your identity to the address Rüzgarlıbahçe Mah. Çam Pınarı Sokak. Smart Plaza No:4/2 Beykoz - Istanbul by mail or in person,
  • By sending an email to [email protected] using the electronic mail addresses previously notified to Securitas Technology and registered in the Securitas Technology system.

9.IMPLEMENTATION AND RESPONSIBILITIES OF THE POLICY

Securitas Technology is responsible for the organization, implementation, and control of all operations and processes of the Policy as a Data Controller. The Personal Data Protection Committee will take all necessary steps to ensure the implementation of all procedures, guidelines, training activities, and other applications regulated and to be regulated within the scope of the Policy by our company. All employees of our company, business partners, guests, and all other relevant third parties are obliged to act in accordance with the Policy and relevant legislation provisions and to cooperate with our company to prevent legal liabilities and risks that have arisen or may arise. The Policy will always be accessible and open by being announced within our company and uploaded to all web-based systems, applications, websites, and information processing systems used by our company. All operations will be carried out to ensure sensitivity to the protection of personal data, compliance with the law and operations, and changes in the Policy will be revised on all relevant platforms and information processing systems. In this way, Securitas Technology believes that it will ensure that data subjects always reach and obtain information about the goals and responsibilities intended by our Policy in a healthy and transparent manner.

10.ENFORCEMENT AND UPDATES

The Policy enters into force on the date it is approved and published by the authorized persons of our company. Securitas Technology will implement necessary changes in the Policy and the enforcement of these changes with the approval of company officials in line with changes in relevant legislation, actions or decisions of the Personal Data Protection Board, and court decisions. Our company reserves the right to review this Policy and update, change, or abolish it and create a new policy when necessary. In case of a conflict between the mandatory provisions of the legislation in force and this Policy, the provisions of the legislation will apply.

SECURITAS TECHNOLOGY COMPANIES