As Senem Buse Albay (“MEA CULPA”) we attach importance to the privacy and security of your personal data. In this context, we would like to inform you about how we process the personal data we obtain from our customers, suppliers, subcontractors, business partners, their employees and officials and all other third parties while conducting our business relations, for what purposes we use it and how we protect this information.

shall express the meaning ascribed to them in the Personal Data Protection Law No. 6698 (“ KVKK ”) and other legislation. The term “you” in this Notice refers to you personally. The term personal data is used to include special personal data. The meanings of the terms and abbreviations in the Policy are included in the ANNEX – Abbreviations section.

We would like to remind you that if you do not accept the Notice , you should not transmit your personal data to us. If you choose not to transmit your personal data to us, in some cases we will not be able to provide you with our services, respond to your requests or ensure the full functionality of our services.

We would like to remind you that it is your responsibility to ensure that the personal data you transmit to our company is accurate, complete and up-to-date, to the best of your knowledge. Beyond this, if you share other people’s data with us, it will be your responsibility to collect such data in compliance with local legal requirements. In this case, it will mean that you have received all necessary permissions from the third party in question for us to collect, process, use and disclose their information, and our Company cannot be held responsible in this context.

ABOUT MEA CULPA

 

MEA CULPA, is a company that produces jewelry.

References to “we” or “Company” or “MEA CULPA” in the Notice refer to Senem Buse Albay, registered to Istanbul Chamber of Jewelers with the registration number 17543, operating at Nisbetiye mah. Nisbetiye cad. no:24/17 Beşiktaş/İstanbul. It relates to the personal data processing activities carried out as the Data Controller by Senem Buse Albay(” MEA CULPA “), registered with the number .

OUR PRINCIPLES FOR PROCESSING PERSONAL DATA

All personal data processed by our company is processed in accordance with KVKK and relevant legislation. In accordance with Article 4 of the KVKK, the basic principles and principles we pay attention to when processing your personal data are explained below:

• Processing in accordance with the Law and the Rules of Honesty : Our Company; It acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than what is required.
• Ensuring that Personal Data is Accurate and Up to Date when Necessary : Our Company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests.
• Processing for Specific, Clear and Legitimate Purposes : Our company clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our company processes personal data in connection with the products and services it offers and as much as is necessary for them.
• Being Relevant, Limited and Proportionate to the Purpose for which they are Processed : Our company processes personal data in a manner suitable for the achievement of the specified purposes and avoids the processing of personal data that is not relevant or needed to achieve the purpose.
• Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed : Our Company retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, our Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores personal data for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized by our Company.

DATA SUBJECT CATEGORIES

 

The categories of data owners whose personal data are processed by our company are listed in the table below. Persons outside the following categories may also submit their requests to our Company within the scope of KVKK; The requests of these people will also be taken into consideration.

CONTACT CATEGORY	EXPLANATION
Customer	Real or legal persons purchasing products
Potential Customer	Natural or legal persons who have requested or are interested in purchasing our products or who have been evaluated in accordance with the rules of custom and honesty as they may have this interest
Visitor	Real persons who have entered the physical facilities where our company organizes an event for various purposes or who visit our websites
Third Party	e.g. guarantors, companions, family members and relatives) who are related to these persons or, although not expressly stated within the scope of the Policy, may collect personal data of our Company. All real persons who need to be processed for a specific purpose
Employees, Shareholders and Officials of the Institutions We Collaborate With	Real persons working in institutions (including but not limited to business partners, suppliers, etc.) with which our company has all kinds of business relations, including the shareholders and officials of these institutions

WHEN DO WE COLLECT PERSONAL DATA ABOUT YOU?

 

We mainly collect your personal data in the following cases:

• When you purchase a product,
• When you sell products or provide services to us,
• When you subscribe to our newsletters or choose to receive our marketing communications,
• When you contact us to submit a complaint or feedback via means such as e-mail or telephone,
• When you contact our Company by participating in events and organizations in which our Company is involved ,
• When you contact us for any purpose as a potential customer/supplier/business partner/subcontractor.

personal data we obtain in the above cases only in accordance with this Notice .

WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?

 

The personal data we process about you varies depending on the type of business relationship between us ( e.g. customer, supplier, business partner, etc.) and your method of contacting us ( e.g. telephone, e-mail, printed documents, etc.).

are when you participate in our surveys or otherwise interact with us, whether by telephone or email . In this context, the personal data we process about you may be disclosed under the following categories:

Data categories	Examples
ID information	Information included in identity documents such as name, surname, title, date of birth
Contact information	Email, phone number, address
Images and/or videos that can identify you	Photographs, video images and audio data processed for security reasons when you visit our Company or when you participate in events organized by our Company
Financial data	Bank account data, billing information
Any other information you voluntarily decide to share with MEA CULPA	Personal data you share on your own initiative, feedback, opinions, requests and complaints, evaluations, comments and our evaluations regarding them, uploaded files, areas of interest, information provided for our detailed review process before establishing a business relationship with you.
Electronic data collected automatically	e.g. device hardware model, IP address), in addition to the information you directly transmit to us. , operating system version and settings, time and duration of your use of our digital channel or product, your actual location, which may be collected when you enable location-based products or features, links you click, motion sensor data, etc.)
Legal action and compliance information	Your personal data, audit and inspection data processed within the scope of determining and pursuing our legal receivables and rights and fulfilling our debts, as well as compliance with our legal obligations and our Company’s policies.
Corporate customer/ Supplier data	As a result of the operations carried out by our business units within the scope of our product sales, information obtained about the data owner, such as the customer/supplier or the employee or authorized signatory within the customer/supplier.
Personal data collected from other sources	To the extent permitted by applicable laws and regulations, we may also collect your personal data through public databases and methods and platforms where our business partners we work with collect personal data on our behalf. For example, before establishing a business relationship with you, we may conduct research about you from publicly available sources to ensure the technical, administrative and legal security of our commercial activities and transactions. In addition, it may be possible for you to transmit to us some personal data of third parties ( e.g. personal data of guarantors, companions, family members, etc.). In order to manage our technical and administrative risks, we may process your personal data through methods used in accordance with generally accepted legal, commercial practices and honesty rules in these areas.

FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?

 

Our basic purposes for processing your personal data are listed below. Personal data processing activities regarding Employee Candidates are explained under the “Processing of Personal Data of Employee Candidates” section above.

Our Personal Data Processing Purposes	Examples
Evaluating potential suppliers/business partners	Conducting our review and conflict of interest process in accordance with our risk rules
Customer establishment and management of relations, execution and conclusion of the contract process with our suppliers/business partners	Performing sales transactions of the products offered by our company, submitting offers, product supply, invoicing, establishing and executing contracts, ensuring post-contract legal transaction security, ensuring the shipment of goods and samples, managing logistics processes, developing products, evaluating new technologies and applications, and ensuring our Company’s commercial and determining and implementing business strategies, managing operations (request, offer, evaluation, order, budgeting, contract), product/manufacturing/investment quality processes, managing financial affairs, offering alternatives to legal/real persons with whom it has commercial relations,
Execution of direct marketing processes	To make marketing notifications regarding our services by e-mail and telephone, to conduct satisfaction surveys or to evaluate and respond to your opinions, complaints and comments via social media, online platforms or other channels, to inform our customers about company innovations and campaigns, to carry out campaigns .
Communication and support (on your request)	Responding to requests for information about our products, providing support for requests received through our communication channels, and updating our records and database.
Compliance with legal obligations	Carrying out tax and insurance processes, fulfilling our legal obligations arising from relevant legislation, especially Law No. 5651 and other legislation, Law No. 6563 on the Regulation of Electronic Commerce and other legislation, Turkish Penal Code No. 5237 and Personal Data Protection Law No. 6698, official institutions Carrying out the necessary processes within the scope of compliance with the laws and regulations to which we are subject, such as carrying out the processes before us, record keeping and information obligations, compliance and auditing, audits and inspections of the official authorities, monitoring and finalizing our legal rights and cases, disclosing data upon the request of the official authorities, and communicating with the regulatory and supervisory authorities. , within the scope of the requirements and obligations determined to ensure the fulfillment of the legal obligations specified in the KVKK , as required or required by legal regulations ,
Protecting company interests and ensuring security
Planning and execution of company commercial activities	In line with the aim of determining, planning and implementing the Company’s short, medium and long term commercial policies, and determining and implementing commercial and business strategies; Communication, market research and social responsibility activities carried out by our company, purchasing, customs clearance, organization of transportation of goods in free circulation in import and export operations,
Protection of rights and interests	Lawsuits, investigations, etc. filed against our company. defense against legal claims

HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?

 

Marketing activities KVKK art. 5/2 and m. As a rule, we always obtain your consent to process your personal data within the scope of marketing activities, as it is not considered within the scope of the exceptions set out in Article 6/3. Our company may periodically send you promotional communications about its products, events and promotions. Such promotional communications may be sent to you through different channels, such as email, telephone, SMS text messages, postal mail and third-party social networks.

To provide you with the best personalized experience, sometimes these communications may be adapted to your preferences (for example, as you indicate them to us, based on what we infer from your website visits, or based on the links you click in our emails).

Based on your consent, processing for the purpose of offering you opportunities for special products such as internet advertising, targeting , re- targeting , cross-selling, campaigns, opportunities and product advertisements, using Cookies for this purpose, and taking into account your preferences and recent purchases, based on your previous records when making commercial offers. Keeping track of your usage habits and offering you special products; Processing for the purpose of presenting you special advertisements, campaigns, advantages and other benefits for sales and marketing activities and carrying out other marketing and CRM studies, processing for the creation of new product models, sending of electronic commercial messages (such as campaigns, customer satisfaction surveys, product advertisements). ; sending gifts and promotions; We can carry out marketing activities for the purpose of corporate communication and organizing other events and invitations and providing information about them.

Where required by applicable legislation, we will ask for your consent before engaging in the above activities. You will also be given the opportunity to withdraw (stop) your consent at any time. In particular, you can stop being sent marketing-related communications at any time by following the unsubscribe instructions included in every email and SMS message.

If you log in to the MEA CULPA account, you may be given the option to change your communication preferences under the relevant section of our website. You can contact us at any time to stop marketing communications being sent to you (you can find contact details in the “What Are Your Rights Regarding Your Personal Data?” section below).

FOR WHAT LEGAL REASONS DO WE PROCESS YOUR PERSONAL DATA?

 

Your personal data is subject to the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, electronic commerce legislation and KVKK art. We process it within the framework of the following legal reasons set out in Article 5:

Legal Reason	Examples
We process based on your consent in cases where we are required to obtain your explicit consent in accordance with KVKK and other legislation (In this case, we would like to remind you that you can withdraw your consent at any time)	We obtain your consent to carry out our marketing activities.
In any case permitted by applicable legislation	Tax Procedure Law art. Including the name of the relevant person on the invoice within the scope of Article 230
Where we need to enter into a contract with you, perform the contract and fulfill our obligations under a contract	Obtaining the customer’s bank account information within the scope of the contractual relationship with the customer
Fulfilling our legal obligations,	Fulfilling our tax obligations, submitting the information requested by court decision to the court
If your personal data has been made public by you	Using the personal data you have made public through means such as sending us an e-mail to contact you or social media channels for the purpose of making them public.
It is necessary for us to process data to establish or protect a right, to exercise our legal rights and to defend against legal claims filed against us.	Keeping documents that serve as proof/evidence and using them when necessary
In cases where our legitimate interests require it, provided that it does not harm your fundamental rights and freedoms.	To ensure the security of our company communication networks and information, to carry out our company activities, to detect suspicious transactions and conduct research to comply with our risk rules, to benefit from storage, hosting, maintenance and support services in order to provide technical and security IT services, to ensure the efficiency of our company activities and to benefit from the opportunities of technology. Take advantage of cloud technology for

We would like to emphasize that in cases where your Personal Data is processed with explicit consent, if you withdraw your express consent, you will be removed from the commercial membership program where processing based on such explicit consent is required and you will not be able to benefit from the advantages you benefit from such processing as of the relevant date.

WHEN DO WE SHARE YOUR PERSONAL DATA?

 

 

Transfer of Personal Data Domestically

Our company is primarily in compliance with KVKK art. regarding the transfer of personal data. 8. It is the responsibility of acting in accordance with the decisions and relevant regulations stipulated in the KVKK and taken by the Board. As a rule, our Company cannot transfer personal data and sensitive data belonging to data owners to other natural persons or legal entities without the express consent of the relevant person.

In addition, transfer is possible without the consent of the person concerned in cases stipulated in Articles 5 and 6 of the KVKK . Our company processes personal data in accordance with the conditions stipulated in the KVKK and other relevant legislation and by taking the security measures specified in the legislation; (If there is an existing contract signed with the data owner, in the contract in question) Unless otherwise regulated by the Law or other relevant legislation, it may be transferred to third parties in Turkey.

Transfer of Personal Data Abroad

 

Our company may transfer personal data to third parties in Turkey, or send it abroad to be processed in Turkey or processed and stored outside Turkey, including outsourcing, as stated above, in accordance with the conditions stipulated in the Law and other relevant legislation and by taking the security measures specified in the legislation. is also transferred. In order to carry out our company activities in the most efficient way and to benefit from the opportunities of technology, we transfer your personal data abroad via cloud computing technology by taking the necessary technical and administrative measures.

KVKK m. In accordance with Article 9, as a rule, we seek the explicit consent of data owners for the transfer of personal data abroad. However, KVKK m. In accordance with Article 9 of the KVKK. 5/2 or m. Existence of one of the conditions set out in Article 6/3 and in the foreign country to which personal data will be transferred

1. a) Availability of adequate protection,
2. b) In case there is no adequate protection, the data controllers in Turkey and the relevant foreign country must undertake in writing to provide adequate protection and have the permission of the Board.

Provided that data may be transferred abroad without the explicit consent of the data owner.

requires that in exceptional cases where explicit consent is not required for the transfer of personal data mentioned above, in addition to the conditions for processing and transfer without consent, there is sufficient protection in the country to which the data will be transferred in accordance with KVKK . The Personal Data Protection Board will determine whether adequate protection is provided; In case there is no adequate protection, data controllers both in Turkey and the relevant foreign country must undertake adequate protection in writing and have the permission of the Personal Data Protection Board.

Parties with whom information is shared domestically and abroad

 

We only share your personal data for the following necessary purposes. We pay special attention not to sharing your personal data except in these cases. The parties with whom we share personal data are listed below:

• Service providers and business partners : It defines the parties with whom our Company establishes business partnerships for purposes such as sales, promotion and marketing of its products, and after-sales support, while carrying out its commercial activities. Like many businesses, we may work with reliable third parties, such as information and communication technology providers, suppliers, subcontractors, consultancy services providers, cargo companies, travel agencies, to carry out functions and services in the most efficient way and in accordance with current technologies within the scope of some data processing activities. We may share data to carry out our activities within this scope. This sharing is done on a limited basis to ensure that the purposes of establishing and fulfilling the business partnership are fulfilled. We use cloud computing technologies to carry out our company’s activities in the most efficient way and to benefit from the opportunities of technology at the maximum level, and in this context, we can process your personal data at home and abroad through companies that provide cloud computing services. The marketing services support company we share may be established abroad and in this context, KVKK m. 8 and m. In accordance with Article 9, data is shared abroad in accordance with the provisions regarding data sharing abroad.

• Official authorities : When required by law or when we need to protect our rights, we may share your personal data with the relevant official, judicial and administrative authorities ( e.g. tax offices, law enforcement forces, courts and enforcement offices).

• Private law persons: Personal data can be shared limited to the purpose requested by private law persons who are authorized to receive information and documents from our Company in accordance with the relevant legislation provisions (e.g. Occupational Health and Safety Company) within their legal authority.

• Professional advisors : We may share your personal data with professional advisors such as banks, insurance companies, auditors, lawyers, financial advisors and other advisors.

• Other persons in connection with corporate transactions : Personal persons from time to time for the conduct of corporate transactions, such as the sale of a business owned by our company, reorganization, merger, joint venture or other disposition of our business, assets or stock (including in connection with any bankruptcy or similar proceeding). We may share your data.

HOW LONG DO WE STORE YOUR PERSONAL DATA?

 

We retain your personal data only for the period necessary to fulfill the purpose for which it was collected. We determine these periods separately for each business process, and at the end of the relevant periods, we destroy your personal data in accordance with the KVKK , unless there is another reason why we need to keep your personal data.

We take the following criteria into consideration when determining the destruction times for your personal data:

• The period accepted as a general practice in the sector in which the data controller operates, within the scope of the purpose of processing the relevant data category,
• The period that requires the processing of personal data in the relevant data category and during which the legal relationship established with the relevant person will continue,
• The period during which the legitimate interest to be obtained by the data controller, depending on the purpose of processing the relevant data category, will be valid in accordance with the law and the rules of honesty,
• The period during which the risks, costs and responsibilities that will arise from storing the relevant data category depending on the purpose of processing will continue legally,
• Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and updated when necessary,
• The period during which the data controller is obliged to retain personal data in the relevant data category in accordance with its legal obligation,
• The limitation period determined by the data controller for asserting a right based on personal data in the relevant data category.

HOW DO WE DESTROY YOUR PERSONAL DATA?

 

Although personal data has been processed in accordance with the provisions of the relevant law in accordance with Article 138 of the Turkish Penal Code and Article 7 of the KVKK, it will be deleted based on our Company’s own decision or if the personal data owner requests this, in case the reasons requiring processing are eliminated . is destroyed or made anonymous.

Our company reserves the right not to fulfill the data owner’s request in cases where it has the right and/or obligation to preserve personal data in accordance with the relevant legislation. When personal data is processed by non-automatic means, provided that it is a part of any data recording system, a system of physical destruction of personal data in a way that cannot be used later is applied while the data is deleted/destroyed. When our company agrees with a person or organization to process personal data on its behalf, personal data is securely deleted by these people or organizations so that it cannot be recovered again. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated.

METHODS OF PERSONAL DATA

Deletion of Personal Data

Even though it has been processed in accordance with the provisions of the relevant law, our company may delete personal data based on its own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated. Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. Our company takes all necessary technical and administrative measures to ensure that deleted personal data are inaccessible and unusable for relevant users.

Personal Data Deletion Process

The process to be followed for deleting personal data is as follows:

• Determining the personal data that will be subject to deletion.
• Identifying relevant users for each personal data using an access authorization and control matrix or a similar system.
• Determining the authorizations and methods of relevant users such as access, retrieval and reuse.
• Closing and eliminating the relevant users’ access, retrieval and reuse authorizations and methods within the scope of personal data.

Methods for Deleting Personal Data

Data Recording Environment	Explanation
Located on Servers     Personal Data	For       personal data stored on the servers        whose period of storage has expired , the system administrator removes the access authorization of the relevant users and deletes them.
Location in Electronic             Media Field Personal Data	are made inaccessible and unusable in any way for other employees (relevant users)             except the database administrator .
Portable          Media Personal Data Found	Among the personal data kept in Flash- based storage media , those that have expired are stored in secure environments with encryption keys, by being encrypted by the system administrator and access authorization is given only to the system administrator .

Since personal data can be stored in various recording media, they must be deleted by methods appropriate to the recording media. Examples of this are given below:

Office Files Located on the Central Server: The file must be deleted with the delete command in the operating system or the access rights of the relevant user on the file or the directory where the file is located must be removed. When performing the mentioned operation, it should be noted that the relevant user is not also the system administrator.

Personal Data on Portable Media: Personal data on Flash-based storage media should be stored encrypted and deleted using software suitable for these media.

Databases: The relevant lines containing personal data must be deleted with database commands (DELETE, etc.). When performing the mentioned operation, it should be noted that the relevant user is not also the database administrator.

Destruction of Personal Data

Our company may destroy personal data based on its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the relevant legal provisions. Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Data Recording Environment	Explanation
Personal Data in Physical Environment	Personal data stored on paper that have expired are irreversibly destroyed in paper shredding machines.
Personal Data Contained in Optical / Magnetic Media	Personal data in optical media and magnetic media The physical destruction of data            that has expired, such as melting, burning or turning it into powder, is applied. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field.

Physical Destruction : Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, a system of physical destruction of personal data in such a way that it cannot be used later is applied.

Secure Deletion from Software : While data processed completely or partially automatically and stored in digital environments is deleted/destroyed; Methods are used to delete the data from the relevant software so that it cannot be recovered again.

Secure Deletion by an Expert : In some cases, the company may contract with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in this field so that it cannot be recovered again.

Blackout : Making personal data physically unreadable.

Personal Data Destruction Methods

In order to destroy personal data, all copies of the data must be identified and destroyed one by one using one or more of the following methods, depending on the type of systems where the data is located:

Local Systems: One or more of the following methods can be used to destroy the data on the systems in question. i) De-magnetization: It is the process of passing the magnetic media through a special device and exposing it to a very high magnetic field, thus corrupting the data on it in an unreadable way. ii) Physical Destruction: It is the process of physically destroying optical media and magnetic media, such as melting, burning or pulverizing them. Data is rendered inaccessible by processes such as melting optical or magnetic media, burning them, pulverizing them, or passing them through a metal grinder. For solid state disks, if overwriting or demagnetizing is not successful, this media must also be physically destroyed. iii) Overwriting: It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is done using special software.

Environmental Systems: Destruction methods that can be used depending on the type of environment are listed below: İ) Network devices ( switch , router , etc.): The storage media in these devices are fixed. Products often have a delete command but no destroy feature. It must be destroyed by using one or more of the appropriate methods specified in (a). ii) Flash-based media: Flash-based hard disks with ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interface, < block if supported It must be destroyed by using the erase > command, if not supported, by using the manufacturer’s recommended destruction method, or by using one or more of the appropriate methods specified in (a) . iii) Magnetic tape: These are media that store data with the help of micro magnet pieces on flexible tape. It must be destroyed by demagnetizing it by exposing it to very strong magnetic environments or by physical destruction methods such as burning or melting. iv) Units such as magnetic disks: These are media that store data with the help of micro magnet pieces on flexible (plate) or fixed media. It must be destroyed by demagnetizing it by exposing it to very strong magnetic environments or by physical destruction methods such as burning or melting. v) Mobile phones (Sim card and fixed memory areas): There is a delete command in the fixed memory areas of portable smartphones, but most of them do not have a destroy command. It must be destroyed by using one or more of the appropriate methods specified in (a). vi) Optical discs: These are data storage media such as CDs and DVDs. It must be destroyed by physical destruction methods such as burning, breaking into small pieces, and melting. vii) Peripheral units such as printers and fingerprint door access systems with removable data recording media: It must be verified that all data recording media have been removed and destroyed by using one or more of the appropriate methods specified in (a), depending on their characteristics. viii) Peripheral units such as printers and fingerprint door access systems with fixed data recording media: Most of the systems in question have a delete command, but there is no destroy command. It must be destroyed by using one or more of the appropriate methods specified in (a).

Paper and Microfiche Media: Since the personal data in these media is permanently and physically written on the medium, the main medium must be destroyed. While performing this process, it is necessary to divide the environment into small pieces of incomprehensible size, horizontally and vertically if possible, so that they cannot be put back together, using paper shredding or clipping machines. Personal data transferred from the original paper format to the electronic environment by scanning must be destroyed by using one or more of the appropriate methods specified in (a), depending on the electronic environment in which they are located.

Cloud Environment: During the storage and use of personal data in the systems in question, it should be encrypted with cryptographic methods and, where possible, separate encryption keys should be used for personal data, especially for each cloud solution from which service is received. When the cloud computing service relationship ends; All copies of the encryption keys necessary to make personal data usable must be destroyed. In addition to the above environments, the destruction of personal data contained in devices that malfunction or are sent for maintenance is carried out as follows: Destruction by using one or more of the appropriate methods specified in ., ii) In cases where destruction is not possible or appropriate, dismantling and storing the data storage medium, sending other defective parts to third institutions such as manufacturer, dealer service, iii) For purposes such as external maintenance and repair. Necessary precautions must be taken to prevent incoming personnel from copying personal data and taking them out of the institution.

Anonymization of Personal Data

Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated. In order for personal data to be anonymized; Personal data must be returned by the data controller or recipient groups and/or made impossible to associate with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and relevant field of activity, such as matching the data with other data. Our company takes all necessary technical and administrative measures to anonymize personal data.

In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Personal Data Protection Law and the express consent of the personal data owner will not be required.

Methods of Anonymization of Personal Data

Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.

In order for personal data to be anonymized; Personal data must be returned by the data controller or third parties and/or made impossible to associate with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and relevant field of activity, such as matching the data with other data.

Anonymization is the removal or modification of all direct and/or indirect identifiers in a data set, preventing the relevant person from being identified or losing the feature of being distinguishable in a group or crowd in a way that cannot be associated with a natural person. Data that does not point to a specific person as a result of blocking or losing these features is considered anonymized data. In other words, while anonymised data was information that identified a real person before this process, after this process it cannot be associated with the relevant person and its connection with the person is severed. The purpose of anonymization is to break the connection between the data and the person identified by this data. All disconnection processes carried out by methods such as automatic or non-automatic grouping, masking, derivation, generalization and randomization applied to the records in the data recording system where personal data are kept are called anonymization methods. The data obtained as a result of the application of these methods must not be able to identify a specific person.

Anonymization methods that can be taken as examples are explained below:

Anonymization Methods That Do Not Provide Value Irregularity: In methods that do not provide value irregularity, no changes, additions or subtractions are made to the values of the data in the set, instead changes are made in all rows or columns in the set. Thus, while the overall data changes, the values in the fields maintain their original state.

Subtracting Variables

It is an anonymization method achieved by completely deleting one or more of the variables from the table. In such a case, the entire column in the table will be completely removed. This method can be used for reasons such as the variable is a high-order identifier, a more suitable solution does not exist, the variable is too sensitive data to be disclosed to the public, or does not serve analytical purposes.

Removing Records

In this method, by removing a line containing a singularity in the data set, anonymity is strengthened and the possibility of making assumptions about the data set is reduced. Generally, the extracted records are those that do not have a common value with other records and that people who have an idea about the data set can easily make guesses. For example, in a dataset containing survey results, let’s say only one person from any sector is included in the survey. In such a case, it may be preferable to remove only the record of this person rather than removing the “sector” variable from all survey results.

Regional Hiding

The purpose of the regional hiding method is to make the dataset more secure and reduce the risk of predictability. If the combination of values of a particular record creates a situation that is very rare and this situation has a high probability of causing that person to become distinguishable in the relevant community, the value that creates the exceptional situation is changed to “unknown”.

1. Generalization

It is the process of converting relevant personal data from a specific value to a more general value. It is the most commonly used method when producing cumulative reports and operations carried out on total figures. The resulting new values show the total values or statistics of a group, making it impossible to reach a real person. For example, let’s say a person with TR ID Number 12345678901 buys diapers from the e-commerce platform and then also buys wet wipes. By using the generalization method in the anonymization process, it can be concluded that xx % of people who buy diapers from the e-commerce platform also buy wet wipes.

Lower and Upper Limit Coding

The upper and lower nerve coding method is achieved by defining a category for a certain variable and combining the values within the grouping created by this category. Generally, the low or high values of a certain variable are grouped together and a new definition is made for these values.

Global Coding

The global coding method is a grouping method used in data sets where it is not possible to apply lower and upper bound coding, do not contain numerical values, or have values that cannot be sorted numerically. It is generally used when clustering certain values makes it easier to make predictions and assumptions. A common new group is created for the selected values and all records in the dataset are replaced with this new definition.

Sampling

In the sampling method, instead of the entire data set, a subset taken from the set is described or shared. In this way, the risk of making accurate predictions about individuals is reduced, as it is not known whether a person known to be included in the entire data set is included in the disclosed or shared sample subset. Simple statistical methods are used to determine the subset to be sampled. For example; If a data set regarding the demographic information, occupations and health status of women living in Istanbul is anonymized and disclosed or shared, it may be meaningful to scan and make predictions in the relevant data set of a woman known to live in Istanbul. However, only the records of women whose population registration is in Istanbul are left in the relevant data set and anonymization is applied by removing those whose population registration is in other provinces from the data set and the data is disclosed or shared. Since he cannot predict whether the person he knows is present or not, he will not be able to make a reliable guess as to whether the information about this person he knows is included in the data he has.

Anonymization Methods that Provide Value Irregularity : Unlike the methods mentioned above, methods that provide value irregularity; distortion is created in the values of the data set by changing the existing values. In this case, since the values carried by the records are changing, the benefit planned to be obtained from the data set must be calculated correctly. Even if the values in the data set are changing, you can still benefit from the data by ensuring that the total statistics are not distorted.

Micro Joining

With this method, all records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset of the specified variable is averaged and the value of that variable of the subset is replaced with the average value. Thus, the average value of that variable valid for the entire data set will not change.

Data Exchange

The data exchange method is the record changes obtained by exchanging the values of a variable subset between selected pairs of records. This method is mainly used for variables that can be categorized, and the main idea is to transform the database by changing the values of the variables among the records of individuals.

Adding Noise

With this method, additions and subtractions are made to create distortions to a specified extent in a selected variable. This method is mostly applied on data sets containing numerical values. Distortion applies equally at each value.

Statistical Methods to Strengthen Anonymization

In anonymized data sets, as a result of the combination of some values in the records with singular scenarios, the possibility of identifying the identities of the people in the records or deriving assumptions about their personal data may arise.

For this reason, anonymity can be strengthened by minimizing the uniqueness of the records in the dataset by using various statistical methods in anonymized datasets. The main purpose of these methods is to minimize the risk of anonymity while keeping the benefit from the dataset at a certain level.

K-Anonymity

In anonymized data sets, if indirect identifiers come together in the right combinations, the identities of the people in the records can be determined or the information about a particular person can be easily predicted, which has shaken the trust in the anonymization processes. Based on this, it was necessary to make the data sets anonymized by various statistical methods more reliable. K-anonymity was developed to prevent the disclosure of information specific to individuals showing unique characteristics in certain combinations, by enabling the identification of more than one person with certain fields in a data set. If there is more than one record belonging to the combinations created by combining some of the variables in a data set, the probability of identifying the people corresponding to this combination decreases.

L-Diversity

The L-diversity method, which was created by studies on the shortcomings of K-anonymity, takes into account the diversity created by sensitive variables corresponding to the same variable combinations.

T-Proximity

Although the L-diversity method provides diversity in personal data, there are situations where it cannot provide adequate protection because the method in question does not deal with the content and sensitivity of personal data. In this form, the process of calculating the degree of closeness of personal data and values to each other and anonymizing the data set by dividing it into subclasses according to these degrees of closeness is called the T-closeness method.

Choosing the Anonymization Method

Our company decides which of the above methods will be applied by looking at the data it has and taking into account the following features of the data set;

The nature of the data,

The size of the data,

The structure of data in physical environments,

diversity of data,

The benefit intended to be obtained from the data / purpose of processing,

Data processing frequency,

Reliability of the party to whom the data will be transferred,

The effort to be made to anonymise the data is meaningful,

The magnitude of the damage that may occur if the anonymity of the data is compromised, its impact area,

Distribution /centrality ratio of the data ,

User authorization control and access to relevant data

The possibility that the effort it will take to devise and implement an attack that will disrupt anonymity will be meaningful.

While a data is anonymized, our Company checks whether the data in question can re-identify a person by using publicly available information or known to be within the other institutions and organizations to which it transfers personal data, through contracts and risk analyses.

Anonymity Assurance

When deciding to anonymise a personal data instead of deleting or destroying it, our company ensures that the anonymity cannot be compromised by combining the anonymized data set with a thousand other data sets, that a thousand or more values cannot be created as a meaningful whole that can make a record singular, that the anonymised data set must not be anonymized, We pay attention to the points that the values in the data set do not combine and cause an assumption or result to be produced, and our Company carries out checks on the data sets they anonymize as the features listed in this article change and ensures that anonymity is protected.

Risks Regarding De-Anonymization of Anonymized Data by Reverse Processing

Since anonymization is a process applied to personal data and destroying the distinctive and identifying features of the data set, there is a risk that these processes may be reversed through various interventions and the anonymized data will again become identifying and distinguishing real persons. This situation is referred to as disruption of anonymity. Anonymization processes can be achieved only through manual processes or automatically developed processes or through hybrid processes consisting of a combination of both types of processes. However, what is important is that measures are taken to prevent anonymity from being compromised by new users who can access or possess the data after the anonymized data is shared or disclosed. Actions carried out consciously to disrupt anonymity are called “attacks aimed at disrupting anonymity”. In this context, our Company investigates whether there is a risk of anonymized personal data being reversed through various interventions and the anonymized data becoming identifying and distinguishing real persons again, and action is taken accordingly.

YOUR PERSONAL DATA ?

 

In order to protect your personal data and prevent unlawful access, our Company takes the necessary administrative and technical measures in line with the Personal Data Security Guide published by the KVK Authority, procedures are organized within the Company, clarification and explicit consent texts are prepared, and KVKK art. In accordance with 12/3, the necessary audits are carried out to ensure the implementation of the provisions of the KVKK or are outsourced. These audit results are evaluated within the scope of the internal functioning of the Company and the necessary activities are carried out to improve the measures taken.

Your above-mentioned personal data can be transferred to the physical archives and information systems of our Company and/or our suppliers and kept in both digital and physical environments. The technical and administrative measures taken to ensure the security of personal data are explained in detail under two headings below.

Technical Measures

 

Secure to protect the personal information collected socket We use generally accepted standard technologies and operational security methods, including the standard technology called Layer (SSL). However, due to the nature of the Internet, information can be accessed by unauthorized persons over networks without the necessary security measures. Depending on the current state of technology, the cost of technological application and the nature of the data to be protected, we take technical and administrative measures to protect your data from risks such as destruction, loss, tampering, unauthorized disclosure or unauthorized access. In this context, we conclude contracts regarding data security with the service providers we work with.

 

• Ensuring Cyber Security : We use cyber security products to ensure personal data security, but the technical measures we take are not limited to this. Measures such as firewall and intrusion prevention form the first line of defense against attacks coming from environments such as the internet. Security records are monitored 24/7 by receiving professional service and early precautions are taken against potential attacks. However, almost every software and hardware is subject to some installation and configuration processes. Considering that some widely used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from the devices. For this reason, deleting unused software and services rather than keeping them updated is preferred due to its convenience. Patch management and software updates ensure that software and hardware operate properly and that the security measures taken for the systems are regularly checked to ensure that they are sufficient.

• Access Restrictions : Access authorizations to systems containing personal data are limited and reviewed regularly. In this context, employees are granted access to the extent necessary for their work and duties, as well as their authority and responsibilities, and access to the relevant systems is provided by using a username and password. When creating passwords and passwords, complex combinations of upper and lower case letters, numbers and symbols are preferred instead of easily guessed numbers or letter sequences associated with personal information. Accordingly, an access authorization and control matrix is created.

• Encryption : In addition to using strong passwords and passwords, limiting the number of password entry attempts to protect against common attacks such as the use of brute force algorithm (BFA), ensuring that passwords and passwords are changed at regular intervals, opening the administrator account and admin authority to be used only when needed, and For employees whose relations with their supervisors have been terminated, access is limited without delay by methods such as deleting the account or closing the logins.

• Anti Virus Software : In order to be protected from malware, products such as antivirus and antispam are used, which regularly scan the information system network and detect threats, and they are also kept up to date and the necessary files are scanned regularly. If personal data is to be obtained from different websites and/or mobile application channels, connections are made via SSL or a more secure method.

• Ensuring the Security of Environments Containing Personal Data : If personal data is stored on devices located on the premises of data controllers or on paper, physical security measures are taken against threats such as theft or loss of these devices and papers. The physical environments where personal data are stored are protected against external risks (fire, flood, etc.) with appropriate methods and entrances / exits to these environments are controlled.

If personal data is in electronic form, access between network components can be limited or the components can be separated to prevent personal data security breach.

The same level of precautions are also taken for paper media, electronic media and devices located outside the Company campus and containing personal data belonging to the Company. As a matter of fact, although personal data security violations often occur due to reasons such as theft and loss of devices containing personal data (laptop, mobile phone, flash disk , etc.), personal data to be transferred by e-mail or post is sent carefully and by taking adequate precautions. If employees access the information system network with their personal electronic devices, adequate security measures are taken for these.

Access control authorization and/or encryption methods are used against situations such as loss or theft of devices containing personal data. In this context, the password key is stored in an environment that can only be accessed by authorized persons and unauthorized access is prevented.

Paper documents containing personal data are kept locked and in environments accessible only to authorized persons, preventing unauthorized access to such documents.

Our company, KVKK m. In accordance with Article 12, if personal data is obtained by others through illegal means, this situation is reported to the KVK Board and data owners as soon as possible. If deemed necessary, the KVK Board may announce this situation on its website or through another method.

• Information Technology Systems Procurement, Development and Maintenance : Security requirements are taken into consideration by the Company when determining the needs for the supply, development of new systems or improvement of existing systems.

• Backup of Personal Data : In cases where personal data is damaged, destroyed, stolen or lost for any reason, the Company uses the backed up data to take action as soon as possible. Backed up personal data can only be accessed by the system administrator, and data set backups are kept outside the network.

Administrative Measures

• All activities carried out by our company have been analyzed in detail for all business units, and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified and necessary legal and technical measures are constantly taken. ( For example , the documents required to be prepared within the scope of KVKK have been prepared by taking into account the risks in this inventory)
• Personal data processing activities carried out by our company are audited by information security systems, technical systems and legal methods. Policies and procedures regarding personal data security are determined and regular checks are carried out in this context.
• Our company may occasionally receive services from external service providers to meet its information technology needs. In this case, action is taken by ensuring that the external service providers that Process the Data in question provide at least the security measures provided by our Company. In this case, a written agreement is signed with the Data Processor and this agreement includes at least the following:
  • The Data Processor acts only in accordance with the instructions of the Data Controller , in accordance with the purpose and scope of data processing specified in the contract and in accordance with KVKK and other legislation,
  • Acting in accordance with the Personal Data Storage and Destruction Policy ,
  • Data Processor is subject to an indefinite confidentiality obligation regarding the personal data it processes ,
  • In case of any data breach, the Data Processor is obliged to immediately notify the Data Controller ,
  • Our Company will carry out the necessary audits on the Data Processor’s systems containing personal data or have them performed, and can examine the reports resulting from the audit and the service provider company on-site,
  • measures for the security of personal data ; And
  • In addition, as the nature of the relationship between us and the Data Processor allows, the categories and types of personal data transferred to the Data Processor are also specified in a separate article.

• personal data that is unnecessary, outdated and does not serve a purpose is not collected, and if it was collected in the period before KVKK , it is processed in accordance with the Personal Data Storage and Destruction Policy . is being destroyed.
• Our company has determined provisions regarding confidentiality and data security in the Employment Agreements to be signed during the recruitment process of its employees and requests employees to comply with these provisions. Employees are regularly informed and trained about personal data protection law and taking necessary precautions in accordance with this law. The roles and responsibilities of employees have been reviewed in this context and job descriptions have been revised.
• Technical measures are taken in accordance with technological developments, and the measures taken are periodically checked, updated and renewed.
• Access authorizations are limited and authorizations are reviewed regularly.
• The technical measures taken are regularly reported to the authorized person, risk-posing issues are reviewed and efforts are made to produce the necessary technological solutions.
• Software and hardware including virus protection systems and firewalls are installed.
• Backup programs are used to ensure that personal data is stored safely.
• Security systems for storage areas are used, technical measures taken are periodically reported to the relevant person in accordance with internal controls, risky issues are re-evaluated and necessary technological solutions are produced. Files/printouts stored in physical environment are stored through the supplier companies we work with and are subsequently destroyed in accordance with the determined procedures.
• The issue of Personal Data Protection is also embraced by the senior management, and a special Committee on this subject has been established (KVK Committee) and started to work. A management policy regulating the working rules of the Company KVK Committee has been put into effect within the Company and the duties of the KVK Committee have been explained in detail.

WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

 

KVKK m. According to Art. 11, as data subjects you have the following rights regarding your personal data:

• Learning whether your personal data is processed by our Company,
• Requesting information if your personal data has been processed,
• Learning the purpose of processing your personal data and whether they are used for their intended purpose,
• Knowing the third parties to whom your personal data is transferred at home or abroad,
• Requesting correction of your personal data if it has been processed incorrectly or incompletely, and requesting that the action taken in this context be notified to third parties to whom your personal data has been transferred,
• Requesting the deletion or destruction of your personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the action taken in this context be notified to third parties to whom your personal data has been transferred,
• Object to the emergence of a result against you by analyzing the processed data exclusively through automatic systems,
• Request compensation for the damage you have suffered in case you suffer damage due to unlawful processing of your personal data.

In accordance with the Application Communiqué, you can submit these requests to our Company free of charge using the following method:

• After completing the form at the www.meaculpajewels.com address and signing it with wet signature, it should be sent personally to Nisbetiye mah. Nisbetiye cad. no:24/17 Beşiktaş/İstanbul (we would like to remind you that your ID will need to be presented).
• After completing the form at the www.meaculpajewels.com address and signing it with a wet signature, it should be sent to Nisbetiye mah. Nisbetiye cad. no:24/17 Beşiktaş/İstanbul address via a notary public.
• Sending an email to info@meaculpajewels.com with an e -mail address previously notified to our Company and registered in our Company’s system .

In the application;

Name, surname and signature if the application is in writing, TR Identity Number for citizens of the Republic of Turkey, nationality for foreigners, passport number or identification number if any, residence or workplace address for notification, e-mail address for notification if any, telephone and fax number, request. The subject is mandatory. Information and documents regarding the subject are also added to the application.

It is not possible for third parties to make requests on behalf of personal data owners. In order for a person other than the personal data owner to make a request, there must be a signed and notarized copy of the special power of attorney issued by the personal data owner on behalf of the person making the application. In your application containing your explanations regarding the right you have as a personal data owner and which you request to exercise, in order to exercise your above-mentioned rights; The matter you are requesting must be clear and understandable, the matter you are requesting must be personally related to you, or if you are acting on behalf of someone else, you must be specifically authorized in this matter and your authority must be documented, the application must include identity and address information, and documents proving your identity must be attached to the application.

In this context, your applications will be finalized as soon as possible and within 30 days at most. These applications are free of charge. However, if the transaction requires an additional cost, the fee in the tariff determined by the KVK Board may be charged.

If the personal data owner submits his request to our Company in accordance with the prescribed procedure, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, our Company will charge the applicant the fee in the tariff determined by the KVK Board. Our company may request information from the relevant person in order to determine whether the applicant is the owner of personal data. Our company may ask questions to the personal data owner regarding his application in order to clarify the issues included in the personal data owner’s application.

KVKK m. In cases where your application is rejected by our Company in accordance with Article 14, you find our response inadequate, or we do not respond to your application in time; You can file a complaint with the KVK Board within thirty days from the date you learned our company’s response, and in any case within sixty days from the date of application.

WHAT ARE THE SITUATIONS WHERE DATA OWNERS CANNOT ASSERVE THEIR RIGHTS?

 

of the KVKK , personal data owners cannot assert their rights listed above, as the following situations are excluded from the scope of the KVKK:

• Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime .
• intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.

of KVKK ; In the cases listed below, personal data owners cannot assert their other rights, except for the right to demand compensation for damages:

• Processing of personal data is necessary for the prevention of crime or criminal investigation.
• Processing of personal data made public by the personal data owner.
• Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
• Processing of personal data is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.

OTHER MATTERS

 

As explained in detail above, your personal data may be stored and maintained, classified as required by market research, financial and operational processes and marketing activities (those with explicit consent), updated at different periods and to the extent permitted by the legislation, within the framework of the law and confidentiality principles, and to third parties and/or third parties required by the service. It can be transferred to suppliers and/or service providers and/or our foreign shareholders with whom we are affiliated, provided that explicit consent is obtained, information can be transferred, stored, processed by reporting, in accordance with the policies we adhere to and for the reasons foreseen by other authorities, and records and documents can be prepared as a basis for the transaction in electronic or paper media.

In case of incompatibility between the provisions of KVKK and other relevant legislation and this Policy, the provisions of KVKK and other relevant legislation will first apply.

This Policy prepared by our Company has entered into force in accordance with the decision taken by the MEA CULPA Board of Directors.

We would like to remind you that we may make updates to this notice due to legislative provisions that may change over time and changes in our company policies. We will post the most current version of the Notice on our website .

Policy before entering the website , that they will comply with all the matters specified herein, that the contents of the website and all electronic media and computer records belonging to our Company are in accordance with the Code of Civil Procedure, Art. They have irrevocably accepted, declared and undertaken that it will be considered as conclusive evidence in accordance with Article 193.

Effective date:

Version: 01

 

 

APPENDIX – ABBREVIATIONS

 

ABBREVIATIONS
Law No. 5651	Law on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications , which came into force after being published in the Official Gazette No. 26530 dated 23 May 2007.
Constitution	Constitution of the Republic of Turkey No. 2709, dated 7 November 1982, published in the Official Gazette No. 17863, dated 9 November 1982
Application Notification	Communiqué on the Procedures and Principles of Application to the Data Controller, which came into force after being published in the Official Gazette No. 30356 dated 10 March 2018.
Relevant Person/Relevant Persons or Data Owner	MEA CULPA refers to the natural person whose personal data is processed, such as its customers, corporate customers with whom it has commercial relations, business partners, shareholders, officials, suppliers, employees of the institutions it cooperates with, third parties and other persons, but not limited to those listed here.
Regulation on Deletion, Destruction or Anonymization of Personal Data	Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28 October 2017 and entered into force as of 1 January 2018.
KVKK	Personal Data Protection Law, which came into force after being published in the Official Gazette No. 29677 dated 7 April 2016.
KVK Board	Personal Data Protection Board
KVK Institution	Personal Data Protection Authority
m.	Article
Ex .	Example
Policy	This MEA CULPA Personal Data Protection and Privacy Policy
Company/ MEA CULPA	Senem Buse Albay
Turkish Penal Code	Published in the Official Gazette dated 12 October 2004 and numbered 25611 ; Turkish Penal Code No. 5237 dated 26 September 2004