Imprint

Digital Art Yapay Zeka Teknolojileri Ltd. Şti.

Maslak, Bilim Sk. No:5, Kat:13-15 34398 Sarıyer/İstanbul

Maslak V.D. / 2950956557

E-Mail: support@gizmorilla.com.tr
Website: www.digital-art.de

Protection and Processing of Personal Data and Privacy Policy

I.INTRODUCTION

Law No. 6698 on the Protection of Personal Data (“Law”) entered into force on April 7, 2016. The Law defines personal data and sets out the principles regarding the protection of personal data and the conditions to be complied with by those acting as data controllers in the processing of such data. According to the Law, personal data is “any information relating to an identified or identifiable natural person”. Processing of personal data, on the other hand, refers to “all kinds of operations performed on personal data, including the acquisition, recording, storage, alteration, sharing with third parties and transfer abroad of personal data by automatic means or by non-automatic means provided that it is a part of any data recording system”.

Digital art artificial intelligence technologies Ltd. Sti. Şti. takes the necessary administrative and technical measures by adopting the principles regarding the protection and processing of personal data in the relevant legislation in order to ensure compliance with the Law. For the scope of this Personal Data Protection and Processing (“Policy”) of the Company, see VI. DATA OWNER AND PERSONAL DATA CLASSIFICATION. The relevant legal regulations in force regarding the processing and protection of personal data will be applied primarily. In case of any incompatibility between the legislation in force and the Policy, Gizmorilla agrees that the legislation in force shall apply. In the event that all or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on Gizmorilla’s website (www.gizmorilla.com.tr) and made accessible to personal data owners. In order to adapt to changing conditions and legislation, changes and updates may be made in the Policy and may be made available to personal data owners through the relevant website.

II. PROCESSING OF PERSONAL DATA

II.I. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Pursuant to Article 20/III of the Constitution, the protection of personal data is guaranteed by stating that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. In line with this right granted to personal data owners, Gizmorilla processes personal data in accordance with the relevant legislation, especially the Constitution, and in accordance with these principles or in accordance with the following principles in cases where the person has explicit consent:

Processing in accordance with the Law and Good Faith
Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Processing for Specific, Explicit and Legitimate Purposes
Being relevant, limited and proportionate to the purpose for which they are processed
Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

II.II. CONDITIONS AND PURPOSES OF PROCESSING PERSONAL DATA

In principle, personal data can only be processed with the explicit consent of the personal data subject. Article 5 of the Law sets forth the conditions for the processing of personal data and Article 6 sets forth the conditions for the processing of special categories of personal data. The Law defines personal data that has the risk of causing victimization or discrimination when processed unlawfully as “special categories of personal data”. Article 6 of Law No. 6698 provides a limited list of special categories of personal data and these include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

We do not process special categories of personal data such as customer/user etc. as stated above within the scope of the policy. The explicit consent of the data owner must be related to a specific subject, based on information and free will. In the presence of one or more of the following conditions, personal data may be processed without the explicit consent of the owner. Gizmorilla processes personal data in accordance with the general principles set out in Article 4 of the Law in accordance with the purposes and conditions presented below. Regarding personal data of general nature; – It is clearly stipulated in the Laws for Gizmorilla to carry out the relevant activity regarding the processing of your personal data – It is mandatory for Gizmorilla to carry out personal data processing activities for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity – The processing of your personal data by Gizmorilla is directly related and necessary for the establishment or performance of a contract – The processing of your personal data is mandatory for Gizmorilla to fulfill its legal obligation – Provided that your personal data has been made public by you; The processing of your personal data by Gizmorilla is mandatory for the establishment, use or protection of the rights of Gizmorilla or you or third parties – It is mandatory to carry out personal data processing activities for the legitimate interests of Gizmorilla, provided that it does not harm your fundamental rights and freedoms In this context, personal data is processed by Gizmorilla for the following purposes:

Planning, auditing and implementation of information security processes
Establishment and management of information technology infrastructure
Planning and implementation of employee authorizations to access user information
Follow-up of financial and/or accounting affairs
Follow-up of legal affairs
Planning and/or implementation of activities for conducting effectiveness/efficiency and/or relevance analysis of business activities
Planning and execution of business activities – Planning and execution of authorizations for access to information for restaurants and business partners and/or suppliers
Management of relationships with business partners
Planning and/or execution of business continuity activities
Planning and execution of corporate communication activities
Planning and execution of user relationship management processes
Planning and/or execution of user satisfaction activities
Follow-up of user requests and/or complaints
Conducting activities to identify the financial risks of users
Planning and/or execution of after-sales support services activities
Planning and execution of company audit activities
Planning and execution of the necessary activities to ensure that the Company’s activities are carried out in accordance with company procedures and/or relevant legislation
Ensuring the security of company operations
Planning and execution of relevant processes in order to obtain the highest benefit from the services provided by the Company
Follow-up of contract processes and/or legal requests
Execution of strategic planning activities
Planning and execution of market research activities for sales and marketing of services
Planning and execution of marketing processes of services
Planning and execution of sales processes of services
Ensuring that data is accurate and up-to-date
Providing information to authorized institutions due to legislation

III. TRANSFER OF PERSONAL DATA

III.I. GENERAL PRINCIPLES REGARDING THE TRANSFER OF PERSONAL DATA

Articles 8 and 9 of the Law include issues regarding the transfer of personal data domestically and abroad. Gizmorilla may transfer the personal data/special quality personal data of the data owner to third parties by taking the necessary security measures in line with the purposes of processing the personal data obtained in accordance with the law. In this direction, Gizmorilla may transfer personal data to third parties in the presence of one of the processing conditions specified in Section II and the following conditions:

If there is explicit consent of the personal data subject,
If there is a clear regulation in the laws regarding the transfer of personal data,
If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to disclose his/her consent due to actual impossibility or his/her consent is not legally valid;
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for Gizmorilla to fulfill its legal obligation,
If the personal data has been made public by the personal data subject,
If personal data transfer is mandatory for the establishment, exercise or protection of a right,
If personal data transfer is mandatory for the legitimate interests of Gizmorilla, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

III.II. TRANSFER OF PERSONAL DATA ABROAD

Gizmorilla may transfer the personal data of the personal data owner abroad in the following cases in line with legitimate and lawful personal data processing purposes:

In case of explicit consent of the data subject or
In the absence of explicit consent of the data subject, but in the presence of one or more of the other conditions mentioned above;
(i) There is adequate protection in the country where the data is transferred; and
(ii) In the event that there is no adequate protection in the country where the data is transferred, Gizmorilla undertakes adequate protection in writing with the data controller in the relevant foreign country and provided that the permission of the KVK Board is obtained

III.III. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED

Gizmorilla may transfer the personal data of the data subjects governed by the Policy to the following parties in line with the above-mentioned conditions and in accordance with Articles 8 and 9 of the Law:

To business partners anonymously in order to ensure the fulfillment of the purposes of the establishment of the business partnership, (if further data transfer is required, explicit consent is also obtained).
Gizmorilla is a structure based on technology and utilizes outsourced service providers for the installation, operation and healthy operation of this technological infrastructure. For this reason, Gizmorilla’s commercial activities are limited to suppliers in order to ensure that the necessary services are provided to Gizmorilla,
To subsidiaries, limited to ensuring the conduct of its business activities that require the participation of Gizmorilla subsidiaries,
To shareholders limited to the purposes of designing strategies regarding Gizmorilla’s commercial activities, providing information in accordance with company procedures and auditing in accordance with the provisions of the relevant legislation,
With Digital Art Company in order to ensure the execution of commercial and operational activities that require the participation of Digital Art Company, which we are affiliated with,
To the relevant public institutions and organizations and private law persons limited to the purpose they request within their legal authority

IV. PROTECTION OF PERSONAL DATA

Gizmorilla ensures that personal data is processed and protected in accordance with the law by taking other administrative and technical measures stipulated in accordance with the relevant legislation and to be notified by the PDP Board in order to ensure the security of the personal data it processes. In this context, Gizmorilla takes reasonable technical and administrative measures, including technological possibilities and implementation cost, in order to process personal data in accordance with the law, to store them in secure environments, to prevent unauthorized access risks and any other unlawful access, to prevent incidental data loss, to prevent deliberate damage and deletion of data. These are as follows

Supervision of Gizmorilla’s personal data processing activities with established technical systems,
Periodic reporting on the technical measures taken,
Informing and training employees who process personal data within Gizmorilla about the law on the protection of personal data and the processing of personal data in accordance with the law,
In order to ensure the legal compliance requirements determined on a business unit basis, raising awareness and determining the implementation rules specific to the relevant business units, organizing internal policies and trainings to ensure the supervision and sustainability of these issues,
Creation of records in the contracts and documents governing the legal relationship between Gizmorilla and employees, which impose an obligation not to process, disclose and use personal data, except for Gizmorilla’s instructions and exceptions imposed by law, and the awareness of employees on this issue,
Making access and authorizations in accordance with the legal compliance requirements determined on a business unit basis and limiting access authorizations accordingly,
Installation and operation of software and hardware including virus protection systems and firewalls,
Adding provisions to the contracts concluded with the persons to whom personal data are transferred in accordance with the law, including the parties to whom Gizmorilla receives an external service due to technical requirements for the storage of personal data; that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations, Establishment of technical security systems for storage areas by using legal backup programs, Gizmorilla carries out the system that ensures that if the personal data processed in accordance with Article 12 of the Law is obtained by others illegally, this situation is notified to the relevant personal data owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the website of the PDP Board or by another method.

V. CLARIFICATION, RIGHTS AND INFORMATION OF THE PERSONAL DATA SUBJECT

V.I. DISCLOSURE OF PERSONAL DATA SUBJECT

Article 10 of the Law states that personal data subjects should be informed during the acquisition of personal data. In this direction, Gizmorilla, in accordance with the general principles of other personal data processing activities specified in the relevant legislation, during the acquisition of personal data; (i) the identity of the representative, if any, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose it can be transferred, (iv) the method and legal reason for collecting personal data, (v) the rights of the personal data owner.

V.II. RIGHTS OF PERSONAL DATA SUBJECTS

Article 11 of the Law lists the rights of the personal data subject. Namely, the data subject has the right to; – To learn whether his/her personal data has been processed, – To request information if his/her personal data has been processed, – To learn the purpose of processing his/her personal data and whether they are used in accordance with their purpose, – To know the third parties to whom personal data is transferred domestically or abroad, – To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, – Although it has been processed in accordance with the provisions of the Law and other relevant laws, in the event that the reasons requiring its processing disappear, to request the deletion or destruction of personal data and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, – Object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems, – In case of damage due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

However, pursuant to Article 28 of the Law, the above-mentioned rights cannot be asserted in the following cases:

Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings. Pursuant to Article 28/2 of the Law; in the following cases, personal data owners cannot assert their other rights mentioned above, except for the right to claim compensation for the damage:
Processing of personal data is necessary for the prevention of crime or criminal investigation. – Processing of personal data made public by the personal data subject himself/herself.
Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

V.III. INFORMING PERSONAL DATA SUBJECTS

The information requests made by personal data owners in accordance with the right to have information about personal data about them in accordance with Article 20 of the Constitution and the right to “request information” listed among the rights mentioned above are met by Gizmorilla in accordance with the Law. Gizmorilla carries out the necessary channels, internal operation, administrative and technical arrangements in accordance with Article 13 of the Law in order to provide the necessary information to the personal data owners. In this direction, if personal data owners submit their requests regarding their above-mentioned rights to Gizmorilla, Gizmorilla notifies its reasoned positive / negative response to the request free of charge within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, Gizmorilla may charge the fee in the tariff determined by the PDP Board. Personal data owners will be realized by one of the following methods regarding their rights mentioned above:

Sending a request to the e-mail address support@gizmorilla.com.tr, (In this case, in order to determine whether the applicant is the personal data owner who is actually the right holder of the applicant through the channel that the applicant has applied; the relevant person will be contacted via registered telephone to identify the identity and to determine whether the requester has actually made this application. In this context, if the last order information of the applicant is confirmed and the data owner and the person making the request are matched, the application will be evaluated).
Following a method prescribed by the Personal Data Protection Board.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

Gizmorilla may request information from the relevant person in order to determine whether the applicant is a personal data owner or not, and may ask questions to the personal data owner about his/her application in order to clarify the issues specified in the application. In cases where the personal data owner rejects the application in accordance with Article 14 of the Law, finds the answer insufficient or does not respond to the application in due time; It can apply to the KVK Board within thirty days from the date of learning Gizmorilla’s response and in any case within sixty days from the date of application.

VI. DATA SUBJECT AND PERSONAL DATA CATEGORIZATION

VI.I. DATA SUBJECT CATEGORIZATION

Gizmorilla has categorized the owners of the personal data it processes within its own organization as follows. The data owner categorization created within the scope of this Policy is associated with the following personal data owners. Data owners outside this scope may also direct their requests to Gizmorilla in accordance with the Policy.

Personal Data Subject Category

User/Customer or Service Recipient: Natural persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with Gizmorilla

Potential Customer: Real persons who have made a request or interest in using our products and services or who have been evaluated in accordance with the rules of commercial practice and honesty that they may have this interest

Third Parties: Other natural persons not covered by this Policy and Gizmorilla Employees Personal Data Protection and Processing Policy

Business Partner Shareholder, Officer, Employee: Natural persons, including employees, shareholders and officers of the organizations with which Gizmorilla has any kind of business relationship

Supplier Shareholder, Officer, Employee: Natural persons, including employees, shareholders and officers of the organizations with which Gizmorilla provides products or services and with which it has a business relationship

Business Partner Candidate: Natural persons who are employees, shareholders and officials of natural persons or legal entities with whom Gizmorilla envisages to establish any business relationship Visitors Natural persons who have entered the physical premises owned by Gizmorilla for various purposes or who visit our websites

VI.II. PERSONAL DATA CATEGORIZATION

Within the scope of this Policy, personal data processed by Gizmorilla are categorized. The personal data of the personal data owners in the above-mentioned data owner categories are associated with the personal data categories specified below.

Personal Data Categorization

Profile Information: Profile-specific information such as username.

Contact Information: Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system

Location Data: Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the personal data owner’s location within the framework of the operations carried out by Gizmorilla business units, the location of the employees of the institutions that Gizmorilla cooperates with while using Gizmorilla vehicles

Customer Transaction Information: Information that clearly belongs to an identified or identifiable natural person and is included in the data recording system; records for the use of our services and information such as the customer’s instructions and requests required for the use of products and services

Transaction Security Information: Personal data such as IP address, (system login information) log in credentials, logging of resources accessed by suppliers while providing support services, user movements (such as password reset, password creation) specific to the wallet system, which are processed in order to ensure our technical, administrative, legal and commercial security while conducting our commercial activities, which clearly belong to an identified or identifiable natural person and are included in the data recording system

Financial Information: Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship Gizmorilla has established with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information

Legal Transaction Information: Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; personal data processed within the scope of determination, follow-up and fulfillment of our legal receivables and rights and compliance with our legal obligations and our company’s policies

Marketing Information: Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; personal data processed for the marketing of our products and services by customizing them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results

Risk Management Information: Information associated with the person and collected for the purpose of protecting our company’s commercial reputation (for example, information from the Şikayetvar website, information collected from Twitter and Facebook about posts made against our company, senior executives and shareholders, evaluation reports created in relation to this, and information about the actions taken in this regard.

VII. PRINCIPLES REGARDING THE RETENTION PERIODS OF PERSONAL DATA

Personal data are stored by Gizmorilla for the periods stipulated in the relevant legislation and in line with its legal obligations. If a period of time is not regulated in the legislation regarding how long personal data should be stored, personal data is processed for the period required to be processed in accordance with Gizmorilla’s practices and commercial practices in connection with the activity carried out by Gizmorilla while processing that data, and then deleted, destroyed or anonymized. Personal data whose purpose of processing has expired and personal data whose deletion/anonymization has been requested by the personal data owners, if the retention periods determined by the relevant legislation and Gizmorilla have come to an end; It can only be stored in order to constitute evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. While determining the retention periods of personal data, Gizmorilla is based on the statute of limitations stipulated in the relevant legislation. Personal data stored for this purpose is accessed only by limited persons when it is required to be used in the relevant legal dispute and is not accessed for any other purpose other than this purpose. At the end of this period, personal data are deleted, destroyed or anonymized.

VIII. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, personal data shall be deleted, destroyed or anonymized upon the decision of Gizmorilla or upon the request of the personal data owner if the reasons requiring its processing disappear.

IX. GİZMORİLLA MANAGEMENT STRUCTURE REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

A Personal Data Protection Committee (“Committee”) has been established within Gizmorilla in order to manage this Policy, related policies and other outputs, to monitor and ensure the continuity of the compliance process with the Law. The duties of this Committee are; – To create, update and put into effect the basic policies regarding the protection and processing of personal data. – To take actions regarding the implementation and supervision of policies on the protection and processing of personal data, to ensure coordination by making internal assignments in this regard. – Ensuring compliance with the law and relevant legislation and following the developments regarding the protection and processing of personal data and ensuring that necessary actions are taken within this framework. – To raise awareness about the protection and processing of personal data within Gizmorilla and before the institutions with which Gizmorilla cooperates. – To evaluate the applications of personal data owners and to resolve them in accordance with the law. – To ensure that necessary measures are taken by identifying the risks that may occur in Gizmorilla’s personal data processing activities. – To carry out relations with the KVK Board and the Authority.