MIN EDUCATION AND CONSULTING SERVICES

PROTECTION OF PERSONAL DATA AND PRIVACY POLICY

A. SCOPE

The Personal Data Protection and Privacy Policy ("Policy") has been prepared to explain the rules for processing personal data and provide the necessary information and has been approved by the Board of Directors of IEYP TURKEY ("Company") and put into effect.

B. DEFINITIONS

Personal data:

Any information that identifies or can identify a person and contains concrete content expressing the person's physical, economic, cultural, social, or psychological identity or all cases that enable the identification of a person as a result of being associated with any record such as identity, tax, or insurance number.

Sensitive personal data:

Racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, membership of an association, foundation or trade union, health, sex life, data related to convictions and security measures, biometric and genetic data.

Explicit consent:

The consent that is based on information and freely declared regarding a specific subject.

Anonymization:

Rendering personal data unable to be associated with a real person in any way, even if it is matched with other data.

Personal data inventory:

An inventory prepared by the Company by associating the personal data processing activities carried out depending on the Company's business processes with the personal data processing purposes, data categories, recipient groups to whom the data is transferred, data subject group, and by detailing the maximum period necessary for the processing of personal data, personal data to be transferred to foreign countries, and measures taken for data security.

Processing of personal data:

Any kind of transaction performed on the data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, either completely or partially, through automatic or non-automatic means, provided that it is part of any data recording system. All types of transactions performed on data starting from the first acquisition of the data fall within the scope of this definition.

Personal data owner:

The real person whose personal data is processed.

Data recording system:

The system in which personal data is structured and processed according to certain criteria.

Data controller:

The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data processor:

The real or legal person who processes personal data on behalf of the data controller based on the authorization given by the data controller.

Law of Protection of Personal Data ("KVKK"):

The Law No. 6698 published in the Official Gazette No. 29677 dated 7 April 2016, which is subject to this Policy.

Board:

The Personal Data Protection Board.

Agency:

The Personal Data Protection Agency.

Policy:

The Personal Data Protection and Privacy Policy.

C. CHANGES

With the entry into force of additional regulations within the scope of the law or at various times, changes to this Policy can be followed on the Company's corporate website, and the current version of this Policy can also be accessed from this corporate site.

1. PURPOSE

In order to carry out its activities of offering products and services and to ensure the uninterrupted progress of its services, the Company processes personal data obtained verbally, in writing, or electronically as the Data Controller, in a lawful manner. The purpose of this Policy is to inform relevant individuals by providing an explanation of the processing activities carried out by the Company and the systems related to personal data, thereby ensuring transparency in personal data matters.

In this context, the Company has detailed the processing of personal data under the KVKK, the data subjects subject to this processing, and the rights of these individuals, together with the use of cookies and similar technologies in this Policy.

2. PERSONAL DATA

2.1 General Principles for Processing Personal Data

The Company processes personal data in accordance with the following principles, in line with the purposes specified in the "Purposes of Processing Personal Data" section of this Policy, which are exemplified under Article 4, paragraph 2 of the KVKK:

  • Compliance with the law and honesty principles
  • Being accurate and up to date when necessary
  • Processing for specific, clear, and legitimate purposes
  • Being related to the purpose for which they were processed, limited and proportionate.
  • Being kept for the period required by the relevant legislation or the purpose for which they were processed.

2.2. Personal Data Processed by the Company, Processing Purposes, Transfer, Collection Channels, Storage Periods, and Data Subject Rights

In the processing of personal data, in line with the KVKK, which aims to protect individuals' fundamental rights and freedoms, especially the privacy of private life, the "Data Controller's Disclosure Obligation" in Article 10 and the "Principles and Procedures to be Followed in Fulfillment of Disclosure Obligation" published in the Official Gazette No. 30356 on March 10, 2018, the Disclosure Text regarding personal data processed within the Company as the data controller is available on our corporate website at the following link: __________.

3. MEASURES REGARDING PERSONAL DATA SECURITY

3.1. Administrative Measures for Personal Data Security

3.1.1. Identification of Existing Risks and Threats

The Company utilizes its "Personal Data Inventory" to identify the risks and threats related to the personal data it processes. Processes involving personal data will be kept up-to-date by the Company within this inventory.

When determining such risks, the Company considers whether the personal data being processed is of a special nature, the level of confidentiality required, and the potential harm that could arise in the event of a security breach.

3.1.2. Employee Training and Awareness Campaigns

The Company provides its employees with training on the protection of personal data and cybersecurity and conducts awareness campaigns on these topics.

Unauthorized disclosure or sharing of personal data is one of the most common breaches. To prevent such breaches, the Company:

  • provides awareness training to everyone who works with personal data,
  • clearly defines roles and responsibilities regarding personal data in employees' job descriptions,
  • ensures that the principle of "everything is prohibited except what is allowed" is followed regarding personal data, and
  • ensures that employees comply with this Policy and other relevant policies and procedures, with disciplinary processes initiated if they fail to do so.

 

3.1.3. Minimizing Personal Data

In order to fulfill the requirements set by the law and related legislation, such as maintaining personal data accurately, keeping them up to date when necessary, and retaining them for as long as required by the purpose, the Company:

  • Regularly scans the personal data under its responsibility, updates outdated information where necessary, and deletes, destroys, or anonymizes data that is no longer relevant.
  • Ensures that personal data that require less frequent access are kept in more secure environments.
  • Controls authorizations to ensure that only those who need to see personal data can access them.
  • Ensures that all policies and procedures related to deletion, destruction, and anonymization are up to date and systematically implemented.

 

3.1.4. Management of Relationships with Data Processors

The Company ensures that the data processors with whom it has contracted for information technology-related services value information security as much as it does and act with the awareness of joint responsibility, and it ensures this by contractual means.

Data processors, in parallel with the definition in the legislation, process personal data only in accordance with the instructions of the Company and within the framework of the contract concluded with the Company, and in compliance with the legislation. Data processors are subject to an indefinite obligation to maintain confidentiality.

In the event of any data breach, the situation is immediately reported to the Company, and this situation is also recorded contractually. The Company will report such data breaches to the relevant data subjects and to the Authority, as required by the legislation.

In the contracts to be concluded between the Company and the data processors, the categories and types of data transferred to the data processor are specified as a separate article to the extent that the nature of the contract allows.

As the "Data Controller," the Company conducts or arranges for necessary audits on the systems containing the data of the data processor and can inspect the reports and service provider on-site as a result of the audit. This situation is also mutually agreed upon in the contract.

3.2. Technical Measures for Personal Data Security

 

3.2.1. Ensuring Cybersecurity

The company develops necessary software and procures services and products when needed for cybersecurity purposes.

The company regularly scans existing products to ensure outdated and unnecessary products are removed from devices. For necessary products, the company regularly checks their updates and ensures they are up to date. If necessary, the company makes improvements to the patch management or procures new products.

To control access to systems containing personal data, the company keeps access and authorization management up to date and educates its employees on secure password usage. The company creates an "access and authorization control matrix" and related policies and procedures for access management purposes.

The company makes necessary improvements or procures products related to password management. The company ensures that password entry attempts beyond a certain number are blocked, that passwords are changed regularly, that passwords are chosen with a high level of complexity, and that the authorizations of former employees are promptly removed.

The company regularly scans networks and computers to ensure the use of antivirus software that detects hazards and maintains their updates.

When obtaining personal data from websites outside the company network, the company should ensure that the connections with those websites are made with SSL or a more secure method.

 

3.2.2. Monitoring Personal Data Security

In order to monitor personal data security, the Company:

  • Ensures control over which software and services are running on their networks.
  • Takes necessary measures to detect any unauthorized access or suspicious activity on their networks.
  • Manages logs.
  • Ensures employee awareness of security and creates a "reporting procedure" for the rapid reporting of security breaches. These reports can be automatically generated by the system and presented to the relevant department when consolidated by the system administrator.
  • Ensures regular monitoring and consideration of warnings related to the systemic security of personal data.
  • Conducts regular vulnerability scans and penetration testing, either on their own or through third-party providers.
  • Ensures that all evidence is collected and securely stored in the event of a cyber attack.

 

3.2.3. Ensuring the Security of Environments Containing Personal Data

The company takes the necessary internal and external physical security measures to keep personal data that it holds physically and logically in the General Directorate, Archives, branches, and other locations.

Within the scope of these measures, the company ensures that structures containing personal data are protected against disasters such as earthquakes, fires, and floods. In terms of the security of personal data held in physical environments, the company ensures that entry and exit to these places are controlled and that employees who process this type of personal data are made aware of potential loss and theft situations.

The company operates with the awareness that a large portion of personal data breaches occur as a result of the theft or loss of devices containing personal data, and takes the necessary precautions to minimize this situation. Access control authorizations and encryption methods may be used as part of these precautions.

When using encryption methods, the company benefits from internationally recognized solutions, and takes necessary precautions in terms of key management processes when asymmetric encryption methods are used.

3.2.4. Procurement, Development, and Maintenance of Information Technology Systems

The company strives to prioritize the security factor in the procurement, development, and maintenance of IT systems. For this purpose, the company ensures that there are control mechanisms to ensure that personal data entries made through application systems work without compromising the data integrity of the entered personal data.

In cases where devices containing personal data will go to a third-party supplier for maintenance, malfunction, etc., the company ensures that the data storage environments of those devices are not sent to the third-party supplier. If an external supplier company employee has come to the company, the necessary precautions are taken to ensure that no data is taken outside the institution.

 

 

3.2.5. Backup of Personal Data

The company keeps backups of personal data within its responsibility to ensure their security.

The company develops data backup strategies against ransomware that encrypts files and takes the necessary precautions.

The company ensures that only the system administrator can access the backed-up personal data and stores them outside of the network.

The company takes necessary measures to ensure the physical security of the backups.

4. COOKIES AND SIMILAR TECHNOLOGIES

4.1. General

Cookies are small data files sent by the Internet server to users' devices via the Internet browser in use. Internet sites recognize users through these cookies, and the lifespan of cookies varies depending on browser settings.

Although these cookies are created through the systems managed by the Company, some service providers authorized by the Company can place similar technologies on users' devices to obtain IP address, unique identifiers, and device identifiers. In addition, links to third-party sites in the Company's systems are subject to the privacy policies of these third parties, and the responsibility for privacy practices does not belong to the Company. Therefore, it is recommended to read the privacy policy of the site when visiting the relevant link.

4.2. Types of Cookies

Cookies, whose main purpose is to provide convenience to users, are primarily grouped into 4 main categories:

  1. Session Cookies: These cookies allow for the transfer of information between internet pages and the system to remember information entered by the user, enabling various features, and are necessary for the proper functioning of the functions on the Company's website.
  2. Performance Cookies: These cookies collect information on page visit frequency, possible error messages, the total time users spend on the relevant page, and site usage patterns to improve the performance of the Company's website.
  3. Functional Cookies: These cookies remind users of pre-selected options for ease of use and aim to provide advanced internet features to users on the Company's website.
  4. Advertising and Third-Party Cookies: These cookies belong to third-party providers and allow for the use of certain functions and the tracking of advertising on the Company's website.

4.3. Purposes of Cookie Use

The purposes of the cookies used by the company are as follows:

  1. Operational uses: The company can use cookies that enable the use of functions on this site and detect irregular behavior to ensure the administration and security of its systems.
  2. Functional uses: The company can use cookies that remember user information and past choices to facilitate the use of its systems and provide usage features specific to the user.
  3. Performance-related uses: The company can use cookies that evaluate and analyze user behavior and interactions with sent messages to enhance and measure the performance of its systems.
  4. Advertising-related uses: The company can use cookies that measure the effectiveness or analyze the click-through status of advertisements to deliver advertising and similar content based on user interests through its own or third-party systems.

4.4. Disabling Cookies

Cookie usage is pre-defined in many browsers and users can change this selection through their browser settings, thereby deleting existing cookies and rejecting future cookie usage. However, if cookie usage is canceled, some features of the Company's systems may not be available.

The method of changing the cookie usage selection varies depending on the type of browser and can be learned from the relevant service provider upon request.

4.5. Information and Materials on the Website

The copyrights of the information, materials, and their arrangements on the Company's website belong to the Company. All copyrights, registered trademarks, patents, intellectual property, and other proprietary rights of the information and materials on the website, except for materials belonging to third parties, are reserved by the Company.

5. EFFECTIVE DATE AND UPDATES

This Policy will enter into force on the date it is approved by the Company's Board of Directors. The Policy is reviewed and updated annually as a routine practice. However, the Company reserves the right to review, update, modify, or abolish this Policy and create a new policy if necessary, in accordance with changes in legislation, changes in a referenced technical standard, decisions of the Personal Data Protection Board and/or court decisions. The decision-making authority regarding the revocation of the Policy belongs to the Company's Board of Directors.
