Policy of Protecting and Processing Personal Data


1. PURPOSE

As a part of its legal and social responsibility, İSTANBUL DENİZ OTOBÜSLERİ SAN. ve TİC. A.Ş. ("İDO") is obliged to act according to current legal regulations, particularly the Constitution of the Republic of Turkey ("Constitution") and the Law of Protecting Personal Data numbered 6698 ("PPD Law"). İDO also conducts the required studies regarding the protection of personal data, as a life cycle, by ensuring concordance with the legal regulations in question. Within the scope of these studies, Policies of Protecting, Processing, Saving and Terminating Personal Data are prepared by İDO. As a part of its legal and social responsibility, İDO undertakes to comply with national personal data protection regulations. The Institution intends to inform customers, potential customers, working candidates, Company shareholders, Institution authority, visitors, the employees, shareholders and authority of institutions which are cooperated with, and third parties about the processes of protecting, processing, deleting, terminating and anonymizing personal data. In addition to legal liabilities, İDO collects personal data, particularly for the loyalty program called HEPİDO, in order to give better service. Collected data allows İDO to make informative announcements about advantageous transportation opportunities, personal special advantageous suggestions and future events. In addition, gathered data allows us to take the most efficient feedback about our services while exchanging information with personal data holders. In accordance with the PPD Law and legal regulations, İDO, as the party responsible for the data, determines the procedures and principles regarding the basic principles adopted for processing and protecting personal data, the administrative and technical precautions taken for protecting personal data, and the designation of the maximum period of time required for the purpose for which they are processed.
In this Policy detailed explanations are given by İDO regarding which data is personal data, which personal data is kept, administrative and technical precautions for protecting personal data, processing, securing personal data, illuminating and informing personal data holders, transferring to third parties and protection of data.

2. SCOPE

This Policy relates to all personal data of customers, potential customers, employee candidates, shareholders of the Institution, the authorities of the Institution, visitors, the employees, shareholders and authorities of the companies cooperated with, and third parties, processed by completely or partially automated means, or by non-automatic means provided that they are part of any data recording system. In accordance with the PPD Law and the relevant legislation, İDO, which is responsible for the data, determines the principles and procedures of personal data processing and protection, the administrative and technical measures taken for the protection of personal data, and the procedures and principles for determining the maximum period required for the purpose for which they are processed and for deleting, disposing of and anonymizing them. The following assets which process and store personal data within İDO, and all processes relating to these assets, are covered by this Policy:

• All printed or written documents containing personal data, documents, files

• All applications including personal data

• All databases containing personal data

In this context, the Policy relates to the personal data collected with the consent of İDO's customers, potential customers, employees, employee candidates, İDO shareholders, officials, our guests who get tickets via our İDO website, our İDO mobile application, İDO agencies and İDO tolls, the employees, shareholders and authorities of institutions with which there is a business partnership, and third parties, which are processed by completely or partially automated means or, as part of any data recording system, by non-automatic means. Anonymized and unidentified data, such as data that does not contain personal data obtained for statistical evaluations or studies, and the data on legal entities are not considered as personal data and are not subject to this Policy. This Policy applies to real person customers of İDO and its affiliated companies, as well as to affiliates under the control of İDO and other real persons who do not have a specific framework agreement. The İDO statements included in this Policy shall also include the subsidiaries of the Institution under its control.

3. EFFECTIVENESS AND UPDATES

The policy was published by the Company on the website and released to the public. The provisions of the legislation shall be applied in case of contradiction with the legislation in force and Law No 6698, and the regulations that are in force in this Policy. The Company reserves the right to make changes in this Policy in parallel with the legal regulations. The current version of the policy is available on the İDO's website (www.ido.com.tr).

4. DEFINITIONS


Explicit Consent    
Consent on a particular subject which is based on information and which is expressed by free will.

Personal Data

Any information relating to an identifiable or identified real person. For example; name-surname, T.R ID Number, e-mail address, phone number, address, date of birth, credit card number and so on.

Customized Personal Data

Data on race, ethnicity, political thought, philosophical belief, religion, denomination or other beliefs, attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Personal data holder

Real person whose data is processed

Anonymization

Changing personal data so that it loses its quality as personal data and this status can never be reversed.

Employee

İDO employees

Employee Candidate

Real people who have applied to the institution for work in any way, or people who have opened their CV and related information to the inspection of the institution

Constitution

Constitution of Republic of Turkey

PPD Law

6698 numbered Protecting Personal Data Law

PPD Board

Board of Protecting Personal Data

PPD Institution

Institution of Protecting Personal Data

Processing of Personal Data

All kinds of transactions made on data as obtaining, recording, storing, keeping, changing, rearranging, announcing, transferring, taking over, making it obtainable, classifying or preventing usage of personal data in non-automatic ways on condition that they are part of completely, partially automatic or any data recording system.

Customer

Real persons who have used or are using the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company or not.

Data Processor

It is the natural and legal person who processes personal data on behalf of the authority based on the authorization granted by the data officer. For example, call center etc. searching within the framework of instructions

Data Recording System

Registration system where personal data is configured and processed according to certain criteria

Data Holder

Real person whose data is processed

Data Supervisor

The real or legal person data supervisor who establishes and manages the system where data is kept systematically (data recording system) and determining the purpose and means of processing personal data.

Data Supervisors Registry

It is the Data Supervisors Registry maintained by the PPD Law Corporation Governance under the supervision of PPD Law Board and open to the public.

Visitor

Real persons who have entered the physical premises of the Institution for various purposes or visited their websites

Employees, shareholders, and authorities of the institutions that we cooperate

Real persons who have employees, shareholders and authorities (including, but not limited to, the execution assistants, business partner, supplier, a program partner, etc.) of the companies that are involved in the business relationship with İDO

İDO Suppliers

Third parties from whom the contractual İDO receives product and/or service

Potential Customer

Real persons who have been evaluated in accordance with the commercial custom and honesty rules and who have requested or will request to purchase or use our products and services,

Policy

İstanbul Deniz Otobüsleri San. ve Tic. A.Ş. Personal Data Protection, Processing, Storage and Disposal Policy

Company/İDO

İstanbul Deniz Otobüsleri San. ve Tic. A.Ş.

Company Shareholders

İDO shareholder real persons

Company Authoritative

İDO board member and other authorized real persons

İDO Data Supervisor's Application Form

Application form for data supervisors to benefit when using applications related to the rights under Article 11 of PPD Law

Third Party

The third real persons who are in contact with the parties to ensure the security of the commercial transaction between the parties defined above and İDO or to protect the rights of the parties involved and to obtain the benefit.

5. CATEGORIZATION OF PERSONAL DATA

Within the scope of data processing activities carried out by İDO, the following are the categories and explanations of the personal data, relating to an identified and/or identifiable person, that are processed by partially or fully automated means or by non-automatic means as part of the data recording system:


CATEGORIZATION OF PERSONAL DATA    
CATEGORIZATION OF PERSONAL DATA DESCRIPTION

ID Information

All information such as TR ID Number, nationality information, mother's name, father's name, place of birth and date of birth, SSI Number, signature information, vehicle plate, etc. that are included in documents such as license, birth certificate, residence, passport, legal identity, marriage certificate

Contact Information

Information such as phone number, address, e-mail, fax number that is open to the real persons

Qualified Private Information

These are data that are biometric and genetic such as race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costumes and attire, association, foundation or union membership information, data on health and sexual life, criminal conviction and security measures that are specified as special qualified personal data specified in Article 6 of PPD Law.

Location Information

Location data acquired during the use of company vehicles

Physical Space Safety Information

To be kept in the data recording system, the camera and sound recordings, fingerprint records, records taken at the security point, physical space entrance, records taken during the stay in the physical space, etc. personal data to ensure our safety in all aspects of our commercial activities

Customer information

Information obtained and produced by real person customers as a result of our commercial activities and the operations of the related units within the scope of these activities

Customer Transaction Information

Records for the purchase of our services belonging to our customer in the data recording system and the information obtained under the instructions for purchase and personal data on personalization and marketing of usage and purchasing habits in accordance with the tastes and needs of the personal data holder who buys and / or uses our products and services and the reports and evaluations generated as a result of this process

Claim / Complaint Management Information

Personal data on evaluating and receiving any kind of requests and complaints that have been directed to the communication channels of İDO by real persons that are the customers of İDO or non-customers of İDO.

Reputation and Event Management Information

- Personal data collected from social media and similar media and evaluations related to the events that have a potential to affect İDO employees, shareholders in order to protect the commercial reputation of İDO and to ensure that the public is informed correctly (Shares related to İDO and etc.)

Financial Information

IBAN number, credit card information, financial profile and similar personal data processed under the records of all kinds of financial results within the framework of the legal relationship which has been established with İDO's personal data holder

Marketing Information

Personal data processed for the customization and marketing of our products and services according to the usage habits, taste, and needs of the personal data holder and reports and evaluations created as a result of this process

Risk Management Information

Personal data processed through the methods that are used in accordance with the generally accepted legal, commercial and honesty rules in order to manage our commercial, technical and administrative risks.

6. PROCESSING OF PERSONAL DATA

Technical and administrative measures are taken by the Institution according to the technological opportunities and application costs in order to ensure that personal data is processed in accordance with the Law. Employees are informed that they shall not disclose the personal data they obtain to anyone else in contradiction with the provisions of the PPD Law, that they shall not use them other than for the purpose of processing, and that this liability continues after they leave their position. Without limitation, İDO's personal data processing activity includes any actions performed on the data using automatic, semi-automatic or non-automated means. During the period in which the services are used and after the termination of the relationship, İDO shall have the right to process the data of a data holder in accordance with the following principles. İDO can process the personal data of the data holder or the third party specified by the data holder for a variety of purposes including, but not limited to, the following:

• İDO raises the awareness of the data processing institutions to which it transfers personal data, such as business partners and suppliers, in order to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure the proper storage of data.

• Obligations of İDO to comply with the obligations of personal data and the legal, administrative and technical measures it has developed is installed in accordance with the nature of the activities carried out by the institution for the data processing institutions.

• İDO takes the necessary technical and administrative measures, according to the technological opportunities and implementation cost, in order to prevent personal data from being disposed of, lost or changed for unlawful purposes.

• In accordance with Article 12 of the PPD Law, İDO carries out or undertakes the necessary inspections within the scope of itself. These audit results are reported and the necessary activities are conducted to improve the measures that have been taken.

• In case personal data processed in accordance with Article 12 of the Law on PPD are obtained by others by unlawful means, İDO operates the system which provides information to the relevant personal data holder and the PPD Board as soon as possible.

6.1. Scope of Processing Personal Data

During the use of the Institution's services and after the end of the relationship, the institution shall have the right to process the data of a data holder by complying with the principles set out in Article 6.3 of this Policy.

Under no restrictions, İDO's personal data processing activity includes any actions performed for the data using automatic, semi-automatic or non-automated means. In other words, personal data processing refers to transferring, disseminating or presenting in different ways, grouping or merging, blocking, deleting or disposing data, collecting, recording, photographing, recording voice, taking video recording, organizing, storing, changing, reinstatement, retrieval or disclosure, data to be acquired by non-automated means, whether fully or partially automated or as part of any recording system, storage, preservation, replacement, reorganization, disclosure, transfer, export, import, acquisition, retrieval, classification or prevention of use.

6.2 Purposes of Processing Personal Data

During the period in which the services are used and after the termination of the relationship, İDO shall have the right to process the data of a data holder in accordance with the following principles.

İDO can process the personal data of the data holder or the third party specified by the data holder for a variety of purposes including, but not limited to, the following:

• The proper and correct performance of İDO's services;

• Fulfillment of obligations under legal legislation,

• To make our web site and applications easier to use,

• To provide information storage, reporting, information and information to the audit companies, the related agent or proxy, the regulatory and supervisory authorities,

• Planning, auditing and executing information security processes,

• To make preparation and submission of various reports, research and/or presentations,

• Collecting, evaluating and meeting the complaints, questions, requests and suggestions of the Data Holder,

• Planning and execution of customer relationship management processes,

• Planning and/or execution of customer satisfaction activities,

• Performing promotion, marketing, advertising and campaign activities for the services,

• Planning and executing the sales processes of products and/or services,

• Fulfilling the requirements of the contracts concluded with the client,

• Follow-up of Legal Affairs,

• Follow-up of the contract processes and/or legal requirements,

• Knowing our members and improving our communication skills,

• To provide better and more reliable service to the customer, to develop more appropriate services and products and to sustain them continuously,

• Recommending the products and services offered by İDO according to customers' tastes, usage habits and requirements,

• Management of relations with business partners and/or suppliers,

• Ensuring the security of the Company Headquarters, terminals, warehouses and similar facilities,

• Planning and execution of emergency management processes,

• Planning and execution of personnel processes related to subcontractors

• Follow-up of financing and/or accounting procedures,

• Planning and follow-up of building and/or construction works,

• Planning the company recruitment and employee processes, planning and execution of market research activities for sales and marketing of services,

• Planning and execution of corporate communication activities

6.3. Processing Personal Data in Accordance with the Principles Foreseen in the Regulations

Pursuant to Article 5 of the Law on PPD, personal data may only be processed in accordance with the procedures and principles set forth in the Law on PPD and other relevant legislation. As İDO, personal data are processed in accordance with the procedures and principles specified in the PPD Law and other relevant legislation and under the PPD Law, it is clearly defined that the following principles should be observed in the processing of personal data.

• Processing Personal Data in accordance with the Law and Integrity Rules,

İDO carries out the process of processing personal data in accordance with the legal regulations and trustworthiness principle, mainly with PPD Law and other relevant legal regulations with the Constitution of the Republic of Turkey.

• Ensuring the Accuracy and Actuality of Processed Personal Data

While conducting personal data processing, İDO has set up systems and processes to ensure the accuracy and actuality of the personal data it processes. In this context, İDO takes the necessary measures to correct personal data holders' personal data and to verify their accuracy.

• Specific, clear and legitimate processing of personal data

İDO determines the purpose of processing personal data clearly and conclusively, and operates within the scope of open and lawful purposes under the obligation to inform set out in Article 10 of the PPD Law.

• Processing of Personal Data as related to purpose, as limited and measured

İDO processes personal data in a timely manner and in accordance with the purpose of determining the service that it has defined before the commencement of processing. İDO does not carry out personal data processing activities, which are not related to the realization of the objective or are presumed to be needed in the future. The processing of personal data is limited to İDO's activities and legal obligations.

• Storage of Personal Data as Required for the Purpose Foreseen in the Related Legislation or for the Purpose of Processing

İDO stores personal data as limited by the time required for the purpose for which it was committed, in accordance with the PPD Law. In this regard, İDO keeps the personal data for a period of time required for the purpose for which it was committed and if it is not provided for a period of time, it is kept for a period of time necessary for the purpose for which they were processed. İDO does not store any personal data with the possibility of future use. İDO deletes, disposes or anonymizes personal data if the reasons for the expiration or processing of data disappear.

6.4. Conditions of Processing Personal Data

İDO processes personal data only with the explicit consent of the person or in the cases provided for in the law. Except for explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of personal data processing can be only one of the following conditions, and more than one of these conditions may be the basis of the same personal data processing activity. In the event that the processed data is personal data, the following conditions apply.

In accordance with the regulation laid down in Article 5 of the PPD Law, İDO operates in the event that the person has explicit consent as a rule. However, in accordance with Article 2, paragraph 2 of the Law on PPD, the Legislator has enabled the processing of personal data in cases where there is no explicit consent. Accordingly; personal data can be processed by İDO in the presence of one and/or a few of the other conditions written in the clauses ''Obviously seen in the Law'' and ''Data Processing for the Legitimate Benefit of İDO with the Registration of Not Damaging the Fundamental Rights and Freedoms of the Related Person'' which are as follows. Although the existence of one of the following conditions is sufficient for personal data processing, more than one of these conditions may be the basis of the same personal data processing activity. In the event that the processed data is specially qualified personal data, the conditions to be applied are addressed separately in Section 7.1 of the Policy.

Personal Data Holder's Explicit Consent

One of the conditions of processing personal data is the explicit consent of the personal data holder. The personal data holder should disclose that he or she is sufficiently informed on a particular subject and has the consent to the processing of personal data in such a manner that it will not hesitate on the basis of this information.

Clearly Foreseen by Law

The personal data of the data holder may be processed by İDO without the explicit consent of the data holder in accordance with the law if it is expressly foreseen by law. For example, personal data is processed while keeping the workplace file of the employees within the framework of Labor Law and related legislation.

The obligation for the protection of the life or body integrity of the person or someone else who is unable to disclose his consent due to the actual impossibility or whose legal consent is not given to his consent

In case of the obligation for the protection of the life or body integrity of the person or someone else who is unable to disclose his consent due to the actual impossibility or whose legal consent is not given to his consent, personal data of the data holder can be processed. If the personal data holder cannot reveal his consent or if his validity cannot be validated, the personal data of the data holder can be processed if it is necessary to process personal data in order to protect the life of the person or another person's integrity. For example, these personal data are processed in the event that the health information of our guest who has an accident on the İDO terminal or ships is given to the terminal authorities by the family.

The requirement to process personal data of the parties of the Contract provided that it is directly related to the establishment or performance of an Agreement

If there is a requirement to process personal data of the parties of the Contract provided that it is directly related to the establishment or performance of an Agreement, the personal data can be processed by İDO.

The obligation of Data Processing for the fulfillment of the legal obligation of İDO

If there is an obligation of Data Processing for the fulfillment of the legal obligation of İDO, personal data of the data holder can be processed. For example, in accordance with the complaints made to the Public Prosecutor regarding the expenditures made on credit cards without the knowledge of the credit card holders, the presentation of the data in case of requesting personal data from İDO by the decision of the Prosecutor's Office.

Personal Data Made Public by the Personal Data Holder

In the event that the data holder has personally made his personal data public (he has publicly disclosed it in any way, such as on social media), the relevant personal data shall be processed by İDO without explicit consent. For example, the phone number of a person who wrote it down on the main page of the İDO social media account and who called for work can now be processed without explicit consent, but limited to this scope.

The Obligation of Data Processing for the Establishment or Protection of a Rights

If there is an obligation of Data Processing for the Establishment or Protection of a Rights, the personal data of the data holder can be processed.

The obligation to process data for the legitimate interest of İDO, without prejudice to the fundamental rights and freedoms of the relevant person

If there is an obligation to process data for the legitimate interest of İDO, without prejudice to the fundamental rights and freedoms of the relevant person, the personal data of the data holder can be processed. For example, personal data processing activities in the financial affairs department.

7. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

7.1. Processing of Special Quality Personal Data

Personal data defined as "Special Quality Personal Data" within the scope of the Law on Protection of Personal Data, due to the risk of causing victimization or discrimination of people when processed illegally, are addressed separately in this Policy because of this sensitivity.

It is prohibited to process Special Quality Personal Data, defined in Law on Protection of Personal Data Article 6 Paragraph 1, without the consent of the data holder as specified in Law on Protection of Personal Data, Article 6, Paragraph 2. Law on Protection of Personal Data, Article 6, Paragraph 3 regulates the exceptions of this rule.

Special quality personal data are processed by İDO in compliance with the aforementioned article of the law, provided that adequate measures to be determined by Board of Law on Protection of Personal Data have been taken.

7.2. Protection of Special Quality Personal Data

The Personal Data Protection Act stipulates that personal data are separately specified in this Policy because of the risk that they may result in discrimination or victimization of persons when they are unlawfully committed. The processing of Special Personal Data is clearly specified in Article 7.1 of the Policy.

For the employees involved in the processing of special personal data, necessary measures are taken for providing regular trainings on law and related regulations as well as special personal data security issues, making confidentiality agreements, identifying users with access to data, clarifying the scope and duration of their authorization, periodically performing authorization checks, immediate abolition of authority in the field and in this context, the inventory assigned to him by the data holder shall be returned.

If the media, where special personal data are processed, stored and/or accessed, is electronic media, necessary measures are taken for keeping the data using cryptographic methods, keeping the cryptographic keys in safe and different environments, safe logging of transaction records of all transactions performed on the data, continuous monitoring of security updates for the environments where the data is located, performing necessary security tests regularly, recording the test results, user authorization of this software if the data is accessed through a software, performing regular security tests of this software, recording of test results, providing at least two-level authentication system if remote access to data is required.

If the media, where special personal data are processed, stored and/or accessed, is physical media, necessary measures are taken to ensure that adequate security measures are taken (according to the nature of the environment where special qualified personal data is located) and that the physical security of these environments is ensured by preventing the unauthorized entrances.

8. TRANSFERRING OF PERSONAL DATA

It is necessary to transfer/share data related to the data holder and/or the third parties pointed out by the data holder in accordance with the purpose of serving the data holder as required by the İDO.

Personal data can be transferred to business partners, suppliers, Institution authorities, shareholders, subsidiaries, public institutions and private individuals authorized by law, within the framework of the personal data processing requirements and purposes set forth in Articles 8 and 9 of the PPD Law, for the purposes of carrying out the work needed by the business units so that the products and services offered by İDO can be used; offering the products and services of the institution according to the tastes, usage habits and needs of the customers; ensuring the legal and commercial security of İDO and of the persons who have business relations with İDO (İDO's administrative operations for communication, physical security and control of the locations of the institution, processes of evaluation of the partner/customer/supplier (authorized or employee), reputation research processes, legal compliance process, audit, financial affairs etc.); determining and implementing İDO's commercial and business strategies; and implementing the human resources policies of the organization.

İDO can transfer the personal data of the personal data holder and the special personal data to the third parties (third party companies, group companies, real third parties) by taking the necessary security measures in accordance with the law for personal data processing purposes. Accordingly, the Institution complies with the regulations stipulated in Article 8 of the Law on PPD.

İDO applies the exceptions to the transfer procedure specified in this Policy article, as set out in Article 8, paragraph 2 of the Law on PPD.

The provisions of other laws relating to the transfer of personal data are reserved.

8.1. Transfer of Personal Data Domestically

Within the scope of data processing activity, it may be necessary to transfer/share data related to the data holder and/or to third parties that the data holder points for the purposes to provide better service to the personal data holder, to meet their demands more accurately, to improve their service and communication, to be able to make customer satisfaction applications, information and to eliminate technical problems and for such purposes. In this regard, İDO acts in accordance with the regulations stipulated in Article 8 of the PPD Law and the regulations in this Policy under the mentioned article. Namely;

• Personal data may be transferred to business partners, suppliers, İDO authorities, shareholders, subsidiaries, public authorities and private individuals authorized by law, within the framework of the personal data processing requirements and purposes set forth in Articles 8 and 9 of PPD Law, for the purposes of carrying out the work necessary for business units to enable the use of the services offered by İDO; suggesting the products and services offered by İDO as customized according to customers' tastes, usage habits and needs; ensuring the legal and commercial security of İDO and of persons in a business relationship with İDO (administrative operations for communication carried out by İDO, ensuring physical security and control of İDO locations, evaluation processes of business partner/customer/supplier (authorized persons or employees), reputation research processes, legal compliance process, audit, financial affairs etc.); establishing and implementing İDO's commercial and business strategies; and ensuring the implementation of the Company's human resources policies.

8.1.1. Transfer of Special Personal Data Domestically

İDO can transfer the private data of the personal data holder to third parties by taking the necessary precautions and security measures, taking into account the conditions set forth in Section 7 of this Policy, in accordance with legitimate and lawful purposes.

8.2. Transferring Personal Data Abroad

İDO can transfer the personal data and the special personal data of the data holder to third parties by taking the necessary security measures in accordance with the law. Pursuant to Article 9 of the Law on PPD, the personal data processed by İDO can be transferred abroad if one of the conditions laid down in paragraph 2 of Article 5 of the Law on PPD or, provided that adequate measures are taken, in paragraph 3 of Article 6 of the Law on PPD exists, and if the foreign country to which the personal data will be transferred has been declared by the PPD Board as one of the countries with sufficient protection; or, if there is not sufficient protection, provided that those responsible for the data in Turkey and in the relevant foreign country commit to adequate protection in writing and the PPD Board gives its approval.

8.2.1. Transfer of Special Personal Data Abroad

In accordance with the legitimate and lawful personal data processing purposes, İDO may transfer the special personal data of the data holder to the countries that have sufficient protection or committed to adequate protection by the data responsible in the foreign country, taking into account the conditions set out in Section 7 of this Policy by taking the necessary security measures and taking adequate measures prescribed by the Board of PPD.

If special personal data is to be transferred via e-mail (encrypted, using a corporate e-mail address or a Registered Electronic Mail (REM) account), via media such as portable memory, CD or DVD, on paper, by establishing a VPN between servers or via SFTP, the necessary measures are taken against risks such as theft, loss or unauthorized viewing of the documents, and the documents are sent as ''confidential documents''.

8.3 Third Parties to Whom Personal Data Is Transferred and the Purposes of Transfer

In accordance with Articles 8 and 9 of the PPD Law, İDO shall transfer its customers' personal data to the following categories of persons:

(i) To İDO business partners,

(ii) To İDO suppliers,

(iii) To İDO subsidiaries,

(iv) To İDO Shareholders,

(v) To legally authorized public institutions and organizations,

(vi) To legally authorized private law persons,

(vii) To other third parties according to the data transfer requirements,

The scope of the persons mentioned above and the purposes of the data transfer are stated below and transactions carried out by İDO are in compliance with the provisions of Section 10 of the Policy.


| Persons to Whom Data Can Be Transferred | Definition | Purpose of Data Transfer |
|---|---|---|
| Business Partner | The parties with which İDO establishes business partnerships for the purposes of sales, promotion and marketing of İDO services, after-sales support and execution of joint customer loyalty programs. | Limited to ensuring the fulfillment of the objectives of the business partnership |
| Supplier | The parties that provide services to our Company on a contractual basis, in accordance with the orders and instructions of our Company, while İDO carries out its commercial activities. | Limited to ensuring that the outsourced services that İDO obtains from the supplier, and that are required to carry out İDO's commercial activities, are provided to İDO |
| Our subsidiaries | Companies that are the shareholder of İDO | Limited to ensuring the execution of commercial activities requiring the participation of İDO's subsidiaries |
| Our shareholders | Our shareholders who are authorized to design the strategies and audit activities of İDO in accordance with the provisions of the relevant legislation | Limited to designing strategies for İDO's commercial activities and to audit purposes, according to the provisions of the relevant legislation |
| Legally authorized public institutions and organizations | Public institutions and organizations that are authorized to obtain information and documents from İDO according to the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within their legal capacity |
| Legally authorized private law persons | Private law persons that are authorized to obtain information and documents from İDO according to the provisions of the relevant legislation | Limited to the purpose requested by the relevant legally authorized private law persons within their legal capacity |

9. PERSONAL DATA RIGHTS AND OBLIGATIONS

9.1. İDO's Obligation to Inform Personal Data Holders

Pursuant to Article 10 of the Law on PPD, İDO is obliged to inform personal data holders during the acquisition of personal data.

In this context, during the collection of personal data, İDO informs the data holder of the method and legal reasons by which personal data will be processed by İstanbul Deniz Otobüsleri San. ve Tic. A.Ş., the purposes for which these data will be processed, to whom and for what purposes the processed data will be transferred, and the data holder's rights under Article 11 of the PPD Law, and obtains direct consent.

9.2. Personal Data Holder's Rights and Application Method

The personal data holder may apply to İDO pursuant to Article 11 of the Law on PPD and make the following requests:

1. To learn whether personal data has been processed or not,

2. To request personal information if personal data is processed,

3. To learn the purpose of processing of the personal data and whether data are used in accordance with their purpose or not,

4. To know the third parties in the country or abroad to whom personal data have been transferred,

5. To request a correction of personal data if it is incomplete or incorrectly processed,

6. Within the scope of Article 7 of the Law on PPD, to request the deletion or destruction of personal data if the reasons requiring its processing no longer exist, even though it has been processed in accordance with the provisions of the Law on PPD and other relevant law, and to request that the transaction made within this scope be notified to the third parties to whom the personal data has been transferred,

7. To request the notification of the transactions made in accordance with the above mentioned paragraphs (d) and (e) to the third parties where the personal data is transferred,

8. To object to a result that arises against the person through the analysis of the processed personal data solely by automated systems; and

9. To request compensation for the damages in case the person incurs damages due to unlawful processing of personal data.

Pursuant to paragraph 1 of Article 13 of the PPD Law, personal data holders must submit their requests to use the above-mentioned rights to the Institution in ''writing'', by filling in the Data Holders Application Form of İstanbul Deniz Otobüsleri San. ve Tic. A.Ş, or by other methods determined by the PPD Board. The contact address is as follows:

Address: Kennedy Cad. Yenikapı Hızlı Feribot İskelesi 34480 Fatih / İstanbul

9.3. Conditions Excluded from Rights of Personal Data Holder

Where the conditions specified in the 1st paragraph of Article 28 of the Law on PPD exist, the provisions of the Law on PPD are not applied and, in this context, it is not possible for personal data holders to assert their rights, which are listed in the Law on PPD, regarding personal data processed by İDO.

In the cases specified in the Article 28 (2) of the Law on PPD, personal data holders cannot claim other rights mentioned in the Law on PPD except for the right to demand the remedy of the damages.

9.4 The right of the personal data holder to apply to İDO

Personal data holders are required to fill in the application form on İDO's website www.ido.com.tr and submit their requests to use the rights granted to them by law to the address “Kennedy Cad. Yenikapı Hızlı Feribot İskelesi 34480 Fatih / İstanbul” with a wet signature or a secure electronic signature.

Third parties cannot make requests on behalf of personal data holders; for a third party to apply on behalf of a personal data holder, that third party must be authorized by a special power of attorney.

9.5. Responding to Applications of Personal Data Holders by İDO

Pursuant to Article 13 of the Law on PPD; the requests contained in the application submitted by the personal data holder in accordance with the above procedure shall be concluded by İDO in the shortest time according to the nature of the request and within 30 days at the latest.

In the event that the transaction requires an additional cost, İDO may charge the applicant the fee in the tariff determined by the PPD Board. If the application is caused by the fault of İDO, the fee will be returned to the relevant person.

İDO may request information from the relevant person to determine whether the applicant is a personal data holder and to clarify the requests contained in the application.

İDO cannot be held responsible for requests that are not communicated in accordance with the procedure set out in Section 9.4 of the Policy and/or that are not communicated to İDO.

İDO may reject an application, by explaining the reasons, in the cases referred to in Article 28 of the Law on PPD and in the cases listed below:

(1) The request of the personal data holder may impede the rights and freedoms of others.

(2) Requests requiring disproportionate effort have been made.

(3) The requested information is publicly available.

9.6. The right of Personal Data Holder to complain to the PPD Board

The personal data holder may lodge a complaint with the board as specified in Article 14 of the Law on PPD.

The personal data holder cannot lodge a complaint with the PPD Board without using the right to apply under Article 13 of the Law on PPD and Section 9.4 of this Policy.

10. Technical and Administrative Measures Taken to Prevent the Access to and Processing of Personal Data as Lawfully and Confidentially

İDO takes all necessary technical and administrative measures to ensure the security level, and carries out the necessary audits itself or has them carried out within the framework of the agreements made with third parties, in accordance with Article 12 of the PPD Law.

10.1. Privacy in Processing Personal Data

Personal data processed by the İDO in accordance with the law are subject to data security. İDO takes all necessary technical and organizational measures to ensure the confidentiality and security of your personal data collected through our personalized personal data and our web sites and/or other applications.

It is forbidden for any employee of İDO to access this data without authorization, to process this data or use it for private or commercial purposes, to share this data with unauthorized persons or to make this data available by any other means. Employees of İDO may only have access to personal data in accordance with the type and scope of their respective duties. Therefore, roles and responsibilities are elaborated and separated. Any processing of this data by an employee who is not authorized to do so within the scope of their legitimate duties at İDO constitutes unauthorized action.

Managers should inform employees about the obligation to protect data confidentiality at the beginning of the employment relationship. This obligation will continue after the termination of employment.

10.2. Security in Processing Personal Data

Personal data is protected by İDO against unauthorized access, illegal data processing or disclosure and accidental loss, alteration or destruction of data. Your personal data is kept in a safe working environment that is not public and can be accessed only by authorized İDO employees (under the Privacy Policy with our employees), our intermediaries and contractors.

Before personal data is accessed through the website or the application, the credentials of the data holder whose personal data is stored are verified.

This provision shall be valid whether the data are processed electronically or on paper. The following technical and administrative measures are defined and implemented to protect personal data until new data processing methods, especially new information technology systems, emerge. These measures are designed taking into account the most advanced technology available, the risks of data processing and the need to protect data.

10.3. Technical Precautions

Within İDO, personal data processing activities and the keeping of personal data in a secure environment are conducted via technical systems, and technical solutions are applied. Appropriate technical precautions are taken and are periodically updated and renewed.

The technical precautions are periodically reported to the related persons by the internal audit mechanism, the risk factors are re-evaluated and the necessary technological solutions are produced.

Staff who are knowledgeable in technical issues are employed.

Software and hardware including virus protection systems and firewalls are used. Secure Sockets Layer (SSL) encryption is used on all web pages where personal data is collected through online services such as İDO site and İDO mobile application. To take advantage of these services, an SSL-supported browser such as Safari, Firefox, Chrome or Internet Explorer is required. In this way, the confidentiality of personal data transmitted over the Internet can be protected.

The İDO complies with the PCI DSS (Payment Card Industry Data Security Standard) regulations designed to ensure data security in card payment systems, and provides secure data transmission and operation in card payment systems. The credit card number is encrypted by İDO's online credit card application and transmitted to the bank and never shared with third parties. Credit card information is not kept by İDO.

To ensure that personal data is securely stored, backup programs are used in accordance with the law.

In addition, the data classification system used within the organization is integrated with the data leakage prevention (DLP) system. Thus, all electronic documents containing personal data within İDO have to be classified, and their removal from the institution is kept under control by the DLP system.

10.4 Administrative Measures

Employees are informed and trained about the protection and lawful processing of personal data, and about the fact that personal data cannot be disclosed to anyone contrary to the legislation and cannot be used outside the purpose of processing.

The agreements and documents between İDO and its employees include records and commitments that impose an obligation not to process, disclose or use personal data, except for the exemptions provided by İDO directives and the law.

Necessary administrative measures are taken to ensure the compliance of the employees with the non-disclosure and non-use obligations and to ensure the continuity of the application.

In cases where technical service is received from third parties for the storage of İDO's personal data, provisions are added to the contracts with these persons regarding the prevention of unlawful processing of personal data, the prevention of unlawful access to the data, taking the necessary measures to ensure that the data are kept in compliance with the law, and ensuring that these measures are observed in their own organizations.

İDO provides training and seminars related to maintaining the data storage and to prevent unlawful access to data and to prevent unlawful processing of personal data for business partners.

10.5. Conducting Audit Activities

In accordance with Article 12 of the PPD Law, İDO carries out the necessary audits within its own organization and at its business partners, or has them carried out within the framework of the agreements made with third parties. These audit results are reported to the relevant department within the scope of the company's internal operation and the necessary activities are carried out to improve all measures that have been taken.

10.6. Measures to be taken in case of unlawful disclosure of personal data

İDO is obliged to make the said provisions in accordance with Article 5 paragraph 5 of the Law on PPD and the necessary system is established in order to provide the necessary determination and notification if personal data obtained in accordance with the Law on PPD and the relevant legislation are obtained by others by unlawful means.

Following the notification made to the PPD Board, the PPD Board may declare this situation as set out in Article 12, paragraph 5, of the Law on PPD.

11. DELETING, DISPOSING, ANONYMIZING OF PERSONAL DATA

11.1. Principles Regarding the Legal Disposal of Personal Data

All transactions relating to the deletion, destruction and anonymization of personal data shall be recorded and such records shall be kept for at least three years, with the exception of other legal obligations.

İDO complies with the following principles when storing and disposing of personal data.

a) Compliance with the rules of law and integrity.

b) Being accurate and up-to-date if necessary.

c) Processing for specific, clear and legitimate purposes.

ç) Being connected, limited and measured according to the processing purpose.

d) To be kept for the period stipulated in the relevant legislation or for the purpose for which they were processed.

İDO shall dispose of personal data for the following reasons;

• Expiration of the deadlines set by the law on the storage of personal data

• End of destruction period determined by İDO

• End of periodic destruction period determined by İDO

• Amendment or annulment of the provisions of the relevant legislation which constitute the basis for processing personal data

• The fact that the contract has never been established, the contract is not valid, the contract is terminated automatically, the contract is terminated or the contract is returned,

• Eliminating the purpose of processing personal data

• Processing of personal data is against the law or integrity rule

• Withdrawal of consent by the relevant person, where the processing of personal data occurs only on the basis of express consent,

• Acceptance by İDO of the application regarding the activity of processing the personal data, made within the framework of the rights of the relevant person,

• A complaint being made to the PPD Board, and the Board approving the request, in cases where İDO rejects the application made by the person requesting the deletion or destruction of his personal data, gives an insufficient answer, or does not respond within the period stipulated in the law;

• The fact that there is no requirement to justify the retention of personal data for a longer period of time, although the maximum period of time that requires the storage of personal data

• The elimination of conditions requiring the processing of personal data in Articles 5 and 6 of the Personal Data Protection Act.

11.2. Personal Data Deletion, Disposal Techniques

The deletion or disposal of personal data is the process of making personal data inaccessible and unavailable to users in any way.

İDO erases or disposes of personal data using the techniques listed below.

• İDO shall take all necessary technical and administrative measures to ensure that the deleted personal data is inaccessible and unavailable to the relevant users.

• If the deletion of personal data results in the inability to access and use other data within the system, the İDO shall apply the following rules;

o Archiving personal data so that it cannot be associated with the person,

o Being closed to any other institution, organization and/or person

o Taking all necessary technical and administrative measures to ensure that personal data is only accessible to authorized persons

o Deletion of personal data from İDO systems in case of direct request for deletion by natural persons

• Deleting personal data that is part of any data logging system and processed by non-automatic means is carried out by:

o Dimming of personal data that is not necessary,

o Masking of personal data that is not necessary on paper records which are transferred to electronic media by scanning or digitizing.

The above mentioned deleting conditions are provided by the following methods;

11.2.1. Physical Disposal

Personal data can also be processed in non-automated ways, as part of any data logging system. When such data is deleted/disposed of, a system of physical destruction is applied so that the personal data cannot be used afterwards.

11.2.2. Safely Deleting from Software

When deleting/disposing of data that are processed in fully or partially automated ways and stored in digital media, methods for deleting the data from the respective software are used so that they cannot be recovered anymore.

11.2.3. Safely Deleting by Expert

In some cases İDO might come to terms with an expert to delete personal data on its behalf. In this case, the personal data shall be deleted/erased safely by the expert so that it can never be recovered.

11.3. Techniques of Anonymization of Personal Data

Anonymization of personal data means rendering personal data impossible to associate with a particular or identifiable real person, even if the personal data is paired with other data. İDO can anonymize personal data if the conditions for processing personal data processed in accordance with the law are eliminated. Thus, anonymized personal data can be processed for purposes such as research, planning and statistics in accordance with Article 28 of the Law on PPD. Such processing shall be outside the scope of the Law on PPD and the express consent of the personal data holder shall not be sought. As anonymized personal data will be outside the scope of the Law on PPD, the rights set out in Section 9 of this Policy shall not apply to these data.

İDO uses the following techniques to anonymize personal data.

11.3.1. Masking

It is a method of anonymizing personal data by removing data from the data set by using data masking. For example, removing information that enables the identification of the personal data holder, such as the name, surname, TR ID number, and so on.

11.3.2. Consolidation

With the data consolidation method, many data are consolidated so that personal data cannot be associated with any person. For example, stating that there are Y customers at age X, without specifying the ages of individual customers.

11.3.3. Data Derivation

With the data derivation method, a more general content is created from the content of personal data, and the personal data is rendered impossible to associate with any person. For example, specifying age instead of date of birth.

11.3.4. Data Blending

With data blending method, the values are mixed in the personal data set and it is ensured that the link between the values and the people is removed.

11.4. Storage and Disposal of Personal Data and Periodic Disposal Periods

İDO deletes, erases or anonymizes personal data in the first periodic destruction following the date of the obligation to delete, dispose or anonymize personal data. The period of periodic destruction is six months. Regarding personal data, the retention periods have been determined in accordance with the PPD Law and business processes.

The Board of PPD may shorten the time limits set forth in this article, in the event of irregularities or irregular damages.

The real person who owns the data requests the deletion or disposal of his personal data by applying to İDO, pursuant to Article 13 of the Law on PPD.

a) If all the processing conditions for personal data have been eliminated, İDO deletes, disposes or anonymizes personal data subject to the request. İDO shall finalize the request of the real person who owns the data within 30 days and inform that person.

b) If all personal data processing conditions have been eliminated and the personal data subject to the request has been transferred to third parties, İDO shall inform the third party of this fact and shall ensure that necessary actions are taken by the third party.

c) If the conditions for processing the personal data have not been completely eliminated, this request may be rejected by the İDO in accordance with Article 3, Paragraph 3 of the Law on PPD and the rejection shall be notified to the person concerned in writing or electronically within thirty days at the latest.

Periods of Deleting, Disposal, or Anonymization of Personal Data

İDO takes into account the following periods within the scope of the obligation to delete, dispose or anonymize personal data:

• In the first periodic disposal process following the date of the occurrence of the obligation,

• the period of periodic disposal may not be longer than 180 days.

11.4.2. Periods for Deleting and Disposal of Personal Data when requested by the relevant person

When the person has requested the deletion or disposal of his personal data by contacting İDO;

• If all the conditions for processing personal data have been eliminated, İDO may delete, dispose or anonymize personal data subject to the request. Deletion or disposal requests of the relevant persons shall be finalized by İDO at the latest within thirty days.

• If the conditions for processing the personal data have not been completely eliminated, this request may be rejected by İDO and the rejection shall be notified to the person in writing or electronically within thirty days at the latest.

11.5. In-house Management of Processing, Storage and Disposal of Personal Data

İDO conducts this Policy and the management of processes linked to this Policy in the process of compliance with the provisions of the PPD Law and the relevant legislation, and in any transaction related to the personal data to be realized following the completion of the harmonization process, as follows:

A customer who wants their personal data to be deleted from İDO systems may request the deletion by contacting İDO personally or through the Corporate Web Page. Requests received from all channels are stored in the paging system and the customer is called back by the call center for verification. After the customer's data in the İDO system has been clarified, the deletion process is executed in the relevant systems and the customer data is deleted.

12. REGISTRATION MEDIA

In accordance with the procedures and principles set forth in the PPD Law and other laws, İDO records and stores the personal data that is completely or partially automated or processed in non-automatic ways as part of any data recording system in the İDO data warehouse.

12.1. Registration at the entrance of the Terminal, Head Office and similar buildings and their monitoring

Personal data processing is carried out by monitoring with security cameras at terminals, toll booths and facilities for purposes such as increasing the quality of service provided by İDO, ensuring its reliability, ensuring the security of the company, its guests and other persons and protecting the interests of the guests. The monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and related legislation. Areas where monitoring could result in an intrusion on personal privacy that exceeds the security objectives (e.g. toilets) are not subject to monitoring.

In accordance with Article 10 of the PPD Law, the personal data holder is informed by İDO both through the publication of the Privacy and Data Security Policy on the website and through notices of monitoring at the entrances to the areas where monitoring takes place, and the personal data that have been obtained are protected by the administrative and technical measures referred to in this Policy.

12.2. Monitoring Guest Entry/Exit in Terminal, Head Office Building and etc.

İDO carries out personal data processing by obtaining the identity of the visitors and logging into the Visitor Program for the purpose of ensuring security and following the visitors' entrance and exits at İDO buildings and terminals for the purposes stated in this Policy.

12.3. Ensuring Institution's Facility Security and Website Visitors

In order to provide security, the Institution carries out personal data processing activities in its premises and facilities by monitoring visitors' entrances and exits through surveillance cameras.

Within the scope of monitoring activities with security cameras, the Institution aims to increase the quality of the service provided, ensure its reliability, ensure the security of the Institution, customers and other persons, and protect the interests of the customers regarding the services they receive.

Necessary technical and administrative measures are taken by the Institution in accordance with Article 12 of the PPD Law to ensure the security of the personal data obtained through camera monitoring.

Log records related to internet access are recorded in accordance with the provisions of Law No. 5651 and the legislation regulated in accordance with this Law and these records are processed only for the request of the authorized public institutions and organizations or for the fulfillment of the related legal obligations in the audit processes to be performed within the Institution.

İDO, on the websites it owns, is able to record internet activity within the site by technical means (eg cookies) in order to ensure that the visitors of these sites perform their visits on the sites in accordance with the purpose of their visit, to show them customized content and to perform online advertising activities.

Detailed information on the protection and processing of personal data related to these activities are available in texts of ''İstanbul Deniz Otobüsleri San. ve Tic. A.Ş Privacy and Data Security Policy'' of the related websites.

IN-HOUSE GOVERNANCE UNDER THE PROTECTION AND PROCESSING OF PERSONAL DATA

Within the structure of İDO, in order to follow and manage the necessary actions for compliance with the Law No. 6698, the Personal Data Protection Committee ("Committee") was established. The main duties of the Committee are specified below:

Duties of the Committee:

• To present the basic policies related to the protection and processing of personal data and, when necessary, to prepare for the approval and enforcement of the changes,

• To decide on how to implement and control the policies related to the protection and processing of personal data and to make the necessary task distribution and coordination within this framework,

• To determine the issues to be taken in order to ensure compliance with the relevant legislation and to submit to the approval of the senior management, to ensure the implementation and coordination,

• To raise awareness in the Company and in the Company's business partners about the protection and processing of personal data,

• To identify the risks that may occur in the personal data processing activities of İDO and to ensure that the necessary measures are taken; to submit proposals for improvement to the approval of senior management,

• To follow the relevant legislation regarding the protection of personal data, in prepared texts, to make updates in policies,

• Designing training on the protection of personal data and the implementation of policies and carrying out the training following the necessary approvals,

• To make a decision by establishing a mechanism to meet the requests of personal data owners quickly,

• Coordinating the execution of information and training activities to ensure that personal data owners are informed about their personal data processing activities and legal rights,

• To follow the developments and regulations regarding the protection of personal data, and to advise the senior management about what needs to be done in accordance with these developments and regulations,

• Coordinating the relations with the PPD Board and PPD Authority,

• To carry out other duties assigned by senior management regarding the protection of personal data,

• To identify the risks that may occur in the Company's personal data processing activities and to ensure that the necessary measures are taken and presenting suggestions for improvement,