KVKK (Personal Data Protection Law) Clarification Text

This Clarification Text has been prepared in accordance with Article 10 titled "Disclosure Obligation of the Data Controller" of the Personal Data Protection Law No. 6698 ("Law"), which aims to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and the "Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform". Adnet Internet and Communication Services Trade. Co. Ltd. ("Myfi", as the data controller, takes the necessary technical and administrative measures by using its technological and infrastructure facilities in order to ensure that personal data is securely stored and processed in accordance with the law within the framework of the Law and the relevant legislation.

Personal data is processed by Myfi in accordance with the Law and relevant legislation within the scope of this Clarification Text. Real persons whose personal data are processed within the scope of the Law can obtain information about the personal data that can be processed by Myfi, the purposes of processing this data, the recipient groups to which it can be transferred, the method of collection and the legal reason for data processing, and their rights under the Law regarding the personal data in question, by examining the text below.

1. PROCESSED PERSONAL DATA

Personal data refers to any information relating to an identified or identifiable natural person. The following personal data may vary from person to person within the scope of the demands of the relevant persons and / or the products / services they benefit from, and your personal data that can be processed by Myfi are given below:

• Identity Information: Name, surname, Turkish Identity No, place and date of birth, marital status, gender, ID serial no and sequence no, nationality, passport number, parents' name, mother's maiden name, photograph and ID sample obtained through our institutional applications
• Contact Information: Telephone/fax number, e-mail address and address information
• Subscription Information: Subscriber identity and contact information, contract number, customer number, service numbers, subscription type, subscription status (cancellation, active, line freeze, etc.), subscription channel, sales and cancellation dates, tariff and package information, quota and speed information, segment information and profession information specific to tariff usage
• Device Information: Device identity information, brand and model information, device change dates, modem type used and modem change dates,
• Traffic Information: : Traffic data used for communication transmission and billing purposes (date, time, duration and parties of calls made / messages sent or received / internet roaming), IP address
• Usage Information: Traffic information, behaviour and tendency information and cookies on Myfi websites and mobile applications, content usage such as movies/music etc., information on value-added service/product/service subscriptions and their usage, over limit information, billing information, social media id and order/shopping history
• Financial Information and Risk Information: Invoice preference, invoice and information contained in the invoice, debt information, TL balance / loading frequency / number of loading for prepaid customers, payment instruction, credit rating and risk status, payment information, account number, credit card and bank information, tax identity number
• Transaction Security Information: Username, password, security question and certificate information used in verifying user identity
• Visual /Audio Recordings: Call centre call recordings, audio and/or video call recordings made in offices and dealers
• Special Categories of Personal Data: Health information indicating your disability status specific to tariff usage, foundation and association membership information

2. PURPOSES OF PROCESSING PERSONAL DATA

Your personal data may be processed for the following purposes in accordance with the processing conditions specified in Articles 5 and 6 of the Law and secondary regulations:

• Ensuring the establishment, provision and continuity of our Company's services,
• Subscription establishment and realisation of invoicing/charging/refund/collection transactions made during the subscription period, termination of the subscription,
• Checking the accuracy of your identity information and documents you have declared, keeping your identity card and other information that must be kept in addition to your subscription contract in accordance with the relevant legislation,
• Providing customer services, meeting customer complaints/demands,
• Conducting surveys/analyses/statistics studies focused on measuring customer satisfaction, researching customer trends and improving service quality,
• Providing award/ sweepstakes/ competition /gift/thanking / celebration/reminder practices with a focus on ensuring customer satisfaction,
• Preparing, presenting, introducing, following up, reporting campaigns and offers regarding products and services according to the usage of our customers and informing them about the campaign content,
• Informing our customers about new products/services, campaigns/tariffs and other innovations, informing and customer recovery activities, creating sales opportunities,
• Credit-income assurance and risk review, credit scoring, management of risk for collection and detection and prevention of all kinds of malicious use such as irregularity /abuse / fraud,
• Compliance with the information storage, reporting and information obligations stipulated by the legislation and official authorities within the scope of national and international principles and fundamentals regarding customer recognition,
• Development of products, services and business in conventional and digital media within the scope of network and technological advances/improvements for better and innovative service delivery,
• Foundation of brand collaborations touching different sectors within the scope of increasing product and service diversity and enabling customers to benefit from various opportunities,
• Conducting network improvement/optimisation works,
• Proactive/reactive detection of malfunctions that may occur during service delivery, finding and resolving the root cause of the problem and trying to prevent recurrence,
• Sharing the information and documents demanded by regulatory and supervisory bodies and official authorities, fulfilling the legal obligations in the relevant legislation, carrying out audit activities, legal proceedings and legal processes,

3. TRANSFER OF PERSONAL DATA

Your personal data may be transferred to the following third parties in accordance with the provisions of the Law regarding the transfer of personal data domestically and abroad within the scope of the following legislation and purposes:

In case you give your explicit consent, your personal data may be shared with the companies, our representatives and dealers that we have authorised, companies operating on behalf and account of our Company, our representatives and dealers in order to carry out your subscription, location and usage data before and after subscription in order to provide you with appropriate offers within the scope of Myfi's services.

Myfi may transfer your Personal Data to the following real or legal, private or public legal persons:

• Persons and institutions and other third parties from whom we receive services, cooperate, with whom we are/will be a programme partner in order to carry out the activities of our company
• All suppliers and business partners with whom we cooperate for the performance of the products or services offered to you,
• Your attorneys and representatives authorised by you,
• All kinds of administrative, judicial and other official institutions ordered by law, including but not limited to regulatory and supervisory bodies, courts, prosecutor's offices, executive offices, in accordance with the demand or legal obligations,
• Lawyers, tax consultants, auditors and other third parties from whom services are received for reasons such as following our legal rights regarding the products or services we offer, fulfilling legal requirements.

In order to meet the demands of the regulatory supervisory authority, it can be shared with the regulatory and supervisory institutions, the competent authorities that will determine your location in case of an emergency call, and the public institutions or organizations that are expressly authorized to demand your personal data in the laws to which they are subject.

In order to carry out your financial transactions and ensure the security of your mobile financial transactions, your subscription, finance and device information can be shared with payment and e-money institutions, banks, credit risk and financial institutions.

In order to provide legal and critical information and to prevent cases such as forgery and fraud, your phone number registered in the Myfi directory can be shared with banks and financial institutions, asset management companies, law firms, municipalities, business partners and suppliers that have your T.R. ID number..

In order to manage the risk of collection and prevent malicious use, your invoice amount and payment information can be shared with other operators within the scope of the Electronic Communications Law.

Your personal data required for the execution of legal transactions can be shared with law firms, courts, consumer arbitration committees.

4. METHODS OF COLLECTING PERSONAL DATA AND LEGAL REASONS

Your personal data; According to the nature of the service, product and activity, it may be processed through companies operating on behalf and account of our company, our representatives, dealers, our website, call centre and mobile applications that we have authorised.

Your personal data, during the establishment of your legal relationship with Myfi and during the continuation of such relationship:

• physical, written, verbal and electronic media
• the above-mentioned purposes, and
• Within the framework stipulated in the provisions of Articles 5, 6 and 8 of the Law

It is collected fully/partially by automatic or non-automatic means. Your personal data is processed on the following legal grounds:

• Having your explicit consent
• Being clearly stipulated in the Electronic Communications Law No. 5809 and other legislation to which our Company is subject
• Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract, to provide the demanded products and services and to fulfil the requirements of the contracts you have concluded,
• That it is obligatory for the fulfilment of our legal obligations,
• That it has been publicised by the person concerned,
• That data processing is obligatory for the establishment, exercise or protection of a right,
• Provided that it does not harm the fundamental rights and freedoms of the person concerned, that data processing is compulsory for the legitimate interests of our company,
• In case of actual impossibility, if you are unable to explain your consent or the data processing is compulsory for the protection of the life or physical integrity of the person whose consent is not legally valid or of another person.

Your sensitive personal data:

• In case you have your explicit consent,
• Your sensitive personal data other than health can be processed without seeking your explicit consent in cases stipulated by law.

5. PROCESSING TRAFFIC AND LOCATION DATA

Your traffic and location data stated in the first section can be processed for the following purposes and after being stored for the period specified in the regulations and laws, they are destroyed in accordance with the relevant regulations of the Personal Data Protection Institution and our Company's Retention and Destruction Policy:

• Establishing, providing and ensuring the continuity of our company's services,
• Conducting infrastructure/serviceability inquiries, subscription establishment and realisation of invoicing/charging/refund/collection transactions made during the subscription period, termination of the subscription,,
• Providing customer services, meeting customer complaints/demands,
• Proactive/reactive detection of malfunctions that may occur during service delivery, finding and solving the root cause of the problem and trying to prevent recurrence,
• Sharing information/documents demanded by regulatory and supervisory bodies, official authorities, fulfilment of legal obligations in the relevant legislation, audit activities, legal follow-up and legal processes,
• To be able to communicate suitable opportunities to you with your explicit consent.

6. YOUR RIGHTS FOR THE PROTECTION OF YOUR PERSONAL DATA

In accordance with Article 11 of the Law titled “Rights of the relevant person” regulating the rights of the relevant person:

• Learning whether your personal data is processed or not,
• Demanding information if your personal data has been processed,
• Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
• Knowing the third parties to whom personal data are transferred domestically or abroad,
• Demanding correction of personal data in case of incomplete or incorrect processing, and demanding information to be given to third parties to whom the data is transferred in case of correction,
• Demanding the deletion or destruction of personal data within the framework of Article 7 of the Law, and demanding that third parties to whom the data is transferred be informed in case of deletion or destruction,
• Objection in the event that a result arises against you as a result of the analysis of the processed data exclusively by automated systems,
• You have the right to demand the compensation of the damage in case of damage due to unlawful processing of personal data.

If you wish to exercise your above-mentioned rights, you may submit your application within this scope in accordance with the conditions specified in the Communiqué on the Procedures and Principles of Application to the Data Controller (‘Communiqué’) in order to determine whether the application belongs to you and thus to protect your rights:

• You can send it to our addresses given below by post (identity confirmation will be required) or through a notary public or
• You can send your verified e-mail address registered in our systems to our e-mail / e-mail addresses specified below by using a registered electronic mail (KEP) address, secure electronic signature or mobile signature.

The applications to be made within this scope will be accepted following the identity verification to be made by us, and your demands will be finalised as soon as possible and within 30 days at the latest, depending on the nature of the demand

Applying to legal or administrative follow-up procedures.

Your Rights as Personal Data Owner Relevant Person

In accordance with Article 11 of the Law, you have the following rights regarding the protection of your personal data:

• Learning whether your personal data is processed or not,
• Demanding information if your personal data has been processed,
• Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
• Knowing the third parties to whom personal data are transferred domestically or abroad,
• Demanding correction of personal data in case of incomplete or incorrect processing,
• Demanding the deletion or destruction of personal data within the framework of Article 7 of the Law,
• Objection in the event that a result arises against you as a result of the analysis of the processed data exclusively by automated systems,
• Demanding the compensation of the damage in case of damage due to unlawful processing of personal data.

You can send us your petition (This petition should include: your name, surname, Turkish ID Number, address from which you want to receive a reply, e-mail address or fax number, application date, detailed explanations regarding your demand) in order to use your rights and make a demand regarding personal data within the scope of the above-mentioned Law by the following methods:

By using your e-mail address previously notified to Myfi and registered in the company system, by e-mail to the myfi@myfi.com.tr address prepared in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller,

Please hand-deliver the application form with wet signature and send it to “Adnet Internet and Communication Services Trade. Co. Ltd. Yeni Mah. Sakarya Cad. No:325 Erenler/SAKARYA” address by mail or via notary public by attaching the documents proving your identity information to your application.

In order for us to finalise your application, the information and documents you have submitted to us must be accurate and up-to-date, and additional information may be demanded from you if deficiencies are detected regarding your application. We would like to inform you that if the information and documents we will provide you as a result of your application require an additional cost, you may be required to pay the fee determined by the Personal Data Protection Board.

For detailed information, you can review the law on the official website of the Grand National Assembly of Turkey.

We wish you a good day.