This Protocol on the Protection of Personal Data (the "Protocol") is executed between Idenfit Bilişim Hizmetleri Sanayi ve Dış Ticaret Anonim Şirketi (hereinafter referred to as "IDENFIT") and the user who completely fills out the registration form on the website and electronically approves this Agreement (hereinafter referred to as "CUSTOMER"). Under this Agreement, IDENFIT and the CUSTOMER shall each be referred to individually as a "Party" and together as the "Parties".

This Protocol is concluded for the protection of personal data that the Parties transfer to each other or that one of the Parties obtains by other means on behalf of the other Party within the scope of the execution and performance of the Idenfit Timeware License Agreement (the "Agreement") and/or the negotiation and conduct of any other agreement, arrangement, memorandum, transaction and other commercial relationship between the Parties (together with the Agreement, the "Commercial Relationship").

Within the scope of this Protocol, IDENFIT and the CUSTOMER shall each be referred to as a "Party" and together as the "Parties".

1. Subject

This Protocol sets forth the rights and obligations of the Parties regarding the transfer of personal data within the scope of the Commercial Relationship. This Protocol forms an integral part of the Commercial Relationship.

2. Definitions

Terms capitalized but not otherwise defined in this Protocol shall have the meanings ascribed to them under Law No. 6698 on the Protection of Personal Data (the "Law"), applicable international agreements, relevant laws and regulations, decisions of the Personal Data Protection Board, guidelines of the Personal Data Protection Authority, and other decisions/instructions of regulatory and supervisory authorities, courts and other official bodies, as well as all future regulations in the field of personal data protection and any amendments thereto (collectively, the "PDPL Regulations"). Any changes in the meanings of the relevant terms under the PDPL Regulations shall also apply under this Protocol.

3. Rights and Obligations of the Parties

1. The CUSTOMER agrees, declares and undertakes to process and transfer to IDENFIT all Personal Data, including Sensitive Personal Data, in accordance with the provisions of this Protocol and the PDPL Regulations.
2. With respect to the Personal Data, including Sensitive Personal Data, that the CUSTOMER will transfer to IDENFIT in accordance with this Protocol, the CUSTOMER agrees, declares and undertakes to act in compliance with all obligations attributed to it under the PDPL Regulations in its capacity as Data Controller, and to inform Data Subjects in accordance with the PDPL Regulations and obtain their explicit consents where necessary so as to enable IDENFIT to process the Sensitive Personal Data, including those to be transferred to IDENFIT within the scope of this Protocol and the Commercial Relationship. In this context, upon IDENFIT’s request, the CUSTOMER shall promptly provide IDENFIT with all information and documents evidencing the fulfillment of such obligations and shall make the necessary revisions to explicit consent and information texts in accordance with the PDPL Regulations and put such revised texts into effect to allow IDENFIT to process said Personal Data in compliance with the PDPL Regulations within the scope of the Commercial Relationship.
3. The CUSTOMER may use many of the capabilities of the IDENFIT program or may choose not to use some of them; this depends on the CUSTOMER’s choice and request. The CUSTOMER agrees, declares and undertakes to obtain the consents of its own employees for the Sensitive and General Personal Data that it will upload to these areas.
4. Due to the technology it uses, IDENFIT utilizes storage located abroad, as there are no equivalent technologies available in Türkiye. However, the databases used are preserved by hashing/ encrypting; no processing activity other than storage is carried out. The CUSTOMER agrees, declares and undertakes to obtain the explicit consents of its employees under the law with respect to this storage activity.
5. The CUSTOMER agrees, declares and undertakes to take all necessary technical and administrative measures to ensure that the transfer of Personal Data to be transferred to IDENFIT is carried out in compliance with the PDPL Regulations. If Sensitive Personal Data are among the Personal Data to be transferred by the CUSTOMER to IDENFIT, the CUSTOMER agrees, declares and undertakes to transfer such Sensitive Personal Data to IDENFIT in compliance with the PDPL Regulations, in particular Articles 6, 8 and 9 of the Law and the decisions of the Personal Data Protection Board, subject to additional security measures and authorizations.
6. Without prejudice to regulations under the applicable legislation requiring IDENFIT to retain the Personal Data, including Sensitive Personal Data, transferred by the CUSTOMER for a longer period, if all conditions for processing the said Personal Data cease to exist or if there are other reasons arising from the PDPL Regulations necessitating the deletion of Personal Data, the CUSTOMER agrees, declares and undertakes to notify IDENFIT of this situation in writing within a reasonable time in advance.
7. In the event of a potential dispute concerning the processing of Personal Data to be transferred by the CUSTOMER to IDENFIT, or in the event of any Data Subject requests or applications that directly or indirectly reach the CUSTOMER and concern IDENFIT, the CUSTOMER agrees, declares and undertakes to promptly (within 2 (two) business days at the latest) forward these to IDENFIT and to fully cooperate with IDENFIT, including sharing any and all information and documents.
8. IDENFIT expressly agrees, declares and undertakes that all Personal Data, including Sensitive Personal Data, processed within the scope of this Protocol are and shall remain under the CUSTOMER’s control, and that, without prejudice to the PDPL Regulations, it is subject to confidentiality obligations limited to the term of the Agreement with respect to such Personal Data.
9. Personal Data, including Sensitive Personal Data, which are necessary for the conduct of the Commercial Relationship and compliant with the PDPL Regulations may be requested by IDENFIT from the CUSTOMER. The CUSTOMER has the right to assess and reject requests that are not compliant with the PDPL Regulations or are not legitimate with respect to the Personal Data, including Sensitive Personal Data, that IDENFIT may request the CUSTOMER to transfer or that IDENFIT may obtain on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval within the scope of the Commercial Relationship.
10. In any case, while processing all Personal Data, including Sensitive Personal Data, to be transferred to it by the CUSTOMER or to be obtained by IDENFIT on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval, IDENFIT agrees, declares and undertakes to act in accordance with the PDPL Regulations.
11. IDENFIT guarantees that all information and documents containing Personal Data, including Sensitive Personal Data, that the CUSTOMER will transfer to IDENFIT within the scope of the Commercial Relationship or that IDENFIT will obtain on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval, will be accessed only by IDENFIT employees on the payroll of IDENFIT who must absolutely have access to such information and documents in order to fulfill their obligations for the purposes regulated under the scope of the Commercial Relationship, and that they will act in accordance with this Protocol. In this context, IDENFIT agrees, declares and undertakes to carry out all kinds of works, transactions and actions, including administrative and technical measures.
12. IDENFIT agrees, declares and undertakes to take the necessary administrative and technical measures, including the measures recommended by the Personal Data Protection Board to ensure data security, regarding the security of Personal Data, including Sensitive Personal Data, that the CUSTOMER will transfer to IDENFIT within the scope of the Commercial Relationship or that IDENFIT will obtain on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval.
13. In the event that Sensitive Personal Data are transferred by the CUSTOMER to IDENFIT or obtained by IDENFIT on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval, IDENFIT agrees, declares and undertakes to take additional security measures specific to Sensitive Personal Data in accordance with the PDPL Regulations, in particular Article 6 of the Law and the decisions of the Personal Data Protection Board.
14. In the event that any unauthorized access to Personal Data, including by IDENFIT’s own employees, occurs; or Personal Data are made accessible to third parties in violation of the PDPL Regulations and/or this Protocol; or Personal Data are processed in violation of the PDPL Regulations and/or this Protocol; or any data breach is likely to occur with respect to Personal Data, including Sensitive Personal Data, that the CUSTOMER will transfer to IDENFIT within the scope of the Commercial Relationship or that IDENFIT will obtain on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval; IDENFIT agrees, declares and undertakes to notify the CUSTOMER of this situation within 72 (seventy-two) hours at the latest and to promptly provide any information, documents, measures and support requested by the CUSTOMER in order to minimize the damage arising from this situation.
15. The CUSTOMER agrees, declares and undertakes that in the event that Personal Data, including Sensitive Personal Data, that the CUSTOMER will transfer to IDENFIT or that IDENFIT will obtain by other means based on the CUSTOMER’s written approval are requested from IDENFIT by courts or any official institution or organization (including primarily courts), IDENFIT is obliged to fulfill the relevant official institution or organization’s request; and that the CUSTOMER hereby approves the transfer of personal data to the relevant official institution or organization; and that the CUSTOMER will provide information to the relevant persons for this transfer and obtain explicit consent where necessary.
16. Without prejudice to regulations under the applicable legislation that require IDENFIT to retain the Personal Data, including Sensitive Personal Data, transferred by the CUSTOMER or obtained by IDENFIT on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval for a longer period, IDENFIT agrees, declares and undertakes that, with respect to all Personal Data, including Sensitive Personal Data, that the CUSTOMER has transferred to IDENFIT or that IDENFIT has obtained on behalf of the CUSTOMER by other means based on the CUSTOMER’s written approval:

    (a) upon the cessation of the reason for processing, the termination of this Protocol or the Commercial Relationship for any reason, or upon a request to that effect by the CUSTOMER, IDENFIT shall promptly deliver to the CUSTOMER, against signature, all media and environments in which the relevant Personal Data are recorded, without demanding any additional fee and by methods and measures that will not harm the integrity of the Personal Data;

    (b) upon receipt of requests from the CUSTOMER regarding the deletion, destruction, alteration, etc. of Personal Data in accordance with the PDPL Regulations, IDENFIT shall promptly fulfill the relevant requests.

17. IDENFIT agrees, declares and undertakes to promptly (within 5 (five) business days at the latest) notify the CUSTOMER in writing of Data Subject applications, requests and any other disputes concerning the CUSTOMER that are directly or indirectly communicated to IDENFIT; to provide the CUSTOMER with all necessary information, documents and support in this context; not to take any action regarding requests addressed to it without fulfilling its information obligation towards the CUSTOMER under this Protocol; to carry out the necessary actions in accordance with the instructions communicated by the CUSTOMER regarding the relevant requests or the potential administrative or legal proceedings or disputes arising from the requests; and, in the event that the CUSTOMER is subject to an audit by a competent authority/body, to act in full cooperation with the CUSTOMER upon the CUSTOMER’s request.

4. Obligations Regarding Personal Data for Which Both Parties Are Data Controllers

1. The Parties agree, declare and undertake to process, in accordance with the PDPL Regulations, all Personal Data, including Sensitive Personal Data, that they may transfer to each other via physical or electronic media by sharing, granting access authorization or by other means within the scope of the Commercial Relationship and/or that they may process pursuant to this Protocol and the Commercial Relationship.
2. When acting in their capacity as Data Controllers, the Parties agree, declare and undertake to inform Data Subjects in accordance with the PDPL Regulations regarding their own obligations and, if necessary, to process the Personal Data of such persons by obtaining their Explicit Consents, and furthermore, where necessary in this context, to determine in good faith and in cooperation the processes to fulfill the Information and Explicit Consent obligations.
3. The Parties agree, declare and undertake to prevent unauthorized access by their own employees or third parties to Personal Data, including Sensitive Personal Data, that they may transfer to each other via physical or electronic media by sharing, granting access authorization or by other means within the scope of the Commercial Relationship and/or that they may process pursuant to this Protocol and the Commercial Relationship; to prevent processing in violation of the PDPL Regulations and/or this Protocol; and to take all necessary technical and administrative measures, including those recommended by the Personal Data Protection Board to ensure an appropriate level of security to safeguard the preservation of Personal Data.
4. In the event that any unauthorized access to Personal Data, including Sensitive Personal Data, that the Parties may transfer to each other via physical or electronic media by sharing, granting access authorization or by other means within the scope of the Commercial Relationship and/or that they may process pursuant to this Protocol and the Commercial Relationship occurs; or Personal Data are made accessible to third parties in violation of the PDPL Regulations and/or this Protocol; or Personal Data are processed in violation of the PDPL Regulations and/or this Protocol; or any data breach is likely to occur, the Parties agree, declare and undertake to notify the other Party of this situation immediately (within 72 (seventy-two) hours at the latest) and to promptly provide any information, documents and support requested by the other Party in order to minimize the damage arising from this situation.
5. The Parties agree, declare and undertake to promptly (within 2 (two) business days at the latest) notify the other Party in writing of Data Subject applications, requests and any other disputes concerning the other Party that are directly or indirectly communicated to them; to provide the other Party with all necessary information, documents and support in this context; not to take any action regarding requests addressed to them without fulfilling their information obligation towards the other Party under this Protocol; to carry out the necessary actions in accordance with the instructions communicated by the other Party regarding the relevant requests or the potential administrative or legal proceedings or disputes arising from the requests; and, in the event that the other Party is subject to an audit by a competent authority, to act in full cooperation with the other Party upon the other Party’s request.

5. Compensation

1. IDENFIT reserves the right of recourse against the CUSTOMER for any direct or indirect damages suffered by IDENFIT, any legal, administrative and criminal sanctions it may face, and any compensation it may be obliged to pay, due to the CUSTOMER’s violation of this Protocol or the PDPL Regulations, or due to the acts of the CUSTOMER’s employees, if any, the employees of its service providers/business partners, or third parties to whom Personal Data are transferred by the CUSTOMER under this Protocol. For these reasons, upon IDENFIT’s request, the CUSTOMER agrees, declares and undertakes to immediately, in cash and in full, pay to IDENFIT the direct and indirect damages suffered by IDENFIT, and that, in this context, IDENFIT has the right to set off such amounts against payments, if any, to be made by IDENFIT to the CUSTOMER.
2. The compensation obligation shall continue to apply indefinitely even if the commercial relationship between the Parties ends.

6. Implementation of the Protocol

1. In the event of any conflict/inconsistency between the provisions of this Protocol and the agreements/arrangements, if any, entered into within the scope of the Commercial Relationship with respect to Personal Data, the provisions of this Protocol shall prevail with respect to Personal Data. However, the Parties’ obligations under confidentiality agreements or other agreements regarding confidentiality with respect to any other data, including Personal Data, shall remain reserved.
2. If either Party breaches any of its obligations set forth in this Protocol, the other Party shall have the right to unilaterally terminate the Commercial Relationship, without prejudice to any compensation rights.

7. Term

This Protocol shall remain in force for the term of the Agreement.

8. Severability

The invalidity, voidability, illegality or unenforceability of any provision, term or condition contained in this Protocol shall not affect the validity of the other provisions of the Protocol.

9. Waiver

1. The fact that any right arising from this Protocol is not used in whole or in part within its term shall not be construed as a waiver of such right.
2. The failure of either Party to perform or to fully perform any of its obligations under this Protocol shall not be construed as an acceptance of such situation by the other Party or as a waiver of the performance of such obligations.
3. The one-time or partial exercise of any right under this Protocol shall not prevent the subsequent exercise of that right or the exercise of any other right.

10. Amendments

Any amendment to this Protocol shall be valid only if the Parties mutually agree in writing.

11. Non-Assignment

The Parties may not assign or transfer in part or in whole their rights and obligations arising from this Protocol to any third party without the other Party’s prior written consent.

12. Governing Law and Jurisdiction

This Protocol is subject to and shall be governed by and construed in accordance with the substantive laws of Türkiye. The Istanbul (Çağlayan) Courts and Enforcement Offices shall have jurisdiction over any dispute arising from or in connection with this Protocol.

13. Notices