KVKK CLARIFICATION TEXT

EKO MMI Fuarcılık Ltd. Sti. (“Eurasia”) ensures the security of your personal data with great sensitivity. Eurasia has the title of "data controller" within the scope of the Law on Protection of Personal Data No. 6698 (“KVKK”). As a Data Controller, as well as within the scope of contracts and services provided, within the scope of KVKK and relevant legislation, your personal data can be processed within the scope of the information and purposes listed below in accordance with the legislation. In this context, Eurasia takes technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of your personal data, to prevent unlawful access and to ensure its preservation, in accordance with the principles stipulated by the KVKK.

Scope and Purpose of the Clarification Text

This Illumination Text explains the methods and legal reasons for collecting personal data; the purposes for which such personal data is used; to whom and for what purposes personal data may be transferred; deletion, destruction and anonymization of personal data; and the rights of the Relevant Persons over their personal data and how these rights can be exercised.  

Collection Methods, Legal Reasons and Purposes of Your Personal Data

Your personal data stated below are collected electronically or in writing; when you visit our company and our website, when you participate in fairs and organizations, through the Visitor Registration Form, Participant Registration form, the website of the event, cookies and other documents declared by you, and stored in electronic media.

Your personal data are collected by the methods mentioned above, by Eurasia for the purposes listed below, as specified in Article 5 of the KVKK, provided that;

1. It is clearly stipulated in the law,
2. It is mandatory for the data controller to fulfill its legal obligation,
3. Data processing is mandatory for the establishment, exercise or protection of a right, and
4. Provided that it does not harm the fundamental rights and freedoms of the data subject, on the basis of legal reasons that data processing is mandatory for the legitimate interests of the data controller.

Your Processed Personal Data and Purposes of Processing Your Personal Data

Eurasia needs the processing of Personal data when it is required to fulfill its legal obligations directly and indirectly required by the services provided.

• Identity Information (name and surname information, etc.)
• Contact Information (e-mail, address, fixed phone and mobile phone information)
• Professional Experience Information (professional group and job/title information)
• Transaction Security Information (Password Information, IP Address, Online Traffic Data and Event Entry and Exit Information and password information)
• Marketing Information (Purpose of Participation in the Event, SMS and e-mail messages for marketing purposes sent based on the commercial electronic message permission given by the Relevant Person)
• Legal Transaction Information (Commercial Electronic Message Permission of the Related Person and Explicit Consent of the Related Person)

In this sense, your personal data are processed always in a connection with and only limited to the purposes such as answering Information Requests and Fulfilling Legal Obligations, managing the fair service process, inviting to and informing about the fair, carrying out the marketing and sales processes, managing the customer service process, completing the data registration process of the customer and potential customer, completing the data registration process of the customer and potential customer, performing the registration for the event, Improving the Services Offered Through the Event and Developing New Services, Ensuring Communication between the Participants of the Event, Executing Information and Transaction Security Processes, Creating the Visitor Portfolio, Executing the Activities in Compliance with the Legislation and Compliance, Answering Information Requests from Administrative and Judicial Authorities, Up-to-Date and Accurate Processed Data Providing Commercial Electronic Message Approval, Promotion and Marketing of Services to Existing Visitors, Processing of Visitors' Data within the Scope of Law No. 5651, Administrative and Judicial Authorities.

Persons to Whom Your Personal Data to be Transferred and Purposes of Transfer

Eurasia transfers your personal data only for the purposes specified in this Clarification Text and in accordance with Articles 8 and 9 of the KVKK.

In order to carry out commercial activities and ensure continuity, your personal data can be transferred to the commercial electronic message tool service provider within the framework of the conditions stipulated in the KVKK, to domestic and foreign business partnerships or affiliates, domestic and foreign third parties to whom support services are provided or received, service providers who provide support to us in data processing activities, in accordance with the provisions of the relevant legislation for the purpose of auditing commercial activities, to audit firms within the scope of relevant contracts, to legally authorized public institutions and organizations within the scope of the legal authority of the relevant public institutions and organizations, to public institutions and organizations determined to ensure the fulfillment of the legal obligations specified in the KVKK, for promotion and advertisement purposes.

The personal data subject to domestic and international transfer, which we mentioned above, is transferred and preserved by Eurasia and the third parties to whom the transfer is carried out, by taking all necessary security and technical measures. In addition, your personal data is legally protected by data processing agreements concluded with third parties to whom Eurasia, as the data controller, transfers your personal data.

Deletion, Destruction and Anonymization of Your Personal Data

Your personal data collected in line with the purposes and means described above will be processed by EURASIA with care and confidentiality in accordance with KVKK. Your personal data is processed for the period required by our company for the purpose of processing data and for the period stipulated in the relevant legislation, and then deleted, destroyed or anonymized. During the processing of your personal data, only authorized persons within our company will be able to access your personal data in accordance with the requirements of the job.

Upon the expiry of the stipulated period, your personal data will be destroyed immediately in accordance with the relevant provisions of the KVKK and the Turkish Penal Code, the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" and our company policies.

Rights of the Relevant Person

As the "Relevant Person" whose personal data is processed, you have the following rights specified in Article 11 of the KVKK:

• Learning whether personal data about them is being processed, requesting information if their personal data has been processed,
• Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
• Knowing the third parties to whom personal data is transferred at home or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom the personal data has been transferred,
• Requesting the deletion or destruction of personal data in the event that the reasons requiring the processing of personal data no longer exist, even though it has been processed in accordance with the provisions of the KVKK and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
• It has the right to object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems and to demand the compensation of the damage in case of damage due to the unlawful processing of personal data.

After filling in the "Request KVK Information" form on our website for all your requests regarding the above-mentioned rights, you can send a wet-signed copy to the address of "EKO MMI Fuarcılık Ltd. Şti., Biracılar Sokak No:10/1 Mecidiyeköy, 34387 Şişli - İstanbul - Türkiye” in written form or the wet-signed form to .....@hs01.kep.tr with secure electronic signature.

Your requests will be concluded free of charge as soon as possible and within 30 days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board may be charged.  In your application request, the details of your right that you request to use and the subject of your application should be clear and understandable. In addition, your request must be related to yourself, if you are acting on behalf of someone else, the document that you are specially authorized in this regard and other documents confirming your identity must be attached to your application.

COOKIE CLARIFICATION TEXT

Cookies are used by EKO MMI Fuarcılık Ltd Şti (“Eurasia”) to improve the experience of site users/members/visitors when visiting our online channels. The use of these technologies is carried out in accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”) and the legislation that Eurasia is subject to.

The purpose of this Clarification Text is to inform the Data Owners regarding the processing of personal data to be obtained by the use of cookies by the site users/members/visitors (“Data Owner”) during the operation of the “www.ifat-eurasia.com” website. In this context, information is provided on the type of cookies, the purpose of use and the ability to control the cookies in question.

Change the types or functions of cookies used on our website; new cookies can be added or the use of these cookies can be waived. In this respect, the right to amend the provisions of this Clarification Text is reserved, and any amendment that has been done on the Clarification Text (this clarification text will be updated with any changes) will come into force once it is published on our website or in any public media.

Cookies are small text files that are stored in the Internet browser or hard disk of the device in use, allowing the device in question to be identified. The text files in question can be interpreted by browsers and servers that can access them, and various information can be obtained about the device on which the visit to the website is made, and therefore the relevant user.

Cookies Used and Purposes of Use

Cookies are used for various purposes on our site and personal data is processed through these cookies. Personal data is used for the following purposes:

• To perform the basic functions necessary for the operation of the website
• Analyzing the website and increasing performance
• Increasing the functionality of the website and establishing ease of use
• Measuring the effectiveness of the website's product promotion and advertising campaigns

Cookies Used on the Website

Below are the different types of cookies used on the website. 1st party cookies (placed by the site you visit) and 3rd party cookies (placed by servers other than the site you visit) are used on the website.

Controlling the Use of Cookies

To change your preferences for the use of cookies or to block or delete cookies, simply change your browser settings. Many browsers give you the option to accept or reject cookies, to only accept certain types of cookies, or to be alerted by the browser when a website requests to store cookies on your device so you can control cookies. It is also possible to delete cookies previously saved in your browser. The process of controlling or deleting cookies may vary depending on the browser you use. You can visit the links in the table below for instructions for some popular browsers to allow or block or delete cookies:

EKO MMI FUARCILIK LTD. ŞTİ.
PERSONAL DATA STORAGE, DISPOSAL AND ANONIMIZATION POLICY

A-SCOPE

1. This Personal Data Retention and Disposal Policy (“Policy”) comprises all departments, employees and 3rd parties involved in any process where personal data is processed by EKO MMI Fuarcılık Ltd. Şti. (“Eurasia”).
2. This Policy will cover all destruction activities that Eurasia will implement on personal data and will be implemented as a result of any destruction requirement.
3. This Policy will not be applied to data that does not qualify as "personal data".

Law
It is the Law on Protection of Personal Data No. 6698.

Regulation
It is the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Board                                      
It is the Personal Data Protection Board.

Recording Media                          
It is the name given to any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

Personal Data Processing Inventory
It is the inventory created and detailed by data controllers by associating the personal data processing activities they carry out and personal data processing purposes depending on their business processes, with the data category, the transferred recipients and the data subject group.

Destruction                                      
It is the deletion, destruction or anonymization of personal data.

Periodic Destruction                    
It is the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy in the event that all of the personal data processing conditions in the law are eliminated.

Data Recording System                
It is a recording system in which personal data is processed and structured according to certain criteria.

Data Controller                     
It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

C-PURPOSE

This Policy sets out the principles to be followed by Eurasia and third parties contractually responsible for Eurasia in accordance with Article 7 of the Law [1] and the provisions of the Regulation. In this context, the following principles will apply to the storage and destruction of personal data:

1. Personal data should be kept for the period required by the relevant legislation or for the purpose for which they are processed.
2. Eurasia will act in accordance with the security measures in Article 12 of the Law [2], the provisions of the relevant legislation, the decisions to be taken by the Personal Data Protection Board, and the Policy while storing or deleting, destroying or anonymizing personal data.

E-RECORDING ENVIRONMENTS

Computers/servers used on behalf of Eurasia containing personal data, network devices, shared/non-shared disk drives used for data storage on the network, cloud systems, mobile phones and all storage areas inside, peripherals such as paper, microfiche, printer, fingerprint reader, recording media such as magnetic tapes, optical discs, flash memories and personal data in other media that may arise in addition to these are included in the scope of this Policy.

E-CIRCUMSTANCES REQUESTING THE DISPOSAL OF PERSONAL DATA

1. Change or repeal of the legislation that is the basis for processing,
2. Termination or invalidity of the main contract for processing,
3. The disappearance of the purposes and conditions of processing,
4. Processing activity is against the good faith or the law,
5. Withdrawal of consent in processing activities based on explicit consent,
6. Application by the data controller and acceptance of this application,
7. The decision of the Personal Data Protection Board regarding the application of the data controller and the rejection of this application, regarding the need to meet the request,
8. Expiration of the retention period.

F-DESTRUCTION OF PERSONAL DATA

The purpose of the destruction process is that it is not possible to reach the real person with the remaining data. Destruction of personal data, deletion, destruction or anonymization of data can be implemented by the following methods. These transactions should be carried out with the approval of the owner of the relevant information asset, by obtaining support from the authorized unit when necessary. In all works to be done, the Data Disposal Form must be filled and signed and processed.

The owner of the medium is responsible for requesting the appropriate deletion and destruction of data and software in the aforementioned media and updating the inventory of assets.                                    

1-DELETION

Deletion of personal data is the process of making personal data inaccessible and unusable in any way. The methods of deletion of personal data are as follows.

• Personal data in paper media is deleted using the blackout method.
• Office files on the central server are deleted with the delete command in the operating system.
• Personal data in portable media is deleted with appropriate software.
• Databases, related rows containing personal data are deleted with database commands.

2-ANNIHILATION

Destruction of personal data means the destruction of materials suitable for data storage, such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved and used again.

2.a. Local Systems

2.a.1. De-magnetizing

It is the process of corrupting the data until it becomes unreadable by exposing the magnetic media to a very high magnetic field by passing it through a special device.

2.a.2. Overwrite

It is the process of making old data unreadable by writing random data consisting of 0 and 1 at least 8 times with software on magnetic media and rewritable optical media.

2.a.3. Physical Annihilation 

It is the physical destruction of optical media or magnetic media by melting, pulverizing, grinding and similar processes. It can be applied in cases where overwrite methods fail.

 2.b. Destruction of Personal Data in Environmental Systems

It is the destruction process that should be done by overwriting and physical destruction on the indoor unit, if not, on the entire device, if there is confidential information in systems such as printer, fingerprint unit, door entry turnstile. This type of destruction must be applied before the devices are subject to backup, maintenance and similar processes.

2.b.1. Network devices (switch, router, etc.): It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.b.2. Flash-based environments: It must be destroyed by using the manufacturer's recommended disposal method or by using one or more of the appropriate methods specified in F.2.a.

2.b.3. Units such as magnetic disk: It must be destroyed by demagnetizing or physical destruction methods such as burning or melting.

2.b.4. Mobile phones (Sim card and fixed memory areas): It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.b.5. Optical discs: It must be destroyed by physical destruction methods such as burning, breaking into small pieces, melting.

2.b.6. Peripherals such as printer with removable data recording media, fingerprint door access system: It should be verified that all data recording media are removed and destroyed by using one or more of the appropriate methods specified in F.2.a, depending on their characteristics.

2.b.7. Peripherals such as printer with fixed data recording medium, fingerprint door access system: It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.3. Paper Media                

It should be destroyed by dividing it into small pieces that cannot be reassembled, horizontally and vertically if possible, with paper shredders or clipping machines.

3-ANONYMIZATION

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. Anonymization of personal data is the duty of the data subject business unit within Eurasia. The data owner business unit can receive support from different units of Eurasia for the destruction of the data, provided that it is audited by itself. During the anonymization of the data, Eurasia uses the following methods.                                                                                                                 

3 a. Masking : With data masking, it is a method of anonymizing personal data by removing the basic identifier information of the personal data from the data set.                                                                

3.b. Aggregation : With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person.                                                               

3.c. Data Derivation: With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person.                                                                                                                           

3.d. Data Mixing : With the data mixing method, the values in the personal data set are mixed and the link between the values and the people is broken.

G-STORAGE AND DISPOSAL TIMES

1. Periodic Disposal and Legal Storage Periods

Physical and digital data, which have completed the legal storage and destruction periods, are periodically destroyed. Eurasia deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out at 6-month intervals for all personal data. Transactions regarding deleted, destroyed and anonymized data are kept for at least 3 years, excluding other legal obligations.

2. Deletion and Destruction Process at the Request of Data Owners

In cases where data owners request the deletion or destruction of their personal data by applying to Eurasia, it checks the current status of the personal data processing conditions and takes relevant actions accordingly. If all the conditions for processing personal data have been removed, it deletes, destroys or anonymizes the personal data subject to the request. Eurasia finalizes the request of the person concerned within thirty days at the latest and informs the person concerned. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party; and ensures that the necessary actions are taken within the scope of the Regulation before the third party. If all the conditions for processing personal data have not disappeared, Eurasia may reject the request by explaining the reason to the relevant data owner and notify the relevant person in writing or electronically within thirty days at the latest.

Personal Data Owners cannot claim their rights in cases within the scope of Article 28 [3] of the Law.  

H-ENFORCEMENT AND EXECUTION

This Procedure enters into force as of the approval date of the General Directorate. Procedural provisions are executed by persons/units authorized by Eurasia company.

[1] Deletion, destruction or anonymization of personal data  

ARTICLE 7- (1) Personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of this Law and other relevant laws.

(2) The provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.

(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.

[2]  Obligations regarding data security

ARTICLE 12- (1) Data controller;

• a) To prevent the unlawful processing of personal data,
• b) To prevent unlawful access to personal data,
• c) It is obliged to take all necessary technical and administrative measures to ensure the protection of personal data and to ensure the appropriate level of security.

(2) In case the personal data is processed by another real or legal person on his behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.

(3) The data controller is obliged to carry out or have the necessary inspections carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.

(4) Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave office.

(5) In case the processed personal data is obtained by others illegally, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

[3] Exceptions

ARTICLE 28- (1) The provisions of this Law shall not be applied in the following cases:

• a) Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with. b) Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics. c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security. d) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

(2) In accordance with the purpose and basic principles of this Law, Article 10, which regulates the obligation of disclosure of the data controller, Article 11, which regulates the rights of the data subject, except for the right to demand the compensation of the damage, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not be applied in the following cases: a) The processing of personal data is necessary for the prevention of crime or for criminal investigation. b) Processing of personal data made public by the person concerned. c) If personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority granted by the law. ç) The processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.