Founded in 1981 in Adana, Sampaş Information and Communication Systems has been a pioneer in the sector with its effective and innovative information technology solutions for local governments for more than 40 years. With ISO9001, ISO20000 and ISO27001 quality certificates, our company has proven its reliability and quality.
Sampaş's long years of experience in software development, combined with training investments and quality improvements that reinforce its leadership in the sector, aims to successfully meet the growing IT needs of municipalities. Producing software using the fourth generation programming language in Turkey, Sampaş has been a pioneer in software development since 1988, leading the sector.
The company has strengthened its leading position in the IT sector by providing training to over 25,000 businesses and countless operators. It offers a wide range of services from software design to installation, training to operation, maintenance and support services to consultancy, providing comprehensive solutions to its customers.
By establishing national and international strategic partnerships, Sampaş provides high standard information technology solutions to municipalities and aims to maintain its leadership in the sector with more than 40 years of experience and know-how.
While shaping the technologies of the future, Sampaş Information and Communication Systems continues to shape the sector by prioritizing customer satisfaction. Its history of successful projects and solid references are among the factors that make Sampaş a reliable business partner and a leader in IT solutions.
Our Vision
As SAMPAŞ Bilişim ve İletişim Sistemleri A.Ş., we aim to be a pioneer in a world transformed by technology and to shape a sustainable future. Our vision is to contribute to improving the quality of life of societies by maintaining our leadership in the field of information solutions and technology, to continue to grow nationally and internationally by adhering to the principles of sustainability and to promote excellence at every stage of our business.
Our Mission
As SAMPAŞ Bilişim ve İletişim Sistemleri A.Ş., our mission is to meet the needs of local governments and societies by providing innovative IT solutions to the needs of cities. With the digital twin-based smart city applications we have developed, we aim to help our cities achieve ISO37120 Sustainable Cities and Communities quality certification and thus become resistant to future socio-economic and cultural problems. We aim to use technology to increase efficiency and build a more sustainable world.
As Sampaş Bilişim ve İletişim Sistemleri Sanayi ve Ticaret A.Ş., our "Information Security Management System" policy based on the principle of continuous improvement is stated below.
- To comply with the requirements of ISO 27001 standard in our activities,
- Protect information from all threats that may occur intentionally or unintentionally from inside or outside by systematically evaluating information in terms of confidentiality, integrity and accessibility in the activities of collecting, reporting, sharing and processing information,
- To comply with national and international legal and other requirements regarding information security,
- To provide the necessary resources to achieve the goals we have set with the aim of ensuring information security,
As Sampaş Bilişim ve İletişim Sistemleri Sanayi ve Ticaret A.Ş., which adopts the principle of transforming cities into smart and sustainable cities, especially in our country, we are committed to ensuring the information security of all our stakeholders' assets, including customers. I fully believe that all our employees will contribute to the achievement of Sampaş Bilişim ve İletişim Sistemleri Sanayi ve Ticaret A.Ş. targets by continuing their activities within the framework of our Information Security Management System Policy.
QUALITY MANAGEMENT SYSTEM POLICY
- To create, implement and execute effective quality management systems in all processes in our organization in order to provide sustainable service at the level of international standards,
- To ensure and execute the applicable conditions by continuously auditing the effectiveness of the quality management system and making the necessary improvements,
- To keep customer satisfaction at the highest level in the products and services we provide,
- Managing customer feedback effectively, - Being a pioneering and guiding organization by going beyond customer needs - Increasing trainings for continuous development,
- To create a quality management system that aims to deliver on time with effective use of resources and continuous improvement by eliminating transactions that do not create value,
- To ensure continuous improvement and continuity of quality by following the highest technology,
- To create a fast and effective working system by using technological opportunities in corporate communication with our suppliers and customers,
- To become a brand in the national and international market in the local government sector by working in a team spirit with our employees, suppliers and business partners.
Procedures and policies supporting this policy have been established to ensure the QMS.
SAMPAŞ A.Ş. TOP MANAGEMENT is committed to the realization, review and continuous improvement of the practices related to the QMS.
OUR SERVICE MANAGEMENT POLICY
Establishing a management system that complies with the requirements of ISO/IEC 20000 within the framework of all legal regulations, raising awareness of Sampaş A.Ş. employees by receiving the necessary trainings in line with this goal, internalizing quality service management systems, sharing this perspective with all our customers and business partners, providing IT service delivery that directs our customers and business partners without being limited to customer demands.
SAMPAŞ A.Ş. aims for excellence by continuously improving IT Services and Customer satisfaction.
SAMPAŞ A.Ş. aims for excellence by continuously improving IT Services and Customer satisfaction.
INTERNET PLATFORM DISCLOSURE TEXT
1. IDENTITY OF THE DATA CONTROLLER
("Our Company") has the title of data controller within the scope of the Personal Data Protection Law No. 6698 ("Law") and carries out personal data processing activities in accordance with the regulations in the Law and other applicable legislation.
2. COLLECTION, PROCESSING AND PROCESSING PURPOSES OF PERSONAL DATA
Your personal data listed below are collected electronically and processed for the purposes listed below:
- Your identity and contact information that you will include in the application you will make to us by using the "e-mail list" and/or "contact" form on our website,
- If you visit or browse our website, your digital trace data and cookie data will also be processed.
Your personal data; It is processed for the purposes of providing our Company's services, fulfilling after-sales services, increasing customer satisfaction, evaluating and responding to complaints and suggestions, conducting statistical analyzes, fulfilling legal and regulatory requirements, providing the necessary information in line with the requests and audits of official authorities, and ensuring data security.
On the other hand, if you give your explicit consent, your identity and contact data will also be processed for promotional, e-mail newsletter sending and marketing purposes.
3. TRANSFER OF PERSONAL DATA
Your personal data may be transferred to supervisory and regulatory public institutions and organizations (BTK, TÜİK, courts, banks, etc.), auditors, software and hardware support service providers and legally authorized private persons such as lawyers, within the scope of the Law and other legislation and for the purposes described in Article 2 of this Clarification Text, depending on and limited to the reason requiring transfer.
4. YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA
The rights of natural persons whose personal data are processed are listed in Article 11 of the Law. As a personal data owner, if you submit your requests regarding your rights listed in the relevant article of the Law in accordance with the application procedures stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller to the official address of our company in person or through a Notary Public, your request will be finalized free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, it may charge the fee in the tariff determined by the Personal Data Protection Board.
TEXT ON EXPLICIT CONSENT FOR THE PROCESSING OF PERSONAL DATA
I consent to the processing of my personal data that I have shared with your Company for promotional, e-mail newsletter sending and marketing purposes as informed in the Clarification Text.
Commercial Message Confirmation
In addition, pursuant to the Law No. 6563 on the Regulation of Electronic Commerce, I hereby give my consent for you to contact me for commercial communication, sending newsletters and advertising and promotional purposes regarding products and services through the channels I have marked below.
SMS
Search
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Version : 1
Edit Date : 01.09.2022
1. PURPOSE
("Company") and all its employees undertake to comply with the principles, decisions and rules introduced by the Constitution of the Republic of Turkey and the Law No. 6698 on the Protection of Personal Data and other relevant legislation in force and to protect the rights of individuals whose data are processed by the Company. The Company has put into effect this Personal Data Protection and Processing Policy ("Policy"), which has been written to be implemented and developed for this purpose.
The purpose of the Policy is to establish rules for the internal management of personal data, to set targets and obligations, to establish control mechanisms in accordance with the reasonable risk level, to fulfill the legal obligations in the field of personal data protection and to protect the interests of individuals in the best possible way.
2. SCOPE
The provisions of the Policy cover the employees, sub-employees and interns of the company providing support services to all units of the Company, especially the Company's board of directors. Law No. 6698 on the Protection of Personal Data or any action that violates this Policy is evaluated within the scope of the relevant legislation and sanctions are applied accordingly.
Again, the Company's business partners, suppliers and all third parties working with the Company who have access or may have access to personal data are invited to read and comply with this Policy.
3. DEFINITIONS
Explicit consent: |
Consent to a particular subject matter, based on information and freely given, |
Anonymization: |
It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Contact Person: |
The real person notified by the Data Controller during registration to the Registry for communication with the Authority regarding the obligations of the Data Controller, |
Law: |
Law No. 6698 on the Protection of Personal Data, |
Personal data: |
Any information relating to an identified or identifiable natural person, |
Personal Data Inventory: |
The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes and legal grounds, data category, transferred recipient group and data subject group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security, |
Processing of personal data: |
All kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system, |
Institution: |
The Personal Data Protection Authority, |
Board: |
Personal Data Protection Board, |
KVK Committee: |
The structure consisting of real person or persons appointed by the data controller, who performs administrative follow-up and coordination of the processes established within the scope of the Law, |
KVK Undertaking: |
The document determining the legal obligations of third parties with whom data is shared, |
Registry: |
The register of data controllers kept by the Authority, |
Data Processor: |
A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller, |
Data Controller: |
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
|
|
4. RESPONSIBILITIES
The Company has the title of Data Controller in accordance with the Law. Everyone who is an employee of the Company is responsible for developing and promoting the right practices in the processing of personal data within the Company and for other obligations.
All employees of the Company who process personal data are responsible for acting in accordance with the Personal Data Protection legislation.
The Company is responsible for the realization of the necessary notifications and trainings so that all employees know their responsibilities in the field of personal data protection and have the necessary awareness.
Company employees are obliged to ensure the accuracy and timeliness of all personal data provided to the Company by them or related to them.
4.1. PDP Committee:
The members of the PDP Committee are appointed by the Board of Directors by taking into account their regular training and experience in the Law and secondary legislation and practices and report directly to the Board of Directors. The PDP Committee has been established as the committee in charge of managing the personal data protection system and ensuring and documenting compliance with the Law and other relevant legislation and is responsible to the Board of Directors in these matters.
4.2. Duties and Responsibilities of the PDP Committee:
- The PDP Committee should inform the Board of Directors about personal data protection legislation and developments.
- The PDP Committee is responsible for ensuring that the Company's policies and procedures are up-to-date, that data processing audits and trainings are carried out in accordance with the planned schedule and that they are in compliance with the relevant legislation.
- The PDP Committee acts together with the relevant employees in all matters related to the protection of personal data.
- The PDP Committee is responsible for ensuring that personal data that is not clearly necessary for the purpose of processing is not collected and processed.
- The PDP Committee checks that the data processed through the personal data inventory updated every year is appropriate and relevant.
- The PDP Committee audits that all data processing methods are appropriate and relevant through the internal audit/external audit it will conduct on an annual basis.
- The PDP Committee is responsible for stopping the data processing activity in terms of personal data that it determines to be inappropriate or irrelevant or more than necessary for the purpose of processing, and for the safe destruction of the processed data in accordance with the procedure defining the storage and destruction process.
- The PDP Committee is obliged to instruct the relevant unit to review the accuracy or timeliness of certain data by evaluating the type, storage period and amount of processed data through the data inventory.
5. APPLICATION PRINCIPLES
5.1. DATA PROCESSING PRINCIPLES
The Company will comply with personal data protection legislation and data protection principles. The data processing principles adopted by the Company include the following:
- Process personal data only if it is clearly necessary for legitimate corporate purposes,
- To process as much personal data as necessary for these purposes and not to process more data than necessary (data minimization),
- Providing individuals with clear information about how and by whom their personal data is used,
- Process only relevant and appropriate personal data,
- To process personal data in accordance with equity and law,
- Keeping an inventory of the categories of personal data processed by the Company,
- Keeping personal data accurate and updated when necessary,
- To store personal data only for as long as required by legal regulations, the Company's legal obligations or legitimate corporate interests,
- To store personal data in a manner that does not allow access to the identifying information of Data Subjects for longer than is reasonably necessary for the purposes for which the personal data is processed,
- Ensure data privacy as a key factor at the inception and then throughout the lifecycle of any project or activity (Ensuring Privacy from the Start Principle),
- Respect the rights of individuals in relation to their personal data, including the right of access,
- Transfer personal data abroad only in accordance with the explicit consent of individuals or in the presence of adequate protection,
- To apply the exceptions permitted under the legislation,
- Establish and implement a personal data protection system for the implementation of the Policy,
- When necessary, to determine the internal and external stakeholders who are parties to the personal data protection system and the extent to which they are involved in the Company's personal data protection system,
- Identify employees with special powers and responsibilities related to the personal data protection system.
All personal data processing activities must be carried out in accordance with the following data protection principles. The Company's policies and procedures aim to ensure compliance with these principles:
- Compliance with the law and good faith
- Being accurate and up to date when necessary
- Processing for specific, explicit and legitimate purposes
- Being relevant, limited and proportionate to the purpose for which they are processed
- Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
In this direction, the Company includes disclosure and privacy notices in data collection channels and related forms regarding the personal data processing activities it performs. The areas where the notifications containing clear and understandable information about which data regarding whom and for what purposes are processed by the Company will be included and announced are determined by taking the opinion of the PDP Committee. The following issues are included in these notifications:
- Identity and contact information of the Company as the data controller,
- Types of personal data processed,
- Purposes of processing personal data,
- Methods of collecting personal data,
- The legal grounds on which personal data are processed,
- Rights of the data subject,
- Third parties with whom the data may be shared.
In the personal data inventory, the reasons/purposes for processing personal data are determined and personal data cannot be used for purposes other than the specified purpose without any other legal justification or explicit consent of the data subject. In the event that conditions arise that require the use of personal data for purposes other than those specified in the personal data inventory, this situation is notified to the PDP Committee by the relevant employee/unit/directorate. The PDP Committee checks the suitability of the new purpose and, if necessary, ensures that the data subject is informed about the new purpose and the new data processing activity.
Personal data must be processed in accordance with, relevant and limited to the purposes of processing and must be accurate and up-to-date. The accuracy and timeliness of data kept for a long period of time should be reviewed. The Company is responsible for training all employees on the accurate and up-to-date collection and storage of data.
The PDP Committee must be informed about all data collection channels.
The accuracy and timeliness of the data kept on employees is the responsibility of the relevant employee.
Employees/customers/clients/related organizations and other relevant persons must inform the Company to update the personal data processed.
Personal data should be processed in such a way that the data subject can only be identified if necessary for the purpose of data processing.
In cases where personal data is stored beyond the specified period due to backup etc. requirements or in cases of data security vulnerability, secure destruction methods determined by the Board are applied to protect the rights and freedoms of individuals.
When it is necessary to process personal data for more than the periods specified in accordance with the procedure defining the storage and destruction process, the written approval of the PDP Committee is obtained.
All Company units that process Personal Data are responsible for complying with the measures that enforce both the above-mentioned principles and applicable data protection laws and must be able to prove that they comply.
5.2. RISK ASSESSMENT
The Company identifies the risks associated with the processing of personal data types. If a certain type of data processing activity is likely to pose a high risk to personal rights and freedoms in line with its nature, context and purposes, the Company should manage potential risks by conducting an impact analysis prior to the data processing activity. A single assessment may be relied upon for multiple data processing activities involving similar risks.
If it is understood at the end of the impact analysis that the Company is about to start a data processing activity that may pose a high risk on personal rights and freedoms, the approval of the PDP Committee is sought. If the PDP Committee deems necessary, it obtains the opinion of the Board on the subject.
5.3. OBTAINING EXPLICIT CONSENT
The Company accepts as explicit consent the consent of the data subject for certain data processing activities and in cases required by the Law, based on information and expressing the will to process data about him/her with free will, written/verbal statement or explicit verifying action. Explicit consents are obtained in writing or in a systematically provable manner. Explicit consent can be revoked by the data subject at any time.
If the data processing activity based on explicit consent will be continuous or repeated, the explicit consents obtained are checked. The currency and accuracy of these explicit consents are the responsibility of the relevant unit. Explicit consent forms or other relevant proof tools regarding the data processing activity based on explicit consent are kept by the relevant unit.
5.4. DATA SECURITY
All employees are responsible for ensuring the secure retention of data processed by the Company and within their responsibilities, and for not disclosing it to third parties without signing a confidentiality agreement.
Only those who require access to personal data should have access to it.
Incidents that threaten the security of personal data shall be reported to the Board and the relevant individual within 72 hours from the time the incident is known, and in any case, as soon as the PDP Committee definitively determines them.
5.5. DATA SHARING
Personal data can only be shared with third parties in compliance with the law and fairness. Accordingly, one of the following conditions must be met for the sharing of personal data:
- The necessity for obtaining the explicit consent of the data subject,
- Being explicitly envisaged in the laws,
- Necessity for the protection of the life or bodily integrity of the data subject or another person who is physically or legally incapable of giving consent due to actual impossibility,
- Necessity for the establishment or performance of a contract to which the Company is a party or will be a party, provided that the processing of personal data of the parties to the contract is directly related,
- Necessity for the Company to fulfill its legal obligations,
- The data subject being made public by themselves,
- Necessity for the establishment, exercise, or protection of the rights of the Company,
- Necessity for the processing of data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
Personal data can only be transferred abroad if the conditions mentioned above are met and there is adequate protection in the destination country, or if explicit consent is obtained from the data subject regarding this transfer.
When transferring personal data abroad, the list of countries where adequate protection has been determined by the Board is taken into account.
When it comes to the transfer of personal data abroad, the KVK Committee ensures the necessary permissions and notifications at the Board in accordance with the Law and relevant legislation.
All transactions related to the sharing of personal data must be recorded in writing along with their justifications. These records are periodically audited by the KVK Committee.
In the absence of a legal basis or legal obligation, in the event of a regular data sharing relationship, a Data Sharing Commitment is made with the relevant party determining the conditions of data sharing.
5.6. MANAGEMENT OF RECORDS
Personal data cannot be kept for longer than necessary for the purposes of processing. The classification of records containing personal data and their retention periods are determined in accordance with the Personal Data Recording, Retention, and Destruction Procedure.
Personal data that has expired or needs to be destroyed upon the justified request of the data subject is anonymized, deleted, or destroyed in accordance with the procedure defined for retention and destruction.
5.7. DATA SUBJECTS' RIGHTS
Data subjects have the following rights regarding data processing activities and records held by the Company:
- Learning whether personal data is being processed,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are being used for this purpose,
- Knowing the third parties to whom personal data is transferred domestically or abroad,
- Requesting correction of personal data if it is incomplete or incorrect,
- Requesting the deletion or destruction of personal data that is processed without a legal basis or justification under the Law on the Protection of Personal Data or this policy,
- Requesting that corrections or deletions made upon request be notified to third parties to whom personal data has been transferred,
- Objecting to the emergence of a result against the person through the exclusive analysis of processed data by automatic systems,
- Demanding compensation for damages in case of damage due to the unlawful processing of personal data.
Data Subject's Application Procedure
Data subjects can submit their requests regarding their rights to the Company in accordance with the application procedures specified in the Communique on Principles and Procedures for Application to the Data Controller.
In this case, the Company will conclude the request free of charge within the shortest time possible and no later than 30 (thirty) days, depending on the nature of the request. However, if the process requires additional costs, the Company may request the fee specified in the tariff determined by the Board. The processes of receiving, transmitting, and concluding requests are carried out in accordance with the Data Subject Application Receiving, Evaluation, and Responding Procedure.
Notifications and the company's website include the data subjects' access rights and contact information so that data subjects can direct their requests.
All employees of the Company are responsible for guiding data subjects on the correct application method for data subject access requests, regardless of their job description. Employees should be informed by the KVK Committee on how to handle requests from data subjects.
In this context, applications can be made:
1. In person by the Data Subject,
2. Through a notary.
6. EFFECTIVE DATE AND MAINTENANCE OF CURRENT
This Policy shall enter into force on 01.09.2022 and shall be re-evaluated by the DPC Committee at the beginning of each year in line with the Law, relevant secondary legislation, Board Decisions, and Company business processes, and updated if necessary.
DATA SUBJECT APPLICATION RECEIVING, EVALUATION, AND RESPONSE PROCEDURE
Version : 1
Edit Date : 01.09.2022
This Data Subject Application Receiving, Evaluation, and Response Procedure ("Procedure") has been prepared to determine the principles and procedures regarding the receipt, evaluation, and response to applications made by data subjects to ("Company") for the purpose of obtaining information.
The procedures and processes related to the receipt, evaluation, and response to applications made by data subjects regarding personal data are carried out by the Company in accordance with this Procedure prepared accordingly.
1. DEFINITIONS
Law: |
Law No. 6698 on the Protection of Personal Data |
Board: |
Personal Data Protection Board |
Data Subject: |
Natural person whose personal data is processed |
Personal Data: |
Any kind of information relating to an identified or identifiable natural person as defined within the scope of the Law. |
2. RECEIVING THE APPLICATION
2.1. Form of Application
Data subjects shall submit their requests, in writing, to the Company's contact person in accordance with Article 13 of the Law to obtain information about their personal data collected by the Company and to exercise their rights specified in Article 11 of the Law.
Accordingly, applications made by data subjects can be made in writing as follows:
- The requests can be made personally by ensuring the verification of identity at our company's official address; or
- Through a notary in an official manner.
2.2. The Content of the Application
In order for the data subject's requests to be evaluated, it is first necessary to determine whether the data subject is the owner of the personal data processed by the Company. In this regard, it is required that the identity information of the data subject be clearly and truthfully stated in the applications made to our Company within the scope of the Law.
In conditional requests, the data subject must provide the necessary information on how this condition is met and submit the documents proving this claim to the Company.
Applications that are not made through the methods specified in this Procedure may be considered if the identity of the data subject has been determined and the information and/or documents requested by the Company within the scope of the Law have been provided. Otherwise, applications made through such methods will be rejected due to procedural irregularities.
Applications that do not meet the qualifications specified in this article will be evaluated, and communication with the data subject will be maintained until the requested information is obtained. However, if the requested information and/or documents are not provided by the data subject, the data subject's application will be rejected due to procedural irregularities.
3. OTHER CASES
3.1. APPLICATION MADE BY AN AGENT OR LEGAL REPRESENTATIVE
Applications to be made to the Company within the scope of the Law can also be made by the data subject's representative or legal guardian upon presentation of the official document proving the representation.
3.2. APPLICATION FEE
In the Law, it is envisaged that the Data Controller shall conclude the request transmitted to it free of charge. However, it is also stated that a fee may be charged in accordance with the principles determined by the Board if the process requires an additional cost. In this context, if the conclusion of the applications made to the Company requires any additional cost, the Company may request a fee from the Data Subject.
4. APPLICATION EVALUATION PROCESS
In the event that incomplete information and/or documents are detected in the applications made by the Data Subject, the Data Subject will be notified accordingly. If the requested information and/or documents are not provided by the Data Subject, the Data Subject's application will be rejected due to procedural irregularities.
In cases where it is not possible to respond to the Data Subject's application without sharing personal data belonging to third parties, the Company will apply the following three-step evaluation process:
- The possibility of responding to the application without sharing personal data belonging to a third party (for example, by deleting or anonymizing the personal data of the third party) will be evaluated.
- It will be determined whether the third party has given explicit consent for the sharing of their personal data.
- If explicit consent is not obtained from the third party, the possibility of sharing the personal data without obtaining explicit consent will be evaluated.
If it is not possible to conclude the application without sharing the personal data of a third party, the first step will be to seek explicit consent from the Data Subject whose personal data needs to be shared. If the third party does not consent to the sharing of their data, their information will be completely anonymized, and the application will be processed.
If it is not possible to reach the third party whose personal data will be shared, the Company will exercise maximum care and sensitivity in sharing the information containing the personal data of the third party. In this way, if necessary, the personal data of third parties may also be shared.
5. EVALUATION PERIODS FOR APPLICATIONS
The requests of the Data Subject will be evaluated and concluded by the Company within the shortest time possible and no later than thirty (30) days.
Applications made to the Company will be directed to the relevant department of the Company within a maximum of three (3) days; the investigations to be carried out by the department to which the application is directed will be concluded within a maximum of one (1) week.
6. RESPONSE TO APPLICATIONS
Applications made by the Data Subject to the Company are responded to by the designated contact person at the Company, and the responses to the applications include the following information:
- Applicant
- Requests
- Information and Documents Provided as a Result of the Requests
- Date of Receipt of the Request
- If additional information and documents related to the request have been requested; the date of these requests and the date of receipt of the relevant responses
- Actions taken regarding the request
- Company's Responses to Requests
- Date of Response to the Request
- Authorized Signature
Incident logs, documents, and outcomes related to the relevant application are stored in the electronic directory created for this purpose. A copy of the written correspondence record is also kept in the archive.
7. EFFECTIVENESS AND MAINTENANCE OF CURRENT
This Procedure came into effect on 01.09.2022 and will be re-evaluated by the DPC Committee at the beginning of each year in line with the Law, relevant secondary legislation, Board Decisions, and Company business processes, and updated if necessary.