Protocol on The Protection of Personal Data

This Protocol on the Protection of Personal Data (“Protocol“) contains the commitments of Kolay Yazılım Anonim Şirketi (“Kolay İK“), located at Mesa Koz Sahrayıcedit Mah. Atatürk Cad. No:69 K:5 D:81 Kadıköy, İstanbul, Turkey and [_____], located at [_____] (“Customer“) (individually “Party” and collectively “Parties“), with regard to the personal data transferred by the Customer to Kolay İK under the Human Resources and Personnel Management Program User Agreement (“Agreement“).

1. Under this Protocol;
   1. “Personal Data“; means any information related to a real person that can be identified directly or indirectly, 
   2. “Sensitive Personal Data“; means personal data about the race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations or unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data (within the scope of this Protocol, the term “Personal Data” will also include “Sensitive Personal Data” as appropriate), 
   3. “Processing“; means any operation performed on personal data, either fully or partially automated or non-automated, such as obtaining, recording, storing, maintaining, modifying, rearranging, disclosing, transferring, taking over, making it obtainable, classifying, or preventing its use, 
   4. “Law“; means the Law No. 6698 on the Protection of Personal Data.
2. The Parties acknowledge, declare and undertake to comply with the procedures and principles set forth in the Law, relevant regulatory procedures, provisions on the protection of Personal Data in the applicable legislation and decisions of the Personal Data Protection Board.
3. The Customer acknowledges, declares and undertakes that it shall process Personal Data to be transferred to Kolay İK in accordance with the procedures and principles specified in the Law, relevant regulatory procedures, provisions on the protection of Personal Data in the applicable legislation; and that it has informed data subjects of the Personal Data to be transferred to Kolay İK in accordance with the procedures and principles specified in the Law, relevant regulatory procedures, and provisions on the protection of Personal Data in the applicable legislation; and that it has obtained explicit consents of data subjects if necessary. The Customer also declares and undertakes that the transferred Personal Data is accurate and up-to-date, the processing purposes are specific, clear and legitimate; that the processed Personal Data is relevant, limited and proportionate to the processing purposes; and that it has taken all necessary technical and administrative measures to ensure an appropriate level of security in accordance with the Law and will inform Kolay İK and also inform Kolay İK about the compliance with the mentioned technical and administrative measures when necessary.
4. The Customer acknowledges and undertakes to clearly specify the purpose and duration of processing for the Personal Data transferred to Kolay İK. Kolay İK agrees and undertakes not to use, process, archive, or transfer the Personal Data to any third party or entity, either domestically or internationally, except for the purposes of the Agreement and when necessary for the performance of the Agreement.
5. The Customer undertakes to provide Kolay İK with the necessary information to erase the Personal Data in case the data subjects of the Personal Data transferred to Kolay İK withdraw their explicit consent to processing and transfer, and/or request the erasure of their Personal Data. If requested by the Customer, Kolay İK accepts, declares and undertakes to fulfill the erasure, destruction, anonymization, modification, and similar actions of Personal Data in accordance with the Law within a reasonable period required by the performance.
6. Kolay İK acknowledges, declares, and undertakes to take necessary and reasonable technical and administrative measures stipulated by the applicable legislation to prevent unauthorized access by its employees or third parties and unlawful use of Personal Data shared with or obtained on behalf of the Customer for purposes other than transfer.
7. Kolay İK shall notify the Customer within 72 hours at latest in the event of an data breach regarding the systems used within the scope of the performance of the Agreement which affects personal data transferred by the Customer. 
8. If the personal data transferred to Kolay İK by the Customer is a Sensitive Personal Data, the Customer shall transfer such personal data to Kolay İK in accordance with Article 6 of the Law, applicable legislation and the decisions of the Personal Data Protection Board and shall ensure additional security measures and authorizations.
9. Kolay İK shall be responsible for ensuring that its employees and, if applicable, subcontractors maintain the security of personal data shared with Kolay İK or obtained on behalf of the Customer. Kolay İK accepts, declares and undertakes that it shall be liable for damages within the scope of this Agreement arising due to acts of its employees and, if applicable, subcontractors to the extent of its fault and shall indemnify all direct damages faced by the the Customer as established by a finalized court or administrative authority decision to the extent of its fault. 
10. Parties accept, declare and undertake to redirect the data subject requests concerning the other Party, whether directly or indirectly conveyed to them, to the relevant Party, within a maximum of three business days and to act in accordance with the Law in this regard.
11. Kolay İK acknowledges and agrees that the Customer has the right to conduct an audit, either directly or through a third party, limited to compliance with the Agreement and this Protocol, and if the Customer requests such audit in writing within fifteen (15) days, Kolay İK shall allow such audit and cooperate with the Customer in a reasonable manner. The Customer shall provide the findings of such audit to Kolay İK, and in case of any violation of the Law, the Customer shall allow Kolay İK a reasonable time to remedy such violation.
12. Kolay İK reserves the right to recourse against the Customer for any damages that Kolay İK may incur, any legal, administrative and criminal sanctions that it may face, and any compensation it may be obliged to pay due to the Customer’s non-compliance with this Protocol or applicable legislation, or reasons arising from the Customer, the Customer’s business partners, or third parties to whom Personal Data is sent by the Customer. The Customer acknowledges, declares, and undertakes that if Kolay İK makes a request for these reasons, the Customer shall immediately pay the direct and indirect damages incurred by Kolay İK in cash and in full to Kolay İK.