PRIVACY AND PERSONAL DATA PROTECTION POLICY

PURSUANT TO THE LAW NO. 6698 ON THE PERSONAL DATA PROTECTION

LEGAL BASIS
Protection of personal data is an important issue for International Student Services Ltd (hereinafter referred to as "ISIC TÜRKİYE" or "COMPANY") and/or its affiliated companies. ISIC TÜRKİYE, first and foremost, complies with the Law No. 6698 on the Protection of Personal Data and adopts its principles ("PDP Law") (Date of Adoption: 24/3/2016 | Date of Official Gazette Published: 7/4/2016 No: 29677); and subsequently adopts the principles stipulated by the Law No. 6563 on the Regulation of Electronic Commerce, the Turkish Penal Code No. 5237 and all other legislation's criminal and administrative sanctions regarding personal data.

ISIC TÜRKİYE shows the utmost sensitivity to the security of your personal data and accordingly, ISIC TÜRKİYE attaches great importance to the processing and storage of all kinds of personal data belonging to all persons associated with ISIC TÜRKİYE in the best possible and careful manner. Accordingly, within the scope of the Law No. 6698 on the Protection of Personal Data ("Law") and the relevant legislation, your personal data notified to ISIC TÜRKİYE as Data Controller and/or provided externally as ISIC TÜRKİYE may be processed within the framework of the purpose and defined limits explained below.

Within the framework of the explanations made in the Personal Data Processing Policy, we inform you that you will be deemed to have declared that you have given your explicit consent to the processing of your personal data by reading and understanding this Policy and that you have declared your acceptance by checking the box "I have read and accept the Privacy and Personal Data Protection Policy" when applying for an ISIC card.

1. DATA CONTROLLER
In subparagraph (ı) of paragraph 1 of Article 3 of the Law, the data controller is defined as "natural or legal persons who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system". Within this framework, ISIC TÜRKİYE is the Data Controller.

2. THE PURPOSE FOR WHICH PERSONAL DATA MAY BE PROCESSED
ISIC TÜRKİYE, within your explicit consent and then in cases to the permitted by the legislation, will be able to record, store, update, disclose to third parties, transfer, classify, process, and maintain your Personal Data for the period required for these purposes.

In this context, some "Personal Data" of the "Relevant Person" Member and/or User may be collected and processed by ISIC TÜRKİYE while using ISIC TÜRKİYE's web and mobile site, mobile applications and/or other online/magnetic media services.

Your Personal Data is used for the following purposes:

Ensuring the legal and commercial security of ISIC TÜRKİYE and persons and institutions in business relationship with ISIC TÜRKİYE, (proper planning and execution of ISIC TÜRKİYE, our commercial partnerships and strategies, ensuring the physical security and control of the Company's locations, business partner (authorized or employees) evaluation processes, reputation research processes, legal compliance process, audit, financial affairs, etc.).
Fulfillment of legal obligations and exercise of rights arising from applicable legislation,
Providing information to public officials on matters related to public security upon request and as required by legislation,
Membership transactions can be made, Database can be created
Improving the services offered through the web and mobile site and mobile application, developing new services and providing information about them,
To communicate with our users regarding the conditions, current status and updates of the contracts we have concluded within the scope of the relevant articles of the Law on the Protection of Consumers with the user agreement and the relevant articles of the Law on Consumer Protection and the contracts concluded with the Merchants within the scope of the Turkish Commercial Code No. 6102, to provide the necessary information, to fulfill the obligations in accordance with the contracts,
To record the name/surname of natural persons and the title of legal entities as well as address, e-mail information and other necessary information for communication,
To organize all records and documents that will be the basis of the transaction in electronic (internet/mobile etc.) or written environment,
To create and increase user satisfaction, loyalty and commitment, to recognize our users who purchase services from the website and mobile site and/or mobile applications and to use them in user environment analysis, to use them in various marketing and advertising activities and to organize surveys in electronic environment and/or physical environment through contracted organizations in this context,
With your consent to receive commercial electronic messages, to prepare content suitable for the member's transaction history, to make marketing, to offer discounts or any benefits,
Traffic information of users who visit the web and mobile website or mobile application, whether they are users or not, for the purpose of fulfilling the obligations arising from the Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications and the relevant secondary legislation,
In order to evaluate and manage complaints and suggestions to ensure member satisfaction with our services,
Confirming the identity information of Users who purchase services through the website and mobile site and mobile applications and recording the address and other necessary information required for communication,
Recording the location information of the merchants and the transaction history of the merchants,
Saving the transaction history of users in which merchants the users/members use their benefit card the most while using the website, mobile site and mobile application for use in marketing strategies,
Providing suggestions and solutions to our users by our contracted institutions, Merchants and solution partners and informing our users within the scope of the legislation regarding the services we provide,
Ensuring and improving coordination, cooperation and efficiency within or between units within ISIC TÜRKİYE,
Ensuring the security of the web and mobile site, mobile application and other magnetic/electronic systems and physical environments used by ISIC TÜRKİYE,
Notification of changes in the terms of the contracts we have concluded within the scope of the legislation or in the rules and policies accepted or other notifications concerning the data subject,
Investigation, detection, prevention and reporting of breaches of contract and law to the relevant administrative or judicial authorities,
Resolution of existing and future legal disputes,
Employee recruitment needs and execution of recruitment processes within the framework of ISIC TÜRKİYE recruitment policies, development and improvement of public relations and marketing policies,
Evaluating and finalizing the eligibility of job applications and contacting job applicants,
Data processing is mandatory for the establishment, exercise or protection of a right,
Protection of ISIC TÜRKİYE's legitimate interests, provided that the fundamental rights and freedoms of the data subject are not harmed.
Your personal data may be processed when you use the call centers, web and mobile site as a member/user in order to use the services of ISIC TÜRKİYE.
Within the scope of the PDP Law, personal data cannot be processed without the explicit consent of the person concerned. However, in accordance with Article 5/2 of the PDP Law, it is possible to process personal data without the explicit consent of the person concerned under certain circumstances.

Your explicit consent will not be sought for the processing of your personal data in the presence of the following situations:
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject;
Data processing is mandatory for the establishment, exercise or protection of a right;
It has been made public by the person concerned;
It is mandatory for the data controller to fulfill its legal obligation;
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, or of another person explicitly stipulated in the law.

3. TO WHOM AND FOR WHAT PURPOSE THE PROCESSED PERSONAL DATA CAN BE TRANSFERRED
Although personal data cannot be transferred without the explicit consent of the data subject under the PDP Law, it is possible to transfer personal data without the explicit consent of the data subject if the necessary conditions are met in accordance with the provisions of Articles 8 and 9 of the PDP Law. As stated in the guidance of the PDP Authority, data transfer within a legal entity that has the title of data controller cannot be considered as transfers to third parties. When individuals share their personal data with a legal entity, the legal entity has the title of data controller. The transfer of data between employees or different units operating within the legal entity is not a transfer to a third party in this sense.

4. TRANSFER OF PERSONAL DATA DOMESTICALLY AND ABROAD
4.1 Domestic Transfer of Your Personal Data
Your personal data mentioned above are transferred to our domestic business partners for the purposes and reasons stated above.

4.2 Transfer of Your Personal Data Abroad
Your personal data may be shared with our third party business partners abroad for the purposes stated above. With this Privacy and Personal Data Protection Policy, you consent to the transfer of your personal data abroad.

Website of ISIC TÜRKİYE is hosted on servers provided by Tilda. The data coming from the online forms are sent at once to the data capture services connected to the forms. Before they are sent, they are stored on Tilda servers. Data centers where the servers are located comply with the international TIER III standards. That is, the security of our website’s data is of the highest level. Tilda's technical information is available at https://tilda.cc/lp/technical-information/

ISIC TÜRKİYE uses Stripe and Iyzico payment infrastructure, which is a virtual POS application. With the use of this infrastructure, Members' credit card data can be stored by Stripe and Iyzico. We recommend that you review the Stripe and Iyzico Privacy Policy: https://stripe.com/privacy and https://www.iyzico.com/en/privacy-policy

We share your personal data with the following parties:
(a) Companies and organisations that are subsidiaries of our organisation and with the ISIC Association: these companies and this organisation will only use your personal data in the same way as we can under this Privacy Policy. The subsidiaries we will share your personal data with: ISIC Service Office DOOID No. 21520209, ISS Global Kart Satış Hizmetleri Ltd. Şti.
(b) Service providers, partners and advisors: third parties who provide a service to us, partner with us on marketing and other business activities, advise us or that we work with in other business capacities. The service providers, partners and advisors we will share your personal data with: Orchitech Solutions, Amazon Web Services EMEA SARL, Google Ireland Limited.

5. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
Your personal data that we process for the above-mentioned purposes can be obtained physically, electronically or through closed circuit imaging systems and other methods. In the processing of your personal data, we adhere to the legal reasons set out in Articles 5 and 6 of the Law, and we seek your consent when required by law.

6. MEASURES FOR THE STORAGE AND PROTECTION OF PERSONAL DATA
Personal data shared with ISIC TÜRKİYE is under the supervision and control of ISIC TÜRKİYE. ISIC TÜRKİYE has assumed the responsibility as the data controller to establish the necessary organization and take and adapt technical measures in order to protect the confidentiality and integrity of the information in accordance with the provisions of the relevant legislation in force. We would like to inform you that we always update our data processing policies with the awareness of our obligation in this regard.

7. YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA (DATA SUBJECT RIGHTS)
In accordance with the relevant article of the Law regarding your processed personal data;

Learn whether personal data is being processed,
Request information if personal data has been processed,
To learn the purpose of processing personal data and whether they are used for their intended purpose,
To know the third parties to whom personal data are transferred domestically and/or abroad,
To request correction of personal data in case of incomplete or incorrect processing,
Request deletion or destruction of personal data,
In the event that personal data is incomplete or incorrectly processed, to request that third parties to whom personal data is transferred be notified of the transactions regarding the correction and/or deletion or destruction of personal data,
To object in the event that an unfavorable result may arise if the processed data is processed exclusively by analyzing it through automated systems,
You have the right to demand compensation for damages in case of damage due to unlawful processing of personal data.
You can submit your requests to exercise your rights mentioned above and arising from the Law and any questions regarding your personal data, in Turkish and in writing, by using your registered electronic mail (KEP) address, secure electronic signature, mobile signature or your electronic mail address that you have previously notified to our Company and registered with our Company from the "Contact Us" section of our website or by filling out the application form; You can apply to ISIC TÜRKİYE by sending the relevant form to info@isicturkiye.com e-mail address.

Our Company will process your request within this scope free of charge as soon as possible but within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee determined by ISIC TÜRKİYE may be charged. Our Company reserves the right to verify your identity before responding.


DECLARATION OF EXPLICIT CONSENT FOR FOREIGN TRANSFER WITHIN THE SCOPE OF PERSONAL DATA PROTECTION LAW

SIA International Student Services Ltd ("ISIC TÜRKİYE" or "Company") within the framework of the general Clarification Text and Privacy and Personal Data Protection Policy within the Scope of the Law on the Protection of Personal Data, which is presented in accordance with the relevant provisions of the Law No. 6698 on the Personal Data Protection ("PDP Law");

All my personal data received by the Company may be transferred to business partners and service providers abroad for the purposes of providing business development services, providing statistical and technical services and conducting customer relations, providing the payment infrastructure required for the application and keeping customer data, archiving and storing customer data, taking the necessary security measures, provided that they are subject to the purposes specified by the Company, and may be subject to processing and stored here. In order to maintain the services related to the management of call center processes, the Company's employees, officers, foreign/international group companies (Company and/or its business partners, shareholders), legally authorized public institutions and organizations, foreign/international independent audit companies within the framework of legal obligations and legal limitations in order to carry out their activities, servers with overseas information technology support, I hereby accept and declare that my personal data may be transferred to hosting and infrastructure provider companies, electronic media such as programs, cloud computing, business partners and service providers located in a European Union member country and in the United States of America, where the Company receives services or works together for the execution of the services and/or activities to be provided to me, and that I have explicit consent to the transfer of my personal data abroad in this context.

In addition, I accept and declare that the personal data I have shared with the Company are accurate and up-to-date and that I will notify the Company of any changes in this information.

I hereby accept and declare that I have explicit consent to the processing of my personal data within the scope of the PDP Law, to be used and shared limited to the purpose of processing explained within the scope of the relevant process, to be stored for the required period of time and that the necessary clarification has been made to me in this regard; I accept and declare that I have read and understood this text, Privacy and Personal Data Protection Policy and Clarification Text.