BAYKAR MAKINE SANAYI VE TICARET ANONIM SIRKETI

Regarding Personal Data Processed in Recruitment Processes

Specifically for Applications Made via the Website

EMPLOYEE CANDIDATE PRIVACY NOTICE (“Privacy Notice”)

In accordance with the Personal Data Protection Law No. 6698 (“the Law”), our Company, Baykar Makine Sanayi ve Ticaret A.Ş (“Company” or “BAYKAR”), acting as the data controller, attaches great importance to personal data protection processes and aims to comply with the Law in all processes involving personal data.

With this awareness, we would like to inform you about the processing of your personal data within the scope of the Personal Data Protection Law No. 6698 (‘‘the Law’’) and the relevant legislation.  

1. PURPOSE AND LEGAL BASIS OF PROCESSING YOUR PERSONAL DATA IN THE CONTEXT OF THE PROCESS

Your personal data is processed in accordance with the Law and secondary regulations for the purposes and legal basis specified below.

In the Main Process of Conducting the Recruitment Process,

• Conducting Employee Candidate Selection and Employment Activities,

• Assessing Your Suitability for the Position,

• Conducting Necessary Operational Activities by Our Business Units;

• Your identity data, including your name, surname, nationality, place of birth, Turkish ID number, date of birth, place of birth, and gender data, are processed in accordance with the legal basis set out in Article 5/2 (f) of the Law, which states that data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
• Your Data in the Professional Experience Category; educational status, education information, transcript, portfolio, profession/title, previous work experience information, successful exam result information, project participation information, foreign language skills, seminar/certificate/course participation information, published publications, club membership, driving licence class, reference information, in accordance with the legal basis set out in Article 5/2 (f) of the Law, which states that data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
• Your contact details; your telephone number, residential address, email address information, in accordance with the legal basis set out in Article 5/2 (f) of the Law, which states that data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
• Your Data in the Criminal Conviction and Security Measures Category, information on the existence of a Criminal Record, if there is relevant sensitive personal data, in accordance with the legal basis of explicit consent under Article 6/3 (a) of the Law, and if there is no such data, in accordance with the legal basis of explicit consent under Article 5/1 of the Law,
• Your Data in the Health Category, information about medical operations you have undergone, physical disability status, and smoking habits, in accordance with the legal basis of explicit consent under Article 6/3 (a) of the Law,
• If you upload a photograph during your application; your Photographic and Audio Data, will be subject to processing activities under the legal basis of explicit consent under Article 5/1 of the Law.

Your personal data collected is processed for the purpose of conducting recruitment processes and fulfilling any legal obligations arising from these processes. In this context, your data is only accessible to authorised employees of our company and is used in a manner limited by their job descriptions. Access to data is protected by strong encryption methods and other security protocols, and all technical and administrative measures are taken against unauthorised access. In addition, your personal data is stored on our company's secure servers, and cyber security measures compliant with national and international standards are applied. In this context, your data will be stored for a maximum of one year, after which it will be securely deleted, destroyed or anonymized, unless required by relevant legislation or legal obligation. Destruction procedures are carried out in accordance with the procedures set out in the Personal Data Protection Law and related regulations.

Our company collects and processes your personal data through application forms filled out on our website in order to facilitate job application processes. In this process, to ensure data security, the information obtained through the form is stored on servers located abroad belonging to Amazon Web Services (AWS), from whom we receive infrastructure services.

As AWS acts as a data processor in this process, it is subject to the provisions on data transfer abroad under Article 9 of Law No. 6698 on the Protection of Personal Data. In accordance with the Law, certain conditions must be met for the transfer of personal data abroad. In this context, we are continuing our efforts to conclude a data processing agreement with AWS within the framework of standard contractual clauses to ensure the security and legal compliance of your data.

Once the agreement process is complete, the transfer of your personal data abroad will be carried out in full compliance with the Law. However, at this stage, the transfer of data to AWS servers located abroad is carried out based on the legal grounds of explicit consent, in accordance with Article 9 of the Law. Throughout the process, all administrative and technical measures are taken to ensure the security of your personal data, and it is carefully protected.

2. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

We would like to remind you that you have the following rights under Article 11 of the Law:

In the Main Recruitment Process,

• to learn whether your personal data is processed or not,
• to demand for information as to his/her personal data have been processed,
• to learn the purpose processing of his/her data and whether these personal data are used in compliance with the purpose,
• to know the third parties to whom his personal data are transferred in country or abroad,
• to request the rectification of the incomplete or inaccurate data, if any,
• to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
• to request reporting of the operations carried out in compliance with sub-paragraphs (d) and e) to third parties to whom his personal data have been transferred,
• to object to the occurrence of a result against the person himself/herself by analyzing the processed data solely through automated systems,
• to claim compensation for the damage arising from the unlawful processing of his/her personal data.

You may submit your requests within the scope of your rights specified in Article 11 of the Law to the Company in writing or via registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the email address you provided when opening your Company account, through info@baykartech.com. Depending on the nature of your request and the method of application, the Company may request additional verifications (such as sending a message to your registered phone number or calling you) to determine whether the application belongs to you.

Your application must include:

• Your first name, surname and, if your application is in writing, your signature,
• Turkish Republic identity number for Turkish citizens, nationality, passport number or identity number (if available) for foreigners,
• Residential and business address subject to the notification,
• E-mail address, telephone and fax number (if available) for notification purposes,
• Subject of the request,

must be included.

The Company shall conclude the demands in the request within the shortest time by taking into account the nature of the demand and at the latest within thirty days and free of charge. However, if process requires additional costs, fees may be charged in the tariff specified in Article 7 of the Communiqué. If the request is caused due to the fault of the data controller, the fee is refunded to data subject.

BAYKAR MAKINA SANAYI VE TICARET ANONIM SIRKETI

INFORMATION REGARDING RIGHT TO MAKE A REQUEST TO THE DATA CONTROLLER CONCERNING PERSONAL DATA

As Baykar Makina Sanayi ve Ticaret A.S., we exercise the utmost care in the processing and protection of your personal data. In line with the principles of transparency and accountability, we manage your personal data in accordance with the law and meticulously implement all administrative and technical measures.

Under the Personal Data Protection Law No. 6698 (‘‘the Law’’), data subjects are granted certain rights regarding the processing of their personal data. The procedures and principles for exercising these rights are set out in the Communiqué on the Principles and Procedures for the Request to Data Controller. In order to ensure that your requests are processed effectively and concluded in accordance with the provisions of the Law, the following information and request form are provided to you.

1. Your Rights Under the Application

Under Article 11 of the Law, which regulates the rights of the data subject, you may exercise the following rights by submitting a request to the Company regarding the protection and processing of your personal data within the scope of your legal relationship with the Company:

a) to learn whether your personal data is processed or not,

b) to demand for information as to his/her personal data have been processed,

c) to learn the purpose processing of his/her data and whether these personal data are used in compliance with the purpose,

ç) to know the third parties to whom his personal data are transferred in country or abroad,

d) to request the rectification of the incomplete or inaccurate data, if any,

e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

f) to request reporting of the operations carried out in compliance with sub-paragraphs (d) and (e) to third parties to whom his personal data have been transferred,

g) to object to the occurrence of a result against the person himself/herself by analyzing the processed data solely through automated systems,

ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

2. Circumstances Excluded from the Scope of the Right to Apply

Your right to apply cannot be exercised in the following circumstances, except for the right to request compensation for your damage:

a) Where the processing of personal data is necessary for the prevention of crime or for criminal investigations.

b) Where the processing of personal data is made public by the data subject themselves.

c) Where the processing of personal data is necessary for the performance of supervisory or regulatory tasks by public institutions and organisations authorised by law, or by professional organisations with public institution status, or for disciplinary investigations or prosecutions.

ç) Where the processing of personal data is necessary for the protection of the State's economic and financial interests in relation to budget, tax and financial matters.

3. Application Methods

Data subjects may submit their requests to our Company using the following methods:

1. Written Application:

• In-Person Application: The data subject may personally deliver a wet-signed copy of the form, along with documents proving their identity, to our Company at the address below.
• By Post or Notary: A wet-signed copy of the form may be sent to the following address via notary or registered post with return receipt.

Address: Baykar Makina San. ve Tic. A.Ş. Orhangazi Mah. Hadımköy-İstanbul Cad. No:258 Esenyurt/İstanbul

2. Electronic Application:

• Via Registered Electronic Mail (KEP): The data subject may send the form signed with a secure electronic signature to our KEP address.
• By email: The data subject may send the form by email using the email address previously provided to our Company and registered in our system.

KEP Address: info@baykartech.com  Email Address: info@baykartech.com

4. Identity Verification

In accordance with the principle that personal data belongs solely to the relevant individual and that confidentiality must be maintained, identity verification is carried out during applications. Once the application has been received by us, identity verification is performed based on the information and documents provided. If additional information or documentation is required to verify the identity of the data subject, additional documents may be requested from the data subject.

If the available information is insufficient to verify identity or if it is not possible to link the personal data to the data subject, the application will be rejected.

5. Assessment and Response to the Application

The data subject's request is assessed in accordance with the Communiqué on the Principles and Procedures for the Request to Data Controller. If the request is accepted, the necessary procedures are carried out and the data subject is informed that the request has been fulfilled. If the request is rejected, justified grounds are provided along with the rejection response to the data subject. It is also possible for requests to be partially accepted or partially rejected.

If the request contains information concerning another person, information belonging to third parties is anonymised to the extent possible. Where anonymisation is not possible, the request may be rejected with an explanation of the justified reasons.

Requests are finalised within the shortest possible time and no later than 30 days from the date they are received by our Company and communicated to the data subject. For written requests, the date of submission is considered to be the date on which it is notified to our Company. For requests made electronically, the date on which the request is received by our Company is considered to be the date of submission.

Unless otherwise specified, the response to the data subject's request is sent in writing by registered post with return receipt requested. If the data subject requests that the response be sent by a different method (e.g., email or KEP address), the response will be provided by this method to the extent possible.

No fee is charged for responding to the data subject's application. However, if it is deemed that the right to apply has been abused, a processing fee of 1 Turkish Lira will be charged for each page exceeding the first ten pages, provided that the first ten pages are free of charge. If the response to the application needs to be provided on a digital recording medium such as a CD or flash drive, only the cost of the recording medium used may be charged. The fee charged will not exceed the relevant cost.

6. Application on Behalf of Another Person

If the application is to be made on behalf of another person, an official document proving the data subject's authority to represent the relevant person (e.g. power of attorney for solicitors, court order for guardianship, etc.) must be attached to the application. In cases where no authorisation document is provided, the application will not be accepted and no information will be shared, in accordance with the principle of personal data protection.

Obtaining another person's personal data by deliberately providing false information constitutes the offence of ‘‘Unlawful Acquisition of Personal Data’’ under Article 136 of the Turkish Penal Code. Persons committing this offence are subject to imprisonment for a term of two to four years.