PERSONAL DATA PROTECTION AND PRIVACY NOTICE

The protection of personal data is a sensitive and important matter for our company as a Data Controller established abroad. We attach great importance and care to the processing of your Personal Data in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”), as well as national and international legislation. As the Data Controller, we adopt the principles stipulated by the relevant law and fully comply with our obligations regarding the processing, deletion, anonymization, transfer of personal data, informing data subjects, and ensuring data security.

As Niecegames, within the scope of Law No. 6698 on the Protection of Personal Data, related legislation, and legal regulations, we would like to inform:

  • Our Potential Product or Service Customers,
  • Individuals Purchasing Products or Services and their Parents/Guardians/Representatives,
  • Employees of Our Suppliers,
  • Authorized Representatives of Our Suppliers,
  • Members of the Board of Directors and Our Shareholders,

about the processing, storage, and transfer of their personal data.

Scope of this Privacy Notice

This Privacy Notice includes:

  • Methods and legal grounds for collecting personal data,
  • Categorization of data subjects and processed personal data,
  • Business processes and purposes for which personal data is used,
  • Administrative and technical measures taken to ensure personal data security,
  • Transfer of personal data,
  • Retention periods and destruction methods of personal data,
  • Rights of data subjects.

a) Methods and Legal Grounds for Collecting Personal Data

Your Personal Data may be collected verbally, in writing, electronically, or through technical and other methods for the purposes specified in this Privacy Notice, in order to fully and accurately fulfill legal obligations and conduct commercial activities. Such data may be processed by our company or by data processors authorized by our company.

Your Personal Data is processed within the scope of Articles 5 and 6 of Law No. 6698 in cases where:

  • It is expressly provided for by law,
  • It is directly related to the establishment or performance of a contract,
  • It is necessary for our Company to fulfill its legal obligations as the Data Controller,
  • The data has been made public by the data subject,
  • Data processing is necessary for the establishment, exercise, or protection of a legal right,
  • Data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject,

and where none of the above conditions apply, based on your explicit consent.

b) Categorization of Data Subjects and Processed Personal Data

Data Subject Categories

  • Potential Product or Service Customers
  • Individuals Purchasing Products or Services and Employees
  • Employees of Suppliers
  • Authorized Representatives of Suppliers
  • Members of the Board of Directors and Shareholders

Categories of Personal Data Processed

a. Identity Information

  • Potential Product or Service Customers (Website Visitors)
  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives
  • Shareholders/Partners

b. Contact Information

  • Potential Product or Service Customers (Website Visitors)
  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives
  • Shareholders/Partners

c. Legal Transaction Information

  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives

d. Customer Transaction Information

  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives

e. Transaction Security Information

  • Potential Product or Service Customers (Website Visitors)
  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives
  • Shareholders/Partners

f. Financial Information

  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives
  • Shareholders/Partners

g. Marketing Information

  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives

h. Visual and Audio Records

  • Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)
  • Supplier Employees
  • Supplier Representatives

c) Business Processes and Purposes for Using Personal Data

Potential Product or Service Customers (Website Visitors)

  • Conducting information security processes
  • Managing access authorizations
  • Following and conducting legal affairs
  • Conducting sales processes
  • Providing after-sales support services
  • Managing communication activities
  • Responding to information requests
  • Conducting marketing and analysis activities
  • Marketing products and services
  • Managing customer relations and satisfaction processes
  • Conducting strategic marketing activities
  • Storage and archiving activities
  • Risk management processes
  • Tracking requests and complaints
  • Ensuring operational security of the Data Controller

Individuals Purchasing Products or Services and Parents/Guardians/Representatives (Registered Members)

  • Conducting information security processes
  • Managing access authorizations
  • Ensuring compliance with legislation
  • Conducting finance and accounting activities
  • Following and conducting legal affairs
  • Managing communication activities
  • Conducting purchasing processes
  • Conducting sales processes
  • Providing after-sales support services
  • Conducting production, service, and operational processes
  • Managing customer relationship processes
  • Conducting customer satisfaction activities
  • Marketing and analysis activities
  • Managing advertising, campaign, and promotion processes
  • Risk management activities
  • Storage and archiving activities
  • Contract management processes
  • Tracking requests and complaints
  • Marketing products and services
  • Ensuring operational security of the Data Controller
  • Providing information to authorized persons, institutions, and organizations
  • Conducting management activities

Supplier Employees

  • Finance, accounting, and procurement activities
  • Access authorization management
  • Information security processes
  • Compliance with legislation
  • Storage and archiving activities
  • Legal affairs management
  • Business operations and auditing activities
  • Purchasing processes
  • Sales processes
  • After-sales support services
  • Production, service, and operational activities
  • Supply chain management
  • Communication activities
  • Contract management
  • Providing information to authorized institutions and organizations

Supplier Representatives

  • Finance, accounting, and procurement activities
  • Access authorization management
  • Information security processes
  • Compliance with legislation
  • Storage and archiving activities
  • Legal affairs management
  • Business operations and auditing activities
  • Purchasing processes
  • Sales processes
  • After-sales support services
  • Production, service, and operational activities
  • Supply chain management
  • Communication activities
  • Contract management
  • Providing information to authorized institutions and organizations

Shareholders/Partners

  • Information security processes
  • Access authorization management
  • Finance, accounting, and procurement activities
  • Business operations and auditing
  • Purchasing processes
  • Production, service, and operational activities
  • Organization and event management
  • Contract management
  • Supply chain management
  • Providing information to authorized institutions and organizations

d) Administrative and Technical Measures for Personal Data Security

As Niecegames, we attach utmost importance to implementing administrative and technical measures determined under Law No. 6698, related legislation, and decisions of the Personal Data Protection Board.

By taking necessary administrative and technical measures, we prevent unauthorized access, unlawful processing, disclosure, alteration, or destruction of personal data against risks arising internally or externally.

Administrative Measures

  • Preparation of Personal Data Inventory
  • Corporate Policies (Access, Information Security, Usage, Retention, Destruction, etc.)
  • Contracts (Data Controller – Data Processor Agreements)
  • Confidentiality Commitments
  • Periodic and/or Random Internal Audits
  • Inclusion of Legal Provisions in Employment Contracts and Disciplinary Regulations
  • Corporate Communication (Crisis Management, Information Processes, Reputation Management, etc.)
  • Training and Awareness Activities (Information Security and KVKK Training)
  • Registration and Notification to VERBIS

Technical Measures

  • Authorization Matrix and Access Control
  • Access Logs and User Account Management
  • Network and Application Security
  • Penetration Testing and Firewalls
  • Intrusion Detection and Prevention Systems
  • Log Records and Data Loss Prevention Software
  • Backup Systems and Updated Antivirus Solutions
  • Deletion, Destruction, or Anonymization Procedures

e) Transfer of Personal Data

Our Company may transfer your personal data to relevant parties in line with the above-mentioned processing purposes and the conditions set forth in Articles 8 and 9 of the KVKK. In addition, data processed through cloud technologies may be transferred to secure third-party infrastructure providers.

To provide greater value and improve service quality, your data may be shared with affiliated institutions, suppliers, business partners, authorized public authorities, and other relevant parties both domestically and internationally.

Main recipients include:

  • Niecegames Internal Departments (for Coordination and Efficiency Purposes)
  • Research and Marketing Companies
  • Banks and Payment Service Providers
  • Natural Persons and Private Legal Entities
  • Domestic and International Cloud Service Providers
  • Law Firms and Legal Authorities
  • Authorized Public Institutions and Organizations
  • Suppliers and Business Partners

f) Retention Periods and Destruction Methods of Personal Data

Retention periods for personal data are determined as follows:

  • If a retention period is prescribed by applicable legislation, data will be retained for at least that period.
  • If no legal retention period is specified, data will be retained for a reasonable period considering the purpose of processing and the principles of the KVKK.
  • At the end of the applicable retention period, data will be deleted, destroyed, or anonymized.

g) Rights of Data Subjects

Pursuant to Article 11 of Law No. 6698, as data subjects, you have the right to:

  • Learn whether your personal data is processed,
  • Request information regarding processed personal data,
  • Learn the purpose of processing and whether data is used in accordance with that purpose,
  • Learn the third parties to whom personal data is transferred domestically or abroad,
  • Request correction of incomplete or inaccurate personal data,
  • Request deletion or destruction of personal data within the framework of Article 7 of the Law,
  • Request notification of corrections, deletions, or destructions to third parties to whom data has been transferred,
  • Object to outcomes against you arising solely from automated processing,
  • Request compensation for damages suffered due to unlawful processing of personal data.

You may submit your requests and applications, including but not limited to the rights listed above, through the Personal Data Protection Law Data Subject Application Form, either in writing in person or via a notary public, Registered Electronic Mail (KEP), secure electronic signature, mobile signature, or the email address registered in our system.

Your requests will be concluded free of charge as soon as possible and no later than thirty (30) days, depending on the nature of the request. However, fees may be charged in accordance with the applicable legal tariff.