İSTANBUL KÜLTÜR VE SANAT ÜRÜNLERİ TİC.A.Ş. Privacy notice on Personal Data Protection Law (PDPL)

İSTANBUL KÜLTÜR VE SANAT ÜRÜNLERİ TİC.A.Ş. ("ISTANBUL KÜLTÜR A.Ş."), as a data controller within the scope of the Personal Data Protection Law No. 6698 ("KVKK") processes your personal data due to the activities it carries out. ISTANBUL KÜLTÜR A.Ş. takes all necessary technical and legal measures in processing personal data. Relevant individuals can access detailed information on the processing of their personal data, the transfer to third parties, the legal reasons for collecting personal data, and the rights specified in the PDPL from the following privacy notice.


I. Purposes of Processing Personal Data

Your personal data may be processed by ISTANBUL KÜLTÜR A.Ş. as the data controller or by individuals/legal entities appointed by it, in accordance with the conditions specified in Articles 5 and 6 of the Personal Data Protection Law for the following purposes:

● Execution of public services to be carried out within the scope of the duties and responsibilities of Istanbul Metropolitan Municipality under Law No. 5216 on Metropolitan Municipalities and relevant legislation,
● To provide healthy services to individuals living in Istanbul and those residing in our city for various reasons, to improve the quality of life and living standards of citizens living in Istanbul, to ensure effective and rapid utilization of public services,
● To improve, develop, diversify our services, and to provide alternatives to individuals/legal entities with whom we are in commercial relations,
● To ensure communication and cooperation between our company and IMM, provision of coordination, implementation of joint business areas, identification of the needs of our customers and employees, fulfillment of obligations related to contracts, customer tracking, creation of a joint database, facilitation of the functionality of the joint database, provision of communication and marketing convenience, brand and reputation management,
● Preparation of various reports, research, and presentations, planning of emergency management processes, monitoring of finance and accounting affairs, ensuring security within our company,
● Conducting training activities,
● Fulfillment of contractual obligations towards suppliers and customers,
● Fulfillment of legal obligations,
● With your consent in this regard, promotion and marketing,
● Execution and monitoring of financial reporting and risk management processes, creation and monitoring of visitor records, development and improvement of public relations and marketing policies.


II. Transfer of Personal Data

Your processed personal data may be transferred to the following recipients and within the framework of the conditions specified in Article 8 of the Personal Data Protection Law, for the purposes stated below:

● To our business partners or Istanbul Metropolitan Municipality and IMM subsidiary companies for the purpose of fulfilling public services and commercial activities and ensuring their continuity,
● To our suppliers and business partners within the country, limitedly, for the purpose of providing products and services,
● To IMM, the Ministry of Interior Affairs of the Republic of Turkey, and audit firms within the country under relevant contracts for the purpose of auditing activities of public service nature in accordance with relevant legislation,
● To our suppliers and business partners within the country for the preparation and implementation of strategies related to our public service and commercial activities,
● To Istanbul Metropolitan Municipality, IMM subsidiary companies, Istanbul Water and Sewerage Administration (ISKI), Istanbul Electric Tramway and Tunnel Establishments (IETT), and district municipalities,
● To legally authorized public institutions and organizations within the country upon their requests and limited to the purposes of their requests,
● To servers located within the country belonging to individuals/legal entities and public institutions and organizations with whom we collaborate domestically, in order to carry out our company's activities and public services.


III. Method and Legal Basis of Personal Data Collection

Your personal data is collected by individuals/legal entities processing data on behalf of ISTANBUL KÜLTÜR A.Ş. through verbal, written, or electronic channels, including but not limited to application forms, Beyaz Masa, website, various contracts, all kinds of information forms, camera recordings, surveys, social media applications, call centers, member registration forms on our website, and other means, based on your explicit consent or within the exceptions foreseen in Articles 5 and 6 of the Personal Data Protection Law. These data are collected based on the legal grounds specified in Articles 5 and 6 of the PDPL, including:
(i) stipulation in laws,
(ii) fulfillment of contractual and legal obligations,
(iii) necessity for the establishment, exercise, or protection of a right,
(iv) acquisition within the legitimate interests pursued by the data controller.


IV. Data Security

Our company takes all necessary reasonable technical and administrative measures to ensure the security of personal data at an appropriate level.

Rights of the Data Subject

Individuals whose personal data is processed within İstanbul Kültür A.Ş. can exercise the following rights by filling out the Application Form provided at https://kultur.istanbul/kultur-a-s/kisisel-verilerin-korunmasi/veri-sorumlusuna-basvuru-formu/ and submitting a written notification to our company's address at Maltepe Mahallesi 328. Sokak No: 49 / Zeytinburnu Istanbul:

● To learn whether their personal data is being processed,
● To request information if their personal data has been processed,
● To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
● To know the third parties to whom personal data are transferred domestically or abroad,
● To request correction of personal data if it is incomplete or inaccurate and to request notification of the correction made to third parties to whom personal data have been transferred within this scope,
● To request the deletion or destruction of personal data if the reasons requiring their processing have ceased, despite being processed in accordance with the PDPL and other relevant laws, and to request notification of the deletion or destruction made to third parties to whom personal data have been transferred within this scope,
● To object to the occurrence of a result against oneself as a result of the analysis of processed data solely through automated systems,
● To request compensation for damages in case of suffering damages due to the unlawful processing of personal data.

Requests of data subjects shall be evaluated and concluded free of charge within the shortest time possible and within thirty (30) days at the latest. If the evaluation and decision-making process necessitates additional costs, the fee in the tariff determined by the Personal Data Protection Board shall be taken as the basis.



Our BGYS (ISMS) ISO 27001 Policy

The TS EN ISO 27001:2022 Information Security Management System aims to demonstrate that information security management is ensured within human resources, infrastructure, software, hardware, customer information, organizational information, third-party information, and financial resources. It aims to secure risk management, measure the performance of information security management processes, and regulate relationships with third parties regarding information security issues through a systematic approach.

The purpose of our ISMS Policy is to:

● Protect information assets, ensure accessibility to information as required by business processes, meet legal regulatory requirements, and engage in continuous improvement efforts.
● Ensure the continuity of the three fundamental elements of the Information Security Management System in all activities conducted:
    ● Privacy: Prevent unauthorized access to sensitive information.
    ● Integrity: Ensure the accuracy and integrity of information.
    ● Accessibility: Demonstrate accessibility to information for authorized personnel when necessary.
● Address the security of all data, not only electronically stored data but also data in written, printed, verbal, and similar formats.
● Raise awareness among all personnel by providing Information Security Management training.
● Report all existing or suspected vulnerabilities in information security to the ISMS Team for investigation.
● Prepare, maintain, and test business continuity plans.
● Periodically assess information security to identify existing risks. Review and follow up on action plans based on assessment results.
● Prevent any disputes and conflicts of interest arising from contracts.
● Meet the business requirements for accessibility to information and information systems.