1.   Purpose

The board of directors and management of Game Cafe Services Information and Communication Services Limited Company (“Game Cafe”) commit to complying with the principles and rules established by the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698 (“PDPL”), and other related legislations concerning the protection of personal data. This commitment includes the protection of the rights and freedoms of individuals whose personal data are processed by Game Cafe.

In this direction, Game Cafe has adopted this Personal Data Protection Policy (“Policy”) to determine the procedures and principles to be followed and developed in fulfilling its legal obligations regarding the protection and processing of personal data.

This Policy aims to establish and implement Game Cafe's own standards in managing personal data; to define and support organizational goals and obligations; to fulfill obligations under international treaties, the Constitution, laws, contracts, and professional rules concerning personal data protection; and to ensure the secure protection of individuals' fundamental rights and freedoms.

2.   Scope

The scope of the Policy is determined as follows:

1.   Subject Matter Scope

Information related to an identified or identifiable natural person is considered personal data for the application of this Policy. Subject to any special provisions in legal regulations, the protection, processing, and use of all types of personal data in electronic or physical media constitute the subject matter scope of this Policy. Game Cafe will comply with data protection legislation and data protection principles.

The principles adopted by Game Cafe particularly include:

• Respecting the privacy of individuals and the confidentiality of private life,
• Processing personal data only when it is explicitly necessary for legitimate corporate purposes,
• For these purposes, to process personal data only to the minimum extent necessary and not to process more data than required,
• To inform individuals about who is using their personal data and how it is being used,
• To process only the personal data that is relevant and necessary for the purposes of use,
• To process personal data fairly and in accordance with the law,
• To keep personal data accurate and up to date when necessary,
• To retain personal data only for the period required by legal regulations, Game Cafe's legal obligations, or legitimate corporate interests,
• To respect the rights of individuals concerning their personal data, including the right to access,
• To maintain personal data in strict security and confidentiality,
• To transfer personal data abroad only if adequate protection is provided or other legal conditions are met,
• To designate personnel with special authority and responsibility for the implementation of this Policy.

2.   Personal Scope

As a legal entity, Game Cafe falls under the scope of this Policy as a data controller.

Game Cafe's executives at all levels; employees, candidate employees in relation with service contracts and other private law contracts; service providers, visitors, and other third parties listed below as natural persons are within the scope of this Policy. Statements related to these individuals are explained under Article 7 of this Policy.

3.   Temporal Scope

The Policy remains in effect indefinitely. The text of the Policy is published on the web pages of companies obligated to create a web page. Game Cafe reserves the right to make changes and/or updates to the Policy in parallel with legal regulations and operational procedures.

 

3.   Data Protection Principles

All personal data processing activities must be carried out in compliance with the following data protection principles. Game Cafe's policies and procedures aim to ensure compliance with these principles:

• Compliance with law and principles of honesty

While striving to achieve its data processing objectives, Game Cafe considers the interests and reasonable expectations of the data subjects; in other words, it acts in a way to prevent outcomes that the data subject would not expect and should not have to anticipate.

• Be accurate and up to date when necessary

Game Cafe keeps channels open to ensure that the information of the concerned individuals is accurate and up-to-date. To ensure the accuracy and currentness of personal data; the sources from which personal data are obtained are identified, care is taken to ensure the correctness of the source from which personal data are collected, requests arising from incorrect personal data are carefully examined and reasonable measures are taken in this context. The accuracy and currency of data held about personnel are the responsibility of the concerned personnel.

• Processing for specific, explicit, and legitimate purposes

Game Cafe has clearly and definitively determined its data processing purposes and confirms that these purposes are legitimate. Personal data will not be used for purposes other than those stated to the concerned individual.

• Being relevant, limited, and proportionate to the purposes for which they are processed

Game Cafe commits that the personal data processed are suitable for the realization of the determined purposes and does not process personal data that are irrelevant or unnecessary for the realization of the purpose.

• Retained for the period foreseen in the relevant legislation or as necessary for the purposes for which they are processed

Game Cafe takes necessary administrative and technical measures to ensure that personal data are retained for a period appropriate to the purpose for which they are processed.
 

Accordingly; Game Cafe will comply with the period prescribed in the legislation for the concerned personal data; if no such period is prescribed, data will be retained only for the period necessary for the purposes for which they are processed. If there is no valid reason to retain data longer, it will be deleted, destroyed, or anonymized. Personal data will not be retained for the possibility of future use or for any other reason.

4.   Data Processing Purposes

The purposes for processing personal data within Game Cafe have been determined in accordance with data protection principles; the use of personal data for purposes other than those determined and for discriminatory purposes is strictly prohibited.

The purposes for processing personal data within Game Cafe are as follows:

• Cnducting emergency management prcesses,
•  Executin f infrmatin security prcesses,
•  Cnducting selectin and placement prcesses fr Candidate Emplyees/Interns/Students,
•  Managing applicatin prcesses f candidate emplyees,
•  Executing emplyee satisfactin and lyalty prcesses,
•  Fulfilling cntractual and regulatry bligatins fr emplyees,
•  Managing benefit prcesses fr emplyees,
•  Cnducting audit/ethics activities,
•  Cnducting training activities,
•  Implementatin f access permissins,
•  Ensuring cmpliance f activities with regulatins,
•  Managing finance and accunting peratins,
•  Executing lyalty prcesses fr cmpany/prducts/services,
•  Cnducting assignment prcesses,
•  Mnitring and executing legal affairs,
•  Executing internal audit/investigatin/intelligence activities,
•  Managing cmmunicatin activities,
•  Planning Human Resurces prcesses,
•  Executin and cntrl f business activities,
•  Cnducting ccupatinal health and safety activities,
•  Receiving and evaluating suggestins fr imprvement f business prcesses,
•  Executing activities t ensure business cntinuity,
•  Managing prcurement prcesses fr gds/services,
•  Executing after-sales supprt services fr gds/services,
•  Managing sales prcesses fr gds/services,
•  Executing prductin and peratin prcesses fr gds/services,
•  Managing custmer relatinship management prcesses,
•  Cnducting activities fr custmer satisfactin,
•  rganizatin and event management,
•  Executing marketing analysis studies,
•  Cnducting perfrmance evaluatin prcesses,
•  Executing advertising, campaign, and prmtin prcesses,
•  Managing strage and archiving activities,
•  Cnducting risk management prcesses,
•  Executing scial respnsibility and civil sciety activities,
•  Managing cntractual prcesses,
•  Cnducting strategic planning activities,
•  Tracking requests/cmplaints,
•  Ensuring the security f mvable assets and resurces,
•  Managing supply chain management prcesses.
•  Executing the wage plicy,
•  Cnducting marketing prcesses fr prducts/services,
•  Ensuring the security f data cntrller peratins,
•  Prcessing wrk and residence permit prcedures fr freign persnnel,
•  Managing investment prcesses,
•  Cnducting talent and career develpment activities,
•  Prviding infrmatin t authrized persns, institutins, and rganizatins,
•  Executing management activities

5.   Data Processing Tools

Data processing tools are physical media and information systems used for the physical or electronic recording, storage, and processing of data.

Under the application of this policy, personal data contained in contracts, correspondence, or other documents and their annexes that are transmitted to our company in physical or electronic form without the purpose of data processing, from the moment they are separated and subjected to any processing in physical or electronic media, outside of the original document's integrity, for any purpose, will be subject to the provisions of this policy.

6.   Categories of personal data processed

Identity Information	: Information contained in identity documents such as identity card, passport, driver's license.
Communication information	: Phone number, address, e-mail address information.
Personal Information	: Information regarding employees' personal rights.
Legal Transaction Information	: Correspondence with judicial and administrative authorities, information in case and enforcement files.
Customer Transaction Information	: Invoice, promissory note, check information.
Transaction Security Information	: IP address information, website login and exit information, password and password information.
Risk Management Information	Information processed for the management of commercial, technical and administrative risks.
Financial Information	: Bank account information of the data subject.
Professional Experience Information	: Past study process, diploma information and courses attended.
Marketing Information	: Data regarding the preferences, tastes, needs and habits of the data owner.
Audiovisual Records	: Camera footage and photography.
Health information	: Personal health information and information regarding disability status.
Criminal Conviction and Security Measures Information	: Information regarding criminal convictions, information regarding security measures.

 

7.   Personal Data Owners

Employee Candidate	Real persons who have applied for a job at Game Cafe by any means or have made their CV and relevant information available for review by companies.
Employee	Real persons working within Game Cafe under service contracts and other private law agreements
Shareholder/Partner	Real person shareholders of Game Cafe.
Potential product or service buyer	Real persons who have requested or are interested in using Game Cafe's products and services, or whose interest has been evaluated in accordance with commercial practices and rules of honesty.
The person who receives the product or service	Real persons who use or have used the products and services offered by the companies, regardless of whether they have any contractual relationship with Game Cafe.
Intern	Real persons working as interns at Game Cafe.
Supplier employee and officer	Officials and employees of real and legal persons (such as suppliers, service providers) with whom Game Cafe has all kinds of business relations.

 

8.   Recipients to whom Personal Data is Transferred

Real persons or private law legal entities	: Real persons and private law legal entities with whom our company has a legal relationship within the framework of a contract.
Shareholders	: Real person shareholders of Game Cafe
Business partners and suppliers	: Real and legal persons who are third parties from whom goods and services are procured or goods and services are offered for data processing purposes.
Authorized Public Institutions and Organizations	: Answering requests for information and documents requested by relevant institutions and organizations.

 

9.   Conditions for Processing Special Categories of Personal Data

Subject to the provisions of Article 6 of the Personal Data Protection Law No. 6698, special categories of personal data cannot be processed without the explicit consent of the data subject. The processing of special categories of personal data is additionally regulated in the “Policy on Processing and Protection of Special Categories of Personal Data” in order to take sufficient measures for the processing of these data, due to the sensitivity of the subject matter and the importance we give to it.

10.   Method and Legal Reason for Personal Data Collection

Personal data are collected physically within Game Cafe or in electronic or physical form within the gaming environment and processed in accordance with the general principles listed in Article 4 of the PDPL, and then within the conditions of personal data processing specified in Articles 5 and 6, under the data processing purposes listed in Article 4 of this Policy. If none of the exceptions for the processing of personal data applies, then explicit consent is obtained from the Relevant Person.

11.   Deletion, Destruction, or Anonymization of Personal Data

Subject to the provisions of other laws concerning the deletion, destruction, or anonymization of personal data, if the reasons necessitating the processing of personal data cease to exist, personal data will be deleted, destroyed, or anonymized by Game Cafe either on its own initiative or upon the request of the data subject.

When personal data is deleted, it is destroyed in a manner that it can no longer be used or retrieved. Accordingly, personal data are irrecoverably deleted from mediums such as documents, files, CDs, and floppies in which they are recorded.

Destruction of personal data means the irrevocable and unusable destruction of the materials suitable for data storage such as documents, files, CDs, and floppies in which the information is recorded.

Anonymization of data means rendering personal data unable to be associated with an identifiable or identifiable natural person, even when matched with other data.

 

12.   Maximum Duration Necessary for the Purposes for Which Personal Data are Processed

Personal data related to the commercial transactions and operations conducted by our Company are stored for 10 years in principle, in accordance with Article 82 of the Turkish Commercial Code, unless legal or contractual obligations require a longer period.

For other actions and transactions, the general 10-year statute of limitations period specified in Article 146 of the Turkish Code of Obligations is taken as the basis.

While personal data of Game Cafe's employees are kept for the general statute of limitations period, personal data that fall under the category of health information, which is considered special category personal data, are kept for 15 years for the purpose of fulfilling occupational health and safety obligations.

Personal data of candidates who apply for open positions at Game Cafe are kept for 1 year in accordance with the principle of keeping personal data accurate and up-to-date.

Personal data that can be used as evidence in financial, legal, or criminal disputes will be preserved for the statute of limitations periods specified in the relevant legal regulations, for the purposes of providing evidence in potential legal disputes or asserting or defending rights related to personal data. In this case, access to the stored personal data is provided only when necessary for the related legal dispute and not for any other purposes.

13.   Destruction Periods

The periodic destruction period is determined as once every six months, with a minimum frequency of twice a year. The destruction processes will be carried out in the first periodic destruction period following the end of the maximum storage periods specified in the aforementioned Article 12.

14.   Responsibilities and Division of Duties

The titles, units, and job descriptions of those involved in ensuring the security of personal data and in storage and destruction processes are as follows:

 

Title	Unit or Organization	Duty
KVK Committee Members	KVK Committee	Following up all necessary regulations within the scope of compliance with the personal data protection legislation, ensuring the implementation of the Policy, following the necessary updates, and presenting suggestions for improvement within the scope of the legislation.
Information Technologies Director	Information Technologies Unit	Providing and implementing the technical solutions needed in the implementation of the Policy.
HR, Legal	Other Units	Executing the Policy in accordance with their duties.

The processes of deleting, destroying, and anonymizing data are carried out by the unit authorized solely for these tasks/processes, within the framework of the decisions taken by the Board of Directors, with regard to the Personal Data Storage and Destruction Policy.

 

15.   Personal Data Transfer

Personal data collected by our Company can be transferred to our business partners in Turkey and to individuals and organizations within the scope of legal relations, provided that necessary security measures are taken and limited to product and customer information, in line with the purposes of data processing.

Regarding the transfer of personal data abroad, personal data within Game Cafe are stored on servers located in Turkey; therefore, there is no such activity of transferring data abroad.

Currently, there is no activity of transferring data abroad within Game Cafe. Should personal data be transferred abroad in future processes, it will be carried out either through the Commitment method, one of the methods determined by the Personal Data Protection Board, or based on the explicit consent of the relevant individuals.

 

16.   Measures Taken for Data Security

Game Cafe, in compliance with Article 12 of the Law, takes necessary technical and administrative measures to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data, and to ensure the appropriate level of security for the preservation of the data, as well as to ensure the lawful destruction of personal data. In this context, Game Cafe conducts or outsources necessary audits. 

Game Cafe operates a system that ensures the notification of the relevant Personal Data Subject and the Data Protection Authority as soon as possible through the use of a Breach Notification Form, in the event that personal data are obtained by others through illegal means.

The administrative and technical measures taken in this context are as follows:

• Network security and application security are maintained.
•  A closed system network is used for personal data transmissions via network.
   Key management is implemented.
•  Security measures in the scope of procurement, development, and maintenance of information technology systems are taken.
•  Disciplinary regulations containing data security provisions are in place for employees.
•  Periodic training and awareness activities on data security are conducted for employees.
•  An authorization matrix is established for employees.
•  Access logs are regularly maintained.
•  Corporate policies on access, information security, usage, storage, and destruction have been prepared and implemented.
•  Data masking measures are implemented when necessary.
•  Confidentiality agreements are made.
•  The authorities of employees who change positions or leave the company are revoked in this area.
•  Current antivirus systems are used.
•  Firewalls are utilized.
•  Contracts signed include data security provisions.
•  Extra security measures are taken for personal data transferred via paper, and related documents are sent in a confidential document format.
•  Personal data security policies and procedures are established.
•  Personal data security issues are reported promptly.
•  Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
•  Security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
•  Security of environments containing personal data is maintained.
•  Personal data is minimized as much as possible.
•  Personal data is backed up, and the security of backed-up personal data is also ensured.
•  User account management and authorization control systems are in place and monitored.
•  Periodic and/or random internal audits are conducted and enforced.
•  Log records are kept in a way that cannot be altered by users.
•  Current risks and threats have been identified.
•  Protocols and procedures for the security of special categories of personal data have been determined and are being implemented.
•  Special categories of personal data are sent via email only in encrypted form and using KEP (Registered Electronic Mail) or corporate email accounts.
•  Attack detection and prevention systems are used.
•  Penetration testing is conducted.
•  Cybersecurity measures are in place and continuously monitored.
•  Encryption is performed.
•  Data loss prevention software is used.

17.   Confidentiality Obligation

Confidentiality commitments and obligations are specifically stipulated in contracts containing personal data, including employment contracts and procurement contracts.

18.   Record Environments

 

Personal data recording environments can be physical or electronic mediums, and visual mediums such as camera recordings. In this context, electronic mediums include servers (email, databases, etc.); software; information security devices (firewalls, antivirus, etc.); personal computers (desktops, laptops); mobile devices (phones); and physical mediums include files, folders, paper, written, printed, and visual mediums (cameras).

 

19.   Personal Data Destruction Techniques

 

Upon the expiry of the period stipulated by relevant legislation or the period necessary for the purposes for which they are processed, personal data are destroyed, either on its own initiative or upon the request of the data subject, in accordance with the provisions of the Law, using the techniques specified below.

1.   Deletion of Personal Data

Data Recording Environment	Description
Personal data on servers	Deletion is done by the system administrator by removing the access permission of the relevant users.
Personal data in electronic environment	It is made inaccessible and unusable in any way for other employees except the database administrator.
Personal data in physical environment	It is made inaccessible and unusable in any way for other employees except the relevant unit manager.

 

2.   Destruction of Personal Data

Data Recording Environment	Description
Personal data in physical environment	It is irreversibly destroyed in paper clipping machines.

 

3.   Anonymization of Personal Data

 

Anonymization of personal data means rendering the data in such a way that it cannot be associated with an identifiable or identifiable natural person, even when matched with other data, under any circumstances.
 

20.   Publication and Storage of the Policy

 

This policy has been approved by the Board of Directors as of the date of its publication and has been published with the signature of the General Manager.

The current version of this document has been made available to all Game Cafe personnel and published on the company website.
 

21.   Updating and Implementation of the Policy
    
    The Policy is regularly reviewed and updated as necessary. Each update is considered to be in effect following its publication.

ANNEX-1: DEFINITIONS

The definitions of the concepts included in this Policy are as follows:

Explicit consent	: Consent regarding a specific subject, based on information and expressed with free will,
Anonymise	: Making data that was previously associated with a person impossible to associate it with an identified or identifiable natural person in any way, even by matching it with other data,
Electronic environment	: Environments where personal data can be created, read, changed and written with electronic devices,
Physical environment	: All written, printed, visual, etc. media other than electronic media,
Contact person/Data owner	: The real person whose personal data is processed,
Destruction	: Deletion, destruction or anonymization of personal data,
Personal data	: Any information regarding an identified or identifiable natural person,
Special (sensitive) personal data	: Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Processing of personal data	: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data such as blocking,
KVKK	: Personal Data Protection Law No. 6698,
KVK Committee	: Personal Data Protection Committee,
KVK Institution	: Personal Data Protection Institution
Data processor	: Real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller,
Data recording system	: The recording system in which personal data is structured and processed according to certain criteria,
Data controller	: It refers to the real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

This document has been updated on November 29, 2023.