The board of directors and management of Game Cafe Services Information and Communication Services Limited Company (“Game Cafe”) commit to complying with the principles and rules established by the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698 (“PDPL”), and other related legislations concerning the protection of personal data. This commitment includes the protection of the rights and freedoms of individuals whose personal data are processed by Game Cafe.
In this direction, Game Cafe has adopted this Personal Data Protection Policy (“Policy”) to determine the procedures and principles to be followed and developed in fulfilling its legal obligations regarding the protection and processing of personal data.
This Policy aims to establish and implement Game Cafe's own standards in managing personal data; to define and support organizational goals and obligations; to fulfill obligations under international treaties, the Constitution, laws, contracts, and professional rules concerning personal data protection; and to ensure the secure protection of individuals' fundamental rights and freedoms.
The scope of the Policy is determined as follows:
Information related to an identified or identifiable natural person is considered personal data for the application of this Policy. Subject to any special provisions in legal regulations, the protection, processing, and use of all types of personal data in electronic or physical media constitute the subject matter scope of this Policy. Game Cafe will comply with data protection legislation and data protection principles.
The principles adopted by Game Cafe particularly include:
• Respecting the privacy of individuals and the confidentiality of private life,
• Processing personal data only when it is explicitly necessary for legitimate corporate purposes,
• For these purposes, to process personal data only to the minimum extent necessary and not to process more data than required,
• To inform individuals about who is using their personal data and how it is being used,
• To process only the personal data that is relevant and necessary for the purposes of use,
• To process personal data fairly and in accordance with the law,
• To keep personal data accurate and up to date when necessary,
• To retain personal data only for the period required by legal regulations, Game Cafe's legal obligations, or legitimate corporate interests,
• To respect the rights of individuals concerning their personal data, including the right to access,
• To maintain personal data in strict security and confidentiality,
• To transfer personal data abroad only if adequate protection is provided or other legal conditions are met,
• To designate personnel with special authority and responsibility for the implementation of this Policy.
As a legal entity, Game Cafe falls under the scope of this Policy as a data controller.
Game Cafe's executives at all levels; employees, candidate employees in relation with service contracts and other private law contracts; service providers, visitors, and other third parties listed below as natural persons are within the scope of this Policy. Statements related to these individuals are explained under Article 7 of this Policy.
The Policy remains in effect indefinitely. The text of the Policy is published on the web pages of companies obligated to create a web page. Game Cafe reserves the right to make changes and/or updates to the Policy in parallel with legal regulations and operational procedures.
All personal data processing activities must be carried out in compliance with the following data protection principles. Game Cafe's policies and procedures aim to ensure compliance with these principles:
• Compliance with law and principles of honesty
While striving to achieve its data processing objectives, Game Cafe considers the interests and reasonable expectations of the data subjects; in other words, it acts in a way to prevent outcomes that the data subject would not expect and should not have to anticipate.
• Be accurate and up to date when necessary
Game Cafe keeps channels open to ensure that the information of the concerned individuals is accurate and up-to-date. To ensure the accuracy and currentness of personal data; the sources from which personal data are obtained are identified, care is taken to ensure the correctness of the source from which personal data are collected, requests arising from incorrect personal data are carefully examined and reasonable measures are taken in this context. The accuracy and currency of data held about personnel are the responsibility of the concerned personnel.
• Processing for specific, explicit, and legitimate purposes
Game Cafe has clearly and definitively determined its data processing purposes and confirms that these purposes are legitimate. Personal data will not be used for purposes other than those stated to the concerned individual.
• Being relevant, limited, and proportionate to the purposes for which they are processed
Game Cafe commits that the personal data processed are suitable for the realization of the determined purposes and does not process personal data that are irrelevant or unnecessary for the realization of the purpose.
• Retained for the period foreseen in the relevant legislation or as necessary for the purposes for which they are processed
Game Cafe takes necessary administrative and technical measures to ensure that personal data are retained for a period appropriate to the purpose for which they are processed.
Accordingly; Game Cafe will comply with the period prescribed in the legislation for the concerned personal data; if no such period is prescribed, data will be retained only for the period necessary for the purposes for which they are processed. If there is no valid reason to retain data longer, it will be deleted, destroyed, or anonymized. Personal data will not be retained for the possibility of future use or for any other reason.
The purposes for processing personal data within Game Cafe have been determined in accordance with data protection principles; the use of personal data for purposes other than those determined and for discriminatory purposes is strictly prohibited.
The purposes for processing personal data within Game Cafe are as follows:
Data processing tools are physical media and information systems used for the physical or electronic recording, storage, and processing of data.
Under the application of this policy, personal data contained in contracts, correspondence, or other documents and their annexes that are transmitted to our company in physical or electronic form without the purpose of data processing, from the moment they are separated and subjected to any processing in physical or electronic media, outside of the original document's integrity, for any purpose, will be subject to the provisions of this policy.
Identity Information |
: Information contained in identity documents such as identity card, passport, driver's license. |
Communication information |
: Phone number, address, e-mail address information. |
Personal Information |
: Information regarding employees' personal rights. |
Legal Transaction Information |
: Correspondence with judicial and administrative authorities, information in case and enforcement files. |
Customer Transaction Information |
: Invoice, promissory note, check information. |
Transaction Security Information |
: IP address information, website login and exit information, password and password information. |
Risk Management Information |
Information processed for the management of commercial, technical and administrative risks. |
Financial Information |
: Bank account information of the data subject. |
Professional Experience Information |
: Past study process, diploma information and courses attended. |
Marketing Information |
: Data regarding the preferences, tastes, needs and habits of the data owner. |
Audiovisual Records |
: Camera footage and photography. |
Health information |
: Personal health information and information regarding disability status. |
Criminal Conviction and Security Measures Information |
: Information regarding criminal convictions, information regarding security measures. |
Employee Candidate |
Real persons who have applied for a job at Game Cafe by any means or have made their CV and relevant information available for review by companies. |
Employee |
Real persons working within Game Cafe under service contracts and other private law agreements |
Shareholder/Partner |
Real person shareholders of Game Cafe. |
Potential product or service buyer |
Real persons who have requested or are interested in using Game Cafe's products and services, or whose interest has been evaluated in accordance with commercial practices and rules of honesty. |
The person who receives the product or service |
Real persons who use or have used the products and services offered by the companies, regardless of whether they have any contractual relationship with Game Cafe. |
Intern |
Real persons working as interns at Game Cafe. |
Supplier employee and officer |
Officials and employees of real and legal persons (such as suppliers, service providers) with whom Game Cafe has all kinds of business relations. |
Real persons or private law legal entities |
: Real persons and private law legal entities with whom our company has a legal relationship within the framework of a contract. |
Shareholders |
: Real person shareholders of Game Cafe |
Business partners and suppliers |
: Real and legal persons who are third parties from whom goods and services are procured or goods and services are offered for data processing purposes. |
Authorized Public Institutions and Organizations |
: Answering requests for information and documents requested by relevant institutions and organizations. |
Subject to the provisions of Article 6 of the Personal Data Protection Law No. 6698, special categories of personal data cannot be processed without the explicit consent of the data subject. The processing of special categories of personal data is additionally regulated in the “Policy on Processing and Protection of Special Categories of Personal Data” in order to take sufficient measures for the processing of these data, due to the sensitivity of the subject matter and the importance we give to it.
Personal data are collected physically within Game Cafe or in electronic or physical form within the gaming environment and processed in accordance with the general principles listed in Article 4 of the PDPL, and then within the conditions of personal data processing specified in Articles 5 and 6, under the data processing purposes listed in Article 4 of this Policy. If none of the exceptions for the processing of personal data applies, then explicit consent is obtained from the Relevant Person.
Subject to the provisions of other laws concerning the deletion, destruction, or anonymization of personal data, if the reasons necessitating the processing of personal data cease to exist, personal data will be deleted, destroyed, or anonymized by Game Cafe either on its own initiative or upon the request of the data subject.
When personal data is deleted, it is destroyed in a manner that it can no longer be used or retrieved. Accordingly, personal data are irrecoverably deleted from mediums such as documents, files, CDs, and floppies in which they are recorded.
Destruction of personal data means the irrevocable and unusable destruction of the materials suitable for data storage such as documents, files, CDs, and floppies in which the information is recorded.
Anonymization of data means rendering personal data unable to be associated with an identifiable or identifiable natural person, even when matched with other data.
Personal data related to the commercial transactions and operations conducted by our Company are stored for 10 years in principle, in accordance with Article 82 of the Turkish Commercial Code, unless legal or contractual obligations require a longer period.
For other actions and transactions, the general 10-year statute of limitations period specified in Article 146 of the Turkish Code of Obligations is taken as the basis.
While personal data of Game Cafe's employees are kept for the general statute of limitations period, personal data that fall under the category of health information, which is considered special category personal data, are kept for 15 years for the purpose of fulfilling occupational health and safety obligations.
Personal data of candidates who apply for open positions at Game Cafe are kept for 1 year in accordance with the principle of keeping personal data accurate and up-to-date.
Personal data that can be used as evidence in financial, legal, or criminal disputes will be preserved for the statute of limitations periods specified in the relevant legal regulations, for the purposes of providing evidence in potential legal disputes or asserting or defending rights related to personal data. In this case, access to the stored personal data is provided only when necessary for the related legal dispute and not for any other purposes.
The periodic destruction period is determined as once every six months, with a minimum frequency of twice a year. The destruction processes will be carried out in the first periodic destruction period following the end of the maximum storage periods specified in the aforementioned Article 12.
The titles, units, and job descriptions of those involved in ensuring the security of personal data and in storage and destruction processes are as follows:
Title |
Unit or Organization |
Duty |
KVK Committee Members |
KVK Committee |
Following up all necessary regulations within the scope of compliance with the personal data protection legislation, ensuring the implementation of the Policy, following the necessary updates, and presenting suggestions for improvement within the scope of the legislation. |
Information Technologies Director |
Information Technologies Unit |
Providing and implementing the technical solutions needed in the implementation of the Policy. |
HR, Legal |
Other Units |
Executing the Policy in accordance with their duties. |
The processes of deleting, destroying, and anonymizing data are carried out by the unit authorized solely for these tasks/processes, within the framework of the decisions taken by the Board of Directors, with regard to the Personal Data Storage and Destruction Policy.
Personal data collected by our Company can be transferred to our business partners in Turkey and to individuals and organizations within the scope of legal relations, provided that necessary security measures are taken and limited to product and customer information, in line with the purposes of data processing.
Regarding the transfer of personal data abroad, personal data within Game Cafe are stored on servers located in Turkey; therefore, there is no such activity of transferring data abroad.
Currently, there is no activity of transferring data abroad within Game Cafe. Should personal data be transferred abroad in future processes, it will be carried out either through the Commitment method, one of the methods determined by the Personal Data Protection Board, or based on the explicit consent of the relevant individuals.
Game Cafe, in compliance with Article 12 of the Law, takes necessary technical and administrative measures to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data, and to ensure the appropriate level of security for the preservation of the data, as well as to ensure the lawful destruction of personal data. In this context, Game Cafe conducts or outsources necessary audits.
Game Cafe operates a system that ensures the notification of the relevant Personal Data Subject and the Data Protection Authority as soon as possible through the use of a Breach Notification Form, in the event that personal data are obtained by others through illegal means.
The administrative and technical measures taken in this context are as follows:
Confidentiality commitments and obligations are specifically stipulated in contracts containing personal data, including employment contracts and procurement contracts.
Personal data recording environments can be physical or electronic mediums, and visual mediums such as camera recordings. In this context, electronic mediums include servers (email, databases, etc.); software; information security devices (firewalls, antivirus, etc.); personal computers (desktops, laptops); mobile devices (phones); and physical mediums include files, folders, paper, written, printed, and visual mediums (cameras).
Upon the expiry of the period stipulated by relevant legislation or the period necessary for the purposes for which they are processed, personal data are destroyed, either on its own initiative or upon the request of the data subject, in accordance with the provisions of the Law, using the techniques specified below.
Data Recording Environment |
Description |
Personal data on servers |
Deletion is done by the system administrator by removing the access permission of the relevant users. |
Personal data in electronic environment |
It is made inaccessible and unusable in any way for other employees except the database administrator. |
Personal data in physical environment |
It is made inaccessible and unusable in any way for other employees except the relevant unit manager. |
Data Recording Environment |
Description |
Personal data in physical environment |
It is irreversibly destroyed in paper clipping machines. |
Anonymization of personal data means rendering the data in such a way that it cannot be associated with an identifiable or identifiable natural person, even when matched with other data, under any circumstances.
This policy has been approved by the Board of Directors as of the date of its publication and has been published with the signature of the General Manager.
The current version of this document has been made available to all Game Cafe personnel and published on the company website.
ANNEX-1: DEFINITIONS
The definitions of the concepts included in this Policy are as follows:
Explicit consent |
: Consent regarding a specific subject, based on information and expressed with free will, |
Anonymise |
: Making data that was previously associated with a person impossible to associate it with an identified or identifiable natural person in any way, even by matching it with other data, |
Electronic environment |
: Environments where personal data can be created, read, changed and written with electronic devices, |
Physical environment |
: All written, printed, visual, etc. media other than electronic media, |
Contact person/Data owner |
: The real person whose personal data is processed, |
Destruction |
: Deletion, destruction or anonymization of personal data, |
Personal data |
: Any information regarding an identified or identifiable natural person, |
Special (sensitive) personal data |
: Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, |
Processing of personal data |
: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data such as blocking, |
KVKK |
: Personal Data Protection Law No. 6698, |
KVK Committee |
: Personal Data Protection Committee, |
KVK Institution |
: Personal Data Protection Institution |
Data processor |
: Real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller, |
Data recording system |
: The recording system in which personal data is structured and processed according to certain criteria, |
Data controller |
: It refers to the real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
This document has been updated on September 4, 2024.