CLARIFICATION ON THE PROTECTION OF PERSONAL DATA

We, as Garanti Emeklilik ve Hayat A.Ş. (referred to herein as "the Company"), respect the security of your personal data and your right to privacy, and attach importance to the confidentiality and protection of your personal data.

We present this clarification text to apprise you of the processing, transfer, storage and destruction of your personal data provided to us by you as the participant, the person who pays contribution on behalf and account of the participant, the insured, the insurer, the premium payer, the beneficiary, the loss payee, the legal heir and the legal representatives of these specified persons, the relevant person as the legal representative in the context of private pension contracts, insurance policies (including life insurance and/or supplementary health insurance), and related services within the framework of the Private Pension Savings and Investment System Law No. 4632, Insurance Law No. 5684, and pertinent regulations. Furthermore, we outline your entitlements concerning the utilization and safeguarding of your personal data pursuant to the Personal Data Protection Law No. 6698 ("PDPL"/"Law").

As delineated in this Clarification Text, your personal data and sensitive personal data may be recorded, archived, updated, transferred, classified and processed pursuant to and under PDPL and other applicable laws and regulations appertaining thereto.

1- DATA SUPERVISOR

This clarification text is published by Garanti Emeklilik ve Hayat A.Ş. as and in the capacity of data supervisor, in accordance with the pertinent provisions of PDPL No. 6698, Private Pension Savings and Investment System Law No. 4632, Insurance Law No. 5684, and other applicable laws and regulations in relation therewith. As per the Law, “Data Processing” refers to all kinds of transactions effected on personal data, such as acquisition, recording, storage, updating and classification of personal data, fully or partially, by automatic means and ways or by non-automatic means and ways, providing that it is a part of any data registration system, and sharing of data with third parties or transfer to them to the extent permitted by the applicable laws and regulations.

We, as data supervisor, are keeping and safeguarding all kinds of personal data, shared by you with us, in strict compliance with the applicable laws and regulations, and by taking all kinds of the technical and administrative actions and measures required for protection of your personal data under an appropriate security level.

2- PERSONAL DATA COLLECTED BY US

2.1- Personal Data Collected by Us within the Scope of Private Pension Contract

Personal data, varying according to the type, nature and past of the relations between our Company and the related person and depending on the method of acquisition of data and the following purposes, to be collected in the course of relations to be established by us with you in tandem with the private pension products and services you are going to receive from our Company in accordance with the private pension system legislation and other relevant legislation, and to be processed in compliance with the principles set down in the Law and in our Company’s personal data processing and protection policy, are generally as listed below, without however being limited thereto:

• Personal Identification Data: Name, surname, maternal and paternal names, Turkish ID number, identity card serial number, passport number, place and date of birth, gender, marital status, spouse/child details, citizenship status, nationality, and registration particulars.

• Visual Media: Photograph

• Contact Details: Comprising addresses, email addresses, registered email addresses, mobile phone numbers, landline numbers, fax numbers, alongside communication records encompassing telephone conversations, video calls, email exchanges, and other audio-visual data.

• Transaction Security Information: Consisting of customer details, IP addresses, login and logout passwords for internet branch channels, security applications utilized in said channels, and location data processed to fulfil legal obligations.

• Marketing Data: Encompasses shopping history, survey responses, cookie records, and data acquired through promotional campaigns, subject to the consent of customers, potential customers, and other relevant individuals.

• Business-related Data: Includes demographic details identifying individuals in legal entity documents such as tax certificates, trade registry publications, authorization certificates, trade registry records, qualification documents, signature endorsements, and operational certificates, as well as tax liability status information.

• Private Pension Records: Covering unique identifiers, particulars of private pension contracts, credit card details, account numbers, IBANs, transaction instructions, and financial activities associated with private pension products and services provided by our Company.

• Educational, Occupational, and Professional Information: Encompasses occupation, job title, employment history, educational background, and curriculum vitae details.

• Legal Documentation: Comprises data exchanged in correspondence with judicial authorities, details contained within case files, information related to alternative dispute resolution mechanisms, records maintained under the auspices of the Insurance Arbitration Commission (IAC), and data present in letters from various administrative and judicial bodies concerning legal disputes involving our Company.

• Surveillance and Access Records: Pertains to entry and exit logs and surveillance footage capturing employees' and visitors' movements, aimed at ensuring physical security within company premises.

• Sensitive Personal Data Categories: Includes medical documents, examination findings, disability-related information, blood type, details regarding medical devices and prosthetics usage, membership in associations and foundations, criminal convictions, and security measures.

2.2- Personal Data Collected by Us within the Scope of Insurance Products

Personal data, varying according to the type, nature and past of the relations between our Company and the related person and depending on the method of acquisition of data and the following purposes, to be collected in the course of relations to be established by us with you in tandem with the insurance products and services you are going to receive from our Company in accordance with the insurance legislation and other relevant legislation, and to be processed in compliance with the principles set down in the Law and in our Company’s personal data processing and protection policy, are generally as listed below, without however being limited thereto:

• Personal Identification Data: Name, surname, maternal and paternal names, Turkish ID number, identity card serial number, passport number, place and date of birth, gender, marital status, spouse/child details, citizenship status, nationality, and registration particulars.

• Visual Media: Photograph

• Contact Details: Comprising addresses, email addresses, registered email addresses, mobile phone numbers, landline numbers, fax numbers, alongside communication records encompassing telephone conversations, video calls, email exchanges, and other audio-visual data.

• Transaction Security Information: Consisting of customer details, IP addresses, login and logout passwords for internet banking channels, security applications utilized in said channels, and location data processed to fulfil legal obligations.

• Marketing Data: Encompasses shopping history, survey responses, cookie records, and data acquired through promotional campaigns, subject to the consent of customers, potential customers, and other relevant individuals.

• Business-related Data: Includes demographic details identifying individuals in legal entity documents such as tax certificates, trade registry publications, authorization certificates, trade registry records, qualification documents, signature endorsements, and operational certificates, as well as tax liability status information.

• Insurance Records: Covering unique identifiers, particulars of insurance contracts, credit card details, account numbers, IBANs, transaction instructions, and financial activities associated with insurance products and services provided by our Company.

• Educational, Occupational, and Professional Information: Encompasses occupation, job title, employment history, educational background, and curriculum vitae details.

• Legal Documentation: Comprises data exchanged in correspondence with judicial authorities, details contained within case files, information related to alternative dispute resolution mechanisms, records maintained under the auspices of the Insurance Arbitration Commission (IAC), and data present in letters from various administrative and judicial bodies concerning legal disputes involving our Company.

• Surveillance and Access Records: Pertains to entry and exit logs and surveillance footage capturing employees' and visitors' movements, aimed at ensuring physical security within company premises.

• Sensitive Personal Data Categories: Includes medical documents, examination findings, disability-related information, blood type, details regarding medical devices and prosthetics usage, membership in associations and foundations, criminal convictions, and security measures.

3- PERSONAL DATA COLLECTION METHOD

3.1- Personal Data Collection Method within the Scope of Private Pension Contract

The collection of your personal data occurs in the context of the products and services provided by our Company under the purview of the Private Pension Savings and Investment System Law No. 4632 and other pertinent statutes. Your personal data might be acquired through in-person encounters, via the call centre, website interactions, email correspondence, SMS messages, digital messaging platforms, and social media channels, as well as through completed forms on the website and collaborations with other institutions and organizations. Your personal data may be gathered through fully or partially automated or manual processes as an integral component of any data recording system, encompassing verbal, written, or electronic mediums, across various organizational units including the head office, regional directorates, agencies, and all related channels (ATMs, kiosks, internet branches, call centres, SMS, etc.), as well as through brokers, private pension and insurance intermediaries, the Customer Communication Centre, and all digital platforms such as the Company's mobile and internet branches and system integrations shared by public institutions and organisations (such as Identity Sharing System). Additionally, data transfer from other private pension companies may also be involved in the context of private pension contracts.

Your personal data may be obtained by the following methods:

• Non-automated acquisition of your personal data may occur through in-person service channels (including headquarters and regional offices, direct sales teams, support service/external service organizations, agencies, and all affiliated channels, brokers, business partners, reinsurers, and other private pension companies).

• Non-automated acquisition of your personal data may also take place through remote service channels (utilizing communication tools such as mobile and internet branches, call centers, websites, email, digital messaging platforms, social media channels, and SMS).

• Furthermore, non-automated collection of your personal data may transpire through entities such as the Insurance Information and Surveillance Centre (SBGM), Pension Surveillance Centre (EGM), Social Security Institution, and databases operated by public institutions (including the Central Population Administration System (MERNİS), Identity Sharing System (KPS), and Address-Based Population Registration System (ADKNS)).

3.2- Personal Data Collection Method within the Scope of Insurance Products

The collection of your personal data occurs in the context of the products and services provided by our Company under the purview of the Insurance Law No. 5684 and other pertinent statutes. Your personal data might be acquired through in-person encounters, via the call centre, website interactions, email correspondence, SMS messages, digital messaging platforms, and social media channels, as well as through completed forms on the website and collaborations with other institutions and organizations. Your personal data may be gathered through fully or partially automated or manual processes as an integral component of any data recording system, encompassing verbal, written, or electronic mediums, across various organizational units including the head office, regional directorates, agencies, and all related channels (ATMs, kiosks, internet branches, call centres, SMS, etc.), as well as through brokers, private pension and insurance intermediaries, the Customer Communication Centre, and all digital platforms such as the Company's mobile and internet branches and system integrations shared by public institutions and organisations (such as Identity Sharing System).

Your personal data may be obtained by the following methods:

• Non-automated acquisition of your personal data may occur through in-person service channels (including headquarters and regional offices, direct sales teams, support service/external service organizations, agencies, and all affiliated channels, brokers, business partners, reinsurers, and other private pension companies).

• Non-automated acquisition of your personal data may also take place through remote service channels (utilizing communication tools such as mobile and internet branches, call centers, websites, email, digital messaging platforms, social media channels, and SMS).

• Furthermore, non-automated collection of your personal data may transpire through entities such as the Insurance Information and Surveillance Centre (SBGM), Pension Surveillance Centre (EGM), Social Security Institution, and databases operated by public institutions (including the Central Population Administration System (MERNİS), Identity Sharing System (KPS), and Address-Based Population Registration System (ADKNS)).

4- PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA

4.1- Purposes and Legal Grounds for Processing Personal Data within the Scope of Private Pension Contract

The personal data acquired by our company during the provision of private pension contract products and associated services are primarily processed for the following purposes and legal justifications, primarily aimed at delivering safe, efficient, and high-quality service to you:

Our Processing Purposes | Legal Grounds
To record the identity, address and other necessary information in order to identify the customer, to carry out identification and confirmation procedures, to identify the information of our customers in the transactions to be carried out, to receive information from local postal services, national address database (Central Population Administration System "MERNİS") and similar institutions for address verification and updating.
  • Compulsory to meet the legal requirement
  • Specifically stated in the law
  • Data processing is imperative for the establishment, exercise, or defense of a legal claim
  • The presence of explicit approval
To create proposals and contracts for private pension products, to make the requested changes, to communicate with the customers on issues related to the terms of the contract and the current status of the contract during the establishment and continuation of the private pension contract, to inform them about the changes in the contract or legislation, to ensure the printing and sending of the necessary documents, to follow up the payment transactions, to prevent abuses, if any, to carry out additional benefit services, to follow up provision processes, to fulfil obligations related to products and services, to complete payment and fund and portfolio management transactions, to collect contributions, to complete internet and mobile branch transactions, to carry out reinsurance processes, to transfer the private pension contract to another pension company upon the request of customers.
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Compulsory to meet the legal requirement
  • Specifically stated in the law
  • The presence of explicit approval
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To fulfil the obligations arising from the Private Pension Savings and Investment System Law No. 4632 and other legislation.
  • Specifically stated in the law
  • Compulsory to meet the legal requirement
In accordance with Law No. 5549 on Prevention of Laundering Proceeds of Crime, Law No. 6415 on Prevention of Financing of Terrorism and the relevant legislation issued based on these laws, to determine the identity information of our real person customers, to report suspicious transactions and to fulfil our obligations arising from the legislation.
  • Compulsory to meet the legal requirement
To offer private pension products and services within the scope of the Private Pension Savings and Investment System Law, Banking Law, Turkish Commercial Code, Turkish Civil Code, Capital Markets Law and other legislation, to fulfil the related transactions, requirements, notifications and information obligation, risk monitoring, internal systems obligations and other obligations arising from the legislation, to carry out operational processes related to products and services, to record communication.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Specifically stated in the law
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To plan and implement special product, service and offer activities for our customers, to send commercial electronic and written messages to customers, to make product, service and working model offers, to use in profiling, segmentation, internal target creation, scoring, risk analysis, customer relationship management, internal performance monitoring and analysis studies, to carry out statistical studies, service quality studies, advertising, promotion, campaign and marketing activities, survey studies, communication activities, designing the Company's service delivery models, conducting market research, evaluating complaints, requests and suggestions, taking actions and improving processes, and carrying out activities for customer satisfaction.
  • Presence of explicit approval
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To keep, report and inform the information and documents requested by judicial and administrative institutions such as the Ministry of Treasury and Finance, Insurance and Private Pension Regulatory and Supervisory Authority (SEDDK), Insurance Information and Surveillance Centre (SBM), Financial Crimes Investigation Board (MASAK), Pension Surveillance Centre (EGM), Capital Markets Board (SPK), Banking Regulation and Supervision Agency (BDDK), Credit Bureau (KKB), Insurance Arbitration Commission (STK), Central Bank of the Republic of Turkey (TCMB), Association of Insurance, Reinsurance and Pension Companies of Turkey (TSB)
  • Specifically stated in the law
  • Compulsory to meet the legal requirement
To organise all necessary records and documents, including the processing of location information, in order to complete transactions on paper and verbal media and in digital and electronic media.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
To conduct business and relations with the Company's shareholders, domestic and foreign group companies, business/programme partners.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
To carry out the analysis, development and information security processes of the company systems, to carry out data analysis studies, to establish, manage and implement information systems infrastructures, to carry out information/document storage, reporting, audit studies, finance and accounting transactions within the Company.
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To manage relationships with support service providers, business/programme partners or suppliers.
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To improve the reputation and business relations of the company and to determine its strategies, to plan and execute business activities and operational processes, to carry out corporate communication activities.
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To carry out litigation and execution proceedings to which the Company is a party and to follow other legal processes.
  • Compulsory to meet the legal requirement
  • Specifically stated in the law
To ensure legal and physical security, to record camera footage in the headquarters and regional directorate buildings and to carry out communication activities within the scope of the obligations arising from the law and as a basis for the transaction carried out within the scope of the service provided with security.
  • Specifically stated in the law
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To establish transaction security in the use of digital channels, to protect customers, the Company and the system against fraud, forgery and attacks that customers may be exposed to in any physical or electronic environment, to keep logs in case of internet access, to create and monitor visitor records separately for the website and physical location.
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To plan, supervise and implement corporate sustainability, corporate governance, strategic planning and information security processes.
  • Specifically stated in the law
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To perform legal and commercial obligations within the framework of the contracts concluded or activities carried out with third real or legal persons in business relations, to perform obligations arising from contracts concluded with business partners/programme partners/customers/suppliers, to establish rights, to protect rights, to carry out commercial and legal evaluation processes, to carry out legal and commercial risk analyses, to carry out legal compliance process, financial affairs, to manage relations with business partners/programme partners or suppliers, to plan and execute business activities, to create records with the form of money not sought by the right holders.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To set up business processes and activities, to plan and execute operational processes and purchasing operations.
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject

4.2- Purposes and Legal Grounds for Processing Personal Data within the Scope of Insurance Products

The personal data acquired by our company during the provision of insurance products and associated services are primarily processed for the following purposes and legal justifications, primarily aimed at delivering safe, efficient, and high-quality service to you:

Our Processing Purposes | Legal Grounds
To record the identity, address and other necessary information in order to identify the customer, to carry out identification and confirmation procedures, to identify the information of our customers in the transactions to be carried out, to receive information from local postal services, national address database (Central Population Administration System "MERNİS") and similar institutions for address verification and updating.
  • Compulsory to meet the legal requirement
  • Specifically stated in the law
  • Data processing is imperative for the establishment, exercise, or defense of a legal claim
  • The presence of explicit approval
To create proposals and contracts for insurance products, to carry out policy approval, rejection, cancellation and renewal procedures, to evaluate applications for insurance products, to make the requested changes, to communicate with customers on issues related to the terms of the contract and the current status of the contract during the establishment and continuation of the insurance contract, to inform about changes in the contract or legislation, to ensure the printing and sending of the necessary documents, to determine the guarantees and additional guarantees in insurance products, to carry out risk assessment, to finalise claims applications, to make indemnity payments, to follow up payment transactions, to prevent abuses, to offer special premium and payment options, to calculate premiums, if any, to carry out additional benefit services, to follow up provision processes, to fulfil obligations related to products and services, to complete payment transactions, to collect premiums, to refund premiums, to complete internet and mobile branch transactions, to carry out reinsurance and coinsurance processes.
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Compulsory to meet the legal requirement
  • Specifically stated in the law
  • The presence of explicit approval
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To offer life and supplementary health insurance products and services within the scope of the Insurance Law, Banking Law, Turkish Commercial Code, Turkish Civil Code, Capital Markets Law and other legislation, to fulfil the related transactions, requirements, notifications, information obligation, risk monitoring, internal systems obligations and other obligations arising from the legislation, to carry out operational processes related to products and services, to record communication.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • Specifically stated in the law
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To plan and implement special product, service and offer activities for our customers, to send commercial electronic and written messages to customers, to make product, service and working model offers, to use in profiling, segmentation, internal target creation, scoring, risk analysis, customer relationship management, internal performance monitoring and analysis studies, to carry out statistical studies, service quality studies, advertising, promotion, campaign and marketing activities, survey studies, communication activities, designing the Company's service delivery models, conducting market research, evaluating complaints, requests and suggestions, taking actions and improving processes, and carrying out activities for customer satisfaction.
  • Presence of explicit approval
  • Data processing is necessary for the legitimate interests of the Company, ensuring it does not infringe upon the fundamental rights and freedoms of the data subject
To keep, report and inform the information and documents requested by judicial and administrative institutions such as the Ministry of Treasury and Finance, Insurance and Private Pension Regulatory and Supervisory Authority (SEDDK), Insurance Information and Surveillance Centre (SBM), Financial Crimes Investigation Board (MASAK), Pension Surveillance Centre (EGM), Capital Markets Board (SPK), Banking Regulation and Supervision Agency (BDDK), Credit Bureau (KKB), Insurance Arbitration Commission (STK), Central Bank of the Republic of Turkey (TCMB), Association of Insurance, Reinsurance and Pension Companies of Turkey (TSB)
  • Specifically stated in the law
  • Compulsory to meet the legal requirement
To organise all necessary records and documents, including the processing of location information, in order to complete transactions on paper and verbal media and in digital and electronic media.
  • Compulsory to meet the legal requirement
  • Processing personal data of the contract parties is necessary if directly pertinent to the conclusion or execution of a contract
To conduct business and relations with the Company's shareholders, domestic and foreign group companies, business/programme partners.
  • Compulsory to meet the legal requirement
  • Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
In accordance with Law No. 5549 on Prevention of Laundering Proceeds of Crime, Law No. 6415 on Prevention of Financing of Terrorism and the relevant legislation issued based on these laws, to determine the identity information of our real person customers, to report suspicious transactions and to fulfil our obligations arising from the legislation.
  • Compulsory to meet the legal requirement
To carry out the analysis, development and information security processes of the company systems, to carry out data analysis studies, to establish, manage and implement information systems infrastructures, to carry out information/document storage, reporting, audit studies, finance and accounting transactions within the Company.
  • Compulsory to meet the legal requirement
  • Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To manage relationships with support service providers, business/programme partners or suppliers.
  • -Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To improve the reputation and business relations of the company and to determine its strategies, to plan and execute business activities and operational processes, to carry out corporate communication activities.
  • -Compulsory to meet the legal requirement 
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To carry out litigation and execution proceedings to which the Company is a party and to follow other legal processes.
  • -Compulsory to meet the legal requirement
  • -Specifically stated in the law
To ensure legal and physical security, to record camera footage in the headquarters and regional directorate buildings and to carry out communication activities within the scope of the obligations arising from the law and as a basis for the transaction carried out within the scope of the service provided with security.
  • -Specifically stated in the law 
  • -Compulsory to meet the legal requirement 
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To establish transaction security in the use of digital channels, to protect customers, the Company and the system against fraud, forgery and attacks that customers may be exposed to in any physical or electronic environment, to keep logs in case of internet access, to create and monitor visitor records separately for the website and physical location.
  • -Compulsory to meet the legal requirement 
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To plan, supervise and implement corporate sustainability, corporate governance, strategic planning and information security processes.
  • -Specifically stated in the law
  • -Compulsory to meet the legal requirement
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To perform legal and commercial obligations within the framework of the contracts concluded or activities carried out with third real or legal persons in business relations, to perform obligations arising from contracts concluded with business partners/programme partners/customers/suppliers, to establish rights, to protect rights, to carry out commercial and legal evaluation processes, to carry out legal and commercial risk analyses, to carry out legal compliance process, financial affairs, to manage relations with business partners/programme partners or suppliers, to plan and execute business activities, to create records with the form of money not sought by the right holders.
  • -Compulsory to meet the legal requirement 
  • -Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract 
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject
To set up business processes and activities, to plan and execute operational processes and purchasing operations.
  • -Processing personal data of contractual parties is essential when directly linked to the conclusion or execution of a contract 
  • -Data processing is necessary for the legitimate interests of the Company, provided it does not infringe upon the fundamental rights and freedoms of the data subject

Your personal data are collected and acquired in all types of verbal, written, visual and electronic media for the purposes tabulated hereinabove and for provision of the private pension, insurance (including life insurance and/or supplementary health insurance) products and services within the legal framework specified herein and for full, complete and smooth performance by the Company of all of its legal and contractual obligations. Legal reasons underlying the collection of your personal data are Personal Data Protection Law (PDPL) and other applicable laws and regulations appertaining thereto. Your personal data are processed by our Company by automatic and non-automatic methods and ways in case of receipt of your explicit consent pursuant to article 5/1 of the PDPL or alternatively in reliance upon certain legal motives pursuant to and under article 5/2 of the PDPL.

Your sensitive personal data may be processed in compliance with the PDPL and its associated subsidiary regulations.

5- TRANSFER OF PERSONAL DATA

Where required by the applicable laws and regulations or where permitted by you, your personal data may be shared with third party persons or entities for the purposes and motives set forth in this Clarification Text by taking all kinds of technical and administrative actions and measures required for establishment of an appropriate level of security pursuant to PDPL and other applicable laws and regulations. These persons or entities may vary depending on the probable changes in pertinent laws, but are nevertheless the following parties in general.

Your personal data are transferred to the following parties for the following purposes and legal reasons:

5.1- Transfer of Personal Data within the Scope of Private Pension Contract

| Persons/Organisations to whom Information is Transferred | Transfer Objectives |
| --- | --- |
| The public institutions and organisations legally authorised to receive information (such as the Ministry of Treasury and Finance, SEDDK, SBM, MASAK, EGM, BDDK, KKB, SPK, TCMB), judicial authorities, Insurance Arbitration Commission, consumer arbitration committees, mediators, contracted lawyers of the Company, independent audit companies. | Legal reasons such as legal reporting, conducting inspection, regulation, audit and surveillance activities, complaints and legal proceedings |
| Persons, organisations, institutions deemed as financial institutions as permitted by the Law on Private Pension Savings and Investment System, Banking Law, Turkish Commercial Code and other legislation. | Carrying out private pension activities and fulfilling legal obligations |
| The Company's shareholders, domestic and foreign group companies (e.g. T. Garanti Bankası A.Ş., Garanti Konut Finansmanı Danışmanlık Hizmetleri A.Ş., Garanti Faktoring A.Ş., Garanti Finansal Kiralama A.Ş., Garanti Ödeme Sistemleri A.Ş., Garanti Bilişim Teknolojisi ve Ticaret A.Ş., Garanti Yatırım Menkul Kıymetler A.Ş. and Garanti Portföy Yönetimi A.Ş.) | Carrying out private pension activities and sharing information within the group in accordance with the relevant legislation |
| Institutions that are the Company's intermediaries or agents and brokers, reinsurance institutions, support service institutions, programme partner institutions from which the Company receives services or cooperates with in order to carry out its activities, persons and institutions from which the Company receives services and/or consultancy, business partners, service providers, insurance, reinsurance and private pension companies. | Carrying out the activities with the parties from which support is received for the execution of private pension activities and with our business partnerships |

5.2- Transfer of Personal Data within the Scope of Insurance Products

| Persons/Organisations to whom Information is Transferred | Transfer Objectives |
| --- | --- |
| The public institutions and organisations legally authorised to receive information (such as the Ministry of Treasury and Finance, SEDDK, SBM, MASAK, EGM, BDDK, KKB, SPK, TCMB), judicial authorities, Insurance Arbitration Commission, consumer arbitration committees, mediators, contracted lawyers of the Company, independent audit companies. | Legal reasons such as legal reporting, conducting inspection, regulation, audit and surveillance activities, complaints and legal proceedings |
| Persons and entities permitted by the Insurance Law, Banking Law, Turkish Commercial Code and other legislation, institutions deemed to be financial institutions, health institutions and organisations affiliated to the Ministry of Health, expert institutions evaluating compensation processes, persons and institutions providing expert opinion on the health status of the insured candidate, insurance companies and other third parties. | Carrying out insurance activities and fulfilling legal obligations |
| The Company's shareholders, domestic and foreign group companies (e.g. T. Garanti Bankası A.Ş., Garanti Konut Finansmanı Danışmanlık Hizmetleri A.Ş., Garanti Faktoring A.Ş., Garanti Finansal Kiralama A.Ş., Garanti Ödeme Sistemleri A.Ş., Garanti Bilişim Teknolojisi ve Ticaret A.Ş., Garanti Yatırım Menkul Kıymetler A.Ş. and Garanti Portföy Yönetimi A.Ş.) | Carrying out insurance services and sharing information within the group in accordance with the relevant legislation |
| Institutions that are the Company's intermediaries or agents and brokers, reinsurance institutions, support service institutions, programme partner institutions (Bupa Acıbadem Sigorta A.Ş., Eureko Sigorta A.Ş., Sencard Direkt Satış Sigorta Aracılığı A.Ş., Sigortaladım Sigorta ve Reasürans Brokerliği A.Ş.) from which the Company receives services or cooperates with in order to carry out its activities, persons and institutions from which the Company receives services and/or consultancy, business partners, service providers, insurance, reinsurance and private pension companies. | Carrying out the activities with the parties from which support is received for the execution of insurance services and with our business partnerships |

6- YOUR RIGHTS REGARDING THE PROTECTION OF PERSONAL DATA

Whenever you like, you may apply to our Company, and:

1-  May ask whether your personal data are processed or not, and if so, for which purposes, and whether your personal data are used for the intended purposes or not, and if processed, may request detailed information thereabout; and

2-  May learn the identity of third parties with whom your personal data are shared within Turkey or abroad in accordance with the laws; and

3-  If you think your personal data are processed incompletely or inaccurately, may request completion or correction of them, as the case may be; and

4-  May request deletion or destruction of your personal data within the frame of conditions stipulated in article 7 of the Law; and

5-  May request the transmission of your requests stated in subparagraphs 3 and 4 hereinabove to third parties to whom your personal data are transferred, so that such third parties also take the same actions in connection therewith; and

6-  May raise an opposition against any consequences in your disfavour due to analysis of your personal data by automatic systems, or if you think that your personal data are recorded or used unlawfully, and if you have actually incurred damages due to that reason, may claim indemnification of your damages.

If and when you use any one of your rights to learn whether your personal data are processed or not, and if your personal data are processed, to request information thereabout, and to access and request your personal data, and to learn the purpose of processing of your personal data and whether your personal data are used for the intended purposes or not, and to learn the identity of third parties to whom your personal data are transferred in Turkey or abroad, then and in this case, the information requested by you will be given to you in writing via electronic media or by using the communication data designated by you.

7- DATA SECURITY AND RIGHT OF APPLICATION

Your personal data are carefully protected within the reach of available technical and administrative means, and the required security actions and measures are taken at a level appropriate for the probable risks by also considering the technological opportunities.

You may transmit your requests under the PDPL:

- By delivering the same in writing and by hand to our Head Offices, Regional Offices, or

- By sending via a notary public,

- By delivering the same with secure electronic or mobile signature to our Registered Electronic Mail Address of garantiemeklilik.musterihizmetleri@hs02.kep.tr, by using your registered electronic mail address or your e-mail address registered in our systems.

If any application filed by you for the aforementioned purposes requires an additional cost, you may need to pay a fee as specified in the tariff to be designated by the Personal Data Protection Board. Your requests in your application will be responded to as soon as possible and in any case no later than 30 (thirty) days, depending on the kind of your request.

In case of any change in the personal data inventory, our Company will promptly revise this information text.