KVKK and Privacy Protocol
APPENDIX-2 TO ORBİFO FRAMEWORK MEMBERSHIP AGREEMENT
PDPL AND PRIVACY PROTOCOL
The Parties have agreed on the implementation of the following provisions to the Agreement, effective as of the date of signature of this Protocol, in addition to the Framework Membership Agreement ("Main Agreement"):
Under this Protocol, ORBİFO CORPORATE SERVICES JOINT STOCK COMPANY ("Company") is the Data Controller, and the MEMBER holds the status of Data Processor for the Company.
PROTECTION OF PERSONAL DATA
-
Each Party is obligated to take utmost care and fulfill their legal obligations regarding the protection of Personal Data, which is safeguarded by the Turkish Constitution, the Turkish Commercial Code, the Personal Data Protection Law, the Law on the Regulation of Electronic Commerce, the Law on Intellectual and Artistic Works, the Turkish Penal Code, the Turkish Civil Code, and any primary and/or secondary legislation in force that is not specifically mentioned. This obligation also affects the employees of the Contracting Parties and all third parties they cooperate with, and each Party is required to take all necessary and legally and technically feasible measures in this regard.
-
The Data Processor agrees, declares, and undertakes to take all necessary technical and administrative measures to ensure data security in order to prevent unlawful access by third parties to the personal data processed under the instructions of the Data Controller, to prevent its deletion, destruction, or anonymization, and to ensure its preservation, and to prevent the alteration, damage, or disclosure of personal data.
-
The Data Processor agrees, declares, and undertakes that the personal data obtained for processing under the contractual or commercial relationship with the Data Controller will be processed within the borders of the Republic of Turkey, and that, except for cases allowed by special provisions in other laws and the clear provisions of the agreement or agreements between the Parties, the personal data obtained will not be transferred to third parties within or outside the borders of the Republic of Turkey without the written consent of the Data Controller, and that data processing activities will not be transferred to a sub-data processor without the written consent of the Data Controller.
-
In cases where the Data Processor must share personal data obtained with legally authorized administrative and judicial authorities in accordance with lawful and legitimate requests, the Data Processor is obliged to immediately inform the Data Controller and provide all necessary support regarding all matters concerning the Data Controller.
-
The Data Processor agrees and declares that it will take all necessary measures to ensure the reliability of its personnel who have access to personal data obtained from the Data Controller, provide training on the processing of personal data to authorized personnel, increase their awareness, and not seek support from personnel who lack the necessary training and awareness in processing personal data.
-
The Data Processor agrees, declares, and undertakes that upon the termination of the contractual relationship between the Parties for any reason, it will immediately return the obtained personal data to the Data Controller or delete, destroy, or anonymize it according to the written instructions of the Data Controller.
-
If the Data Processor's breach of this Personal Data Protection Commitment causes any damage to the Data Controller, subjects the Data Controller to legal, administrative, or criminal sanctions, or requires compensation for any damages, the amounts in question will be recovered by recourse from the Data Processor, who will pay them in cash and immediately. The Data Controller, in addition to other legal rights, may request immediate remedial measures, apply for temporary injunctions, and/or pursue other appropriate legal remedies. The Data Processor agrees, declares, and undertakes to compensate for all direct damages suffered by the Data Controller due to a finalized court decision or an investigation decision by the Personal Data Protection Board.
-
The Data Processor and its employees undertake to treat as trade secrets and confidential information all (whether provided in written or electronic form) information, standards, applications, software, programs, training, documents, correspondence, and other related information learned from the Data Controller in connection with the performance of the Agreement and its annexes, including any information obtained from third parties through legal means, and not to use, disclose, or provide such information to third parties for any purpose other than the purposes of the Agreement and its annexes without the written consent of the Data Controller.
-
The Data Processor agrees and undertakes that if any of its representatives violate or act contrary to the terms of this Agreement, it will be responsible for any damages that the Data Controller and/or third parties may suffer under this Agreement and will take all reasonable measures to prevent the unauthorized and illegal disclosure or use of Confidential Information by these representatives.
Confidentiality
-
Within the scope of the confidentiality principle established between the Parties under the Agreement; any information and documents obtained by the Parties from each other directly or indirectly, in writing or orally, in visual, magnetic, or any other medium, and disclosed by one Party's employees, agents, or workers to the other Party's employees, agents, or workers under the Agreement, will be considered "Confidential Information." The following information is considered "Confidential Information":
a. All ideas, inventions, work, methods,
b. Patents, know-how, copyrights, trademarks, trade secrets,
c. Any innovations subject to legal protection or not,
d. All written or oral commercial, financial, technical information, legal written or oral information, subscription, and conversation information learned within the scope of the commercial relationship and business ventures that the Parties intend to establish and/or have established,
e. Any other projects aimed at progress,
f. All written and oral commercial information classified as confidential by each party,
g. Databases, computer programs and their documentation, encryption techniques, processes, advertising, packaging, and marketing plans, product plans, technical plans, business strategies, strategic alliances, and partner information, engineering data, personnel information, product designs, specifications, offers, data, graphs, formulas, processes, designs, plans, samples, reports, financial information, customer information, sales information, marketing information, production information, commercial information, definitions, computer programs, designs, analyses, passwords, techniques, concepts, systems, experimental studies developed or implemented by the person himself/herself,
h. Any information relating to an identifiable or unidentifiable natural person within the scope of the Personal Data Protection Law No. 6698 ("Personal Data").
In addition to these, any documents and other information containing, reflecting, or derived from the said information and prepared by the managers, personnel, representatives, financial or legal advisors of the Parties, including the information described above as "Confidential Information," and the protection obligations regarding such information disclosed by employees or agents are also included within this scope.
-
All rights related to the Confidential Information and its owner will remain solely with the Party that owns the Confidential Information. The Parties acknowledge that the Party owning the Confidential Information does not grant the other Party any right, license, or other authority concerning the said Confidential Information. The Parties recognize that the Confidential Information of the other party is valuable commercial information. The Parties agree not to make any representations or warranties regarding the accuracy, completeness, condition, suitability, usability, or performance of the Confidential Information, and that the other Party has no obligation to provide its trade secrets.
-
The following information is not considered Confidential Information under this Agreement:
a. Information previously obtained without any obligation of confidentiality,
b. Information that has become public,
c. Information required to be disclosed by applicable laws or regulations or a court order, administrative order,
d. Information permitted to be disclosed without any confidentiality obligation by the written consent of the Party disclosing its confidential information.
-
The Parties irrevocably agree, declare, and undertake that they will always keep confidential, store, and protect Confidential Information obtained from the other Party, even if the Agreement is terminated; they will not use it directly or indirectly for any purpose other than the purpose of the Agreement; they will not disclose or provide it to third parties without the written consent of the other Party; except for confidential information given exclusively to individuals, they will share it only in necessary cases and with employees, sub-employees, and those working on their behalf who need to know it and are authorized to do so, and in such cases, they will inform and warn their employees, sub-employees, and those working on their behalf about the confidentiality of the information; they will protect it with the same care as their Confidential Information.
-
The Parties agree, declare, and undertake:
a. To take all reasonable measures to protect Confidential Information, and these measures will be no less than the measures taken by the Party to protect its Confidential Information,
b. That, except for confidential information given exclusively to individuals, they will inform and warn their employees, sub-employees, and those working on their behalf about the confidentiality of the information before sharing it,
c. That their employees, sub-employees, and those working on their behalf will comply with confidentiality principles, and in case of any violation, they will be personally and directly responsible to the other Party, even if no damage is caused,
d. To indemnify all damages, including auxiliary damages, caused to the other Party due to the disclosure of Confidential Information,
e. That if they cause the disclosure of Confidential Information to third parties without written permission, they will immediately report this in writing to the other Party and take all necessary measures to prevent its spread,
f. That in cases where Confidential Information is partially disclosed to third parties or unauthorized personnel, the confidentiality obligation regarding the undisclosed part will continue, and this situation will not justify the disclosure of the remaining part.
GENERAL PROVISIONS
h. This Protocol will remain in effect during the term of the Main Agreement. Even if the Agreement ends, the responsibilities of the Parties arising from this Protocol will continue for 2 (two) years.
i. Disputes arising from this Protocol will be resolved by the Istanbul Anatolian Courts and Execution Offices.
j. This Protocol will enter into force on the date of signature of the Main Agreement.