Protection of Personal Data

HUNKO MOTORLU ARAÇLAR SAN. VE TİC. LTD. ŞTİ.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION

1.1. Purpose and Scope of the Policy

The Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on 7 April 2016. This Hunko Motorlu Araçlar San. ve Tic. Ltd. Şti. Personal Data Protection and Processing Policy (“Policy”) aims to ensure the compliance of Hunko Motorlu Araçlar San. ve Tic. Ltd. Şti., located at Doğuşkent Mah. Doğuşkent Cd. No:3 D:3, 34852 Maltepe/Istanbul (“WindyCar” or the “Company”), with the Law and to set out the principles to be followed in fulfilling the Company’s obligations regarding the protection and processing of personal data.

This Policy determines the conditions for processing personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all data subjects whose personal data are processed by the Company, and all personal data processed by the Company.

Matters regarding the processing of personal data of Company employees are not within the scope of this Policy and are regulated separately under the Hunko Motorlu Araçlar San. ve Tic. Ltd. Şti. Employee Personal Data Protection and Processing Policy.

Definitions of the terms used in the Policy are provided in Annex-1.

1.2. Entry into Force and Amendments

This Policy has been published on the Company’s website and presented to the public. In the event of any conflict between the provisions of applicable legislation—primarily the Law—and the provisions of this Policy, the provisions of the legislation shall prevail.

The Company reserves the right to amend this Policy in line with legal regulations. The current version of the Policy is accessible on the Company website at: https://www.windycar.com.tr/kisisel-verilerin-korunmasi


2. DATA SUBJECTS, PURPOSES OF PROCESSING AND DATA CATEGORIES REGARDING PERSONAL DATA PROCESSING ACTIVITIES

2.1. Data Subjects

Data subjects within the scope of this Policy are all natural persons whose personal data are processed by the Company, excluding Company employees. In general, the data subject categories are as follows:

DATA SUBJECT CATEGORY | DESCRIPTION
Customer | Natural persons who benefit from the products and services offered by the Company.
Potential Customer | Natural persons who show interest in using the products and services offered by the Company and have the potential to become customers.
Visitor | Natural persons who visit the Company, its stores/premises, campuses, and website.
Job Applicant | Natural persons who apply for a job by sending a CV to the Company or through other methods.
Third Parties | Natural persons other than the data subject categories listed above and Company employees.

The data subject categories are provided for general information purposes. The fact that a data subject does not fall within any of these categories does not eliminate their status as a data subject as defined under the Law.


3. PRINCIPLES AND CONDITIONS FOR PROCESSING PERSONAL DATA

3.1. Principles for Processing Personal Data

The Company processes your personal data in accordance with the principles set out in Article 4 of the Law. Compliance with these principles is mandatory for each personal data processing activity, including but not limited to:

  • Processing in compliance with the law and the principles of good faith;

  • Ensuring that personal data are accurate and kept up to date where necessary;

  • Processing for specific, explicit, and legitimate purposes;

  • Processing in a manner that is relevant, limited, and proportionate to the purposes;

  • Retaining personal data for the period required by the relevant legislation or for the purposes for which they are processed, and deleting, destroying, or anonymizing them upon expiry of such period or upon elimination of the reasons requiring processing.

3.2. Conditions for Processing Personal Data

Your personal data are processed by the Company where at least one of the processing conditions listed in Article 5 of the Law is present, such as:

  • Explicit consent of the data subject (where other legal bases do not apply);

  • Explicitly stipulated by laws;

  • Necessity to protect the life or physical integrity of a person who is unable to express consent due to factual impossibility;

  • Necessity for the establishment or performance of a contract;

  • Necessity for the Company to comply with its legal obligations;

  • Data made public by the data subject, limited to the purpose of disclosure;

  • Necessity for the establishment, exercise, or protection of a right;

  • Necessity for the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject are not harmed.

3.3. Conditions for Processing Special Categories of Personal Data

Special categories of personal data are listed in Article 6 of the Law in a limited manner. These include data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

The Company may process special categories of personal data by taking adequate technical and administrative measures determined by the Personal Data Protection Board in the following cases:

  • Where the explicit consent of the data subject exists, provided that general principles under Section 3.1 are complied with and additional security measures are taken.

  • Where the processing of personal data is explicitly stipulated by law.

  • Where the data subject has made such data public, limited to the purpose of disclosure.

  • Where processing is necessary to protect the life or physical integrity of a person who cannot express consent.

  • Where processing is necessary for the establishment, exercise or protection of a legal right.

  • Where it is necessary for public health purposes by persons under confidentiality obligations or authorized institutions.

  • Where it is necessary to fulfill legal obligations in employment, occupational health and safety, social security or social services.

  • Where processing is carried out by non-profit organizations for their members in line with their legal purposes and limited to their activities.


4. TRANSFER OF PERSONAL DATA

The Company may transfer personal data domestically or abroad in accordance with Articles 8 and 9 of the Law and additional regulations determined by the Personal Data Protection Board.

Domestic Transfer

Personal data may be transferred to third parties within Türkiye if at least one of the processing conditions specified in Articles 5 and 6 of the Law exists and provided that general principles are complied with.

International Transfer

Personal data may be transferred abroad in line with Article 9 of the Law, provided that adequate technical and administrative measures are taken, including:

  • Transfer based on an adequacy decision issued by the Board

  • Transfer with appropriate safeguards such as standard contractual clauses, binding corporate rules, written undertakings, or international agreements

  • Transfer based on exceptional cases such as explicit consent, contractual necessity, protection of a right, public interest, or protection of life or physical integrity

The Company may share personal data with the following parties in line with the Law:

  • Business Partners

  • Suppliers

  • Affiliates

  • Authorized Public Institutions

  • Authorized Private Institutions

Transfers are limited to the purposes required by business operations and legal obligations.


5. INFORMATION OF DATA SUBJECTS AND THEIR RIGHTS

According to Article 10 of the Law, data subjects must be informed before or at the time personal data are processed.

In this context, the Company has established internal procedures to ensure transparency and information.

Data subjects have the following rights under Article 11 of the Law:

  • To learn whether their personal data are processed

  • To request information if processed

  • To learn the purpose of processing

  • To know third parties to whom data are transferred

  • To request correction of incomplete or incorrect data

  • To request deletion or destruction of data

  • To object to automated decisions

  • To request compensation for damages

Applications can be sent to [email protected]. Requests are concluded within 30 days unless additional cost is required.


6. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Although personal data are processed in accordance with the Law, if the reasons requiring processing disappear, the Company deletes, destroys, or anonymizes personal data ex officio or upon request, in accordance with the guidelines issued by the Authority.


7. LIMITATIONS REGARDING THE SCOPE AND IMPLEMENTATION OF THE LAW

According to Article 28 of the Law, certain cases are outside its scope, including:

  • Personal data processed for purely personal or household activities

  • Data processed for statistical purposes after anonymization

  • Data processed for artistic, historical, literary or scientific purposes

  • Data processed by authorized public institutions for national security or public safety

  • Data processed during judicial proceedings

Certain provisions regarding informing data subjects and their rights may not apply in cases such as crime prevention or public economic interests.


8. TECHNICAL AND ADMINISTRATIVE MEASURES FOR DATA SECURITY

The Company takes all necessary technical and administrative measures under Article 12 of the Law to ensure data security.

8.1 Administrative Measures

  • Employee training on data protection

  • Confidentiality clauses in supplier agreements

  • Internal audits of data processing activities

  • Implementation of internal policies

8.2 Technical Measures

  • Updated security systems and software

  • Access control systems

  • Regular security audits

  • Data access limited to authorized personnel

8.3 Audit Activities

Security measures are regularly audited and reported internally.

8.4 Measures in Case of Data Breach

If personal data are unlawfully obtained, the Company notifies the Personal Data Protection Board and relevant data subjects without delay.


9. DEFINITIONS

  • Explicit Consent: Consent given freely, informed, and specific.

  • Anonymization: Making personal data impossible to link to an identifiable person.

  • Employee: Natural person employed by the Company.

  • Personal Data: Any information relating to an identified or identifiable person.

  • Data Subject: Natural person whose personal data are processed.

  • Data Controller: The person/entity determining purposes and means of processing.

  • Data Processor: Person/entity processing data on behalf of controller.

  • Law: Law on Protection of Personal Data No. 6698.

  • Policy: Hunko Motorlu Araçlar Personal Data Protection Policy.
