BiTaksi - Your Taxi!

PERSONAL DATA PROCESSING AND PROTECTION POLICY

We have prepared this Personal Data Processing and Protection Policy (“Policy”) to explain how we process and protect your personal data as Bitaksi Mobil Teknoloji Anonim Şirketi (“BiTaksi” or “Company”).

As BiTaksi, we process personal data in accordance with the Personal Data Protection Law no. 6698 (“PDPL”) and secondary legislation on the protection of personal data and the decisions of the Personal Data Protection Board (“Board”) (collectively referred to as “PDP Legislation”). We act in accordance with the principles in the PDP Legislation in the processing of personal data and take all necessary measures to ensure the security of personal data.

You can contact us at kisiselveriler@bitaksi.com for further information about the processing of your personal data by BiTaksi and to direct your questions.

1. PURPOSE AND SCOPE OF THE POLICY
This Policy covers all personal data that BiTaksi processes as data controller, including personal data belonging to its users, employees, employee candidates, officials/representatives, natural person business partners/suppliers, employees of business partners/suppliers, website visitors and workplace visitors.

As BiTaksi, we act in accordance with the PDP Legislation and the principles and rules set out in this Policy in all personal data processing activities.

2. OUR RESPONSIBILITIES UNDER THE POLICY
As BiTaksi, we aim to comply with applicable laws, rules, regulations, and best practices in all personal data processing activities we carry out. For this reason, all employees of BiTaksi and other persons involved in the processing of personal data are obliged to comply with this Policy and the principles and rules determined by this Policy. Within this framework, we take the necessary measures to ensure that our employees and third parties who are data processors act in accordance with this Policy.

3. DEFINITIONS
We have set out below the terms and their definitions in the Policy:

Recipient: The category of natural or legal person to whom personal data is transferred by BiTaksi

Explicit Consent: Freely given and informed consent on a specific subject

Employee: BiTaksi employee

Electronic Recording Medium: Recording medium or mediums where personal data can be created, read, changed, and written with electronic devices

Non-electronic Recording Medium: All written, printed, visual and other recording medium or mediums that are not electronic mediums.

Service Provider: Natural or legal persons who provide services under a a contract with BiTaksi

Data subject: Natural persons whose personal data are processed

Destruction: Erasure, destruction or anonymization of personal data

Recording Medium: Any medium in which personal data processed by wholly or partially automatic means or by non-automatic means provided that it is a part of any data recording system

Personal Data: Any information relating to an identified or an identifiable natural person

Personal Data Retention Policy: The policy on which BiTaksi relies for determining the maximum period of time required for the purpose for which personal data are processed, and for erasure, destruction or anonymization

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by wholly or partially automatic means or by non-automatic means provided that it is part of any data recording system

Authority: Personal Data Protection Authority

Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Data Recording System: The recording system in which personal data is structured and processed according to certain criteria

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

For the definitions not included in this Policy, the definitions in the PDP Legislation apply.

4. OUR LEGAL OBLIGATIONS REGARDING THE PROCESSING OF PERSONAL DATA
As a data controller, we explain our legal obligations arising from PDP Legislation in this section of the Policy.

4.1. Obligation to Inform
As BiTaksi, in processes in which we obtain and process personal data, we fulfil our obligation to inform in accordance with Communique on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform, specific to the process and at the latest at the time of obtaining personal data. In this regard, we take utmost care to inform all data subjects on the following:

For what purpose the personal data of the data subject will be processed
Company information (trade name, address, contact methods), information on the identity of the Company representative(s), if any
To whom and for what purpose the personal data can be transferred
The method and legal reason for obtaining personal data
Rights of data subjects arising from the PDPL

4.2. Obligation to Ensure the Security of Personal Data
As BiTaksi, we take all necessary technical and organizational measures in our personal data processing activities in order to ensure the confidentiality and security of personal data and to prevent personal data from breached or accessed by unauthorized third parties. We have detailed the technical and administrative measures we have taken regarding these obligations in section 9 of this Policy. We act in accordance with the PDP Legislation regarding the deletion, destruction or anonymization of personal data; we have included our process regarding the destruction of personal data in section 8 of this Policy.

4.3. Obligation to Respond to Data Subject Requests
As BiTaksi, we carry out our process resolving all requests and applications of data subjects as soon as possible and respond to data subjects within the framework of the BiTaksi Data Subject Request Handling Procedure. In the event the data subjects send their requests by one of the methods described in the Article 10 of this Policy, we finalize the requests of the data subjects free of charge within 30 days at the latest, explaining the reasons for acceptance or rejection of the request, in accordance with the PDPL.

4.4. Obligation to Register to the Data Controllers Registry
We fulfil our obligation to register with the Data Controllers Registry in accordance with the Article 16 of the PDPL and the Regulation on the Data Controllers Registry. Within the scope of our data processing activities, we keep the registration up to date and provide details of our data processing activities to the public.

4.5. Obligation to Fulfil the Decisions of the Personal Data Protection Board
As BiTaksi, we give utmost importance to compliance with the decisions of the Board, which is an important and integral part of the PDP Legislation. We closely follow all decisions of the Board, especially the principal decisions, which are binding for all data controllers, published on the website of the Authority, and use all means to implement all technical and organizational measures stipulated by the Board for the protection of personal data.

5. PROCESSING OF PERSONAL DATA
5.1. Personal Data Processing Activities

We process the personal data of data subjects we collect within the scope of our operations based on the legal reasons explained in the continuation of this Policy. Examples of our data processing activities are given in the tables below.

5.2. Principles of Processing Personal Data
As BiTaksi, we comply with the following data processing principles when processing the personal data we obtain as data controller:

Compliance with law and good faith: All data processing activities are carried out transparently in accordance with the legislation and the principles of good faith.
Being accurate and up to date when necessary: Channels which ensure that personal data are accurate and up to date are always kept open, and effective request channels are provided to data subjects for the rectification of inaccuracies in their personal data.
Processing for specific, explicit, and legitimate purposes: The purposes for which personal data will be processed are determined in accordance with the legislation and the ordinary course of life, and these purposes are notified to data subjects in a transparent and clear manner.
Being relevant, limited and proportionate to the purposes of processing: Personal data that are not related to or not needed for the purpose of processing personal data are not processed, and personal data processing activities are not carried out to meet indefinite needs. If the necessity arises to use obtained personal data for other purposes, a new data processing activity comes to the agenda; the activity in question is carried out within the scope of the legal grounds stipulated in the PDPL as a completely new processing activity.
Retention of personal data for the period stipulated in the relevant legislation or required for the purpose for which personal data are processed: If there is a period stipulated in the legislation for the storage of personal data, this period is complied with. If no such period is stipulated in the legislation, personal data are only stored for the period required for the purposes for the processing.

5.3. Processing of Personal Data
As BiTaksi, we process the personal data we obtain as data controller only when there is one of the legal grounds stipulated in the Article 5/2 of the PDPL. In case of the absence of these legal grounds, we apply for the consent of data subjects in accordance with the Article 5/1 of the PDPL. The legal grounds we rely on when processing personal data are explained below:

Processing of personal data is governed under the law
Processing of personal data is necessary for the protection of life or physical integrity of a person who is unable to explain their consent due to a physical disability, or whose consent is deemed legally invalid.
Processing of personal data is necessary for the performance of a contract between BiTaksi and data subjects
Processing personal data is necessary for fulfilling BiTaksi legal obligations.
Personal data has been made public by the data subject himself/herself
Processing of personal data for the establishment, exercise or protection of a right
Processing of personal data is necessary for our legitimate interests

While determining whether a data processing activity is necessary for the legitimate interests of BiTaksi, we make an assessment based on the criteria specified in the Board's Decision dated 25/03/2019 and numbered 2019/78; while making this assessment, we carry out a balance test by comparing the fundamental rights and freedoms of the data subject with the legitimate interest that will arise.

In cases where at least one of the above-mentioned legal grounds for the processing of personal data does not exist, we act in accordance with the explicit consent of the data subject for the processing of personal data.

Explicit consent is defined in the PDPL as "consent regarding a specific subject, based on information and expressed with free will". As BiTaksi, we take into consideration the following three elements when asking for the explicit consent of data subjects:

Being related to a specific subject: The explicit consent of the data subjects is asked for the specific data processing activity/activities and it is ensured that the consent texts are clear and understandable.
Being based on information: Consent texts and notices are presented together/on the same channel, and it is ensured that the data subject understands the consequences of the data processing activity. In this context, firstly, the data subjects are provided with notice, then they are asked whether they have explicit consent or not.
Being expressed with free will: When asking for the explicit consent of data suıbjects, misleading statements that may impair their will are avoided, and alternatives/right of refusal are given to data subjects who do not wish to give their explicit consent.

5.4. Processing of Special Categories of Personal Data
As BiTaksi, we process special categories of personal data by taking the necessary organizational and technical measures stipulated in the PDP Legislation, specifically the Board Decision dated 31.01.2018 numbered 2018/10. In BiTaksi’s Policy on the Processing of Special Categories of Personal Data, we have included the rules and principles we comply with when we process special categories of personal data.

5.5. Use of Cookies and Identification Technologies
We process personal data by using cookies to give data subjects the best experience when they visit BiTaksi website and to ensure website functions fully. By using cookies, we aim to provide the best experience to our users and website visitors. Regarding personal data we process by cookies, we give notice and the option to manage cookie preferences to data subjects. You can find further information about cookies and personal data we process by using cookies in our Cookie Policy.

In BiTaksi mobile app, we use identification technologies to increase user experience and ensure that the app works in the best way possible. Further information regarding identification technologies can be found in the Information on Identification Technologies on the Help page in the Profile tab of the BiTaksi app.

5.6. Notifications from BiTaksi App
As BiTaksi, in accordance with the purpose and legal grounds described in the Personal Data Privacy Notice, we send notifications and communicate via phone or email with to our users who have given explicit consent through the application. You can manage your communication preferences for notifications sent by BiTaksi on the Communication Preferences page in the Profile tab of the BiTaksi app.

5.7. Keeping Personal Data Up-to-date
Within the scope of our obligation to keep personal data complete, accurate and up to date arising from PDP Legislation, we provide mechanisms that will allow data subjects to change and rectify their personal data. For example, our users always have the opportunity to update their personal data other than their phone number, on the Profile tab on the BiTaksi app or BiTaksi website.

As BiTaksi, in order to ensure the security of personal data during account creation and log-in steps, we confirm the phone number by sending SMS OTP (one-time password) to phone numbers of data subjects. In accordance with the measures for privacy and security of personal data, it is not possible to change phone numbers registered to BiTaksi accounts.

6. TRANSFER of PERSONAL DATA
As BiTaksi, in order to provide our services, we work together with infrastructure and IT service providers in Turkey and abroad. We transfer personal data of data subjects to third parties both domestically and abroad in compliance with the legal grounds stipulated under Article 8 titled transfer of personal data and Article 9 titled transfer of personal data abroad, and otherwise in line with the explicit consent of data subjects for the transfer.

7. RETENTION of PERSONAL DATA
As BiTaksi, we retain the personal data we process for the period required by the purpose of the processing and within the scope of BiTaksi Personal Data Retention and Destruction Policy, without prejudice to the retention periods stipulated in the relevant legislation.

Within the scope of the process that require personal data processing, we determine a retention period for the personal data processed with business teams. In case personal data is processed for more than one purpose, we destroy (delete, destroy or anonymize) personal data if all the purposes of processing are completed or a data subject requests deletion and there are no legal obligations to retain personal data. We act in accordance with the PDP Legislation in matters of deletion, destruction or anonymization.

8. DESTRUCTION of PERSONAL DATA
We destroy personal data upon the request of data subjects or ex officio, provided that the period stipulated in the relevant legislation or required for the purpose for which it was processed expired. We carry out such destruction (deletion, destruction and anonymization) operations within the scope of BiTaksi Personal Data Retention and Destruction Policy, without prejudice to the relevant legislation.

Unless otherwise specified by the Board, we choose the appropriate method of destroying the personal data. In case the data subject has a request for the destruction of personal data, after determining the appropriate method for the destruction of personal data, we explain this method to the data subject along with our reasons.

9. SECURITY of PERSONAL DATA
As BiTaksi, we take necessary organizational and technical measures to ensure the protection of personal data. For example, we use intrusion detection and prevention softwares to detect and prevent possible cyber-attacks, determine and limit the access authorizations of our employees to personal data, and use data loss prevention software. We have detailed the measures we take to ensure the privacy and security of personal data in this section.

9.1. Organizational Measures
Organizational measures we take for the protection of personal data are as below:

Regarding the processing and protection of personal data, corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
Personal data security policies and procedures have been determined.
Existing risks and threats to personal data have been identified.
Employees who change their position or leave their job are no longer authorized to access personal data.
Contracts contain data security and privacy clauses.
There are disciplinary actions in place for employees regarding data security and privacy.
Personal data processing inventory has been prepared.
It is ensured that employees are periodically trained on issues related to data security, such as not disclosing and sharing personal data unlawfully, and awareness activities are carried out for employees.
Extra security measures are taken for personal data transferred via physical methods and the relevant documents are sent in confidential document format.
Necessary security measures are taken regarding entry and exit to non-electronic media containing personal data.
Non-electronic media containing personal data are secured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Confidentiality undertakings are prepared to ensure the confidentiality of personal data.
Data transfer agreements are signed with the data controllers and data processors to whom personal data are transferred and these third parties’ awareness is ensured.
In the event that personal data is unlawfully obtained by third parties, the procedures to be applied to notify the data subjects and the Board have been determined.
Policies and procedures for the security of special categories of personal data have been determined and implemented.
Service providers that process personal data are made aware of data security.
In-house periodic and/or random audits are carried out.

Technical Measures
Technical measures we take for the protection of personal data are as below:

Network security and application security are provided.
Closed system network is used for personal data transfers through the network.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
An authorization matrix has been created for employees.
Personal data is backed up and the security of backed up personal data is also ensured.
Personal data security issues are reported immediately.
Personal data security is monitored.
User account management and authorization control system are implemented and these are also monitored.
Access logs are kept regularly.
Log records are kept without user intervention.
Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
Encryption method is used.
Data masking measures are applied when necessary.
Penetration tests are applied.
Cyber security measures have been taken and their implementation is continuously monitored.
Intrusion detection and prevention systems are used.
Up-to-date anti-virus systems are used.
Data loss prevention software is used.

9.3. Responsibilities of Employees
Employees who process personal data within the scope of BiTaksi’s activities are obliged to pay attention to the following issues according to the procedures and principles mentioned in this Policy:

All employees who have access to personal data must act in accordance with the procedures and principles specified in this Policy and other relevant policies and procedures regarding the protection of personal data.
Employees must carry out data processing activities in accordance with the principles of protection of personal data specified in the PDPL.
When the employees obtain the personal data of data subjects, they must ensure that the data subject is given notice regarding:
- The purpose for which personal data will be processed
- Information on the identity of the data controller and its representative, if any
- To whom and for what purpose the processed personal data can be transferred
- The method and legal grounds for obtaining personal data
- Rights of data subjects arising from the PDPL
Employees must ensure that the explicit consent of the data subject is obtained before processing personal data, unless it is one of the cases of processing personal data without explicit consent.
Employees must ensure that all technical and organizational security measures are taken to prevent unlawful processing of personal data.
Employees must ensure that the transfer of data is in accordance with the purpose of the transfer and does not exceed the purpose of the transfer.
Employees must ensure that personal data is not accessed by unauthorized persons during data transfer.
Employees must carry out data processing within the scope of the purposes for which the data processing is necessary and without exceeding their limits.
Employees must immediately notify authorized persons within the Company if they become aware of a personal data breach.

DATA SUBJECT RIGHTS
Article 11 of the PDPL regulates the rights of the data subjects. You may exercise the rights pursuant to Article 11 of the PDPL which are as follows:

1. To be informed whether your personal data is processed or not
If your personal data has been processed, to request information regarding the same
2. To be informed on the purpose of processing your personal data and whether it is used in accordance with its purpose
3. To be informed on the third parties to whom your personal data is transferred in the country or abroad
4. To request the correction of your personal data if it is incomplete or incorrectly processed
5. To request the deletion or destruction of your personal data within the scope of the conditions stipulated in Article 7 of the PDPL
6. If your personal data is deleted or destroyed within the scope of Article 7 of the Law and your personal data is incomplete or incorrectly processed, to request the notification of the third parties to whom the personal data has been transferred to
7. To object to the emergence of a result against you due to the analysis of your personal data exclusively by automated systems
8. To request compensation of the damage in case you suffer damage due to unlawful processing of your personal data

You may use the following methods to exercise your rights specified in the Article 11 of the PDPL and submit your requests to BiTaksi:

By using your email address registered in our system to kisiselveriler@bitaksi.com
By using your registered e-mail (KEP) address to bitaksi@hs01.kep.tr

In writing, including the documents proving your identity, to Levent Mah. Ebulula Mardin Cad. No. 23 K. 1 Etiler/Beşiktaş, İstanbul.

11.ABOUT THIS POLICY
This Policy is reviewed by BiTaksi as needed and updated when necessary. Apart from this, in case of changes in the PDP Legislation, the changes in the relevant legislation are applied immediately, even if the Policy has not been updated.

Last updated: March 2023

Personal Data Protection Policy