Legal

Personal Data Protection and Processing Policy

Last updated: 08.04.2026

Article 1 — Purpose

Cebeci Finans is committed to complying with regulations on the protection, processing, and destruction of personal data, as part of its social and legal responsibilities. This policy is based on Articles 7/3 and 22/1(e) of KVKK and has been prepared in accordance with the Regulation on the Deletion, Destruction, or Anonymisation of Personal Data (Official Gazette No. 30224, dated 28 October 2017).

Article 2 — Scope

This policy covers the personal data of Cebeci Finans employees, job candidates, visitors, third parties with whom we cooperate (including agents and brokers), and their employees, where such data is processed fully or partially by automated means, or by non-automated means that form part of a data recording system.

Article 3 — Definitions

  • Explicit Consent: Consent that is specific to a subject, based on information, and expressed by free will.
  • Data Subject: The natural person whose personal data is processed.
  • Destruction: Deletion, erasure, or anonymisation of personal data.
  • Law / KVKK: Law No. 6698 on the Protection of Personal Data.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: Any operation performed on data, including collection, recording, storage, alteration, disclosure, transfer, or destruction.
  • Board: The Personal Data Protection Board.
  • Special Categories of Personal Data: Race, ethnicity, political opinion, religion, health, sexual life, criminal conviction, biometric and genetic data.
  • Data Processor: A natural or legal person who processes personal data on behalf of and under the authority of the data controller.
  • Data Controller: The person who determines the purposes and means of processing personal data.

Article 4 — Recording Environments

Electronic environments:

  • Servers (email, database, web, backup, etc.)
  • Software (office applications, portals, document management systems)
  • Information security devices (firewalls, antivirus, audit logs)
  • Personal computers and mobile devices
  • Removable media and optical discs
  • Printers, scanners, and photocopiers

Non-electronic environments:

  • Paper and manual record systems (survey forms, visitor logs)
  • Written, printed, and visual media

Article 5 — Personal Data Processing Policy

5.1. General Principles

  • Acting in accordance with legal regulations and general principles of good faith
  • Ensuring personal data is accurate and up to date
  • Defining the purpose of processing clearly and processing only for the services offered and legal obligations
  • Avoiding collection of more data than necessary for the stated purpose
  • Retaining data only for the period required by law or for the purpose of processing

5.2. Conditions for Processing Personal Data

Explicit consent is the primary basis. However, processing may also occur without explicit consent in the following circumstances:

  • Where expressly provided by law
  • Where necessary to protect the life or physical integrity of a person who cannot express consent
  • Where directly related to and necessary for the performance of a contract
  • Where personal data has been made public by the data subject
  • Where necessary for the establishment, exercise, or protection of a right

Article 6 — Obligation to Inform

As a constitutional right, everyone has the right to be informed about their personal data. Under Article 11 of KVKK, Cebeci Finans is obligated to provide the necessary information when a data subject requests it.

Article 7 — Transfer of Personal Data

Personal data will not be disclosed to third parties outside the legal framework. Parties to whom data may be transferred include:

  • Public institutions and organisations required or permitted by legislation
  • Business partners and service providers
  • Courts, prosecutor's offices, and regulatory authorities such as BDDK, SPK, MASAK
  • Domestic and international subsidiaries
  • Companies for whom we act as intermediary or agent
  • Independent audit and support service providers
  • Domestic and international banks and financial institutions

Article 8 — Rights of the Data Subject (KVKK Article 11)

  • To learn whether personal data has been processed
  • If processed, to request information about the processing
  • To learn the purpose of processing and whether it is used in accordance with that purpose
  • To know the third parties to whom data is transferred
  • To request correction of incomplete or inaccurate data
  • To request deletion or destruction where conditions are met
  • To object where processing through automated systems produces results to the data subject's detriment
  • To claim compensation for damages caused by unlawful processing

Article 9 — Data Controller

Company: Cebeci Finansal Danışmanlık ve Yönetim Hizmetleri Ltd. Şti.

Address: Yukarı Dudullu, Bayrak Cd. Bilim Tower No:30 Kat:10 d:77, 34775 Ümraniye/Istanbul

Email: info@cebecifinans.com

Article 10 — Final Provisions

In the event of any inconsistency between this policy and KVKK or other applicable legislation, KVKK and the relevant legislation shall take precedence. Cebeci Finans reserves the right to update this policy; amendments shall take effect from the date of publication.