Puhutv Privacy/Protection of Personal Data Policy

Puhutv Privacy/Protection of Personal Data Policy

Puhutv Privacy Policy

Protection of personal data is an important issue for Dogus Dijital Hizmetler A.S. (”Dogus Dijital"). Dogus Dijital fulfills its liabilities on processing, deleting, destroying, anonymizing, transferring personal data, enlightening the person concerned and ensuring data security and adopts the principles of the Law No. 6698 on the Protection of Personal Data (“KVK Law”) to align with the KVK Law. In this context, Privacy and Protection of Personal Data Policy is made available to real persons whose personal data is processed (“Related Person”).

1. The Scope and Purpose of Privacy and Protection of Personal Data Policy

This Privacy and Protection of Personal Data Policy explains the below principles of Dogus Dijital:

• Methods of collecting personal data and legal grounds
• Which person groups' personal data are processed (Data Owner Categorization),
• In which category personal data is processed (Data Categories) and sample data types regarding these person groups,
• In which business processes and for what purposes this personal data is used,
• Technical and administrative measures taken to ensure the security of personal data,
• To whom and for what purpose the personal data can be transferred,
• Personal data retention times,
• What are the rights of Related Persons to their personal data and how they can exercise those rights,
• How Related Persons can change their positive or negative preferences for receiving electronic commercial messages
• Sharing personal data with authorities

1. Methods and Legal Grounds For Collecting Personal Data

Dogus Dijital collects personal data through Puhutv website, mobile apps, mobile websites, smart TV app, the device/operating systems, in printed form, the Related Person, third-party software, contracts, business cards, social media accounts, cookies, call center, e-mail, and through various channels of communication, in audial, electronic or written form, as per the personal data process terms in the KVK Law and based on the legal grounds stipulated herein this Privacy/Protection of Personal Data Policy.

1. Data Subject Person Group Categorization

In personal data processing processes and related activities, Dogus Dijital categorizes the groups of people whose personal data are processed as follows.

1. Subscriber
2. User
3. Advertiser/Agency Data
4. Supplier and supplier’s employee
5. Contact person data

1. Data categories and sample data types
2. Subscriber

• Identity Information: Name, surname, date of birth (year), gender
• Contact Information: Email address
• Subscriber Information: Subscription ID number
• Subscriber Transaction Information: Call center calling records, commercial communication permission, the content he/she follows, the content he/she watches
• Legal Transaction Information/Risk Management Information: IP address
• Transaction Security Information: Password, code information
• Marketing Information: Cookie records, targeting information, evaluations showing habits and likes, DMP, IDFA, AdID , e-mail messages for marketing purposes sent based on commercial electronic message permission given by the Related Person.
• Audio Data: Call center calling recordings
• Legal Transaction and Compliance Information: The start and end time of the service provided, the type of service used, the amount of data transferred, the commercial electronic message permit given by the Related Person in the electronic environment, the subscription agreement that he/she approves.
• Demand/Complaint and Reputation Management Information: Records regarding the complaints and/or requests submitted by the Related Person through the website, mobile application, mobile website, smart TV application, social media accounts or call center on the services that the Related Person benefits from, and the transactions made during the evaluation or management of these requests.

2. User

• Contact Information: Email address
• User Transaction Information: Call center calling records, the content he/she follows, the content he/she watches
• Legal Transaction Information/Risk Management Information: IP address
• Marketing Information: Cookie records, targeting information, habits, DMP, IDFA, AdID
• Audio Data: Call center calling recordings
• Legal Transaction and Compliance Information: The start and end time of the service provided, the type of service used, the amount of data transferred,
• Demand/Complaint and Reputation Management Information: Records regarding the complaints and/or requests submitted by the Related Person through the website, mobile application, mobile website, smart TV application, social media accounts or call center on the services that the Related Person benefits from, and the transactions made during the evaluation or management of these requests.

3. Advertiser/Agency Data

• Identity Information: Name, surname, title
• Location Information: Address
• Contact Information: Mobile number, email address, address, landline number
• Financial Information: Bank account information, tax office, tax identification number, tax certificate
• Advertiser/Agency Transaction Information : DFP ID
• Legal Transaction Information: DFP logs, signature circular, activity certificate
• Sensitive Personal Data/Legal Transaction Information: Signature

4. Supplier and Supplier’s employee

• Identity Information: Name, surname, title
• Contact Information: Mobile phone number, email address, address, landline
• Financial Information: Bank account information, tax office, tax identification number, tax certificate
• Legal Transaction Information: Signature circular, activity certificate
• Sensitive Personal Data/Legal Transaction Information: Signature

5. Contact person data

• Identity Information: Name, surname
• Location Information: Country, city information
• Contact Information: Mobile number, email address, landline number
• Legal Transaction /Risk Management Information: IP address,
• Customer transaction information: Device information, browser information

1. The Business Processes and the Purposes of the Use of Personal Data

The personal data is used by Dogus Dijital for purpose of carrying out below mentioned process:

• Processing of traffic information of Subscribers /Users (IP address, start and end date of service provided, type of service used, amount of data transferred and subscriber credentials) in accordance with relevant legislation,
• Performing of Subscription transactions,
• Improving the services/content offered, developing new services/content and informing Subscribers with commercial electronic message approval,
• Analyzing the preferences and preferences of the Subscriber and offering specific services/content for the Subscribers who have commercial electronic message approval for the purpose of the performance of the Subscription agreement.,
• Monitoring Subscriber/User actions to improve Subscriber/User experience and service / content quality,
• Promotion and marketing of applications, products and services for Subscriber /Users as per the information contained in the cookie policy, direct marketing, digital marketing, remarketing, targeting, profiling and analysis, in line with the preferences and likings of the Subscriber/User,
• Resolving Subscriber /User problems and complaints,
• Improving Subscriber /User experience in website, mobile application, mobile website and smart TV application,
• Creating Subscriber /User satisfaction, loyalty and commitment,
• Making statistical evaluations and market surveys
• Corporate Reputation Management and media communication,
• Determination and implementation of Dogus Dijital's commercial and business strategies,
• Follow up of accounting and purchasing transactions,
• Carrying out legal processes and ensuring compliance with legislation,
• Answering information requests from administrative and judicial authorities,
• In-house reporting and planning of business development activities,
• Providing information and transaction security and preventing malicious use,
• Carrying out the activities of Dogus Dijital in accordance with the Dogus Dijital procedures and the policies prepared under KVK Law

1. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

Dogus Dijital undertakes to take all necessary technical and administrative measures and take due care to ensure the confidentiality, integrity and security of your personal data. Dogus Dijital takes the necessary measures to prevent unauthorized access to personal data, improper use of personal data, unlawful processing, disclosure, alteration or destruction. Dogus Dijital uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption when processing personal data. In addition, when you send your personal data to Dogus Dijital via the website, mobile application, mobile website and smart TV application, it is transferred using SSL. Dogus Dijital performs the following procedures in order to prevent unlawful access to the personal data it processes, to prevent unlawful processing of such data and to ensure the protection of personal data:

• Protects all areas in the website, mobile application, mobile website and smart TV application where personal data is taken, with SSL,
• Creates and implements access authorization and control matrices for its employees so that personal data collected from the website, mobile application, mobile website and smart TV application is not unlawfully processed,
• Periodically conducts infiltration tests and tests the system's resistance to unauthorized access to ensure that personal data is not illegally accessed,,
• It uses the Pseudonymization (alias data) method for all secondary data processing other than the primary processing purpose. In order to provide that pseudonymous data makes it impossible to identify the related person, it uses encryption methods in systems where this data exists and implements a more strict access authorization to such data and control policy,
• It ensures that personal data in the paper is kept in lockers and only accessible by authorized people,
• Personal data processed through third-party cookies from which the service is received is deleted from third-party systems upon termination of Subscription.
• Despite the necessary information security measures taken by Dogus Dijital, Dogus Dijital immediately notifies you and the Personal Data Protection Board if personal data is damaged or falls into unauthorized third parties as a result of attacks on the platforms operated by Dogus Dijital or the Dogus Dijital system and takes necessary measures.

1. Persons to Whom Personal Data May Be Transferred and The Purpose of Transfer

Dogus Dijital transfers personal data to third parties only in accordance with the purposes set out in this Privacy and Protection of Personal Data Policy and in accordance with Articles 8 and 9 of the KVK Law. Subscriber/User data processed in this context is shared with Facebook, Google, Akamai, Oracle (Bluekai & Moat), Amazon Web Services and email delivery companies to make segmentation and contact with Subscriber /User according to Subscriber /User preferences and likings of website, mobile application, mobile website and smart TV application. In this context, personal data transfers are carried out through secure media and channels provided by the third party concerned. Depending on the content and scope of the service received from third parties, in all cases where there is no need to transfer the personal data of the Subscriber /User, the transfer is made using Pseudonymous data.

In order to increase customer satisfaction and loyalty, Subscriber /User anonymous data is shared with Sunday research companies (Gemius, Nielsen).

Within the scope of reporting and statistical studies, the data belonging to the Subscriber/User is shared with Dogus Holding A.S. and Ay Sanat Produksiyon ve Yapım A.S. which are the shareholders of Dogus Dijital. In addition, data is also shared with Dogus Musteri Sistemleri A.Ş. (DMS), a subsidiary of Dogus Holding A.S, within the framework of CRM and Data Analytics services.

The personal data subject to domestic and international transfer, which we mentioned above, are protected as follows, together with technical measures to ensure their security;

• Taking into consideration whether the other party of the legal relationship is the data controller or the data processor, personal data is protected legally, with the provisions in accordance with the KVK Law included in our contracts.
• In cases where personal data is transferred abroad, model contract clauses published by KVK institution are signed by the counter party of the contract.

1. Personal Data Retention Times

Dogus Dijital maintains the personal data it processes in accordance with the KVK Law for the periods stipulated in the relevant legislation or required by the processing purpose. According to our Personal Data Retention and Destruction Policy, these periods are approximately as follows

You can review our Cookie Policy on the retention periods of personal data we obtain through the SDK and cookies.

1. Profiling

Dogus Dijital makes profiling using the personal data it processes regarding the Subscriber/User. For more information about profiling, see our Cookie Policy.

1. Rights of the Related Persons Related on Personal Data and How to Use These Rights

The rights of the Related Person in accordance with article 11 of the KVK Law on the personal data processed by Dogus Dijital are listed below:

• to learn whether his/her personal data are processed or not,
• to request information if his/her personal data are processed,
• to learn the purpose of his/her data processing and whether this data is used for intended

purposes,

• to know the third parties to whom his/her personal data is transferred at home or abroad,
• to request the rectification of the incomplete or inaccurate data, if any,
• to request the erasure or destruction of his/her personal data under the conditions laid

down in Article 7,

• to request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred,
• to object to the processing, exclusively by automatic means, of his personal data,

which leads to an unfavorable consequence for the data subject,

• to request compensation for the damage arising from the unlawful processing of his/her personal data.

The Subscriber/Subscriber may exercise his/her right in this sense by applying to our Company as per the art. 13/f.1 of KVK Law:

• Send an e-mail to the e-mail address kisiselveri@Puhutv.com, signed with the secure electronic signature of the User/Subscriber (also a file in the form of “word or pdf.” signed with a secure e-signature can be sent to our Company)
• Send an e-mail to our company's registered e-mail address signed with a secure electronic signature belonging to the User/Subscriber
• Submit a petition to the address on the DYG's web page where identification is made in the notary public

1. How Related Persons Can Change Their Positive or Negative Preferences for Receiving Electronic Commercial Messages

You can change your positive or negative preferences for receiving commercial electronic messages when you subscribe to the Puhutv website, mobile app, mobile website and smart TV app or at a later time as follows:

• You can change or update it by accessing “My Account" section, or
• You can click the exit link in the e-mails we have sent.

Termination of Subscription does not mean that your consent to receive commercial electronic messages is revoked. Therefore, make sure that you have completed all procedures to withdraw your approval.

As regards cookie management, you can follow the steps set out in our Cookie Policy.

1. Sharing Personal Data with Authorities

Dogus Dijital may share information with public institutions and organizations which are authorized to request this information legally, such as traffic and navigation information of your visit to Puhutv website, mobile applications, mobile websites and smart TV app and personal information related to Subscription in order to perform the obligation to the law (in cases where Dogus Dijital has the legal or administrative obligation to provide information or notification, including but not limited to combating crime, threats of state and public security, etc.)

1. Use and Management of Cookies

For detailed information about cookies, cookie types, purposes, storage times, profiling and cookie management used by Dogus Dijital, you can review our Cookie Policy.

2. Conditions for Deleting, Destroying and Anonymizing Personal Data

Dogus Dijital stores the personal data it processes through its website, mobile application, mobile website and smart TV application in accordance with Article 7, 17 of the KVK Law and article 138 of the Turkish Penal Code for the periods stipulated by the relevant laws and/or as required by the purpose of processing. Upon expiry of those periods, it will delete, destroy or anonymize in accordance with the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

The deletion of personal data by Dogus Dijital refers to the process of making personal data inaccessible and unusable for the Users concerned in any way. Dogus Dijital creates and implements a user-level access authorization and control matrix for this and takes the necessary measures to perform the deletion in the database.

The destruction of personal data by Dogus Dijital means the process of making personal data inaccessible, irreversible and non-reusable by anyone.

The anonymity of personal data by Dogus Dijital means that the personal data cannot be associated with a specific or identifiable real person under any circumstances, even if it is matched with other data.

Dogus Dijital has explained in detail the methods and technical and administrative measures taken for deletion, destruction and anonymization within the scope of the Personal Data Retention and Disposal Policy drafted in line with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this Policy, the period for the periodic destruction stipulated by the Regulation is determined as 6 months.

3. Changes to the Privacy and Protection of Personal Data Policy

Dogus Dijital may make changes to this Privacy and Personal Data Protection Policy at any time. These changes will come into effect immediately with the release of the new, amended Privacy and Personal Data Protection Policy. Our Subscribers will be informed via e-mail in order to make you aware of the changes in this Privacy and Personal Data Protection Policy.  In addition, both Users and our Subscribers will be informed about these updates on Puhutv.com