1. Purpose
This policy aims to define the methods adopted for personal data processing activities and personal data protection in compliance with the Law No. 6698 on the Protection of Personal Data (KVKK) and the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679) (“GDPR”), as well as the technical and administrative measures implemented in all activities conducted by Trabzonspor Club and its group companies (Trabzonspor Club Association, Trabzonspor Football Management Trade Inc., Trabzonspor Sportive Investment and Football Management Trade Inc., Trabzonspor Bordo Mavi Energy Electricity Production Inc., Bordo Mavi Football Investments Trade Inc., Trabzonspor Telecommunication Consulting and Service Trade Inc.).
The Personal Data Protection and Processing Policy includes the principles applied by Trabzonspor Club in relation to data security, transparency, individuals' rights over their personal data, and the technical, legal, and administrative responsibilities of data collection, usage, sharing, storage, and destruction processes.
It is intended to inform customers, institution employees, visitors, employees of collaborating organizations, and third parties whose personal data is processed by the institution, including individuals maintaining an association with Trabzonspor Club and its group companies.
2. Scope
This Policy covers all personal data processed in the processes of our institution, whether automatically or non-automatically, provided that it is part of a data recording system.
It applies to customers, institution employees, visitors, employees of collaborating organizations, and third parties who maintain an ongoing relationship with our institution.
3. Authority and Responsibilities
All employees, consultants, external service providers, and any other individuals who store and process personal data on behalf of the institution are responsible for complying with the Law, Regulations, and Policy regarding the deletion, destruction, and anonymization of data as required.
Each business unit is responsible for storing and protecting the data it generates within its own processes.
Any data destruction that may affect business processes, compromise data integrity, result in data loss, or lead to non-compliance with legal regulations will be decided by the relevant information systems department, considering the type of personal data, the systems in which it is stored, and the business unit responsible for data processing.
The KVKK Board liaison officer is responsible for handling official notifications, correspondences, acceptance, and registration procedures on behalf of the Data Controller.
4. Definitions and Abbreviations
Explicit Consent: Consent that is related to a specific matter, based on information, and freely given.
GDPR: General Data Protection Regulation, the European Union General Data Protection Regulation (Regulation (EU) 2016/679).
Relevant User: Individuals who process personal data within the data controller’s organization or under the authorization and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of data.
Destruction: The deletion, erasure, or anonymization of personal data.
Law: KVKK, Law No. 6698 on the Protection of Personal Data.
Recording Environment: Any environment where personal data is processed, either fully or partially automated, or through non-automated means as part of a data recording system.
Personal Data: Any information related to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, whether automated or non-automated as part of a data recording system, including collection, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, retrieval, classification, or blocking its use.
Anonymization of Personal Data: The process of rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Deletion of Personal Data: The process of making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data: The process of making personal data completely inaccessible, irretrievable, and unusable by anyone.
Board: The Personal Data Protection Board.
Sensitive Personal Data: Data regarding a person’s race, ethnic origin, political opinion, philosophical beliefs, religion, sect, or other beliefs, appearance, attire, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization of personal data at regular intervals, as specified in the Personal Data Retention and Destruction Policy, when all conditions for data processing under the Law cease to exist.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Processor: A natural or legal person who processes personal data on behalf of the Data Controller, based on the authority granted by the Data Controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Controller’s Contact Person and Assistants: Since the Data Controller is a legal entity based in Turkey, a contact person has been appointed. The primary duty of the contact person and their assistants is to determine the purposes and means of processing personal data and to manage the data recording system.
Regulation: The Regulation on Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
5. Personal Data Protection and Processing Policy
Our institution has established this policy to define the measures taken and the processes applied for the protection and processing of personal data in a concrete manner.
In cases where there is a conflict between this policy and the relevant laws and regulations, or if the policy is not updated in line with amended legislation, Trabzonspor Club and its group companies acknowledge that they will comply with the applicable legislation in force.
This policy will be updated and revised according to changes in laws, regulations, and legislation to ensure Trabzonspor Club and its group companies fulfill their legal obligations.
5.1. Ensuring the Security of Personal Data
Trabzonspor Club and its group companies take all necessary technical and administrative measures to ensure an appropriate level of security for the protection of personal data.
In accordance with Article 12, Paragraph 1 of KVKK, the following measures are taken:
· Preventing the unlawful processing of personal data,
· Preventing unlawful access to personal data,
· Ensuring the preservation of personal data.
The measures implemented by our institution to ensure the security of personal data are detailed in the following sub-sections.
5.1.1. Technical Measures
Trabzonspor Club and its group companies employ knowledgeable and experienced personnel to ensure data security and provide necessary KVKK compliance training to their staff.
In accordance with Article 32 of GDPR, the necessary technical measures are implemented to ensure compliance with GDPR provisions, with stricter measures applied for access to sensitive personal data.
In line with these processes, technical measures are taken in accordance with technological advancements. Investments are made in infrastructure that aligns with developing technology. Antivirus protection systems and necessary software and hardware are installed to ensure data security in cloud environments.
Up-to-date system versions with necessary security measures against known vulnerabilities are used, and penetration tests and continuous vulnerability scans are conducted to assess system security.
Access authorizations are controlled to ensure that employees' access to personal data is properly regulated.
Authorization and access definitions are determined in accordance with legal compliance requirements specific to each business unit. Access permissions are regularly checked to ensure they align with the defined authorization policies.
The continuous monitoring of implemented security measures ensures that they remain effective over time.
5.1.2. Administrative Measures
Trabzonspor Club and its group companies take the necessary administrative measures to ensure the security of personal data and monitor employees' compliance with these measures. Access and authorization levels are defined in accordance with the legal compliance requirements specific to each business unit and at a level that does not disrupt business processes. Employees' access rights to personal data and the related rules are defined. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Personal Data Protection Law, cannot use it for purposes other than processing, and that this obligation will continue even after they leave their position. Employees continuously receive the necessary awareness, technical, administrative, and legal training under the General Data Protection Regulation (GDPR) and Law No. 6698 on the Personal Data Management System. Necessary commitments are obtained from employees in this regard. Employees are continuously informed that a framework agreement is signed with third parties with whom personal data is shared, or data security is ensured by adding specific clauses to contracts. Third parties receiving personal data accept the obligation to take necessary security measures to protect personal data and to ensure compliance with these measures within their organizations. If it is determined that processed personal data has been unlawfully obtained by others, the data representative notifies the relevant individuals and the KVKK Board. An investigation is conducted into how the personal data was obtained by unauthorized parties. Trabzonspor Club and its group companies implement the necessary administrative measures to eliminate identified vulnerabilities and, if needed, apply technical measures to reinforce security.
5.1.3. Secure Storage of Personal Data
Trabzonspor Club and its group companies take the necessary technical and administrative measures based on technological capabilities and implementation costs to store the personal data they obtain in secure environments. The rules and methods related to secure data storage are detailed in the "Data Retention and Destruction Policy."
5.1.4. Audits for the Sustainability of Personal Data Protection
Trabzonspor Club and its group companies conduct and commission the necessary audits in compliance with Article 12 of the KVK Law.
Regular penetration tests are conducted to identify potential technical vulnerabilities in the systems. The institution continuously monitors its systems. Additionally, system log records are reviewed to ensure security against cyberattacks.
Following management system audits, analysis of alert system data, and system monitoring, necessary technical and administrative measures are taken based on the identified findings.
If any unauthorized access or unlawful processing of personal data is detected during audits, the issue is reported to the Personal Data Protection Committee. The institution's management is informed by the committee.
5.1.5. Measures Taken in Case of Unauthorized Disclosure of Personal Data
Trabzonspor Club and its group companies, in compliance with Article 12 of the KVK Law, notify both the relevant personal data owner and the KVK Board in the event of unauthorized disclosure of processed personal data.
If deemed necessary by the KVK Board, this situation may be announced on the KVK Board’s website or through other methods.
5.1.6. Measures Implemented to Ensure Third Parties Protect Personal Data
Trabzonspor Sportive Investment and Football Management Trade Inc. includes necessary contractual provisions in agreements with third parties to prevent the unlawful processing of personal data, unauthorized access to data, and ensure the proper protection of data.
Before any information sharing with third parties, confidentiality agreements are signed. Additionally, necessary awareness-raising measures and informative communications are provided to third parties to enhance their understanding of data protection responsibilities.
5.1.7. Measures Implemented for the Protection of Special Categories of Personal Data
Special categories of personal data require adequate precautions due to their nature and their potential to cause harm or discrimination to individuals. Article 6 of the KVK Law classifies certain personal data as "special categories" because their unlawful processing could lead to discrimination or victimization.
These data include race, ethnic origin, political opinion, philosophical beliefs, religion, sect, or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Trabzonspor Club and its group companies take the necessary precautions to protect lawfully processed special categories of personal data, as specified in the KVK Law. The technical and administrative measures implemented for the protection of personal data are applied with extra sensitivity when handling special categories of personal data.
Trabzonspor Club and its group companies process special categories of personal data in compliance with the adequate measures determined by the KVK Board. Before processing such data, explicit consent from the data subject is obtained. If explicit consent is not available, personal data may only be processed under the legal authority granted by the law in accordance with the following criteria.
· Special categories of personal data, excluding the data related to the health and sexual life of the data subject, may be processed in cases explicitly provided for by law.
· Special categories of personal data related to the health and sexual life of the data subject may only be transferred to persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and financing.
5.1.8. Creating Awareness for Ensuring the Protection of Personal Data
Necessary information is provided to business units, training sessions are organized, and the effectiveness of these activities is measured to raise awareness of preventing the unlawful processing of personal data, preventing unauthorized access to data, and ensuring data security.
The "Personal Data Protection and Processing Policy" and other relevant policies have been published on our institution’s website. Employees of our institution have been informed about these policies.
In the event of changes in the relevant laws, regulations, or legislation, the policies are revised and re-communicated to employees.
5.2. Principles for Processing Personal Data Principles for Processing Personal Data
Article 4, Paragraph 2 of the KVK Law defines the principles for processing personal data. Trabzonspor Sportive Investment and Football Management Trade Inc. processes personal data in compliance with these established principles.
The processing of personal data is carried out in accordance with the following principles:
a) Compliance with the law and the principles of honesty.
b) Accuracy and, where necessary, keeping data up to date.
c) Processing for specific, explicit, and legitimate purposes.
d) Being relevant, limited, and proportionate to the purpose for which they are processed.
e) Retention for the period required by relevant legislation or necessary for the purpose for which they are processed.
5.3. Conditions for Processing Personal Data
Trabzonspor Club and its group companies process a significant portion of personal data based on legal obligations and the necessity of maintaining public order, utilizing the authorities granted by law.
In accordance with Article 5/2 of the relevant law, which can be accessed in its full text, the processing of personal data is considered lawful under the following conditions:
a) Explicitly provided for by law.
b) Necessary for the protection of the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
c) Required for the establishment or performance of a contract, provided that the personal data processed belongs to the parties to the contract.
d) Necessary for the data controller to fulfill its legal obligations.
e) Publicly disclosed by the data subject.
f) Necessary for the establishment, exercise, or protection of a legal right.
g) Necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.
For any situations not covered by the above conditions, our institution processes personal data only with the explicit consent of the data subjects.
5.4. Purposes of Personal Data Processing
Our institution has conducted the necessary work in accordance with KVKK & GDPR, and based on information obtained from departments, a data inventory has been created, identifying the purposes of processing personal data within business processes.
Personal data is processed under the Personal Data Protection Law No. 6698 in accordance with Articles 5 and 6, as well as Article 6(1)(b) of the GDPR, when it is necessary to fulfill a contract or take steps related to a contract made with you.
If requested, the data subject will be provided with relevant information within the scope of the Personal Data Processing Notice upon completing the KVKK and GDPR Application Form.
5.5. Disposal of Personal Data
Trabzonspor Club and its group companies dispose of the personal data they have obtained upon the request of data subjects, provided that it is not required for legal obligations or the protection of public order.
Personal data belonging to data subjects is deleted based on the institution's decision when the necessity for continuing service to the customer, fulfilling legal obligations, or planning employee rights and benefits ceases to exist.
The rules and methods regarding the disposal of personal data are detailed in the "Data Retention and Disposal Policy."
5.6. Transfer of Personal Data to Domestic Recipients
Trabzonspor Club and its group companies adhere strictly to the conditions stipulated in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws.
In this regard, personal data is not transferred to third parties without the explicit consent of the data subject. However, in the presence of one of the conditions set forth by the KVKK, personal data may be transferred without the explicit consent of the data subject under the following circumstances:
· Explicitly provided for by law,
· Necessary for the protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
· Required for the establishment or performance of a contract, provided that the personal data processed belongs to the parties to the contract,
· Necessary for the data controller to fulfill its legal obligations,
· Publicly disclosed by the data subject,
· Necessary for the establishment, exercise, or protection of a legal right,
· Necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.
In the processing of special categories of personal data, it is also mandatory to take the adequate precautions determined by the KVK Board.
Özel nitelikli kişisel verilerin işlenmesi yasaktır. Ancak bu verilerin işlenmesi; The processing of special categories of personal data is prohibited, except in the following cases:
· The explicit consent of the data subject,
· Explicitly provided for by law,
· Necessary for the protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
· Relevant to the personal data that the data subject has made public and aligned with their intention to disclose it,
· Necessary for the establishment, exercise, or protection of a legal right,
· Required by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of healthcare services,
· Necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
· Processed by foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, provided that they comply with the relevant legislation and their objectives, are limited to their area of activity, are not disclosed to third parties, and concern only their current or former members or individuals in regular contact with them.
The transfer of special categories of personal data is also subject to the same conditions specified in the processing requirements.
5.7. Transfer of Personal Data to Foreign Recipients
Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 is met and if an adequacy decision has been issued regarding the recipient country, sectors within the country, or international organizations.
The adequacy decision is issued by the KVK Board and published in the Official Gazette. The Board may seek opinions from relevant institutions and organizations if necessary. The adequacy decision is reviewed at least every four years. The Board may amend, suspend, or revoke the adequacy decision with prospective effect based on the evaluation results or in other cases deemed necessary.
When issuing an adequacy decision, the following factors are considered:
a) Reciprocity in personal data transfers between Turkey and the recipient country, sectors within the country, or international organizations.
b) The legislation and practices of the recipient country and the rules governing the international organization to which the data will be transferred.
c) The existence of an independent and effective data protection authority and the availability of administrative and judicial remedies in the recipient country or international organization.
d) Whether the recipient country or international organization is a party to international agreements related to personal data protection.
e) Whether the recipient country or international organization is a member of global or regional organizations to which Turkey is a member.
f) International agreements to which Turkey is a party.
If adequate protection is not available, personal data may be transferred abroad without the explicit consent of the data subject, provided that the data controllers in Turkey and the relevant foreign country undertake to ensure adequate protection in writing and have the Board's approval.
If an adequacy decision is not available, personal data may be transferred abroad by data controllers and data processors without the explicit consent of the data subject, provided that one of the conditions specified in Articles 5 and 6 exists, the data subject has the right to exercise their rights in the recipient country, and effective legal remedies are available. Additionally, one of the following appropriate safeguards must be ensured by the parties:
a) The existence of a non-international agreement between public institutions and organizations or international organizations in the recipient foreign country and public institutions or professional organizations with public institution status in Turkey, with the Board’s approval for the transfer.
b) The existence of binding corporate rules approved by the Board, which contain provisions on personal data protection that companies within a group of enterprises engaged in joint economic activity are required to comply with. These rules should include data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data as announced by the Board.
c) The existence of a written commitment containing provisions ensuring adequate protection and approval from the Board for the transfer.
A standard contract must be notified to the Board within five business days from the date of signing by the data controller or data processor.
Without prejudice to international agreements, personal data may only be transferred abroad if Turkey’s or the data subject’s interests would be severely harmed, and only with the approval of the Board after consulting the relevant public institution or organization.
5.8. Categorization of Personal Data
Trabzonspor Club and its affiliated companies classify personal data into two main categories: Data Subject Groups and Data Types.
Data Subject Group Categories:
Company Employees: Employees whose personal data is processed in accordance with relevant legislation, primarily the Labor Law and Occupational Safety regulations.
Former Company Employees: Employees whose employment contract has been terminated, but whose personal data must be retained for a certain period due to legal obligations under the Labor Law, Occupational Safety regulations, and other applicable legislation.
Company Service Providers, Suppliers, Subcontractors, and Their Employees: Individuals or employees of businesses from whom the company procures services or products or engages as subcontractors.
Former Company Service Providers, Suppliers, Subcontractors, and Their Employees: Individuals or businesses whose contractual relationship with the company has ended, but whose data continues to be processed due to legal obligations. These personal data will be deleted or anonymized in accordance with the relevant procedures once the legal obligation to process them ceases.
Data Type Categories:
Data CategoryExplanation of Personal Data Categorization
Identity Information
Information Contained in Documents Such as Driver’s License, ID Card, Residence Certificate, Passport, Attorney ID, Marriage Certificate (e.g., Turkish Citizenship Number, Passport Number, ID Card Serial Number, Name-Surname, Photograph, Place of Birth, Date of Birth, Age, Registered Address, Certified Copy of ID Card)
Contact Information
Information Used for Communication with the Person (e.g., Email Address, Phone Number, Mobile Phone Number, Address)
Customer Transaction Information
Information Related to Any Transactions Performed by the Customer Utilizing Our Services (e.g., Requests and Instructions, etc.)
Physical Space Security Information
Personal Data Related to Records and Documents Collected Upon Entry to and During Stay in a Physical Space (e.g., Entry-Exit Logs, Visitor Information, Camera Recordings, etc.)
Transaction Security Information
Personal Data Processed to Ensure the Technical, Administrative, Legal, and Commercial Security of Our Institution and Related Parties (e.g., Information Such as Website Passwords and Passcodes That Associate the Transaction with the Data Subject and Verify Their Authorization to Perform That Transaction)
Financial Information
Personal Data Within the Scope of Information, Documents, and Records Showing Any Financial Outcome Created Based on the Type of Existing Legal Relationship with the Data Subject (e.g., Information Indicating the Financial Result of Transactions Performed by the Data Subject, Tax Debt Amount, Card Information, Tax Payments, Interest Amount and Rate to Be Paid, Debt Balance, Receivable Balance, etc.)
Personal Information
Personal Data Forming the Basis for the Personnel Rights of Our Institution's Suppliers' Employees (Any Information and Documents That Are Legally Required to Be Included in the Personnel File)
Legal Transaction and Compliance Information
Personal Data Processed for the Determination and Follow-up of Legal Claims and Rights, as well as for the Fulfillment of Debts and Legal Obligations (e.g., Data Contained in Documents Such as Court and Administrative Authority Decisions)
Audit and Inspection Information
Personal Data Processed Within the Scope of Our Institution’s Legal Obligations and Compliance with Company Policies (e.g., Audit and Inspection Reports, Relevant Meeting Records, and Similar Records)
Special Category Personal Data
Data on Individuals' Race, Ethnic Origin, Political Opinion, Philosophical Belief, Religion, Sect or Other Beliefs, Appearance and Attire, Association, Foundation or Trade Union Membership, Health, Sexual Life, Criminal Convictions and Security Measures, as well as Biometric and Genetic Data
Request/Complaint Management Information
Personal Data Related to the Receipt and Evaluation of Any Requests or Complaints Directed to Our Institution (e.g., Requests and Complaints Addressed to Our Institution, Related Records and Reports)
Visual and Audio Data
Visual and Audio Records Associated with the Personal Data Owner (e.g., Photographs, Camera Recordings, and Audio Recordings)
5.9. Printed Documents, Camera Recordings, Personal Data of Website Visitors
5.9.1. Printed Documents
Our company, in certain cases, collects personal data in printed document format to provide services to customers. These types of data are processed, stored, and disposed of in accordance with the conditions specified in the Personal Data Protection Law (KVKK).
Personnel personal records used in human resources include all personal data processed for obtaining information necessary for establishing the personnel rights of our employees or real persons engaged in a working relationship with our organization.
Personal data collected for healthcare services: Our company retains personal data for the healthcare services provided to its employees.
5.9.2. Personal Data of Website Visitors and Personal Data Collected for Internet Access Service
On the websites owned by our institution, the internet activities of visitors are recorded through technical means (e.g., cookies) to ensure that visitors conduct their visits in accordance with their intended purposes.
Detailed explanations regarding the protection and processing of personal data related to these activities are provided in the "Cookie Policy" texts of the relevant websites.
Our company provides free internet service to all visitors in open areas. The log records of the provided service are retained in compliance with Law No. 5651 (Law on the Regulation of Publications on the Internet and the Fight Against Crimes Committed Through These Publications) and to verify access information.
5.9.3. Rights of the Personal Data Owner
You can access the full text of your data subject rights under the Law on the Protection of Personal Data (KVKK) from the official KVKK website. These rights are listed in Article 11 of the relevant law and include:
Article 11- (1) Every individual has the right to apply to the data controller and:
a) Learn whether their personal data has been processed,
b) Request information if their personal data has been processed,
c) Learn the purpose of processing personal data and whether it is used in accordance with that purpose,
ç) Know the third parties to whom personal data is transferred domestically or abroad,
d) Request the correction of personal data if it is incomplete or incorrectly processed.
Under the GDPR, you also have the following rights. More information can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en
a) Right to Withdraw Consent (Article 7 GDPR)
b) Right of Access (Article 15 GDPR)
c) Right to Rectification (Article 16 GDPR)
d) Right to Erasure (Right to be Forgotten) (Article 17 GDPR)
e) Right to Restriction of Processing (Article 18 GDPR)
f) Right to Data Portability (Article 20 GDPR)
g) Right to Object (Article 21 GDPR)
These rights may be restricted under the GDPR or national laws. For example, if fulfilling your request would reveal personal data about another individual, infringe the rights of a third party (including our rights), or if you request the deletion of information that we are legally required to retain or have a compelling legitimate interest in preserving. The relevant exemptions are outlined in the GDPR and applicable national laws.
If the data controller decides not to take action on a data subject's request, they will inform the data subject without undue delay and at the latest within one month from the receipt of the request, explaining the reasons for the refusal and providing information on the right to lodge a complaint with a supervisory authority and seek legal remedies.
You can exercise the rights mentioned above by filling out the "KVKK and GDPR Request Form."
In accordance with the relevant law, the data controller, data controller representative, and data controller application details are as follows:
In accordance with Article 11 of the Law on the Protection of Personal Data titled "Rights of the Data Subject" and Article 12 of the GDPR, you can submit your requests within the scope of the rights of the data subject by filling out the Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Application Form in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller" and sending it in writing to the address: Üniversite Mahallesi A.Suat Özyazıcı Cad. M.Ali Yılmaz Tesisleri No:19E Ortahisar/Trabzon, or by filling out the "KVKK and GDPR Application Form" on our website, or by sending it via email to kvkk@trabzonspor.org.tr.
5.9.4. Institution’s Obligation to Inform and Notify
Under Article 10 of the Law on the Protection of Personal Data (KVKK), data subjects must be informed before or at the time of obtaining their personal data. Within the scope of this obligation, the following information must be provided to data subjects:
· The identity of the data controller and its representative, if any,
· The purpose for which personal data will be processed,
· The recipients to whom the processed personal data may be transferred and the purpose of the transfer,
· The method and legal basis for collecting personal data,
· Other rights listed in Article 11 of the KVKK.
On the other hand, under Article 28(1) of the KVKK, there is no obligation to inform in the following cases:
· The processing of personal data by natural persons exclusively within the scope of activities related to themselves or their family members living in the same household, provided that it is not disclosed to third parties and the obligations regarding data security are complied with.
· The processing of personal data for research, planning, and statistical purposes by making it anonymous within the scope of official statistics.
· The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, and does not constitute a crime.
· The processing of personal data for preventive, protective, and intelligence-related activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
· The processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or execution procedures.
A "Explicit Consent and Disclosure Statement" has been prepared to inform Data Subjects and obtain their explicit consent.
5.10. Conditions for Deletion, Destruction, and Anonymization of Personal Data
Trabzonspor Club and its affiliated companies delete, destroy, or anonymize the personal data they have obtained if it is not mandatory to use them due to legal obligations and the protection of public order, in accordance with the requests of personal data owners. The rules and methods regarding the deletion, destruction, and anonymization of personal data are detailed in the "Data Retention and Destruction Policy."
5.11. Working Principles of the Personal Data Protection Committee
Trabzonspor Club and its affiliated companies have established the "Personal Data Protection Committee" to fulfill the requirements of KVKK and GDPR and to maintain compliance.
The primary purpose and objectives of the Personal Data Protection Committee are:
· Protecting the privacy of private life
· Safeguarding individuals' fundamental rights and freedoms
· Regulating the duties and authorities of data processors
6. Reference Documents
· Law No. 6698 on the Protection of Personal Data
· General Data Protection Regulation of the European Union (Regulation (EU) 2016/679) (“GDPR”)
· Regulation on the Deletion, Destruction, or Anonymization of Personal Data
· Explicit Consent and Information Disclosure Statement
7. Related Documents
· Data Retention and Destruction Policy
