INFORMATION NOTICE FOR USERS AND SERVICE RECIPIENTS UNDER THE PERSONAL DATA PROTECTION LAW

Data Controller:

[Company/Commercial Enterprise Name]: International Institute of Health, Safety and Environment Association Edremit Commercial Enterprise (hereinafter referred to as the “Company”)

MERSIS/Tax No: 8900488430

Address: Hekimzade Mahallesi Çınarliçeşme Cd. No:5/B Edremit/Balıkesir/Türkiye

E-mail: [email protected]– KEP: [•]

Phone: +905510520033

In this text, “Digital Platform” refers to all websites, membership/account areas, and mobile applications (if any) belonging to the Company.

In accordance with the Personal Data Protection Law No. 6698 (“Law”), the [• Association Commercial Enterprise] (“Company”), as the data controller, processes your personal data listed in the section “Data Categories and Processed Personal Data” below in compliance with the relevant legislation and with due care, when you use any of our Company’s websites, user account areas, or mobile applications, or when you purchase subscriptions, webinars, digital content, or services from these digital platforms.

All digital platforms belonging to our Company will hereinafter be referred to as the “Digital Platform.”

This information notice has been prepared to inform all users and individuals who:

• Create an account on the Digital Platform,

• Purchase subscriptions or services from our Company,

• Access services under a subscription provided by a third party,

• Contact us through forms on our website for corporate subscriptions, grants, support, or suggestions,

about the protection and processing of their personal data.

Cases Requiring Explicit Consent

In situations where we need to carry out marketing activities to inform you about campaigns and innovations, to offer you personalized products or services, or to use personalized content and cookies in line with your preferences, we obtain your explicit consent in advance. If you do not give consent, these data will not be processed.

Transaction Security and Account Activation

Before completing your payment transaction, an e-mail verification is conducted to ensure transaction security and to comply with the principles set by the Personal Data Protection Board. Once you confirm the verification link sent to you, your account becomes active, and your personal data begin to be processed from that moment on.

Card Data and Password Security

• The credit/debit card information you enter during payment is neither processed nor stored by our Company; these details are processed and stored solely by licensed payment institutions that provide the payment infrastructure.

• No one, including our Company, can access your account passwords; they are stored using cryptographic algorithms and hashed irreversibly.

Security Measures

To ensure the security of your personal data, our Digital Platforms use up-to-date security certificates, firewalls, and cybersecurity systems, and all necessary technical and administrative measures are taken in accordance with the legislation.

In the event of any data security breach, both the Personal Data Protection Board and the relevant individuals will be notified immediately in accordance with Article 12 of the Law.

To access any of the digital platforms belonging to [• Association Commercial Enterprise], you must create a user account. However, not all personal data listed in the section “Data Categories and Processed Personal Data” of this Information Notice are required or processed during the account creation stage.

During the account creation and subscription process, only the personal data necessary for the performance of the service are requested, while other data are processed based on user preference or in cases required by law.

Apart from the explanations above, this Information Notice informs you, within the scope of the information obligation set out in Article 10 of the Personal Data Protection Law No. 6698, about:

• Which personal data of yours are processed,

• For what purposes your processed data are used,

• With whom and on what legal grounds your data may be shared,

• How your data are collected,

• Your rights to apply and seek remedies under the Law.

IDENTITY INFORMATION: Name and Surname, (optional) Turkish ID Number, (for corporate subscribers) Tax Identification Number, (optional) Year of Birth, (optional) Occupation, Signature.

Explanations Regarding Identity Information:

• Providing your Turkish ID Number is not mandatory; it appears as an optional field in our forms. If shared, it is used for issuing invoices and verifying transaction security. However, in some cases, sharing your Turkish ID Number may be required under legal obligations.

• The Tax Identification Number is processed only for corporate subscriptions belonging to legal entities who are taxpayers. It is not requested from individual subscribers.

CONTACT INFORMATION: E-mail address, phone number, business/invoice address.

CUSTOMER TRANSACTION INFORMATION: Subscription and service purchase history, invoice details, request and complaint records, subscription cancellation/renewal information.

FINANCIAL INFORMATION: Bank account number and IBAN.

Explanations Regarding Financial Information:

If you purchase a corporate subscription package as a self-employed professional or sole trader, your bank account details will be processed because payments are made via wire transfer/EFT. For payments made by credit/debit card, your card details are not processed or stored by the Company and are securely processed only by the payment provider.

TRANSACTION SECURITY INFORMATION: IP address, log records, login and usage details, browsing history on the digital platform.

Explanations Regarding Transaction Security Information:

IP information of all users accessing the digital platform is processed to prevent unauthorized access and for cybersecurity measures. Usage logs may also be processed to improve user experience, ensure service delivery, and detect unlawful actions on the platform.

MARKETING INFORMATION AND COOKIES: Cookie data, survey responses, campaign preferences.

Explanations Regarding Marketing Information and Cookies:

• Personal data may be collected through cookies and surveys.

• Except for mandatory cookies, all cookies (functional, analytical, marketing) are activated only with your consent. If consent is not provided, such cookies are not activated.

• Participation in surveys is entirely voluntary.

LEGAL TRANSACTION INFORMATION: Contract number, notice/warning records, lawsuit/dispute records, information shared with judicial or administrative authorities.

VISUAL AND AUDIO RECORD INFORMATION:

• Call center audio recordings (with prior notification),

• Audio and/or video recordings taken during webinars, online trainings, or other video conferences (with prior notification).

Explanation: These recordings are processed solely for the following purposes:

• Quality control of training and events,

• Improving user experience,

• Documenting participation and preventing future disputes.

Relevant individuals are clearly informed in advance, and those who do not wish to be recorded have the right to turn off their camera or microphone.

Children’s Personal Data: The platform is intended only for users aged 18 and over. For users under 18, personal data are not processed without the explicit consent of their parents or legal guardians.

PURPOSES OF PERSONAL DATA PROCESSING

Personal data shared with our Company through electronic or physical means are processed lawfully, fairly, accurately, up to date, and in a manner that is relevant, limited, and proportionate to the intended purposes.

Your personal data are used for the following purposes:

• Fulfillment of obligations arising from subscriptions and other contracts,

• Management of product and service purchase and usage processes,

• Providing a better user experience,

• Ensuring the security of our digital platforms,

• Providing access to subscribers and users on behalf of subscribers,

• Ensuring the efficient operation of websites and mobile applications,

• Carrying out e-mail verification procedures,

• Managing grant and corporate subscription processes,

• Preparing, storing, and archiving records and documents,

• Managing request and complaint processes,

• Fulfilling financial and fiscal obligations,

• Sharing data with third parties due to legal or contractual obligations,

• Providing information to authorized persons, institutions, and organizations,

• Conducting our Company’s business operations,

• Sharing data with business partners in necessary cases,

• Receiving and evaluating feedback for process improvement,

• Managing administrative activities,

• Managing information security processes,

• Conducting audit, ethics, and internal control activities,

• Monitoring risk management and contract processes,

• With your explicit consent: advertising, campaigns, marketing, and personalized product/service offerings,

• Managing customer loyalty processes related to products and services,

• Following up and conducting legal affairs,

• Performing identity verification procedures upon applications,

• Registering and monitoring visitors to our Company,

• Conducting marketing analyses, statistical studies, and satisfaction surveys,

• Managing customer relations and satisfaction processes.

TRANSFER OF PERSONAL DATA

Your collected personal data may be transferred, within the scope of the purposes mentioned above and in compliance with Articles 8 and 9 of the Law, to:

• Supervisory and regulatory public institutions and organizations,

• Judicial authorities and administrative bodies,

• Relevant public institutions due to financial and fiscal obligations,

• Suppliers, consultants, and business partners from whom we receive services, within the scope of our legitimate interests.

Except for cases specified by law, no data is transferred to third parties without your explicit consent. Data transfer abroad is carried out only with your explicit consent or when the conditions in Article 9 of the Law are met.

Transfer Abroad: Where the conditions stipulated in Article 9 of the Law are met, or with your explicit consent, personal data may be transferred abroad. For example, when cloud services with servers located abroad are used, your data are transferred only to the extent necessary to provide the service.

METHOD AND LEGAL BASIS OF PERSONAL DATA COLLECTION

Your personal data are collected through the following methods:

• Communication via call center,

• Completion of contracts and subscription forms,

• Membership/subscription through our digital platforms and service purchases,

• Completion of electronic forms available on websites and mobile applications,

• Submission of physical documents to us,

• Applications, orders, complaints, and communications made via e-mail, telephone, post, or other means,

• Communication through our social media accounts,

• Banking transactions (wire transfer/EFT, etc.).

Legal Bases:

• Clearly stipulated by law (Article 5/2-a),

• Necessary for the establishment and performance of a contract (Article 5/2-c),

• Necessary for compliance with a legal obligation (Article 5/2-ç),

• Necessary for the establishment, exercise, or protection of a right (Article 5/2-e),

• Necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject (Article 5/2-f),

• Explicit consent where required (Article 5/1).

YOUR RIGHTS UNDER THE LAW

Under Article 11 of the Law, you have the following rights:

• To learn whether your personal data are processed,

• To request information if your personal data have been processed,

• To learn the purpose of processing and whether they are used in accordance with their purpose,

• To know the third parties to whom your personal data have been transferred domestically or abroad,

• To request correction of your personal data if they are incomplete or inaccurate,

• To request deletion or destruction of your personal data within the framework of the conditions set forth in the Law,

• To request notification of correction, deletion, or destruction to third parties to whom your personal data have been transferred,

• To object to any result arising against you from the analysis of your personal data exclusively through automated systems,

• To demand compensation if you suffer damage due to unlawful processing of your personal data.

Application Procedure:

You may submit your requests regarding your rights in accordance with the “Communiqué on the Principles and Procedures for the Application to the Data Controller” through the following means:

• Written application to [Company Address],

• KEP: [•],

• E-mail: [email protected]

,

• “KVKK Application Form” available on our Company website.

Your applications will be concluded within 30 days at the latest. In cases requiring cost, the fee schedule determined by the Personal Data Protection Board shall apply.

IIHSE CODE OF ETHICS DECLARATION

As a member of the International Institute for Health, Safety and Environment (IIHSE), we pledge to fulfill our scientific, academic, professional, and social responsibilities in accordance with the highest ethical standards.

1. General Principles

• We adhere to honesty, transparency, and accountability in all our activities.
• We respect human rights, international laws and regulations, cultural diversity, and differences.
• We act on the basis of scientific accuracy and impartiality in the fields of health, safety, and environment.

2. Scientific and Academic Ethics

• We refrain from plagiarism, falsification, distortion, and unethical practices in research, publications, and projects.
• We respect fair contribution and authorship rights in collaborative work.
• We share scientific data transparently, while complying with confidentiality rules when required.

3. Environment and Sustainability

• We prioritize the protection of natural resources, reduction of carbon footprint, and sustainable practices in all our work.
• We avoid any practices that may harm the environment and support alternative green solutions.

4. Professional and Institutional Responsibility

• We treat colleagues, partners, and society with respect, fairness, and reliability.
• We avoid any behavior that may damage the name and reputation of IIHSE.
• We adopt a zero-tolerance policy against corruption, conflicts of interest, discrimination, harassment, and other unethical practices.

5. Confidentiality and Data Protection

• We comply with the protection of personal data, the security of confidential information, and international standards of data management.
• We safeguard the confidentiality of all information obtained within the scope of membership, partnerships, and projects.

6. Social Contribution

• We aim for our activities to add value not only to our members, but also to society and the future.
• We support education, dissemination of scientific knowledge, and the development of younger generations.

Commitment

This Code of Ethics is an integral part of IIHSE membership. As a member, I unconditionally agree to comply with the above principles and accept the sanctions deemed necessary by the Institute in the event of a violation.