As NORMSOFT BILGI TEKNOLOJILERI A.S, we attach utmost importance to the legal processing and protection of personal data in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), and we act with such care in all our planning and activities.

The main purpose of this information is to explain the systems for the processing and protection of personal data in accordance with the law and the purpose of the law, and to inform the persons whose personal data are processed by our Company, especially the persons. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.

Scope of Disclosure and Personal Data Owners

This information has been prepared for, and will be implemented within the scope of, the persons whose personal data are processed by our Company, especially Company Stakeholders, Company Officials, Company Business Partners, Employees and Employee Candidates, Visitors, Company Customers, Potential Customers and Third Parties, either automatically or by non-automatic means provided that they are part of any data recording system.

Our company informs the Personal Data Owners in question about the Law by publishing this information on its website.

General Principles in the Processing of Personal Data

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:

  • Personal Data is processed in accordance with the relevant legal rules and the requirements of the honesty rule.
  • It is ensured that Personal Data is correct and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
  • Personal Data is processed for specific, explicit and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it does or the service it provides.
  • Personal Data is processed in a manner related to the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. The Company limits the processed data only to what is necessary for the realization of the purpose. Personal Data processed in this context is related, limited and proportionate to the purpose for which it is processed.
  • If there is a period foreseen for data storage in the relevant legislation, the Company complies with these periods; otherwise, it retains the Personal Data only for the period necessary for the purpose for which they are processed. If there is no valid reason for further preservation of Personal Data, the said data is deleted, destroyed or anonymized.

Personal Data Processing Conditions

The Company does not process Personal Data without the explicit consent of the data owner. In the presence of one of the following conditions, Personal Data may be processed without seeking the data owner’s explicit consent.

  • The Company may process Personal Data of Personal Data Owners in cases expressly stipulated by law, even without explicit consent. For example, pursuant to Article 230 of the Tax Procedure Law, the person's explicit consent will not be sought to include the name of the person on the invoice.
  • Personal Data may be processed without explicit consent to protect the life or physical integrity of the person or another person who cannot express their consent or whose consent cannot be validated due to actual impossibility. For example, in a situation where the person is unconscious or the person's consent is not valid due to mental illness, the Personal Data of the Personal Data Owner may be processed during the medical intervention to protect the integrity of life or body. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
  • Personal Data of the parties to the contract can be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a contract made, the account number of the creditor can be obtained for the payment of money.
  • The Company may process the Personal Data of the Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
  • Personal Data made public by the Personal Data Owners, in other words, disclosed to the public in any way, can be processed by the Company because the legal benefit that needs to be protected is no longer valid.
  • The Company may process the Personal Data of Personal Data Owners without seeking explicit consent in cases where data processing is necessary for the exercise or protection of a legally legitimate right.
  • The Company may process the Personal Data of the Personal Data Owners in cases where it is necessary to process the Personal Data for their legitimate interests, provided that the fundamental rights and freedoms of the Personal Data Owners are protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of the Personal Data Owners.

Purposes of Processing and Transferring Personal Data

In accordance with the law and the purpose of the Law, Personal Data is processed for the following purposes:

  •  Best planning and implementation of human resources policies,
  •  Correct planning, execution and management of commercial partnerships and strategies,
  •  Ensuring the legal, commercial and physical security of itself and its business partners,
  •  Ensuring corporate functioning, planning and execution of management and communication activities,
  •  Making the best use of the products and services of the Personal Data Owners and recommending them by customizing them according to their demands, needs and wishes,
  •  Ensuring data security at the highest level,
  •  Creation of databases,
  •  Improving the services offered on the website and eliminating the errors that occur on the website,
  •  Communicating with the Personal Data Owners who have forwarded their requests and complaints to the Company and ensuring the management of requests and complaints,
  •  Event management,
  •  Management of relations with business partners or suppliers,
  •  Execution of personnel procurement processes,
  •  Supporting the company’s personnel procurement processes and compliance with the relevant legislation,
  •  Planning and execution of audit activities to ensure that the company’s activities are carried out in accordance with the relevant legislation,
  •  Supporting the company in the realization of company and partnership law transactions,
  •  Execution/follow-up of financial reporting and risk management transactions,
  •  Execution/follow-up of company legal affairs,
  •  Carrying out studies to protect its reputation,
  •  Managing investor relations,
  •  Giving information to authorized institutions based on legislation,
  •  Creation and tracking of visitor records.

Personal Data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to these purposes. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, your explicit consent is obtained by the Company regarding the relevant processing activity.

Persons to whom Personal Data will be Transferred

Personal Data can be shared with public institutions and organizations, our business and solution partners, banks and third parties who perform technical, logistics and other similar transactions on our behalf, in order to ensure that the services offered to you are complete and flawless, and only to the extent that it is appropriate to the nature of the service. These third parties consist of persons who are obliged to have access to the relevant information in order to provide the relevant services completely and flawlessly.

Apart from these, your Personal Data can be transferred, only to the person or institution concerned, in cases where data has to be shared with other third parties in order to provide the service fully and flawlessly, where it is compulsory for the Company to fulfill its legal obligations, where it is expressly stipulated in the laws, or where there is a judicial/administrative order given in accordance with the law.

Anonymized data is information that cannot be matched with you, our visitors/customers, and does not contain your identity information or make your identity identifiable. Your privacy is guaranteed in anonymized data.

Method and Legal Reason for Personal Data Collection

For the purpose of checking compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data is collected in all kinds of verbal, written and electronic media, through technical and other methods and in various ways such as the call center, the Company website and the mobile application, in order to achieve the purposes stated in the Policy and to fulfill the responsibilities arising from the law completely and accurately, within the framework of legal reasons based on legislation, contract, demand and request. It is processed by the Company or by data processors appointed by the Company.


In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of the Personal Data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and in this context, it performs the necessary inspections or has them performed.

Ensuring the Security of Personal Data

The main measures taken by the Company to ensure the legal processing of Personal Data are listed below:

  • Employees are informed and trained about the law on the protection of Personal Data and the legal processing of Personal Data.
  • All activities carried out by the Company are analyzed in detail specific to all business units, and as a result of this analysis, Personal Data processing activities are revealed, specific to the activities carried out by the relevant business units.
  • For the Personal Data processing activities carried out by the Company’s business units, the requirements to be fulfilled in order to ensure that these activities comply with the Personal Data processing conditions sought by the Law are determined specifically for each business unit and the detailed activity it carries out.
  • In order to meet the legal compliance requirements determined on the basis of the business unit, awareness is created for the relevant business units and the rules of practice are determined; necessary administrative measures are implemented through in-house policies and trainings to ensure the supervision of these issues and the continuity of implementation.
  • In the contracts and documents governing the legal relationship between the Company and the employees, provisions are included that impose the obligation not to process, disclose or use Personal Data, except for the Company’s instructions and the exceptions made by law; awareness of the employees is created in this regard, audits are carried out, and the liabilities arising from the Law are fulfilled.
  • Personal Data processing activities carried out within the company are audited by established technical systems.
  • Personnel knowledgeable in technical matters are employed.

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.

Disclosure of Personal Data Owner

The Company informs the Personal Data Owners during the acquisition of Personal Data in accordance with Article 10 of the Law. In this context, if any, the identity of the Company representative, the purpose for which the Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method of collecting Personal Data and the legal reason, and the rights of the Personal Data Owner are provided in writing.

Rights of the Personal Data Owner in accordance with the KVK Law

The Company informs you of your rights in accordance with Article 10 of the Law; it provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. In accordance with Article 11 of the Law, the Company explains to the persons whose Personal Data is received that they have the following rights:

  • Learning whether Personal Data is processed or not,
  • Requesting information about the Personal Data if it has been processed,
  • Learning the purpose of processing Personal Data and whether they are used in accordance with its purpose,
  • Knowing the third parties to whom Personal Data is transferred in the country or abroad,
  • Requesting correction of Personal Data if it is incomplete or incorrectly processed,
  • Requesting the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
  • Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom personal data has been transferred,
  • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
  • Demanding compensation of the damage in case of loss due to unlawful processing of Personal Data.

Circumstances in which the Personal Data Owner cannot assert his rights

Since the following cases are excluded from the scope of the Law according to Article 28 of the Law, Personal Data Owners cannot claim their rights listed in the article (6.2.) of this Policy in the following cases:

  • Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence provided that they are not given to third parties and that the obligations regarding data security are complied with.
  • Processing Personal Data for purposes such as research, planning, and statistics by making it anonymous with official statistics.
  • Processing Personal Data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights or constitute a crime.
  • Processing of Personal Data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.
  • Processing of Personal Data by judicial authorities or enforcement authorities in relation to the investigation, prosecution, trial, or execution proceedings.

According to Article 28/2 of the Law, in the cases listed below, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy, except for the right to demand the compensation of the damage:

  •  The processing of Personal Data is necessary for crime prevention or criminal investigation.
  •  Processing of personal data made public by the Personal Data Owner.
  •  The processing of Personal Data is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority given by the law.
  •  The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

Exercise of Personal Data Owner’s Rights

Personal Data Owners can submit their requests regarding their rights listed in article (6.2.) of this Policy, together with the information and documents that will determine their identity, by the methods specified below, by other methods determined by the KVK Board, or by the methods in our application clarification text explaining how to apply. They can fill in and sign the Application/Contact Form, which can be accessed from the link, and forward it to the Company:

  1.  After filling in the application form, a wet-signed copy can be sent to the address Uğur Mumcu Mah. Kartal / İSTANBUL / TÜRKİYE,
  2.  Filling in the application form and sending it via mobile signature or e-mail to e-mail address.

For third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.