Data Protection and Processing Policy

JEOPARK MUNICIPALITIES UNION Data Protection and Processing Policy
INTRODUCTION
As the data controller, the Jeopark Municipalities Union ("Union") attaches great importance to the protection of personal data belonging to citizens, employees, and other individuals with whom it has a relationship. The Union takes the necessary administrative and technical measures for the processing and protection of personal data in accordance with the Law on the Protection of Personal Data No. 6698 (Law) and relevant legislation.

OBJECTIVE AND SCOPE OF THE POLICY

The main purpose of this Policy is to explain the personal data processing activities carried out by the Union in a lawful manner and to provide transparency regarding the systems adopted for the protection of personal data. This Policy covers the processing and protection of personal data of citizens, employees, job applicants, visitors, employees of collaborating institutions, and third parties who are in a relationship with the Union, whether processed automatically or non-automatically, as part of any data recording system.

PROTECTION OF PERSONAL DATA

3.1 PROTECTION OF PERSONAL DATA

The Union, in accordance with Article 12 of the Law, takes the necessary technical and administrative measures to prevent the unlawful processing of personal data it processes, prevent unauthorized access to data, and ensure the preservation of data. In this context, the Union takes the necessary administrative and technical measures to ensure the required security level, conducts inspections, and complies with the guides published by the Personal Data Protection Board ("Board").

3.2 PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
Special emphasis has been placed on personal data that is sensitive due to the risk of causing harm or discrimination when processed unlawfully. According to Article 6 of the Law, "special categories" of personal data include data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, criminal convictions, and security measures ("Special categories of personal data excluding health and sexual life") as well as health, sexual life, biometric, and genetic data ("Special categories of personal data related to health and sexual life"). The Union, in accordance with the measures envisaged in the Board's Decision dated 31/01/2018 and numbered 2018/10, takes the necessary measures for the protection of special categories of personal data as explained in the Special Categories of Personal Data Protection Policy and monitors and audits the activities carried out in this regard within the Union.

3.3 AUDIT OF MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA AND TRAINING OF INSTITUTIONAL EMPLOYEES

There is a Data Protection Committee within the Union. The Committee, on behalf of the Union, ensures the implementation of the provisions of the Law within its institution or organization, conducts necessary inspections, and, if necessary, ensures inspections are carried out with the support of competent authorities. Based on the results of these inspections, identified violations, negative aspects, and non-compliances are reported to the responsible individuals within the committee, and necessary measures are taken in this regard. In cases where personal data is transferred to external service providers by the Union, additional contracts containing provisions regarding the lawful transfer of personal data are signed with relevant companies, ensuring that the necessary security measures are taken and compliance with these measures is ensured in their organizations. In addition, the Union enters into contracts with its institutional employees to comply with the discipline policies related to personal data protection. Likewise, Jeopark Municipalities Union enters into contracts related to compliance with personal data protection measures with employees subject to the Labor Law No. 4857, who are not subject to Law No. 657, within its institutional discipline policies. For employees covered by Law No. 657, the Union acts in accordance with the Decision of the Personal Data Protection Board dated 26/12/2019 and numbered 2019/393. In this context, informative texts regarding the procedures and principles to be followed in terms of the right to protect personal data are communicated to officials working under Law No. 657. The Union promotes awareness to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure data preservation, and provides necessary training to its employees for this purpose.

ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

The Municipality processes personal data in accordance with Article 20 of the Constitution and Article 4 of the Law. The Municipality retains personal data for the duration prescribed by laws or as long as necessary for the purpose of personal data processing. In accordance with Article 10 of the Law, the Municipality informs the individuals whose personal data is processed, requests their consent in cases where consent is required, and processes these personal data based on their consent, considering the criteria specified below.
8.1. Processing in Compliance with the Law and the Principle of Honesty
The Municipality acts in accordance with legal principles and the principle of public trust and honesty in the processing of personal data. In accordance with the principle of honesty, the Municipality strives to achieve its data processing goals while considering the rights of the individuals concerned.
8.2. Ensuring the Accuracy and Currency of Personal Data
Maintaining personal data accurately and up-to-date is necessary for the protection of the fundamental rights and freedoms of the individual concerned from the Municipality's perspective. The Municipality fulfills its maximum care obligation in ensuring that personal data is accurate and up-to-date. For this reason, all communication channels are open to individuals whose data is processed by the Municipality, and necessary precautions are taken in this regard.
8.3. Processing for Specific, Clear, and Legitimate Purposes
The Municipality determines the purpose of processing personal data clearly and precisely, in a legitimate and lawful manner. The Municipality processes personal data as much as necessary for its activities and public services.
8.4. Processing Connected, Limited, and Proportional to the Purpose
The Municipality processes personal data within the purposes that are necessary for relevant and its business. Therefore, the Municipality processes personal data in a way that is suitable for achieving the defined purposes and avoids processing personal data that is irrelevant or unnecessary for achieving the purpose.
8.5. Retaining Personal Data for the Period Foreseen in the Relevant Legislation or as Necessary for the Purpose of Processing
The Municipality retains personal data only for the period specified in the relevant legislation or, if a period is not specified, for the time necessary for the purpose of processing personal data. In this context, the Municipality first determines whether a period is specified for the storage of personal data in the relevant legislation, complies with the specified period if any, and if no period is specified, keeps personal data for the period necessary for the purpose of processing, as stated in the Municipality's retention policy. The Municipality adheres to the principles specified in the Law, and after these periods, personal data is deleted, destroyed, or anonymized in accordance with the obligations under the Law, depending on the nature and purpose of the data.

PROCESSING OF PERSONAL DATA

The explicit consent of the data subject, whose personal data is processed, is only one of the legal bases that enable the lawful processing of personal data. In addition to explicit consent, personal data can be processed if one of the conditions specified in the law exists. The legal basis for personal data processing activity can be only one of the conditions listed below, or more than one of these conditions can be the basis for the same personal data processing activity. In the case of processing data that is of a special nature, the conditions specified in section 3.3 of this Policy ("Processing of Special Categories of Personal Data") will apply.

9.1 CONDITIONS FOR PROCESSING PERSONAL DATA

a) Existence of Explicit Consent of the Data Subject

One of the conditions for the processing of personal data is the explicit consent of the data subject. The explicit consent of the data subject must be based on specific information, informed, and given with free will regarding a particular subject. In the presence of the following conditions for personal data processing, personal data can be processed without the explicit consent of the data subject.

b) Explicit Provision in the Law

If the personal data of the data subject is explicitly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it can be said that the condition for data processing is met.

c) Impossibility to Obtain Explicit Consent Due to Physical Impossibility

If it is necessary to process the personal data of the data subject or another person for the protection of life or physical integrity, and it is impossible to obtain the explicit consent of the data subject due to physical impossibility, the personal data of the data subject can be processed.

d) Directly Related to the Establishment or Performance of a Contract

If the processing of personal data is necessary for the establishment or performance of a contract to which the data subject is a party and is directly related to it, this condition may be deemed to have been fulfilled.

e) Fulfillment of the Legal Obligation of the Municipality

If it is necessary to process the personal data of the data subject for the municipality to fulfill its legal obligations, the personal data of the data subject can be processed.

f) Public Disclosure of Personal Data by the Data Subject

If the data subject has publicly disclosed their personal data, the relevant personal data can be processed limitedly for the purpose of public disclosure.

g) Necessity of Data Processing for the Establishment or Protection of a Right

If it is necessary to process the personal data of the data subject for the establishment, exercise, or protection of a right, the personal data of the data subject can be processed.

h) Necessity of Data Processing for the Legitimate Interests of the Municipality

If it is necessary to process the personal data of the data subject for the legitimate interests of the municipality, provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data of the data subject can be processed.

9.2 PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data are processed by our municipality in accordance with the principles specified in this Policy and taking all necessary administrative and technical measures, including methods determined by the Board. The processing is carried out under the following conditions:

a) Personal data other than health and sexual life can be processed without the explicit consent of the data subject if it is explicitly foreseen in the laws, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, explicit consent of the data subject will be obtained.
b) Special categories of personal data related to health and sexual life can be processed without the explicit consent of the data subject for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment, and care services, and planning and management of health services, by persons or authorized institutions and organizations under the obligation of confidentiality. Otherwise, explicit consent of the data subject will be obtained.

PURPOSES OF PROCESSING PERSONAL DATA

The municipality processes personal data within the purposes specified in Article 5, paragraph 2, and Article 6, paragraph 3 of the Personal Data Protection Law, limited to these purposes. Detailed information on this matter can be found in the EK-2 ("Annex 2 - Personal Data Processed by the Municipality and Purposes") document of this Policy. In addition, general purposes for processing personal data are also mentioned in the Registered Data Controllers Registry.

INFORMING AND ENLIGHTENING THE DATA SUBJECT

The municipality, in accordance with Article 10 of the Personal Data Protection Law, informs the data subjects whose personal data is processed during the acquisition of personal data. In this context, the municipality provides information to the data subject, depending on the nature of the data subject and the data processing process, about the identity of the data controller, the identity of its representative if any, the purposes for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data, and the legal reason for processing personal data. Within this scope, the municipality has placed pre-information notices and information texts that can be easily seen within the municipality and common areas. In addition to this policy, the municipality has published a process and individual-based information text, a cookie policy, and an application form on its website.

TRANSFER OF PERSONAL DATA

The municipality, in line with lawful purposes of personal data processing, can transfer the personal data of the data subject to third parties by taking necessary security measures. In this context;

If there is an explicit regulation in the laws regarding the transfer of personal data,

If the transfer of personal data belonging to the parties of the contract is directly related to the establishment or performance of a contract,
If the transfer of personal data is necessary for the municipality to fulfill its legal obligations,
If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,
If the transfer of personal data is necessary for the legitimate interests of the municipality, without harming the fundamental rights and freedoms of the data subject,
For special categories of personal data other than health and sexual life; if there is the existence of cases foreseen in the laws;
For personal data related to health and sexual life, only if there is a necessity to share with authorized individuals, institutions, or organizations within the scope of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, and planning and management of health services;

is being transferred.

THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY THE MUNICIPALITY AND PURPOSES OF TRANSFER

The municipality, in line with lawful purposes of personal data processing, can transfer the personal data, including special categories of personal data, of the relevant individual to third parties by taking necessary security measures. The municipality acts in accordance with the regulations envisaged in Article 8 of the Law in this regard. Detailed information on this matter can be found in the Annex 3 ("(Annex 3 - Third Parties to Whom Personal Data is Transferred by the Municipality and Purposes of Transfer)" document of this Policy.

MUNICIPALITY'S PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

Within the municipality, personal data, including special categories of personal data, in the categories specified below, are processed by informing the relevant individuals in accordance with the principles stated in Article 5 and Article 6 of the Law, based on one or more of the processing conditions specified in Article 5 and Article 6 of the Law and limited to them, and in compliance with the general principles specified in the Law and all obligations regulated in the Law for the legitimate and lawful purposes of personal data processing by the municipality. The municipality has created a personal data inventory in accordance with the Personal Data Controllers Registry Regulation introduced by the Personal Data Protection Authority. This data inventory includes data categories, data sources, purposes of data processing, data processing procedures, recipient groups to whom the data is transferred, and retention periods. Within this scope, the municipality has personal data in the following data categories.

PERSONAL DATA CATEGORIZATION	EXPLANATION OF PERSONAL DATA CATEGORIZATION
Identity Data	Data group containing information about the person's identity.
Contact Data	Data group that can be used to reach the person.
Visual and Auditory Data	Data group containing visual and auditory data belonging to the person.
Personal Data	This data category refers to types of data related to individuals, such as payroll information, asset declaration information, and resume information.
Financial Data	Data group containing the financial information of the individual.
Professional Experience	Data group containing information about the individual's profession, professional experiences, and education.
Customer Transaction Data	This data category includes data types such as call center records, receipts, receipts, securities information, and invoice information.
Legal Transaction Data	This data category includes information from correspondences with judicial authorities, information in the case file, and similar data types.
Transaction Security Data	Data group containing transaction security data such as IP information, log records, and cookies related to the individual.
Physical Space Security Data	Data group containing physical space security data such as camera recordings and entry-exit records related to the individual.
Union Membership	Information about the individual's membership in the union.
Risk Management	This data category refers to information processed for managing technical and administrative risks.
Criminal Conviction Data	Data group related to public and criminal sanctions received in the individual's history.
Health Data	Data group related to the individual's health data.
Other	Data that is not categorized in the Data Controllers Registry such as Military Service Status, License Plate Information, Title Deed Information.

DURATION OF STORAGE OF PERSONAL DATA

The municipality stores personal data for the duration specified in the relevant laws and regulations in cases foreseen by the relevant laws and regulations. If the duration for storing personal data is not regulated in the legislation, the municipality retains the personal data for the period required by the municipality's practices and public customs, associated with the activity carried out by the municipality when processing that data. Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the Personal Data Protection Law, and the "Regulation on the Deletion, Destruction, and Anonymization of Personal Data" issued by the Personal Data Protection Authority, personal data processed in compliance with the relevant legal provisions are deleted, destroyed, or anonymized upon the elimination of the reasons requiring their processing, in accordance with the policies of the municipality or upon the request of the relevant individual. The municipality has created a policy in this regard and acts in accordance with this policy.

RIGHTS OF DATA SUBJECTS; EXERCISING THESE RIGHTS

The municipality informs the data subject of their rights in accordance with Article 10 of the Personal Data Protection Law and guides the data subject on how to exercise these rights regulated in Article 11. The municipality, in accordance with Article 13 of the Personal Data Protection Law, manages the necessary channels, internal processes, and administrative and technical arrangements for the evaluation of the rights of the data subjects and the provision of the necessary information to the data subjects. 17.1 Rights of Data Subjects Whose Personal Data is Processed Data subjects whose personal data is processed have the following rights:

To learn whether personal data is being processed,
To request information if personal data has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with that purpose,
To know the third parties to whom personal data is transferred domestically or abroad,
To request correction of incomplete or incorrect processing of personal data and to request notification of this correction to third parties to whom personal data has been transferred,
To request the deletion or destruction of personal data in case personal data has been processed in compliance with the KVK Law and other relevant laws, but the reasons requiring their processing have ceased, and to request notification of this deletion to third parties to whom personal data has been transferred,
To object to a result that arises against the individual as a result of the processing of the processed data exclusively through automated systems,
To request the remedy of damages in case of harm due to the illegal processing of personal data.

17.2. Cases where Data Subjects Whose Personal Data is Processed Cannot Exercise Their Rights

Data subjects whose personal data is processed cannot exercise their rights regarding the situations specified in Article 28 of the KVK Law, as these situations are excluded from the scope of the KVK Law. Therefore, they cannot assert their rights in these matters mentioned in 20.1.1.

Processing of personal data for research, planning, and statistical purposes by anonymizing them with official statistics,
Processing of personal data for artistic, historical, literary, or scientific purposes or for freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, and does not constitute a crime,
Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and empowered by law to ensure national defense, national security, public security, public order, or economic security,
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution processes.

In accordance with Article 28/2 of the Personal Data Protection Law; data subjects whose personal data is processed cannot assert their rights listed in 20.1.1, except for the right to request the remedy of damages in the cases listed below:

When processing personal data is necessary for the prevention of crime or for the investigation of a crime,
When processing the personal data of the data subject, which has been made public by the data subject themselves,
When processing personal data is necessary for the performance of supervisory or regulatory duties by authorized public institutions and organizations with a duty and authority based on the law, or for the conduct of disciplinary investigations or prosecutions,
When processing personal data is necessary for the protection of the State's economic and financial interests in relation to budget, tax, and financial matters.

17.3. Exercising the Rights of the Data Subject Data subjects whose personal data is processed can submit their requests regarding the rights specified in this Policy to the Municipality free of charge by filling out and signing the application form with information and documents that identify their identity. Regulations in this regard are made in theGeopark Municipalities Union Personal Data Application and Response Procedure and the information texts. The data subject,

After filling out the form available at http://geoparkbelediyelerbirligi.com, the wet-signed copy of the form must be personally delivered or sent in writing by registered mail to the address “4 Eylül Mah. Yunus Emre Cad. No: 96 Kula / MANİSA,” or submitted in person,
After filling out the form and signing it with a "secure electronic signature" within the scope of Law No. 5070 on Electronic Signature, the form signed with a secure electronic signature can be sent to the email address manisageopark@hs01.kep.tr. Alternatively, the application can be made to the email address info@geoparkbelediyelerbirligi.com with a secure electronic signature, mobile signature, or using the email address previously notified to the municipality and registered in the municipality's system or through a software or application developed for the purpose of the application.

can use the following methods to exercise their rights. In order for the application mentioned above to be considered a valid application, the data subject must provide the following information in accordance with the Communique on Application Procedures to the Data Controller:

a) Name, surname, and signature if the application is in writing,
b) Republic of Turkey ID number for Turkish citizens, nationality, passport number for foreigners, or, if available, ID number,
c) Residence or business address for notification purposes,

ç) If available, the email address for notification, phone, and fax numbers,

d) Subject of the request,

information must be provided. Otherwise, the application will not be considered a valid application. In case of applications without filling out the application form, the mentioned information must be communicated to the municipality in full. In order for third parties to request on behalf of data subjects whose personal data is processed, there must be a special power of attorney prepared through a notary on behalf of the person making the application on behalf of the data subject.
Data Controller         : Geopark Municipalities Union
Address                        “4 Eylül Mah. Yunus Emre Cad. No: 96 Kula / MANİSA”
Definitions and purposes of processing personal data and purposes of transfer are provided below to assist in the examination of the policy.

ANNEX-1 DEFINITIONS
Explicit Consent: Consent based on information about a specific subject, declared with free will and informed consent.
Anonymization: Changing personal data in a way that it will lose its personal nature and cannot be reversed. Examples include masking, aggregation, data distortion, etc., to make personal data unidentifiable to a real person.
Application Form: “Application Form for Applications to the Data Controller by the Data Subject in Accordance with the Law on the Protection of Personal Data No. 6698” including the application to exercise the rights of the relevant individuals whose personal data is processed.
Job Applicant: Individuals who have applied for a job to the Geopark Municipalities Union in any way or have submitted a resume and relevant information.
Employees, Shareholders, and Officials of Collaborating Institutions: Real and legal persons, including employees, shareholders, and officials of institutions with which the municipality has any kind of business relationship (such as business partners, suppliers, etc., but not limited to them).
Business Partner: Parties with whom the municipality establishes partnerships to carry out various projects, receive services, etc., while conducting its activities.
Processing of Personal Data: Any operation performed on data, whether fully or partially automatic or non-automatic, which is part of any data recording system, including obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making it obtainable, classifying, or preventing its use.
Data Subject: Real person whose personal data is processed. For example; visitor, employee, citizen, etc.
Personal Data: Any information about a specific or identifiable individual. (For example; name, ID number, email, address, birth date, credit card number, etc.) The processing of information about legal entities is not covered by the Law.
Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Supplier: Parties that provide services to the municipality based on contracts, complying with the orders and instructions of the municipality.
Third Party: Individuals whose personal data is processed under the policy and not defined differently within the scope of the policy. For example; family members, former employees.
Data Processor: Real and legal persons who process personal data on behalf of the data controller based on the authorization given by them. For example; companies that provide services to the municipality.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place (data recording system) where the data is systematically kept. Geopark Municipalities Union is the data controller within the scope of this policy.
Deletion of Data: It refers to the situation where access to personal data is blocked in a way that it is encrypted for all relevant users within the municipality and only the data protection officer has access to this password.
Deletion of Data: It refers to the complete elimination of personal data in a way that cannot be reversed, either physically or through technological methods.
< Visitor: Real individuals who have entered the physical premises owned by the municipality for various purposes.

Annex 2- PERSONAL DATA PROCESSED BY THE MUNICIPALITY AND PURPOSES

Data Subject	Processed Personal Data Category	Purposes of Processing Personal Data
Employee	Identity Contact Professional Experience Legal Transaction Finance Personnel Visual and Audio Records Military Data	Personal data of employees is processed for the purposes of complying with the laws and regulations, including but not limited to the Labor Law, Law No. 657 on Civil Servants, Law No. 6331 on Occupational Health and Safety, such as: · Management of Employee Satisfaction and Loyalty Processes, · Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees, · Execution of Rights and Benefits Processes for Employees, · Conducting Activities in Compliance with Legislation, · Conducting Financial and Accounting Affairs, · Execution of Assignment Processes, · Tracking and Execution of Legal Affairs, · Internal Audit/Investigation/Intelligence Activities, · Conducting Communication Activities, · Conducting Business Activities/Control in Compliance with Legislation, · Execution of Contract Processes, · Planning of Human Resources Processes, · Providing Information to Authorized Persons, Institutions, and Organizations, · Conducting Training Activities.
Employee	Criminal Record	Criminal records are processed for the purpose of determining whether the condition of not being deprived of public rights, which is a necessary qualification to be a civil servant according to Article 48 of Law No. 657 on Civil Servants, is fulfilled or not.
Employee	Union Information	Union information of employees is processed by our municipality in accordance with Article 25 of Law No. 4688 on Public Officials' Trade Unions and Collective Bargaining for municipal employees.
Employee	Health Information	In accordance with the Regulation on the Duties, Powers, Responsibilities, and Training of Workplace Doctors and Other Health Personnel, workplace doctors are required to conduct entry and periodic health examinations to ensure that employees are fit for the job. Employee health information is processed for the purpose of conducting occupational health and safety activities, tracking the suitability of municipal employees for their duties.
Visitor	Identity Physical Space Security	For the purpose of tracking the entry and exit of visitors to the municipality and ensuring the security of the municipal building, images of visitors are recorded through camera recordings within the municipality, in line with the legitimate interests of the municipality.
Visitor	Identity Transaction Security	In accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications, the identity information, IP address information, and website entry and exit information of internet site visitors are processed to record who uses the internet service provided by our municipality and for what purpose, and to confirm user information in e-municipality activities on our corporate website and mobile applications.
Job Applicant	Identity Contact Professional Experience Visual and Audio Records	For the purpose of evaluating candidates for employment in the hiring process, personal information, contact information, professional experience information, and financial information of job applicants are processed to facilitate the preparation of employment-related procedures.
Citizen	Identity Contact Title Deed Information Professional Experience	In accordance with Law No. 3194 on Urbanization, citizen identity information, contact information, professional experience information, and title deed information related to renovations are processed for the purpose of ensuring the proper formation of settlements and structures in these places in accordance with planning, engineering, health, and environmental conditions. For example, citizen information is processed to grant permission and excavation permits to individuals who will excavate for infrastructure-related purposes, and to evaluate renovation applications submitted to the municipality, prepare auction contracts, and prepare technical reports for zoning plan changes.
Citizen	Identity Contact Financial Information Invoice Information Title Deed Information Visual and Audio Records Professional Experience Legal Transaction Data	In accordance with Law No. 1319 on Property Tax; processes are carried out to ensure the registration of title deeds for immovables that need to be registered in the name of the municipality, for leasing and auction proceedings.
Citizen	Identity Contact	In accordance with Law No. 5393 on Municipalities; the municipality is obliged to evaluate the requests and complaints of citizens to regulate the legal status of the municipal administration and ensure that services are carried out in a planned, programmed, effective, efficient, and harmonious manner. In this context, the identity and contact information of citizens who contact our municipality through the Call Center is processed.
Citizen	Identity Contact Financial Information Legal Transaction Data	In accordance with Law No. 5326 on Misdemeanors; citizen identity, contact, financial information, judicial file information, and execution file information are processed to protect public order, general morality, the environment, and economic order and to follow up legal-execution affairs.
Citizen	Identity Contact Visual and Audio Records Health Information	In accordance with Law No. 5393 on Municipalities; our municipality carries out various social and cultural services for the elderly, disabled, women, youth, and children, including the opening of courses, operating or subcontracting vocational and skills training courses, and ensuring the planning and implementation of projects for the planning of transportation systems. The information of citizens who benefit from these services, such as name, surname, and photographs, is processed for the purpose of providing these services and announcing them to our citizens.
Citizen	Identity Contact Financial	In accordance with Law No. 1319 on Property Tax; our municipality processes the assessment and accrual of buildings, land, and land within its borders, maintains records of the revenues and receivables collected by the municipality, pays expenses and debts to the rightful owners, and performs accounting services related to all financial transactions, including the acceptance, storage, delivery, and other financial transactions related to cash and values expressed in money. For these purposes, citizen identity information, contact information, and financial information are processed.
Citizen	Religious Information	In accordance with Article 7 of the Population Registry Law; for the purpose of conducting marriage affairs and procedures, religious information of citizens applying to our municipality for marriage is processed.
Council and Assembly Members	Identity Contact Declaration of Assets	In accordance with the Municipal Council Working Regulation; important decisions specified in the law are made by the municipal council. For the preparation of municipal council decisions, the identity, contact, and asset declaration information of committee members is processed.
Parent/Guardian/Representative	Identity Contact	In accordance with Law No. 5393 on Municipalities; our municipality carries out social and cultural services for the elderly, disabled, and children and opens courses and creates nursing home records. The identity and contact information of the parents, guardians, and representatives of citizens who want to benefit from these services is processed.
Person Featured in the News	Identity Visual Record	Our municipality shares news posts on the website regarding social and cultural services it has realized. For the purpose of providing social services and announcing these services to our citizens, the names, surnames, and photographs of citizens benefiting from the service are processed.
Supplier Representative/Employee	Identity Contact Financial Information Professional Experience Criminal Record	In accordance with Law No. 4734 on Public Procurement; processing involves organizing the procurement of all products needed by the unit based on the nature of the requests in the units, ensuring payment to the relevant supplier, coordinating the preparation of relevant documents and organizing the procurement file according to the method determined in product and service purchases within the scope of procurement activities. Coordination includes creating and maintaining a list of suppliers directly used in the final product, coordinating the evaluation of suppliers' performance, and keeping records of relevant quality. The department prepares estimates for approved product and service needs of the departments, ensuring that they are carried out by the relevant department. Processing also includes identifying and ensuring traceability of purchased products in accordance with procedures. Additionally, for cases where the bidder is a real person in accordance with Law No. 4734 on Public Procurement, processing involves checking for individuals prohibited from participating in bids and processing the identity, contact, financial, professional experience, vehicle plate information, and criminal records of suppliers for the purpose of public procurement processes.

Attachment 3 - THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY OUR MUNICIPALITY AND PURPOSES OF TRANSFER

Entities to Which Data Transfer May Be Made	Relevant Individuals	Purpose of Data Transfer
Business Partner	Citizen	Limited transfer is made for the purpose of ensuring the preparation, implementation, and fulfillment of the objectives of partnership in the establishment of business partnerships related to our public services and activities.
Suppliers	Citizen	Limited transfer is made for the purpose of providing services necessary for the municipality to carry out its activities, which the municipality has procured from external sources.
Authorized Public Institutions and Organizations	Citizen	Limited transfer is made in situations where public institutions and organizations request and provide legal basis.
Banks	Citizen	Limited transfer is made for the purpose of payment activities when our citizens want to make payments via our website.