Personal Data Processing and Protection Policy

06 Ara, 2025

1. Introduction

1.1 Introduction

Protection of personal data is among the most important priorities of “METCO DENTAL A.Ş.” (the “Company”) as it is a fundamental human right. In order to guarantee the right to protection of personal data, the Company makes maximum effort to act in accordance with all applicable legislation in this regard. Within the framework of this “METCO DENTAL A.Ş.” Personal Data Protection and Processing Policy (the “Policy”), the principles adopted in the execution of personal data processing activities carried out by our Company and the basic principles adopted regarding the compliance of our Company's data processing activities with the regulations in the Law on the Protection of Personal Data No. 6698 (the “Law”) are explained, and thus our Company ensures the necessary transparency by informing the relevant persons. With full awareness of our responsibility in this context, your personal data is processed and protected under this Policy.

1.2 Scope

The “METCO DENTAL A.Ş.” (“COMPANY”) Personal Data Processing and Protection Policy (“Policy”) has been prepared with the aim of disciplining the processing of personal data within the framework of legislation regarding personal data and protecting fundamental rights and freedoms, primarily the privacy of private life as stipulated in the Constitution. While preparing the “Policy”, the fundamental principle was determined to identify which data the working units collect and why they collect it within the “COMPANY” organization chart, why there is a need to transfer this data to third parties, and to understand the “COMPANY”s personal data processing procedure. While transferring the requirements of the relevant legislation to the “Policy”, it has been adopted as a principle to explain in a simple and understandable language which data the “COMPANY” obtains and why, and why it processes this data, within the framework of the sensitivity felt within the necessity of protecting personal data. In addition, it is aimed to take the necessary administrative and technical measures to protect data privacy within and outside the “COMPANY” organization and to inform and enlighten the individuals whose data are processed. All natural persons whose data are processed by the “COMPANY” fall within the scope of the “Policy”. Within the scope of this “Policy”, customized information regarding the data processed within the framework of the transactions and activities in the “COMPANY” organization, the categorization of data, data recipient groups, legal reason and method of data collection, third party groups to whom data are transferred, data processing periods, and data deletion periods have been attempted to be included. However, in the event that data processing is/will be carried out by the “COMPANY” other than the current processing activities, it is possible to carry out the processing activity and provide information within a separate clarification text, provided that the basic principles and principles specified in this policy are complied with. In this case, the clarification provided will constitute an integral part of this “Policy” and it cannot be claimed that it is not included in this “Policy”. As a matter of fact, within the scope of Article 5 of the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform, it is possible to provide information orally, in writing, by voice recording, by using physical or electronic media such as a call center. 1.3 Implementation of the Policy and KVKK Legislation Regarding the processing and protection of personal data, the relevant legal regulations in force will be applied primarily. In case of inconsistency between the current legislation and the Policy, our Company accepts that the current legislation will apply. The Policy regulates the rules set forth by the relevant legislation by embodying them within the scope of Company practices. 1.4 Enforcement of the Policy The effective date of this Policy is 01.01.2021. The version prepared by “METCO DENTAL A.Ş.” which entered into force on 01.01.2021 and was updated on 15.03.2021 has been renewed as of the effective date of this Policy. This Policy is published on the website of “METCO DENTAL A.Ş.” at [https://metcodental.com/].

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

2.1 Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer of personal data, or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures and conducts or has conducted audits intended to ensure the necessary security level in accordance with the guidelines published by the Personal Data Protection Board (the “Board”).

2.2 Protection of Special Categories of Personal Data

Special importance has been attributed to certain personal data by the Law due to the risk of causing victimization or discrimination of individuals when processed unlawfully. This data includes; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership to associations, foundations or unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data. “METCO DENTAL A.Ş.” acts with sensitivity in the protection of special categories of personal data, which are determined as “special quality” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by “METCO DENTAL A.Ş.” for the protection of personal data are carefully applied in terms of special categories of personal data and necessary audits are provided within “METCO DENTAL A.Ş.”. Note: Detailed information regarding the technical and administrative measures taken in the processing of personal data is included in section “8” of this policy.

2.3 Increasing Awareness and Supervision of Business Units on Protection and Processing of Personal Data

“METCO DENTAL A.Ş.” organizes trainings at regular intervals to increase awareness to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. Necessary systems are established to create awareness among “METCO DENTAL A.Ş.” employees regarding the protection of personal data, and consultants are worked with if needed regarding the issue. In this direction, our Company participates in relevant trainings, seminars, and information sessions, primarily those prepared by the Personal Data Protection Authority, through its employees and renews its trainings in parallel with the updating of the relevant legislation.

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1 Processing of Personal Data in Compliance with Principles Stipulated in Legislation

3.2 Processing in Compliance with Law and Integrity Rules

“METCO DENTAL A.Ş.” acts in accordance with the principles introduced by legal regulations and the general rule of trust and integrity in the processing of personal data. In this framework, personal data is processed to the extent required by our Company's business activities and limited to these.

3.3 Ensuring Personal Data is Accurate and Up-to-Date When Necessary

“METCO DENTAL A.Ş.” takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period it is processed and establishes the necessary mechanisms regarding the assurance of the accuracy and currency of personal data at certain periods.

3.4 Processing for Specific, Explicit, and Legitimate Purposes

“METCO DENTAL A.Ş.” clearly sets forth the purposes of processing personal data and processes it within the scope of purposes connected with these activities in line with business activities.

3.5 Being Connected, Limited and Proportionate to the Purpose for which they are Processed

“METCO DENTAL A.Ş.” collects personal data only in the quality and extent required by business activities and processes it limited to the determined purposes. Retaining for the Period Stipulated in Relevant Legislation or Required for the Purpose for which they are Processed “METCO DENTAL A.Ş.” retains personal data for the period required for the purpose for which they are processed and the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company primarily determines whether a period is foreseen for the storage of personal data in the relevant legislation, and acts in accordance with this period if a period is determined. If no legal period exists, personal data is stored for the period required for the purpose for which they are processed. At the end of the determined storage periods, personal data is destroyed in accordance with periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and/or destruction and/or anonymization).

3.6 Conditions for Processing Personal Data

Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions specified below, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is special categories of personal data, the conditions included in heading 3.3 of this Policy (“Processing of Special Categories of Personal Data”) will apply. i. Existence of Explicit Consent of Personal Data Owner One of the conditions for processing personal data is the explicit consent of the data owner. The explicit consent of the personal data owner must be explained regarding a specific subject, based on information and with free will. In the presence of the personal data processing conditions listed below, personal data may be processed without the explicit consent of the data owner. ii. Explicitly Stipulated in Laws If the personal data of the data owner is explicitly stipulated in the law, in other words, if there is a clear provision regarding the processing of personal data in the relevant law, the existence of this data processing condition may be mentioned. iii. Failure to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility In the event that the processing of personal data is mandatory to protect the life or physical integrity of the person who is unable to explain his/her consent due to actual impossibility or whose consent cannot be validated, or of another person, the personal data of the data owner may be processed. iv. Direct Relevance to the Establishment or Performance of a Contract Provided that it is directly related to the establishment or performance of a contract to which the data owner is a party, this condition may be deemed fulfilled if the processing of personal data is necessary. v. Fulfillment of the Company's Legal Obligation In the event that processing is mandatory for our Company to fulfill its legal obligations, the personal data of the data owner may be processed. vi. Making Personal Data Public by the Personal Data Owner In the event that the data owner has made his/her personal data public, the relevant personal data may be processed limited to the purpose of making it public. vii. Mandatory Data Processing for the Establishment or Protection of a Right If data processing is mandatory for the establishment, use, or protection of a right, the personal data of the data owner may be processed. viii. Mandatory Data Processing for the Legitimate Interests of Our Company Provided that it does not harm the fundamental rights and freedoms of the personal data owner, if data processing is mandatory for the legitimate interests of our Company, the personal data of the data owner may be processed.

3.7 Processing of Special Categories of Personal Data

Special categories of personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions: (i) Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the data owner if explicitly stipulated in laws, in other words, if there is a clear provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data owner will be obtained for the processing of such special categories of personal data. (ii) Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent by persons under the obligation of secrecy or authorized institutions and organizations for the purposes of protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data owner will be obtained for the processing of such special categories of personal data.

3.8 Informing Relevant Persons

“METCO DENTAL A.Ş.” informs personal data owners in accordance with Article 10 of the Law and secondary legislation. In this context, “METCO DENTAL A.Ş.” informs relevant persons about who processes personal data as the data controller, for what purposes it is processed, with whom it is shared for what purposes, by what methods it is collected and the legal reason, and the rights possessed by data owners within the scope of the processing of their personal data.

3.9 Transfer of Personal Data

Our Company may transfer the personal data and special categories of personal data of the personal data owner to third parties (third party companies, official and private authorities, third real persons) by taking necessary security measures in line with lawful personal data processing purposes. In this direction, our Company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be accessed from the APPENDIX X (“APPENDIX X- Third Parties to Whom Personal Data is Transferred and Purposes of Transfer”) document of this Policy. Even without the explicit consent of the personal data owner, personal data may be transferred to third parties by our Company by showing due care and taking all necessary security measures, including methods stipulated by the Board, in the event that one or several of the conditions specified below exist.

  • Explicit stipulation of relevant activities regarding the transfer of personal data in laws,
  • Transfer of personal data by the Company being directly related and necessary for the establishment or performance of a contract,
  • Transfer of personal data being mandatory for our Company to fulfill its legal obligation,
  • Transfer by our Company limited to the purpose of making public, provided that personal data has been made public by the data owner,
  • Transfer of personal data by the Company being mandatory for the establishment, use, or protection of the rights of the Company or the data owner or third parties,
  • Requirement to engage in personal data transfer activity for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • Being mandatory for the protection of the life or physical integrity of the person himself/herself or another person who is unable to explain his/her consent due to actual impossibility or whose consent is not legally recognized.

3.10 Transfer of Special Categories of Personal Data

Special categories of personal data may be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions: (i) Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the data owner if explicitly stipulated in laws, in other words, if there is a clear provision regarding the processing of personal data in the relevant law. Otherwise, the explicit consent of the data owner will be obtained. (ii) Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent by persons under the obligation of secrecy or authorized institutions and organizations for the purposes of protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data owner will be obtained.

4. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

Before our Company, relevant persons are informed in accordance with Article 10 of the Law and secondary legislation, and personal data is processed in accordance with the general principles specified in the Law, primarily the principles specified in Article 4 of the Law regarding the processing of personal data, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in line with our Company's personal data processing purposes. Within the framework of the purposes and conditions specified in this Policy, detailed information on processed personal data categories and categories can be accessed from the APPENDIX 3 (“APPENDIX 3- Personal Data Categories”) document of the Policy. Detailed information regarding the processing purposes of the said personal data is included in APPENDIX 1 of the Policy (“APPENDIX 1- Personal Data Processing Purposes”).

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

Our Company retains personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company primarily determines whether a period is foreseen for the storage of personal data in the relevant legislation, and acts in accordance with this period if a period is determined. If no legal period exists, personal data is stored for the period required for the purpose for which they are processed. At the end of the determined storage periods, personal data is destroyed in accordance with periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and/or destruction and/or anonymization).

6. RIGHTS OF THE RELEVANT PERSON

6.1 Rights of the Relevant Person

Within the scope of KVKK (LPPD), you have the right to; i. Learn whether your Personal Data is processed, ii. Request information if your Personal Data has been processed, iii. Learn the purpose of processing your Personal Data and whether they are used in accordance with their purpose, iv. Know the third parties to whom your Personal Data is transferred domestically or abroad, v. Request correction of your Personal Data in case of incomplete or incorrect processing, vi. Request the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the KVKK legislation, vii. Request notification of the transactions made within the scope of items v. and vi. to third parties to whom your Personal Data has been transferred, viii. Object to the occurrence of a result against you by analyzing the processed data exclusively through automated systems, ix. Request compensation for the damage in case you suffer damage due to the unlawful processing of your Personal Data.

6.2 How Can You Exercise Your Rights?

You can fill out the “application form” which you can download using the link https://metcodental.com/ in line with your request/complaint, and send the said form to us via the address https://metcodental.com/ or fill out the form physically and send it via cargo/post to the address “CAFERAĞA MAHALLESİ ALBAY FAİK SÖZDENER CADDE NO: 13/7 KADIKÖY İSTANBUL”. In case you submit your request to us using one of the methods shown above, pursuant to Art. 13/2 of KVKK, your request will be evaluated within 30 days at the latest and you will be informed about the subject. If your request is accepted, the necessary actions will be taken immediately by the data controller COMPANY. Requests are met free of charge as a rule, however, if fulfilling the requirement of the request requires a cost, strictly adhering to the provision stipulated in Article 7 of the “Communiqué on the Procedures and Principles of Application to the Data Controller”; “If the application of the relevant person is to be answered in writing, no fee is charged up to 10 pages. A transaction fee of 1 TL may be charged for each page exceeding 10 pages. If the response to the application is given in a recording medium such as a CD or flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.”, a fee may be requested by the COMPANY.

7. SPECIAL SITUATIONS WHERE PERSONAL DATA IS PROCESSED

7.1 Personal Data Processing Activities Made at Building and Facility Entrances and Within the Building/Facility and Website Visitors

In order to ensure security by “METCO DENTAL A.Ş.”, personal data processing activities are carried out regarding monitoring with security cameras in “METCO DENTAL A.Ş.” buildings and facilities and tracking guest entries and exits.

7.2 Monitoring Activities with Cameras Conducted at “METCO DENTAL A.Ş.” Building, Facility Entrances and Inside

In order to ensure security in its buildings and facilities, monitoring activity with cameras is carried out by “METCO DENTAL A.Ş.” in accordance with the Law on Private Security Services and relevant legislation. “METCO DENTAL A.Ş.” engages in security camera monitoring activity in accordance with the personal data processing conditions listed in the Law and for the purposes stipulated in the relevant legislation in force, in order to ensure security in its buildings and facilities. In accordance with Article 10 of the Law, the personal data owner is informed by “METCO DENTAL A.Ş.” through more than one method regarding the monitoring activity with cameras. In addition, “METCO DENTAL A.Ş.” processes personal data in a connected, limited, and proportionate manner to the purpose for which they are processed, in accordance with Article 4 of the Law. The purpose of continuing the video camera monitoring activity by “METCO DENTAL A.Ş.” is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number, and timing of security cameras are implemented sufficiently to achieve the security purpose and limited to this purpose. Areas that may result in interference exceeding security purposes regarding the privacy of the person (for example, toilets) are not subject to monitoring. Only a limited number of “METCO DENTAL A.Ş.” employees have access to live camera images and records recorded and maintained in the digital environment. The limited number of people with access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.

7.3 Tracking of Guest Entries and Exits Conducted at “METCO DENTAL A.Ş.” Building, Facility Entrances and Inside

Personal data processing activity regarding the tracking of guest entries and exits in “METCO DENTAL A.Ş.” buildings and facilities is carried out by “METCO DENTAL A.Ş.” for the purposes specified in this Policy and to ensure security. While obtaining the names and surnames of people coming to “METCO DENTAL A.Ş.” buildings as guests, the said personal data owners are informed in this context through texts posted before “METCO DENTAL A.Ş.” or made available to guests in other ways. Data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and relevant personal data is recorded in the data recording system in the physical environment.

8. MEASURES REGARDING THE SECURITY OF PERSONAL DATA

The “COMPANY” provides all necessary reasonable care and diligence regarding ensuring the confidentiality and security of the personal data it is processing, with the awareness of responsibility provided by being a well-established Company. The “COMPANY” takes the necessary technical and administrative measures at a reasonable level to ensure data privacy and security within the framework of Article 12 of the KVKK, in addition to the requirements of the relevant legislation. With the said administrative and technical security measures, it is aimed to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and maintain personal data at an appropriate security level. In the event that personal data is processed by another real or legal person (data processor) on its own behalf, the “COMPANY” will take the necessary measures to ensure that the measures specified above are also taken by the relevant data processors. In the event that personal data is unlawfully obtained by third parties, it will notify data owners, the Board, and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation. While taking measures regarding the security of personal data, the Personal Data Security Guide (Technical and Administrative Measures) published by the Board is taken into consideration. Administrative Measures

  • Establishment and operation of information security management system within the Company,
  • Signing undertakings and confidentiality agreements with Company personnel and related parties,
  • Performing risk analyses on business processes,
  • Creation of personal data inventories,
  • Operation of information security policies and procedures,
  • Organizing and evaluating trainings on information security and personal data processing activities,
  • Use of tools and equipment such as employee computers only by authorized persons to prevent unauthorized access,
  • Reviewing activities through internal or independent audits,
  • Creation of records that will produce objective evidence for transactions made,
  • Technical Measures
  • Necessary precautions are taken by revealing risks, threats, vulnerabilities and gaps, if any, regarding Company information systems through penetration tests.
  • Risks and threats that will affect the continuity of information systems are constantly monitored as a result of real-time analyses made with information security incident management.
  • Access to information systems and authorization of users are done through security policies over the corporate active directory with access and authorization matrix.
  • When software changes and/or updates are to be made on systems, trials are made in the test environment, security vulnerabilities, if any, are detected and necessary measures are taken, and the change to be made is finalized after these processes.
  • Necessary precautions are taken for the physical security of “METCO DENTAL A.Ş.” information systems equipment, software, and data.
  • Hardware (access control system allowing only authorized personnel to enter the system room, ensuring physical security of edge switches forming the area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, systems preventing malware, etc.) measures are taken to ensure information systems security against environmental threats.
  • Risks aimed at preventing unlawful processing of personal data are determined, appropriate technical measures are taken for these risks, and technical controls regarding the measures taken are carried out.
  • Reporting and analysis studies regarding access to personal data are carried out by creating access procedures within the Company.
  • The Company takes necessary measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
  • Appropriate preparatory work has been carried out by the Company to notify the relevant person and the Board in case personal data is unlawfully obtained by others.
  • Security vulnerabilities are followed, appropriate security patches are installed, and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs ensuring secure storage of personal data are used.
  • Access to personal data stored in electronic or non-electronic environments is limited according to access principles.
  • Access to the Company website is encrypted with SHA 256 Bit RSA algorithm using secure protocol (HTTPS).
  • Trainings on special quality personal data security have been provided to employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the authorities of users with access authority to data have been defined.
  • Electronic environments where special quality personal data is processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of environments are constantly monitored, necessary security tests are regularly performed/had performed, test results are recorded,
  • Sufficient security measures are taken for physical environments where special quality personal data is processed, stored and/or accessed, unauthorized entries and exits are prevented by ensuring physical security.
  • If special quality personal data needs to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment.
  • If transfer via paper medium is required, necessary precautions are taken against risks such as theft, loss, or viewing by unauthorized persons, and the document is sent in “confidential” format.

APPENDIX 1 – Definitions

Explicit Consent Refers to the consent that relates to a specific subject, is based on information, and is declared with free will.
Company “METCO DENTAL A.Ş.” residing at the address CAFERAĞA MAHALLESİ ALBAY FAİK SÖZDENER CADDE NO: 13/7 KADIKÖY İSTANBUL.
Cookie Small files saved on users' computers or mobile devices that help store preferences and other information on the web pages they visit.
Relevant User Persons who process personal data within the organization of the data controller or in line with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction Deletion, destruction or anonymization of personal data.
Contact Person The real person notified by the data controller during registration to the Registry for communication to be established with the Authority regarding the obligations of legal entities residing in Turkey and the representative of the legal entity data controller not residing in Turkey within the scope of the Law and secondary regulations to be issued based on this Law. (The contact person is not authorized to represent the Data Controller. As the name suggests, he/she is the person assigned only to ensure communication “contact” between the data controller and the relevant persons and the Authority.)
Recording Medium Any medium containing personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data Any information relating to an identified or identifiable natural person.
Processing of Personal Data Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification, or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Anonymization of Personal Data Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Deletion of Personal Data Deletion of personal data; making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data The process of making personal data inaccessible, unretrievable, and reusable by anyone in any way.
The Board Personal Data Protection Board.
Special Categories of Personal Data Data relating to persons' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership to association, foundation or union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Periodic Destruction The deletion, destruction, or anonymization process carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions required for the processing of personal data are eliminated.
Policy Personal data protection policy created by the Company.
Data Processor Natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Data Recording System The recording system where personal data is structured and processed according to specific criteria.
Data Owner/Relevant Person The natural person whose personal data is processed.
Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation Regulation on the Deletion, Destruction or Anonymization of Personal Data.
Source Law on the Protection of Personal Data No. 6698 - Regulation on the Deletion, Destruction or Anonymization of Personal Data – Regulation on the Data Controllers Registry – Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform – Communiqué on the Procedures and Principles of Application to the Data Controller

 

APPENDIX 2 – Personal Data Processing Purposes

PERSONAL DATA CATEGORY CATEGORIZATION DESCRIPTION
Identity Data Personal data regarding the identity information of natural persons will be evaluated under this category. (name surname, parents' names, mother's maiden name, date of birth, place of birth, marital status, TR identity no)
Contact Data Any kind of personal data that can be used for communication purposes with people will be evaluated under this category. (address no, e-mail address, contact address, registered electronic mail address (KEP), phone no)
Location Data Location information of the whereabouts of people, etc.
Personnel File Data Data contained in the personnel file of Company employees within the scope of relevant legislation (payroll information, disciplinary investigation, employment entry-exit document records, property declaration information, leave information, resume information, diploma, maternity leave, incapacity report, military service, performance evaluation reports and in convict applications, criminal convictions and security measures records (criminal record), health information are included. In general, the following documents are found in personnel files: 1. Criminal record 2. Family status notification form 3. Employment Certificate/Service Certificate 4. Report stating fit for heavy and dangerous works for very dangerous works 5. Photocopy of Diploma 6. Maternity leave, fit/unfit for work reports, breastfeeding leave petitions, 7. Disability report if disabled worker, İŞKUR application registration document 8. Documents showing military status for male workers 9. İŞKUR application registration document of ex-convict, terror victim worker 10. Photocopy of marriage certificate 11. Worker approval letter for overtime work 12. Document showing the consent of the worker to be transferred temporarily to another workplace 13. Documents proving justifiable termination if any, resignation petition or termination notice 14. Release form 15. Certificate of residence 16. Employment contract 17. All correspondence made about the worker and records kept 18. Letter stating that workers have been informed about occupational health and safety, occupational risks, precautions to be taken and legal rights and responsibilities. 19. Payrolls belonging to the worker and documents regarding payment 20. Employment entry and exit declarations 21. Minutes regarding unauthorized absence / late arrival and warning letter 22. Blood group card 23. Severance and notice pay payrolls 24. Photocopy of ID card 25. Copy of birth record 26. Resume 27. Health report and periodic health examination reports 28. Picture 29. Health Report 30. Letter from the Revenue Administration stating that discount will be applied for those who will benefit from disability discount 31. Documents regarding administrative procedures to be done in insurance events (work accident minutes, work accident notification etc.) 32. Embezzlement document if tools and equipment delivered exist 33. Petitions, forms and charts regarding unpaid leaves and annual paid leave 34. Training certificates received if any 35. Work permit for foreign workers
Data Regarding Education, Work and Professional Life Any data regarding the education and working lives of people will be included under this category. (Education- Diploma- Certificate, Transcript, In-Service Training Information)
Legal Action Data Information in correspondence with judicial authorities, Information in case files, etc.
Financial Data Account, bank, invoice information of people
Visual Auditory Records Visual/auditory records kept for customer satisfaction purposes
Digital Environment Usage Data Any personal data obtained as a result of tracking users' activities in the digital environment will be classified under this category.
Special Categories of Personal Data Health, Criminal Conviction – Security Measures,

 

APPENDIX 4 – Personal Data Categories

PERSONAL DATA OWNER CATEGORY CATEGORIZATION DESCRIPTION
Company Personnel Administrative personnel.
Board of Directors, Senate Members Data of members taking part in the organs and studies of the company
3rd Parties Participating in Company Studies 3rd parties included in Company commissions, working groups and organizations
Company Activity Invitees Natural persons invited to the Company's organizations
Company Activity Participants Persons participating in Company organizations
Payment Recipient/Person from Whom Service is Received 3rd parties to whom payment must be made in Company Activities
Relatives of Company Employees Relative of Company Employee, Persons living in the same residence and dependents
Potential Employees Potential employees applying to work for the Company
Supplier Persons, organizations or persons related to them providing goods or services to the “COMPANY”.
Project Partner Persons involved in projects carried out by the “COMPANY”
Consultant Persons, organizations or persons related to them providing external consultancy services to the “COMPANY”.
Potential Product and Service Buyer, Person Buying Product or Service Persons who buy or are likely to buy products and services from the “COMPANY”.
Other Persons, organizations or persons related to them who have established a continuous or incidental, direct or indirect relationship with the “COMPANY”, other than those above.

 

APPENDIX 5 – Third Parties to Whom Personal Data is Transferred by Our Company and Purposes of Transfer “METCO DENTAL A.Ş.” may transfer the personal data of data owners managed by this Policy to the categories of persons listed below in accordance with Articles 8 and 9 of the Law on Protection of Personal Data (KVKK): (i) To “METCO DENTAL A.Ş.” business partners, (ii) To “METCO DENTAL A.Ş.” suppliers, (iii) Smart İdea Gayrimenkul Geliştirme ve Danışmanlık Ltd (iv) To legally authorized public institutions and organizations (v) To legally authorized private law persons. The scope of the persons mentioned above to whom transfer is made and data transfer purposes are stated below.

Persons to Whom Data Transfer Can Be Made Definition Data Transfer Purpose
Business Partner Defines the parties with whom “METCO DENTAL A.Ş.” establishes a business partnership for purposes such as carrying out various projects together with Smart İdea Gayrimenkul Geliştirme ve Danışmanlık Ltd Companies or receiving services while carrying out its commercial activities. Banks, Pension and Assistance Fund Foundation Limited to ensuring the fulfillment of the establishment purposes of the business partnership
Supplier Defines the parties providing services to “METCO DENTAL A.Ş.” on a contractual basis in accordance with the orders and instructions of “METCO DENTAL A.Ş.” while carrying out the commercial activities of “METCO DENTAL A.Ş.”. Limited to ensuring the provision of services necessary for “METCO DENTAL A.Ş.” to carry out its commercial activities, which “METCO DENTAL A.Ş.” procures from the supplier as an external source, to “METCO DENTAL A.Ş.”.
Legally Authorized Public Institutions and Organizations Public institutions and organizations authorized to receive information and documents from “METCO DENTAL A.Ş.” according to relevant legislation provisions Limited to the purpose requested within the legal authority of the relevant public institutions and organizations
Legally Authorized Private Law Persons Private law persons authorized to receive information and documents from “METCO DENTAL A.Ş.” according to relevant legislation provisions Limited to the purpose requested within the legal authority of the relevant private law persons

 

APPENDIX – 6 Data Controller Identity

Data Controller: “METCO DENTAL A.Ş.”
Address: CAFERAĞA MAHALLESİ ALBAY FAİK SÖZDENER CADDE NO: 13/7 KADIKÖY İSTANBUL
Phone: 0216 345 74 24
KEP: metcoinsaat@hs01.kep.tr
Website: https://metcodental.com/
E-Mail: metco@metcodental.com

 

Corporate
Contact UsAbout UsHuman ResurcesOur Policies
Brands
Morita Melag Ritter Meyer Apple Dental Ekom Metasys Mingtai Medical Sun
Library
Literature
Categories
Implants (10) Sterilization (33) Endodontics (33) Clicinical Equipments (88) Imaging (36) Patient–Dentist Communication (22) General (17) Oral and Dental Health (173) Prosthodontics (1) One Device, One Feature (1)
Contact
Caferağa Mah. Albay Faik Sözdener Cad.
Çetintaş İş Merk. No:13 Kat:3
34710, Kadıköy – İstanbul
+90 216 345 74 24
metco@metcodental.com
© 2026 Metco Dental Istanbul v: 2026-001
Platform BitsCosmos Software