gain-logo
Log In
Sign Up
Log In

Personal Data And Privacy Policy

1. INTRODUCTION

 

In accordance with the Law No. 6698 on the Protection of Personal Data ("KVKK") and Article 20(3) of the Constitution of the Republic of Turkey, the protection of personal data is recognized as a fundamental human right. GAIN MEDYA A.Ş. ("Company") diligently safeguards this right and conducts all data processing activities in strict compliance with legal limitations. The fundamental principles outlined in Article 4 of the KVKK are meticulously adhered to by the Company in all data processing activities. 

 

2. PURPOSE OF THE POLICY

 

This Personal Data Protection Policy ("Policy") aims to ensure that all data processing activities conducted by the Company are carried out transparently and lawfully. It also ensures that data subjects can access all information regarding their rights under applicable legislation throughout and after the data processing process.

The Policy further determines:

• Which data is collected by the Company’s organizational units and for what purposes, 
• Whether such data is transferred abroad,
• The methods used in data processing.

 

3. SCOPE OF THE POLICY

 

This Policy covers all personal data processed by the Company, whether directly or indirectly, including data belonging to:

• Employees,
• Corporate executives,
• Workplace visitors,
• Website visitors,
• GAİN members and subscribers,
• Customers,
• Other third parties. Processing includes both automated and non-automated methods, provided the latter are part of a data recording system.

 

4. DEFINITIONS

 

The definitions below are derived from the KVKK and related regulations:

• Explicit Consent: Freely given, informed, and specific consent for a particular purpose.
• Destruction: The deletion, destruction, or anonymization of personal data.
• Contact Person: The natural person designated by the data controller for communication with the Authority regarding obligations under the KVKK.
• KVKK: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette No. 29677 on April 7, 2016.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing of Personal Data: Any operation performed on personal data, including collection, recording, storage, modification, disclosure, or destruction.
• Board: The Personal Data Protection Board.
• Authority: The Personal Data Protection Authority.
• Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, philosophical belief, religion, sect, dress code, association/foundation/union membership, health, sexual life, criminal convictions, security measures, biometric and genetic data.
• Policy: The data protection and processing policy established by the Data Controller.
• VERBIS: The Data Controllers Registry Information System where data controllers must register before processing personal data.
• Data Processor: A natural or legal person processing personal data on behalf of the Data Controller.
• Data Recording System: A system where personal data is processed based on specific criteria.
• Data Subject: The natural person whose personal data is processed.
• Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
• Data Controller: The natural or legal person determining the purposes and means of processing personal data.

 

5. COMPANY’S KVKK COMMISSION

 

To ensure compliance with the KVKK and secondary legislation, the Company has established a Personal Data Protection Commission ("Commission"), composed of at least one representative from each department (Finance, Drama, Programming/Documentary/Production, International Licensing and Sales, Product Development and Software, Broadcasting Planning, Marketing). Nilda BALTALI has been appointed as the Contact Person.

The Commission is responsible for:

• Preparing a personal data processing inventory,
• Drafting contracts,
• Conducting periodic and/or random internal audits,
• Informing data subjects,
• Training employees on data security,
• Updating the Policy as needed,
• Monitoring new regulations,
• Providing KVKK awareness training,
• Ensuring VERBIS registrations,
• Implementing administrative and technical measures recommended by the IT Department.

The Commission reports its findings and recommendations to the Board of Directors or General Manager, as applicable.

 

6. DUTIES AND RESPONSIBILITIES OF THE CONTACT PERSON

 

• The Contact Person is not authorized to legally represent the Company under the KVKK.
• Facilitates communication between data subjects and the Company regarding requests.
• Manages VERBIS registration and relations with the Board.
• Evaluates legal requests with the Commission and ensures necessary actions are taken.
• Oversees the preparation of data processing, destruction, and anonymization policies.
• Collaborates with the Commission and other departments to implement administrative and technical measures.

 

7. GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING

 

The Company adheres to the following principles under Article 4 of the KVKK:

• Lawfulness and fairness,
• Accuracy and, where necessary, up-to-dateness,
• Processing for specified, explicit, and legitimate purposes,
• Relevance, limitation, and proportionality to the purposes of processing,
• Retention for the period required by law or the purpose of processing.

 

8. CONDITIONS FOR PROCESSING PERSONAL DATA

 

Personal data may only be processed with the explicit consent of the data subject, except in the following cases (KVKK Art. 5/2):

• Explicitly permitted by law,
• Necessary to protect the life or physical integrity of the data subject or another person,
• Necessary for the performance of a contract,
• Necessary for compliance with a legal obligation,
• Made public by the data subject,
• Necessary for the establishment, exercise, or defense of a legal claim,
• Necessary for the legitimate interests of the Company, provided it does not violate fundamental rights.

 

9. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

 

Processing of special categories of personal data is prohibited without explicit consent, except under limited conditions (KVKK Art. 6/3):

• Explicitly permitted by law,
• Necessary to protect life or physical integrity,
• Made public by the data subject,
• Necessary for legal claims,
• Necessary for public health, medical diagnosis, or treatment,
• Necessary for employment, social security, or occupational health obligations,
• Related to associations, foundations, or unions acting within legal limits.

 

10. METHODS OF COLLECTING PERSONAL DATA

 

Personal data is collected through:

• Physical documents (CVs, application forms, contracts),
• Digital platforms (membership/subscription forms, receipts),
• Information systems and electronic devices,
• Visual/audio recordings (e.g., security cameras).

Data is stored in physical and/or digital formats.

 

11. DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

 

The Company erases, destroys, or anonymizes personal data when:

• Legal grounds for processing no longer exist,
• Requested by the data subject.

Retention periods are determined based on:

• Statute of limitations,
• Contractual obligations,
• Legal precedents,
• Industry-specific requirements.

 

12. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

 

• Personal data is not transferred without explicit consent, except under KVKK Art. 5/2. 
• Special categories of data may only be transferred under KVKK Art. 6/3 with adequate safeguards.

 

Recipient Purpose of Transfer
Business Partners Limited to fulfilling partnership objectives.
Shareholders For strategic planning and auditing.
Consultants
 Legal, cybersecurity, and design services (strictly purpose-limited).
Company Officials Compliance with contractual and legal obligations.
Authorized Legal Entities (e.g., law firms, notaries) Limited to their authorized activities.
Public Authorities Limited to legally mandated requests.

 

 

13. INTERNATIONAL TRANSFERS OF PERSONAL DATA

 

• Personal data may not be transferred abroad without explicit consent, unless:

• The recipient country ensures adequate protection, or
• The data controllers in Turkey and the foreign country provide written guarantees approved by the Board.

Transfers are only permitted to countries meeting the Board’s "adequate protection" criteria or with Board-approved safeguards (e.g., encryption, access restrictions, annual audits).

 

14. DISCLOSURE OBLIGATION

 

The Company informs data subjects about:

• The identity of the Data Controller,
• Purposes of processing,
• Recipients of data transfers,
• Data collection methods and legal basis,
• Rights under KVKK Art. 11.

This information is provided via:

• Website privacy notices, 
• Membership/subscription consent forms,
• In-person disclosures.

 

15. RIGHTS OF DATA SUBJECTS

 

Data subjects may request:

1. Confirmation of whether their data is processed, 
2. Access to their processed data,
3. Information on processing purposes,
4. Details of third-party transfers,
5. Rectification of inaccurate/incomplete data,
6. Deletion or destruction of data (where legal grounds no longer exist),
7. Notification of corrections/deletions to third parties,
8. Objection to automated decision-making,
9. Compensation for damages due to unlawful processing.

Requests must be submitted via:

• Email: kvkk@gain.com.tr
• Posta mail: Atatürk Mah. Muhtar Hasan Sok. No:1/73, Ataşehir/İstanbul

The Company responds within 30 days. Responses are free of charge, unless the request incurs additional costs (subject to the Board’s tariff).

 

16. DATA SECURITY MEASURES

 

The Company implements technical and administrative measures to:

• Prevent unlawful processing,
• Secure data aGAINst unauthorized access,
• Ensure data retention compliance. Measures include:
• Risk assessments,
• Employee training,
• Data minimization,
• Cybersecurity protocols,
• Encryption and access controls,
• Regular audits,
• Physical/digital security for data storage.

In case of a data breach, the Company notifies:

• Affected data subjects,
• The Board,
• Relevant authorities (within 72 hours).

 

17. CONFIDENTIALITY

 

Employees and executives must not disclose personal data unlawfully or use it beyond its intended purpose. This obligation continues after employment termination.

 

18. NOTIFICATION OF BREACHES

 

If personal data is unlawfully accessed, the Contact Person must:

1. Notify the data subject and senior management immediately,
2. Report the breach to the Board.

 

19. EFFECTIVENESS

 

This Policy enters into force upon publication on the Company’s website: https://www.gain.tv/en/legal/privacy-policy In case of conflict between the Policy and legislation, legal provisions prevail. The Company reserves the right to amend the Policy in line with regulatory changes.