PERSONAL DATA PROTECTION POLICY

1. Purpose

This policy sets out the principles, procedures, and methods adopted by ZZGTech for the processing, protection, storage, retention, and destruction of personal data in all activities carried out by ZZGTech in its capacity as a Data Controller.

This policy has been prepared in accordance with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (UK) and aims to fulfil ZZGTech's information and transparency obligations under Articles 13 and 14 of the UK GDPR by defining the principles applied during the collection, use, disclosure, storage, and disposal of personal data.

This policy informs individuals whose personal data is processed by ZZGTech, including: employees, job applicants, employees' relatives, references, supplier employees, business partners, supplier and prospective supplier personnel, customer prospects, website visitors, outsourced staff, partner employees, partner company representatives, customers, and other relevant individuals.

2. Scope

This policy applies to all record environments and processing activities relating to personal data processed by ZZGTech, including personal data belonging to employees and job applicants, employees' relatives and references, customers and prospective customers, suppliers, partners and their employees, website visitors, and outsourced and partner personnel.

3. Authorities and Responsibilities

All ZZGTech employees, contractors, and third-party service providers involved in processing personal data are responsible for complying with this policy.

Each business unit is responsible for ensuring the lawful processing, protection, and secure storage of personal data generated within its own activities.

Key Roles

Data Controller Contact Person
Responsible for designing, implementing, and supervising compliance with the UK GDPR, including cooperation with supervisory authorities and handling data subject requests.

Archivist
Responsible for the organisation, secure storage, retention, deletion, destruction, and anonymisation of archived personal data.

Information Security Committee Member
Supports compliance activities, data security controls, audits, and ISO 27001 / ISO 27701 / ISO 9001 management systems. Participates in the evaluation of data subject requests and incident response.

4. Definitions and Abbreviations

Key definitions used in this policy are aligned with UK GDPR terminology, including:

Definition / Abbreviation | Description
Explicit Consent | Freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data.
Data Subject | An identified or identifiable natural person whose personal data is processed.
Data Controller | A natural or legal person which determines the purposes and means of the processing of personal data.
Data Processor | A natural or legal person which processes personal data on behalf of the data controller.
Destruction | The process of deleting, destroying, or anonymising personal data so that it can no longer be accessed or used.
Periodic Destruction | The systematic deletion, destruction, or anonymisation of personal data at regular intervals once the purpose of processing no longer exists.
UK GDPR | United Kingdom General Data Protection Regulation, as incorporated into UK law.
Anonymisation | Processing personal data in such a way that the data subject can no longer be identified, directly or indirectly.
Record Environment | Any electronic or physical environment in which personal data is processed or stored.
Personal Data | Any information relating to an identified or identifiable natural person.
Personal Data Inventory | A record maintained by the data controller documenting personal data processing activities, including purposes, categories of data and data subjects, recipients, retention periods, international transfers, and security measures.
Processing of Personal Data | Any operation performed on personal data, whether automated or not, including collection, recording, storage, alteration, disclosure, transfer, retrieval, use, restriction, or erasure.
Deletion of Personal Data | The process of rendering personal data inaccessible and unusable for authorised users.
Destruction of Personal Data | The irreversible process of rendering personal data inaccessible, irretrievable, and unusable by any means.
Supervisory Authority | The competent data protection authority responsible for monitoring compliance with data protection laws, including the UK Information Commissioner's Office (ICO).
Electronic Medium | Environments in which personal data is created, stored, processed, or transmitted electronically.
Non-Electronic Medium | Physical environments such as paper, printed, or visual records where personal data is stored.
Special Categories of Personal Data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation, or criminal offence data.
Data Recording System | A structured set of personal data accessible according to specific criteria.
Employee | Personnel employed by ZZGTech.
Service Provider | A natural or legal person providing services to ZZGTech under a contractual relationship.
Online Visitor | Individuals who visit ZZGTech's website and from whom cookie or log data may be collected.
Customer | Natural or legal persons who have a contractual relationship with ZZGTech and benefit from its services.
Customer's Data Subject | Individuals whose personal data is processed by ZZGTech on behalf of a customer acting as the data controller.
SSL VPN | Secure virtual private network technology used to protect data transmission.

5. Personal Data Processing and Protection Policy

ZZGTech defines and implements the necessary technical and organisational measures for protecting personal data.

If this policy conflicts with applicable UK data protection legislation, the legislation shall prevail. ZZGTech commits to reviewing and updating this policy in line with legislative changes and regulatory guidance.

5.1 Data Subjects and Categories of Personal Data Processed by ZZGTech

ZZGTech processes personal data relating to the following categories of data subjects:

Data Subject | Categories of Personal Data
Employees | Criminal record data, bank and salary information, visual and audio recordings, legal records, contact details, identity information, log records, professional information, personal data, health data
Job Applicants | Photographs, identity information, contact details, professional and personal information
Employees' Relatives | Name, surname, telephone number
Website Visitors | IP address, browser information, anonymised website logs, cookie data
Customers | Bank and financial information, legal documents, identity information, contact details, log records, complaint and support records, company and tax registration information, service and quotation information
Customers' Related Persons | Financial data, visual and audio recordings, communication data, transaction security data, identity information, location data, customer transaction data, personal data, cookie information
Business Partners | Bank and financial information, identity information, contact details, signature authorisations, powers of attorney
Outsourced Employees | Bank and financial information, contact details, log records, identity information, personal data, inventory information
Partner Employees | Identity information, contact details
Partner Representatives | Identity information, contact details
Prospective Customers | Identity information, contact details, log records, service content and quotation information, company information
Prospective Suppliers | Name, surname, title, contact details, quotation information
References | Name, surname, title, contact details, company information
Supplier Employees | Name, surname, contact details
Supplier Representatives | Identity information, contact details, log records, bank and financial information, legal records, tax registration information

5.2 Purposes of Processing Personal Data

ZZGTech processes personal data for the following purposes:

Purpose of Processing | Data Subjects
Execution of Emergency Management Processes | Employees' Relatives
Execution of Information Security Processes | Employees, Outsourced Employees
Execution of Recruitment and Job Application Processes | Job Applicants, References
Fulfilment of Employment Contracts and Legal Obligations | Employees
Management of Disciplinary Processes | Employees
Execution of Training and Development Activities | Employees, Outsourced Employees
Management of Access Authorisation | Employees, Customers, Outsourced Employees, Supplier Representatives
Compliance with Legal and Regulatory Obligations | Employees, Website Visitors, Customers, Outsourced Employees
Execution of Finance and Accounting Operations | Employees, Customers, Business Partners, Supplier Representatives
Provision of Physical Premises Security | Employees
Execution of Assignment and Workforce Management Processes | Employees
Monitoring and Execution of Legal Affairs | Employees, Customers, Supplier Representatives
Execution of Internal and External Communication Activities | Employees, Job Applicants, Outsourced Employees, Supplier Employees
Planning and Management of Human Resources Processes | Employees, Employees' Relatives, Outsourced Employees
Execution and Audit of Business Activities | Employees, Business Partners, Outsourced Employees, Partner Employees, Partner Representatives
Execution of Occupational Health and Safety Activities | Employees
Evaluation of Suggestions for Business Process Improvement | Partner Employees, Partner Representatives
Execution of Business Continuity and Disaster Recovery Activities | Employees, Outsourced Employees
Execution of Procurement and Supplier Management Processes | Supplier Employees, Supplier Representatives
Provision of After-Sales Support Services | Customers
Execution of Sales Processes | Customers, Partner Employees, Partner Representatives
Execution of Production and Operational Processes | Customers, Customer Contact Persons
Conducting Marketing and Usage Analysis Activities | Website Visitors
Execution of Contract Management Processes | Employees, Outsourced Employees
Management and Resolution of Requests and Complaints | Customers, Prospective Customers
Protection of Movable Assets and Corporate Resources | Employees, Outsourced Employees
Execution of Supply Chain Management Processes | Prospective Suppliers
Execution of Salary and Compensation Policies | Employees
Execution of Marketing Activities for Products and Services | Customers, Prospective Customers
Ensuring Data Controller Operational Security | Employees
Providing Information to Authorised Public Authorities and Third Parties | Employees

5.3 Personal Data Processed Based on Processes

ZZGTech processes personal data through the following organisational units and sub-processes:

Unit | Process | Categories of Personal Data
IT Operations and Infrastructure | Access Authorisation Controls | Communication data, Identity data
 | User Support | Identity data
 | Email Services | Communication data, Identity data
 | Application Log Management | Communication data, Log records, Identity data
 | Remote Working Processes | Communication data, Log records, Identity data
 | Collection of Cookie Information | IP address, Browser information, Anonymised website logs
 | Customer Account Management | Communication data, Log records, Identity data
 | Application Activation | Communication data, Identity data, Personnel data
IT Operations and Infrastructure | Software Distribution | Financial data, Visual and audio data, Communication data, Log records, Identity data, Location data, Customer transaction data, Personnel data, Marketing data
 | Software Support | Communication data, Identity data, Customer transaction data, Personnel data
Human Resources | Payroll Management | Financial data, Communication data, Identity data, Personnel data, Health data
 | Creation and Maintenance of Personnel Files | Criminal record data, Financial data, Visual and audio data, Identity data, Communication data, Professional experience data, Personnel data, Health data
 | Disciplinary Processes | Identity data, Personnel data
 | Training and Development | Financial data, Identity data
 | Legal HR Processes | Financial data, Legal transaction data, Communication data, Identity data, Personnel data
 | Recruitment and Candidate Selection | Visual and audio data, Communication data, Identity data, Professional experience data, Personnel data
 | Exit Procedures | Financial data, Communication data, Identity data, Personnel data
 | Consent Management | Identity data
 | Outsourced Personnel Management | Financial data, Communication data, Identity data
 | Contract Management | Financial data, Communication data, Identity data
Human Resources | Receipt of Commitments and Declarations | Identity data, Personnel data
 | Assignment and Secondment Processes | Identity data, Personnel data
 | Procurement Processes | Financial data, Communication data, Identity data, Personnel data
Business Development | Business Development Activities | Communication data, Identity data
Financial Affairs | Financial Operations | Financial data, Communication data, Identity data, Personnel data
Customer Operations | Customer Operations Management | Financial data, Communication data, Identity data, Personnel data
Supplier Operations | Supplier Management | Financial data, Communication data, Identity data, Personnel data
Sales and Marketing | Sales and Marketing Activities | Communication data, Log records, Identity data, Personnel data, Cookie data
 | Collection of Cookie Information | IP address, Browser information, Anonymised cookie data
Top Management | Execution of Legal and Corporate Processes | Financial data, Legal transaction data, Communication data, Identity data
Software Development and R&D | Development of Artificial Intelligence Models | Visual and audio data, Customer transaction data, Marketing data
 | Software Analysis | Communication data, Identity data
 | Software Development | Log records, Identity data
 | Software Testing | Communication data, Identity data

5.4 Data Collection Methods

ZZGTech collects personal data through the following lawful and proportionate methods, in accordance with the UK GDPR:

Categories of Personal Data | Methods of Collection
Criminal Record Data | Hand-delivered documents in paper format
Financial Information | Electronic and paper-based forms, customer and supplier account records, email correspondence, electronic archives, hand-delivered documents, invoices, accounting systems, payroll records, personnel files, employment contracts, purchase and customer contracts, written declarations, secure software databases
Visual and Audio Records | Hand-delivered materials, recruitment platform interfaces, email correspondence, customer-provided data sources, secure software databases, recruitment service providers
Legal Transaction Data | Legal correspondence, contracts, customer and supplier account records, personnel files
Contact Information | Electronic and paper-based forms, verbal statements, IT systems, customer and supplier account records, support portals, email correspondence, electronic archives, invoices, recruitment platforms, accounting systems, onboarding documentation, contracts, written statements, project management tools, social media platforms (where lawfully obtained), secure software databases, recruitment service providers
Transaction Security Information | IT systems, email correspondence, application portals, project management systems, secure software databases, website logs
Identity Information | Electronic and paper-based forms, verbal and visual identification, IT systems, email correspondence, support portals, HR documentation (disciplinary records, consent forms, approval documents, expense forms, leave requests), electronic archives, hand-delivered documents, invoices, recruitment platforms, accounting systems, business cards, contracts, personnel files, policy documents, project management systems, social media platforms (where applicable), secure software databases, recruitment service providers
Location Information | Secure software databases
Professional Information | Hand-delivered documents, recruitment platforms, email correspondence, recruitment service providers
Customer Transaction Information | Support portals, email correspondence, customer-provided data sources, secure software databases
Personal Information | Electronic and paper-based forms, verbal and visual statements, contracts, support portals, HR documentation (disciplinary records, resignation letters, termination notices, leave forms), electronic archives, hand-delivered documents, invoices, recruitment platforms, accounting systems, personnel files, purchase contracts, written declarations, secure software databases, recruitment service providers
Marketing Information | Email communications, customer-provided data sources, secure software databases, websites, electronic registration and consent forms
Health Information | Hand-delivered documents provided by the data subject or authorised third parties

5.5 Legal Bases for Data Processing (UK GDPR)

ZZGTech processes personal data in accordance with Article 6 of the UK GDPR and, where applicable, Article 9 of the UK GDPR.

Article 6 – Lawfulness of Processing
Processing is carried out where at least one of the following applies:

  • The data subject has given consent
  • Processing is necessary for the performance of a contract
  • Processing is necessary to comply with a legal obligation
  • Processing is necessary to protect vital interests
  • Processing is necessary for legitimate interests, provided such interests do not override the rights and freedoms of the data subject

Article 9 – Special Categories of Personal Data
Special category data is processed only where:

  • Explicit consent has been obtained, or
  • Processing is required for employment, social security, or legal claims, or
  • Processing is necessary for health, safety, or occupational medicine purposes, subject to appropriate safeguards

5.6 Data Processing Principles

ZZGTech processes personal data in line with Article 5 UK GDPR principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

5.7 Transfer of Personal Data

Customers', suppliers', and employees' personal data are processed in accordance with the fundamental principles stipulated in the UK GDPR, the EU GDPR, and relevant data protection legislation, taking into account the public interest. Within the scope of the processing conditions and purposes of personal data set out in Chapter V of the UK GDPR, Chapter V of the EU GDPR, and the applicable provisions of the Data Protection Act 2018, personal data may be shared with the domestic and/or foreign parties specified below.

5.7.1 Transfer of Personal Data to Individuals in the European Union / European Economic Area

ZZGTech may transfer personal data to individuals or entities located within the European Union ("EU") and the European Economic Area ("EEA") in accordance with applicable data protection legislation. As the EU and EEA are recognised by the United Kingdom as jurisdictions providing an adequate level of data protection, such transfers may be carried out without the implementation of additional transfer safeguards, provided that all other requirements of the UK GDPR are met.

Transfers to the EU/EEA are based on the following lawful bases where applicable:

  • Being explicitly stipulated in applicable laws,
  • Being necessary for the performance of a contract or pre-contractual steps,
  • Being necessary for compliance with a legal obligation,
  • Being necessary for the establishment, exercise, or defence of legal claims,
  • Being necessary for the legitimate interests of the data controller, provided that such interests do not override the fundamental rights and freedoms of the data subject.

Transfers involving special categories of personal data to the EU/EEA are carried out in compliance with Article 9 of the UK GDPR and the EU GDPR and are supported by appropriate technical and organisational measures.

Parties in the EU/EEA to whom personal data may be transferred are detailed below:

Related Party (EU/EEA) | Transfer Reason | Transfer Method | Legal Basis According to UK & EU GDPR
Contracted Customers (EU/EEA) | Personal data obtained within the scope of the contract must be visible to the contracted customer | Software provided to the customer | Performance of a Contract, Legitimate Interests
Advertising Publishers (EU/EEA) | Promotion of products or services on behalf of the contracted customer; cookie-based advertising activities | Cookie redirect, customer software, advertising publisher API | Explicit Consent, Performance of a Contract
Cloud / IT Service Providers (EU/EEA) | Data hosting, system maintenance, backup, and technical support services | Secure electronic transfer | Performance of a Contract, Legitimate Interests

5.7.2 Transfer of Personal Data to Individuals in Turkey

Regarding the sharing of personal data with third parties located in Turkey, ZZGTech carefully complies with the conditions specified in applicable data protection legislation, subject to the provisions of other relevant laws. Personal data is not transferred to third parties without the explicit consent of the data subject unless one of the following lawful bases exists:

  • Explicitly stipulated in applicable laws,
  • Being necessary to protect the vital interests of the data subject or another individual,
  • Being necessary for the performance of a contract or pre-contractual steps,
  • Being necessary for compliance with a legal obligation,
  • The personal data has been manifestly made public by the data subject,
  • Being necessary for the establishment, exercise, or defence of legal claims,
  • Being necessary for the legitimate interests of the data controller, provided that such interests do not override the data subject's fundamental rights and freedoms.

Provided that appropriate safeguards and adequate technical and organisational measures are implemented, special categories of personal data may be transferred where permitted by law.

The domestic parties to whom personal data is transferred are detailed below:

Related Party | Transfer Reason | Transfer Method | Legal Basis According to UK GDPR
Contracted Banks | Distribution of profits; execution of financial processes; payment of employee salaries | Mail, hand delivery, electronic bulk transfers | Legal Obligation
Contracted Law Firms | Legal advisory services; dispute resolution; execution proceedings | Courier, mail, data storage media | Legal Obligation, Legitimate Interests, Performance of a Contract
Contracted Insurance Companies | Mandatory automatic enrolment and insurance processes | Insurance company interface | Legal Obligation
Contracted Suppliers | Fulfilment of contractual obligations | Mail or written notification | Performance of a Contract, Legitimate Interests
Contracted HR Companies | Outsourced recruitment and employment processes | Mail | Performance of a Contract, Legitimate Interests
Revenue Authorities | Submission of tax declarations | Official electronic systems | Legal Obligation
Social Security Institutions | Submission of employment and social security declarations | Official notification systems | Legal Obligation
Enforcement / Execution Offices | Execution processes via contracted law firms | Hand-delivered via law firms | Legal Obligation
Authorised Courts | Legal disputes involving employees, customers, or suppliers | Hand-delivery or data storage media | Legal Obligation, Legitimate Interests
Authorised Public Institutions | Continuity of institutional activities | Mail or hand-delivery | Legal Obligation

5.7.3 Transfer of Personal Data to Individuals in Other Third Countries

Personal data may be transferred by ZZGTech to individuals or entities located in countries outside the UK, EU, and EEA, provided that appropriate safeguards are implemented in accordance with the UK GDPR and the Data Protection Act 2018.

These safeguards may include:

  • The International Data Transfer Agreement (IDTA),
  • The UK Addendum to EU Standard Contractual Clauses,
  • Binding Corporate Rules, where applicable,
  • A valid derogation under the UK GDPR.

5.7.4 Transfer Risk Assessments

ZZGTech conducts a Transfer Risk Assessment for transfers to non-adequate countries to evaluate legal, technical, and organisational risks. Transfers are permitted only where such risks can be effectively mitigated.

5.7.5 Data Subject Rights and Transparency

Data subjects' rights are preserved regardless of the destination country. Information regarding international transfers, legal bases, and safeguards is provided through privacy notices and other relevant disclosures.

5.8 Personal Data of Website Visitors and Personal Data Obtained for Internet Access Point Services

Personal data of website visitors and users benefiting from internet access point services are processed by ZZGTech in accordance with the UK GDPR, the EU GDPR, the Data Protection Act 2018, and other applicable data protection legislation.

5.8.1 Personal Data Processed Through Cookies

Cookie data is collected on websites owned and operated by ZZGTech. Detailed information regarding the types of cookies used, purposes of processing, retention periods, and users' rights is provided in the Cookie Policy published on the relevant websites.

The information obligation and the purposes of processing personal data obtained through cookies are fulfilled in accordance with Articles 13 and 14 of the UK GDPR and the EU GDPR. Cookie processing activities are carried out based on the relevant lawful bases, including explicit consent where required.

5.8.2 Personal Data Obtained Through Internet Access Point Services

ZZGTech uses mobile internet services for internet access. Therefore, ZZGTech does not process or retain internet access point traffic logs that would be generated through fixed network infrastructure.

5.8.3 Log Records and Access Data

During the management of customer accounts, software distribution, application log management, remote working arrangements, and software development processes, system and application access logs of customers, suppliers, and employees may be processed.

Such log data is processed solely for purposes including:

  • Ensuring information security,
  • Monitoring system performance and continuity,
  • Detecting and preventing unauthorised access,
  • Fulfilling legal and contractual obligations.

Access to log records is strictly limited to authorised personnel only. The following technical and organisational measures are implemented to ensure the security of log data:

  • Role-based authorisation and access controls,
  • Timestamping of logs to ensure traceability,
  • Secure remote access through VPN,
  • Verification of static IP addresses and MAC addresses,
  • Regular monitoring and access reviews.

5.8.4 Retention and Security of Website and Log Data

Personal data obtained from website visitors and log records is retained for the minimum period necessary in line with the purposes of processing and applicable legal obligations. Upon expiration of retention periods, such data is securely deleted, destroyed, or anonymised in accordance with ZZGTech's data retention and destruction procedures.

5.9 Rights of the Data Subject

Data subjects have the rights set out under Chapter III of the UK GDPR, Chapter III of the EU GDPR, and other applicable data protection legislation. These rights are detailed below:

  • To learn whether their personal data is being processed and, if so, to request access to such personal data,
  • To request information regarding the processing of their personal data,
  • To learn the purposes of processing personal data and whether such data is used in accordance with those purposes,
  • To know the third parties to whom personal data is transferred, whether domestically or abroad,
  • To request the rectification of personal data if it is incomplete or inaccurately processed,
  • To request the erasure or destruction of personal data where the conditions set out under the applicable legislation are met,
  • To request that third parties to whom personal data has been transferred be notified of rectification, erasure, or restriction requests, where applicable,
  • To request the restriction of processing of personal data,
  • To request data portability, where the processing is based on consent or contract and carried out by automated means,
  • To object to the processing of personal data based solely on automated decision-making, including profiling, where such processing produces legal effects concerning the data subject or similarly significantly affects them,
  • To request compensation for damages incurred as a result of unlawful processing of personal data.

ZZGTech responds to data subject requests in accordance with the procedures, time limits, and conditions set out under the UK GDPR and the EU GDPR.

6. Storage and Destruction of Personal Data

6.1 Data Controller Organization and Data Environments

All employees of ZZGTech actively participate in the implementation of technical and administrative measures taken within the scope of this Policy by responsible units to prevent the unlawful processing and access of personal data. Measures are applied to ensure data security in all environments where personal data is processed, including: employee training and awareness programs, continuous monitoring, and auditing to prevent unlawful processing or access.

Personal data is lawfully and securely stored by ZZGTech in the environments specified below:

Electronic Environments | Non-Electronic Environments
Servers (Domain, application, database) | Paper documents
Office applications | Written, printed, visual records
Accounting application | Folders
Cloud systems | Locked cabinets of units
IT applications | Employee records
Phone directories | Job application forms
Information security devices (firewall, log files) |
Personal computers (desktop, laptop) |
Mobile devices (phone, tablet, etc.) |
Portable media (USB, portable disk) |
Cookie information |
Email |

ZZGTech stores and destroys personal data for the following main categories of data subjects in accordance with applicable legislation: employees, candidate employees, employees' relatives, references, supplier employees, company partners, supplier and candidate suppliers, prospective customers, online visitors, outsourced employees, partner employees, partner company officials, customers, and relevant individuals of customers.

The concept of processing personal data is defined in Article 3 of the UK GDPR and Article 4 of the EU GDPR. Personal data must be relevant, limited, and proportionate to the purposes for which it is processed and retained only for as long as necessary to fulfil those purposes or for the duration specified in applicable legislation. Conditions for processing personal data are outlined in Articles 5 and 6 of the UK GDPR and the EU GDPR. Accordingly, ZZGTech stores personal data for the duration required by legislation or for periods suitable for the purposes of processing within the framework of its activities.

6.2 Legal Grounds Requiring Storage

Personal data may be processed without explicit consent where required by applicable legislation, including but not limited to the following jurisdictions:

6.2.1 United Kingdom (UK)
  • UK GDPR (General Data Protection Regulation, as incorporated into UK law)
  • Data Protection Act 2018

6.2.2 European Union / European Economic Area (EU/EEA)
  • EU GDPR (Regulation (EU) 2016/679)
  • National implementing legislation of EU/EEA member states, where applicable

6.2.3 Republic of Turkey
  • Execution and Bankruptcy Law No. 2004
  • Tax Procedure Law No. 213
  • Regulation on the Regulation of Publications Made on the Internet No. 26716
  • Regulation on Individual Pension System No. 28462
  • Labor Law No. 4857
  • Banking Law No. 5411
  • Social Security Institution and General Health Insurance Law No. 5510
  • Law on the Regulation of Publications on the Internet No. 5651
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Occupational Health and Safety Law No. 6331
6.2.4 Non-EU / Non-EEA Countries
  • Legislation of other countries outside the EU/EEA and UK, where ZZGTech operates or transfers personal data, requiring storage, processing, or disclosure to fulfil legal, regulatory, or contractual obligations
6.2.1 Reasons Requiring Erasure

Personal data may be erased under the following circumstances, depending on the applicable jurisdiction:

6.2.1.1 United Kingdom (UK)
  • Changes in UK legislation that form the legal basis for processing,
  • Cessation of the purpose requiring processing or storage,
  • Withdrawal of explicit consent by the data subject where processing is solely based on consent,
  • Acceptance by ZZGTech of the data subject's request for deletion, destruction, or anonymization in accordance with UK GDPR,
  • Expiration of the maximum retention period specified by UK law and absence of any legal or operational justification for continued storage; in such cases, data is deleted, destroyed, or anonymized upon the request of the data subject or ex officio.
6.2.1.2 European Union / European Economic Area (EU/EEA)
  • Changes in EU or member state legislation that form the legal basis for processing,
  • Cessation of the purpose for which personal data is processed,
  • Withdrawal of explicit consent under EU GDPR,
  • Acceptance of the data subject's request for deletion, destruction, or anonymization under EU GDPR,
  • Expiration of the legally mandated retention period without any conditions justifying further storage; data is erased, destroyed, or anonymized upon request or ex officio.
6.2.1.3 Republic of Turkey
  • Changes in relevant legislative provisions that constitute the basis for processing,
  • The purpose requiring processing or storage ceases to exist,
  • Withdrawal of explicit consent where processing is solely based on consent,
  • Acceptance by ZZGTech of the data subject's request for deletion, destruction, or anonymization under KVKK or applicable Turkish legislation,
  • If ZZGTech rejects the data subject's request, fails to respond within the legally prescribed period, or the response is insufficient, the data subject may appeal to the relevant authority, which may then approve the deletion, destruction, or anonymization,
  • Expiration of the maximum retention period requiring storage, and absence of legal or operational justification for continued retention.
6.2.1.4 Non-EU / Non-EEA Countries
  • Changes in local legislation that form the legal basis for processing,
  • Cessation of the purpose requiring processing or storage,
  • Withdrawal of explicit consent where applicable,
  • Acceptance by ZZGTech of the data subject's request for deletion, destruction, or anonymization in accordance with local data protection laws,
  • Expiration of the maximum retention period and absence of legal or operational justification for continued storage; data is deleted, destroyed, or anonymized upon request or ex officio.
6.3 Ensuring the Security of Personal Data

ZZGTech implements all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data in accordance with:

  • United Kingdom: UK GDPR, Data Protection Act 2018
  • European Union / European Economic Area: EU GDPR, national implementing legislation
  • Republic of Turkey: KVKK and relevant Turkish legislation
  • Non-EU / Non-EEA Countries: Applicable local legislation of third countries where ZZGTech operates or transfers personal data

The objectives of these measures include:

  • Preventing unlawful processing of personal data,
  • Preventing unlawful access to personal data,
  • Ensuring secure storage of personal data.
6.3.1 Technical Measures

ZZGTech implements the following technical measures across all jurisdictions (UK, EU/EEA, Turkey, Non-EU/Non-EEA countries):

  • Infrastructure investments in information security are continuously updated according to advancing technology.
  • Access permissions of IT and other unit employees are controlled based on role-based authorizations, limited strictly to the tasks defined. Remote access is secured by layered security measures.
  • The principle of least privilege is applied to all personal data. Server, application, and file access is periodically audited under the ISO 27001 and ISO 27701 standards. Privileged access is time-limited.
  • Access rights are defined and monitored, and compliance is checked. Risks are identified and mitigated with technical measures.
  • System and application access logs are maintained; third-party supplier access is documented in writing and processed via SSL VPN. Two-factor authentication, MAC filtering, and static IP verification are implemented.
  • Networks storing personal data are segmented and access-controlled; no guest networks exist. Network logs are maintained.
  • Annual penetration tests and social engineering exercises are conducted; findings are remediated promptly.
  • Licensed antivirus, firewalls, and updated security software are deployed on all systems. Cloud infrastructure security is ensured through provider facilities.
  • Automatic backups are taken regularly, and their integrity is verified.
  • User accounts for employees and customers are centrally managed, with complex password requirements.
  • SSL certificates secure web services and websites.
  • Applications and web services are included in security tests; masking, encryption, and hashing are applied for data transfers. Development and test environments are segregated.
  • Application logs are monitored, abnormal situations trigger warnings, and backups are periodically verified.
  • Personal data deletion, destruction, and anonymization are carried out considering contractual obligations and processing purposes; obsolete data is hashed, wiped, formatted, or reassigned securely.
6.3.2 Administrative Measures

Administrative measures implemented across all jurisdictions include:

  • ZZGTech maintains a Personal Data Inventory for detection, analysis, and control of personal data, updated whenever new data is obtained or processing purposes change.
  • Knowledgeable personnel are employed to ensure data security; all staff receive Information Security and GDPR awareness training.
  • Policies, procedures, and instructions are established under ISO 27001 and ISO 27701 to secure personal data.
  • Data privacy responsibilities are included in contracts with employees, partners, and third parties. Third parties commit to implementing necessary security measures and are audited for compliance.
  • Internal audits and independent assessments are conducted to monitor compliance.
  • Risk analyses, data classification, information security risk assessment, and business impact analyses are performed to guide technical measures and align with technological developments.
  • Employee contracts include obligations to maintain confidentiality of personal data, restrict use to authorized purposes, and ensure continuity of obligations after employment ends. Disciplinary actions are applied according to law.
  • Internal communication channels are established, a Data Controller Contact Person is appointed, and an Information Security Committee oversees personal data protection. Roles, responsibilities, and emergency communication procedures are clearly defined.
6.3.3 Audits for the Sustainability of Personal Data Protection

ZZGTech conducts or ensures necessary audits to maintain the security of personal data across all jurisdictions: UK, EU/EEA, Turkey, and Non-EU/Non-EEA countries.

  • Internal audits are conducted to verify the effectiveness and sustainability of personal data protection measures.
  • Audit processes follow ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards.
  • Regular penetration tests are performed to detect potential technical vulnerabilities.
  • Information systems are continuously monitored by the IT department.
  • In the event of detecting unauthorized access or unlawful processing of personal data, the Data Controller Contact Person is immediately notified.
6.3.4 Measures Taken to Ensure the Protection of Personal Data by Third Parties

To ensure personal data protection by third parties across all jurisdictions, ZZGTech:

  • Includes contractual clauses imposing sanctions for unlawful processing, unauthorized access, or non-compliance with data retention requirements.
  • Signs privacy agreements with third parties before sharing personal data.
  • Provides necessary information and guidance to increase awareness among third parties regarding personal data protection.
  • Maintains access logs for third parties requiring system access.
6.3.5 Measures Taken for the Protection of Sensitive Personal Data

Sensitive personal data (special categories of personal data) requires additional protection due to its nature and potential to cause harm or discrimination. Such data includes:

  • Race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions,
  • Health data, sexual life, criminal convictions, security measures, biometric and genetic data.

ZZGTech ensures that sensitive personal data is:

  • Processed lawfully and only under the conditions permitted by UK GDPR, EU GDPR, Turkish Law, or relevant local legislation.
  • Not processed without the explicit consent of the data subject or without meeting other legal bases defined in applicable legislation.
  • Not shared with third parties or institutions without informed and explicit consent, except where required by law.
  • Protected using enhanced technical and administrative measures reflecting the sensitivity of the data.
  • Handled by employees who are informed, via policies, procedures, and training, of the proper handling of sensitive personal data.
6.3.6 Creating Awareness for the Protection of Personal Data

To strengthen the culture of personal data protection across all jurisdictions, ZZGTech:

  • Conducts regular training sessions to prevent unlawful processing and unauthorized access, and to ensure proper data retention.
  • Measures the effectiveness of training programs to ensure compliance and awareness.
  • Updates policies and procedures in response to changes in relevant laws, regulations, or legislation and communicates these updates promptly to all staff.
  • Promotes continuous awareness among employees regarding their obligations for data protection and the handling of sensitive personal data.
6.4 Techniques for the Destruction of Personal Data

ZZGTech destroys personal data when it is no longer required for legal obligations, contractual requirements, or operational purposes. Destruction occurs when:

  • Personal data is no longer necessary for data subjects' requests,
  • Legal retention obligations have expired,
  • Retention is no longer required for operational purposes.

Destruction is conducted annually, as determined by the Data Controller Contact Person, using the following methods: deletion, destruction, and anonymization.

6.4.1 Deletion of Personal Data

| Data Recording Environment | Description |
|---|---|
| Personal Data on Servers | System administrator removes access rights for expired data and deletes it. |
| Personal Data in Electronic Environment | Data becomes inaccessible for all employees except authorized administrators; operational file systems are deleted securely. |
| Personal Data in Physical Environment | Data becomes inaccessible for all employees except the unit manager responsible for archives; blackout (marking/drawing/deleting) ensures it is unreadable. |
| Personal Data on Portable Media | Flash-based storage media is encrypted; access is limited to the system administrator; encrypted data is stored securely with keys. |

6.4.2 Destruction of Personal Data

| Data Recording Environment | Description |
|---|---|
| Personal Data in Physical Environment | Paper-based data whose storage period has expired is shredded irreversibly. |
| Personal Data on Optical / Magnetic Media | Data is physically rendered unreadable and irreversible; disposal is documented using a Destruction Record Form. |

6.4.3 Anonymization of Personal Data
  • Anonymization ensures data cannot be linked to a specific individual under any circumstances, even if combined with other data.
  • Techniques depend on the recording environment and business context, e.g., returning personal data to the controller or third parties and preventing matching with other datasets.
6.5 Storage and Destruction Periods

Storage periods are defined in ZZGTech's Data Inventory and consider:

  • Applicable laws in the jurisdiction (UK, EU/EEA, Turkey, Non-EU/Non-EEA),
  • Contractual obligations with relevant parties,
  • Operational needs of ZZGTech.

The Data Controller Contact Person updates storage periods as necessary. Personal data exceeding its retention period is destroyed ex officio.

Maximum Retention Periods by Data Category are as follows:

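| Data | Data Subject | Retention Period |
|---|---|---|
| Judicial Records | Employees | 10 Years from Termination of Employment Contract |
| Financial Information | Employees | 10 Years from Termination of Employment Contract |
| Financial Information | Customers | 10 Years |
| Financial Information | Customer's Relevant Person | 2 Years |
| Financial Information | Partners | 10 Years |
| Financial Information | Outsource Employees | 10 Years from Termination of Employment Contract |
| Financial Information | Potential Supplier | 10 Years |
| Financial Information | Supplier Representative | 10 Years |
| Visual and Auditory Records | Employees | 10 Years from Termination of Employment Contract |
| Visual and Auditory Records | Job Applicants | 1 Year |
| Visual and Auditory Records | Customer's Relevant Person | 10 Years |
| Legal Transaction | Employee | 10 Years |
| Legal Transaction | Clients | 10 Years |
| Legal Transaction | Supplier Representative | 10 Years |
| Contact Information | Employees | 10 Years from Termination of Employment Contract |
| Contact Information | Employee Candidates | 1 Year |
| Contact Information | Employee's Relative | 10 Years from Termination of Employment Contract |
| Contact Information | Clients | 10 Years |
| Contact Information | Client's Relevant Person | 2 Years |
| Contact Information | Partners | 10 Years |
| Contact Information | Outsourced Employees | 10 Years from Termination of Employment Contract |
| Contact Information | Partner Employee | 10 Years |
| Contact Information | Partner Representative | 10 Years |
| Contact Information | Potential Customer | 5 Years |
| Contact Information | Potential Supplier | 10 Years |
| Contact Information | References | 1 Year |
| Contact Information | Supplier Employee | 10 Years |
| Contact Information | Supplier Representative | 10 Years |
| Transaction Security Information | Employees | 10 Years |
| Transaction Security Information | Online Visitors | 2 Years |
| Transaction Security Information | Clients | 10 Years |
| Transaction Security Information | Client's Relevant Person | 2 Years from Termination of Service Contract |
| Transaction Security Information | Outsourced Employees | 2 Years |
| Transaction Security Information | Potential Customer | 5 Years |
| Transaction Security Information | Supplier Representative | 2 Years |
| Identity Information | Employees | 10 Years from Termination of Employment Contract |
| Identity Information | Employee Candidates | 1 Year |
| Identity Information | Employee's Relative | 10 Years from Termination of Employment Contract |
| Identity Information | Clients | 10 Years |
| Identity Information | Client's Relevant Person | 2 Years |
| Identity Information | Partners | 10 Years |
| Identity Information | Outsourced Employees | 10 Years |
| Identity Information | Partner Employee | 10 Years |
| Identity Information | Partner Representative | 10 Years |
| Identity Information | Potential Customer | 5 Years |
| Identity Information | Potential Supplier | 10 Years |
| Identity Information | References | 1 Year |
| Identity Information | Supplier Employee | 10 Years |
| Identity Information | Supplier Representative | 10 Years |
| Location Information | Client's Relevant Person | 2 Years from Termination of Service Contract |
| Professional Information | Employees | 10 Years from Termination of Employment Contract |
| Professional Information | Employee Candidates | 1 Year |
| Customer Transaction Information | Clients | 10 Years |
| Customer Transaction Information | Client's Relevant Person | 10 Years |
| Personal Information | Employees | 10 Years from Termination of Employment Contract |
| Personal Information | Employee Candidates | 1 Year |
| Personal Information | Clients | 10 Years |
| Personal Information | Client's Relevant Person | 2 Years from Termination of Service Contract |
| Personal Information | Partners | 10 Years |
| Personal Information | Outsourced Employees | 10 Years |
| Personal Information | Potential Customer | 5 Years |
| Personal Information | References | 1 Year |
| Personal Information | Supplier Representative | 10 Years |
| Marketing Information | Client's Relevant Person | 10 Years |
| Marketing Information | Customer | 5 Years |
| Marketing Information | Potential Customer | 5 Years |
| Marketing Information | Online Visitors | 2 Years |
| Health Information | Employees | 10 Years from Termination of Employment Contract |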

7. Application Methods

Data subjects can exercise their rights regarding their personal data under UK GDPR, EU GDPR, Turkish Law (KVKK), and other applicable data protection laws using the methods outlined below.

7.1 Data Controller and Contact Information

Data Controller: ZZGTech Ltd. (United Kingdom)

Data Protection Officer / Contact Person: Rugul Kose Cinar – [email protected]

Address (UK): 124 City Road, London, EC1V 2NX, UK

Notes for Multi-Jurisdiction Requests:

  • UK / EU Data Subjects: Requests will be handled according to UK GDPR or EU GDPR, depending on the location of the data subject.
  • Turkish Data Subjects: Requests are handled in accordance with KVKK.
  • Non-EU / Non-EEA Data Subjects: Requests will be processed according to applicable local legislation and contractual or contractual-like commitments ZZGTech has adopted for data protection.
7.2 Methods for Submitting Personal Data Requests

To make a request regarding your personal data, you must complete the Personal Data Application Form. Identity verification is required to ensure data is provided only to the correct data subject.

| Method | Contact Information | Description |
|---|---|---|
| Hand Delivery | 5 Kew Road, Richmond, TW9 2PR, United Kingdom | Present the Personal Data Application Form in person. Bring a valid identification document (passport, ID card, or driver's license) to verify your identity. |
| Email | [email protected] | Send the Personal Data Application Form via email. ZZGTech may verify your identity by checking internal records or contacting you to confirm identity. |

7.3 Handling Requests for Different Jurisdictions

| Jurisdiction | Processing Method / Notes |
|---|---|
| UK | Requests handled according to UK GDPR. Responses are provided within the legal timeframe (usually 1 month, extendable by 2 months if complex). |
| EU / EEA | Requests handled according to EU GDPR. Data subjects are informed of the legal basis, categories of data, retention period, and transfers. |
| Turkey | Requests handled according to KVKK. Data subjects are informed of domestic and international data transfers, processing purposes, and retention periods. |
| Non-EU / Non-EEA | Requests handled according to applicable local law and ZZGTech's international data protection commitments. Adequate safeguards and identity verification apply. |

7.4 Response to Data Subject Requests

ZZGTech will acknowledge receipt of all requests and communicate the expected response timeframe.

Responses may include:

  • Confirmation of whether personal data is processed
  • Access to the personal data processed
  • Correction, deletion, or restriction of personal data
  • Data portability (where applicable)
  • Notification of third parties with whom data has been shared (if applicable)

Responses are provided electronically or in writing, depending on the preference of the data subject.

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA

ZZGTech Ltd. (ZZGTech) would like to inform you about our personal data processing activities in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (EU GDPR), the UK Data Protection Act / UK GDPR, and other applicable legislation in relevant jurisdictions.

In accordance with the above legislation, your personal data may be processed by ZZGTech, acting as the data controller, for the purposes described below. Personal data may be processed, recorded, stored, classified, updated, and, where permitted by law and limited to the purpose of processing, disclosed or transferred to third parties.

1. PURPOSE OF PROCESSING PERSONAL DATA

Within the scope of services provided by ZZGTech, personal data of the following data subjects may be processed:

  • Employees, employee candidates, and their close relatives
  • References
  • Supplier employees and candidate suppliers
  • Company partners and partner company employees
  • Customers and their relevant individuals
  • Potential customers
  • Online visitors
  • Outsourced employees

Categories of personal data are detailed in the Personal Data Protection and Destruction Policy.

ZZGTech processes personal data for the following purposes:

  • Software and AI Services: ZZGTech provides messaging platform management software to medium and large enterprises. AI models may process customer data for personalized advertisement in compliance with applicable laws.
  • Customer Data Management: Processing customer data to execute contracts, activate applications, provide support, define access permissions, and manage user profiles.
  • Customer Requests and Complaints: Personal data is used to evaluate and respond to requests and complaints to improve customer satisfaction.
  • Employee Data Processing: Human Resources processes, contracts, payroll, disciplinary actions, retirement and benefits administration, social security notifications, and minimum subsistence calculations.
  • Emergency Contact Data: Storage of employee and relative contact information for emergency or employment-related notifications.
  • Outsourced and Partner Employees: Personal data of outsourced staff and partner company employees may be processed for service continuity, corporate collaborations, business improvements, and market research.
  • Training and Security Awareness: Records of training sessions to improve operational efficiency and information security awareness.
  • Legal Processes: Personal data may be processed to comply with legal obligations, including enforcement and bankruptcy procedures.
  • Supplier Data: Supplier information is processed to ensure smooth contractual operations, supplier evaluation, and communication.
  • Financial Transactions: Processing of accounting, billing, and reconciliation in accordance with applicable tax laws.
  • Potential Customer Data: Processed for sales, marketing, and business development purposes.
  • Log and System Data: Logs of employees, customers, suppliers, and outsourced employees for security, software development, and audit purposes.

2. DELETION OF PERSONAL DATA

For detailed information on deletion, anonymization, or destruction of personal data, refer to the Personal Data Protection and Destruction Policy.

3. SHARING OF DATA

Personal data may be shared with:

  • Customers
  • Contracted banks
  • Contracted law firms
  • Contracted suppliers
  • Advertising publishers

In addition, data may be shared with public institutions and other organizations to comply with legal obligations.

Transfers to other countries, including the EU, UK, and non-EU countries, are conducted in compliance with GDPR/UK GDPR requirements and applicable safeguards.

4. METHODS AND LEGAL BASIS OF DATA COLLECTION

ZZGTech collects personal data through:

  • Electronic channels: websites, registration forms, application interfaces, emails, career portals, software interfaces, customer systems, IT/project applications
  • Written channels: contracts, invoices, business cards, internal forms, HR forms, training records, official documents
  • Oral/visual/hand-delivery methods

Legal bases include:

  • Consent (where applicable)
  • Legal obligation
  • Contract performance
  • Legitimate interests
  • Public disclosure
  • Establishment, exercise, or defence of a legal right

5. RIGHTS OF DATA SUBJECTS

You may exercise the following rights under GDPR/UK GDPR (and local laws where applicable):

  • Confirm whether your personal data is processed
  • Access the processed personal data
  • Learn the purpose of processing and whether data is used for intended purposes
  • Know the third parties with whom your data is shared
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of your data
  • Request notification of correction/deletion to third parties
  • Request restriction of processing and data portability
  • Object to automated decision-making or profiling
  • Claim compensation for damages from unlawful processing

Requests are typically processed within 30 days, and responses are provided free of charge, unless a fee is justified under local law.

6. CONTACT METHODS

You can submit requests regarding your personal data using the methods below:

Data Controller: ZZGTech Ltd. (United Kingdom)

Data Protection Officer / Contact Person: Rugul Kose Cinar – [email protected]

Address: 124 City Road, London, EC1V 2NX, UK

| Method | Contact Information | Description |
|---|---|---|
| Hand Delivery | 5 Kew Road, Richmond, TW9 2PR, United Kingdom | Present the Personal Data Application Form in person with a valid ID (passport, ID card, or driver's license) for identity verification. |
| Email | [email protected] | Send the Personal Data Application Form by email. ZZGTech may verify your identity via system records or direct confirmation. |

Notes:

  • Identity verification is required before responding.
  • Requests are processed in writing or electronically within legal timeframes.
  • ZZGTech no longer accepts courier/notarized mail submissions.