**Protection of Personal Data**
**Cyprus Taxi**
**PERSONAL DATA PROCESSING AND PROTECTION POLICY**

**ARTICLE – INTRODUCTION**

**Introduction**

The Personal Data Protection Law No. 6698 (“Law”) introduces significant obligations for those processing personal data to protect individuals’ fundamental rights and freedoms, particularly the right to privacy. Cyprus Taxi (“Company”), registered at Ramadan Cemil Square, GİRNE/CYPRUS, is dedicated to fulfilling these obligations and ensuring that all personal data processing activities comply with the relevant regulations. This Personal Data Processing and Protection Policy (“Policy”) has been established to regulate all aspects of the Company’s personal data processing activities, in line with the Law and other applicable legislation.

**Purpose and Scope**

**Purpose**

This Policy is designed to inform individuals in specific data categories and employees about the Company’s personal data processing and protection activities, provide a detailed guide on the processes, principles, and methods adopted by the Company, and share the practices developed and implemented by the Company to meet its obligations arising from the Law and other related regulations.

**Scope**

The data subject groups covered by this Policy are detailed below. The personal data of real persons in the categories such as employee, employee candidate, employee family member, supplier representative, customer, and visitor, processed by the Company, are handled and protected within the framework of this Policy, either automatically or manually as part of a data recording system.

**Explanation of Data Subject Groups**

– **Employee:** Refers to individuals under a service contract with the Company.
– **Employee Candidate:** Refers to individuals evaluated by the Company for potential employment.
– **Employee Family Member:** Refers to close family members (e.g., spouse, child) of the Company’s employees.
– **Customer:** Refers to real persons who have purchased the Company’s products or services or are considered customers through verbal or written agreements, or who are evaluated as prospective customers through the Company’s departments.
– **Customer Representative:** Refers to individuals working within legal entities whose data is processed through verbal or written agreements or by being evaluated as prospective customers by the Company’s departments.
– **Supplier Representative:** Refers to individuals from whom the Company receives products and services based on contractual relationships, or the authorized persons or employees of legal entities providing such products and services.
– **Visitors:** Refers to individuals visiting the Company’s locations or e-commerce site.
– **Third Parties:** Refers to individuals whose personal data is processed according to this Policy, but not explicitly defined under other categories.

**Policy and Applicable Law**

This Policy aims to ensure systematic compliance with the obligations related to personal data processing imposed by the Law and relevant regulations. In the event of any conflict between the provisions of this Policy and Applicable Law, the Company will prioritize compliance with Applicable Law to protect the personal data rights enshrined in the Constitution of the Turkish Republic of Northern Cyprus (TRNC).

**Enforcement and Amendment of the Policy**

This Policy, prepared under the guidance and diligent work of the Company’s Personal Data Protection Commission, was approved by the relevant authority and took effect on {14.05.2022}.

The Policy will be reviewed every six months by the Personal Data Protection Commission and amended as necessary to ensure compliance with current regulations. These amendments will be published on the Company’s website and, if requested, made available to relevant individuals via other means at the Company’s discretion, within the limits of the law.

**ARTICLE – DEFINITIONS**

– **Recipient Group:** Refers to the category of natural or legal persons to whom personal data is transferred by the data controller.
– **Data Subject:** Refers to the individual whose personal data is processed.
– **Personal Data:** Refers to any information relating to an identified or identifiable natural person.
– **Processing of Personal Data:** Refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, organizing, disclosing, transferring, taking over, making available, classifying, or preventing its use, fully or partially automated or non-automated, as part of a data recording system.
– **Sensitive Personal Data:** Refers to personal data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
– **Data Category:** Refers to the class of personal data belonging to a group or groups of data subjects, grouped according to their common characteristics.
– **Data Subject Group:** Refers to the category of individuals whose personal data is processed by the data controllers.
– **Board:** Refers to the Personal Data Protection Board.
– **Request Management Procedure:** Refers to the guide procedure determining the details of the data subject’s right to apply to the data controller under Article 11 of the Law and the Company’s response process to such applications.
– **Data Controller:** Refers to the Company, responsible for determining the purposes and means of processing personal data, establishing, and managing the data recording system.
– **Website:** Refers to the Company’s corporate website and e-commerce site through which its online activities are conducted.

**ARTICLE – PERSONAL DATA PROCESSING**

When designing its personal data processing activities for each data subject group, the Company adheres to the provisions set forth by the Law from the first interaction with personal data until its destruction. One of the main purposes of this Policy is to transparently inform data subjects about the Company’s principles for processing and protecting personal data. The methodology adopted in the Policy is based on the principle that “the Data Subject can follow the journey of their personal data within the Company from start to finish.”