1. Introduction

1.1. Introduction

Personal data protection has a great importance in terms of Gotrend (“GOTREND” or the “COMPANY”) and finds place in company priorities. Within this scope, GOTREND pays utmost attention to protect personal data of it’s insured employees, job applicants, authorities, visitors, commercial relation parties (institutions, employees, authorities) and third parties, whose data is somehow processed by the COMPANY.

GOTREND takes the organizational and technical precautions, which are needed to protect personal data, processed in accordance with legislation. In this Policy, GOTREND following principles about personal data processing will be explained in detail.

• Processing personal data in compliance with law and good faith,
• Providing the accuracy and actuality of personal data,
• Processing personal data for specific, legitimate and explicit purposes,
• Processing personal data related, limited and proportional to the processing purpose,
• Preserving personal data in accordance with the processing purpose and the duration stated in legislation,
• Clarifying and informing personal data subjects,
• Providing the system, required for data subjects to exercise their rights,
• Taking the measures, necessary for the security of personal data,
• Complying with the regulations and legislations, in the matter of transferring personal data to third parties in accordance with the processing purpose,
• Showing sensitivity, required for processing and protecting sensitive personal data,
• Taking necessary technical, technological, organizational, administrative and legal for your data.

1.2. Policy Purpose

The main purpose of this Policy is to elucidate the lawful processing of ersonal data and the systems, internalized by the COMPANY to protect processed data. Within this scope, we aim to provide a transparent processing procedure, by informing the subjects of data processing, particularly our employees, job applicants, authorities, visitors, commercial relation parties (institutions, employees, authorities) and third parties, whose data is somehow processed by the COMPANY.

1.3. Scope

This Policy pertains to all personal data of GOTREND’s insured employees, job applicants, authorities, visitors, commercial relation parties (institutions, employees, authorities) and third parties, whose data is somehow processed within GOTREND, by an automatic data recording system or a non-automatic one, under the condition that must be a part of an automatic data recording system.

1.4. Enforcement of the Policy

This Policy is drawn up by GOTREND and has entered into force in published on GOTREND’s Website. The Policy is published on GOTREND’s Website and allows access to concerned persons on data subjects’ demand.

1.5. Definitions

Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Subject Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Genetic Data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

Biometric Data: personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

International Organization: an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

2. Personal Data Protection Releated Matters

2.1. Ensuring the Security of Personal Data

GOTREND, in compliance with Art 5 and 32 of General Data Protection Regulation (“GDPR”), takes the necessary organizational and technical measures and also ensures that the inspections are made in order to safely store the data, prevent unlawful data processes and/or avoid illegal access to these data.

2.1. Technical and Organizational Measures Taken to Ensure Lawful Processing of Personal Data, Prevent Unlawful Access to Personal Data and Provide Personal Data Retention

GOTREND, within the bounds of technological possibilities, Council’s guide and current developments, takes all measures, which are necessary to ensure the lawful processing of personal data, prevent unauthorized, improvident or in any other way unlawful declaration and access, store safely and avoid illegal destruction or transformation.

Technical measures taken within this scope are as follows:

• To ensure the network and application security,
• Closed system network is used to transfer data through a network path,
• Key method is used,
• Authorization matrix for employees is formed,
• Security measures are taken, in the scope of supply, development and maintenance of information technologies system,
• Access logs are kept regularly,
• Mission based authorization of employees, who change position or quit the job, are taken back,
• Updated anti-virus system are used,
• Security walls are used,
• Security of personal data is followed up,
• Necessary security measures for entries and exits to personal data involving physical medium are taken,
• Personal data involving media are secured,
• Backups for personal data are made and secured,
• User account management and authorization controlling system are used and followed up,
• Log records are kept free from user intervention,
• Current risks and threats are determined,
• Attack detection and prevention systems are used,
• Penetration tests are run,
• Cyber security measures are taken and followed up continuously,
• Encryption is set,
• Software, preventing data loss, are installed,

Organizational measures taken within this scope are as follows;

• Key management is set,
• Security measures are taken, in the scope of supply, development and maintenance of information technologies system,
• There are disciplinary regulations, involving data security provisions for employees,
• Data security and awareness themed periodical trainings for employees are arranged,
• Authorization matrix for employees is formed,
• Corporate policies are created and started to be executed in fields of access, information security, retention and destruction,
• Confidentiality agreements are made,
• Mission based authorization of employees, who change position or quit the job, are taken back,
• Concluded agreements involve data security provisions,
• Additional security measures are taken for personal data, that are transferred through paper and the concerned paper is sent in classified document format,
• Personal data security policies and procedures are determined,
• Personal data security issues are reported swiftly,
• Personal data security is followed up continuously,
• Necessary security measures for entries and exits to personal data involving physical medium are taken,
• Personal data involving physical media are secured against external risks (fire, flood, etc.),
• Personal data involving media are secured,
• Personal data are minimized as far as possible,
• Periodical/random in-house inspections are conducted,
• Current risks and threats are determined,
• Policies and procedures for the security of sensitive personal data are specified and executed,
• Data processing service providers are periodically inspected in the matter of data security,
• Awareness of data processing service providers in the matter of data security must be raised.

2.1.2. Assessing The Measures Relating To Personal Data Protection

The COMPANY conducts all necessary Assessments, tests and evaluations, in accordance with Art. 32 of the General Data Protection Regulation (“GDPR”). Results of these inspections are reported to concerned managers and departments, and necessary improving activities for taken measures are carried out.

2.2. Ensuring Data subjects’ Rights, Providing Request Methods for Data subjects and Assessing These Requests

GOTREND manages the internal functioning, channels and Organizational and technical regulations, which are necessary to assess data subjects’ rights and notify data subjects in compliance with Art. 13 of GDPR. If the data subjects send requests concerning their below mentioned rights, depending on their qualification, they will be responded to without undue delay and at the latest within one month from the arrival to GOTREND.

Personal data subjects have right to;

• Where the legal basis of our processing is Consent, to withdraw that Consent at any time (Right to withdraw consent),
• To learn whether the personal data related to you are/have being processed,
• If it is processed, to request access to personal data being processed (Right of access),
• To learn purposes of the processing and whether your personal data has been used for the intended purpose (Right of information),
• To know the third parties within or outside the country to whom the personal data are transferred,
• To request correction of the personal data if the data is processed incompletely or inaccurately (Right of correction),
• o request deletion or destruction of the personal data without undue delay under the conditions set forth in Article 17 of General Data Protection Regulation (“GDPR”) (Right to be forgotten),
• To object to processing of your personal data if it impacts your fundamental Rights and freedoms (Right to object),
• To request your personal data in structured, commonly used and machine-readable format free of charge (Right to Data portability),
• To claim indemnification if you suffered damage due to illegal processing of your personal data (Right to file complaint),
• To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms.

2.3. Protecting Sensitive Personal Data

General Data Protection Regulation gives a particular importance to certain type of personal data by the reason that their violation may cause to aggrievement and discrimination. Mentioned data types, as specified in Art 9 of the General Data Protection Regulation (“GDPR”) are data, concerning; ethnicity, race, political opinion, philosophical belief, religion, trade union membership, genetic data, biometric data, data concerning health, natural person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences including the alleged commission of offences or proceedings for offences or alleged offences should be treated in the same way to special category data.

GOTREND pays attention to lawful processing and protection of above mentioned “special categories of personal data”. Within this scope, GOTREND in-house inspections and all technical and organizational measures, taken for personal data protection, are executed meticulously also for sensitive personal data.

2.4. Increasing and Controlling Company Departments’ Awareness of Personal Data Protection and Processing

GOTREND provides department training that is necessary to prevent unlawful processing of personal data, avoid illegal access to personal data and raise the awareness about data retention. Within this scope, systems, required to create the personal data protection awareness for company employees or incoming employees are formed.

The results of GOTREND training to raise the awareness for personal data protection and processing are reported to GOTREND authorities. Accordingly, the COMPANY assesses the participation in these training, seminars and informing sittings, and conducts necessary inspections. In addition to this, GOTREND updates and renews the training, in accordance with the update of personal data protection legislation and other legal regulations.

3. Personal Data Processing Matters

3.1. Processing Personal Data in Accordance with the Principles Stated by Legislation

3.1.1. Processing in Compliance With Law and Good Faith

GOTREND acts in compliance with the principles of legal regulations, general trust and good faith during the process of personal data. Within this scope, the COMPANY pays attention to proportionality and limitedness of data processing and does not use personal data out of their purpose.

3.1.2 Providing the Accuracy and Actuality of Personal Data

GOTREND ensures the actuality and accuracy of personal data, that are processed considering fundamental rights of data subjects and its own legitimate interests. It takes required precautions accordingly. Within this scope, personal data subjects may apply to the COMPANY any time they desire, in order to correct or confirm the accuracy of data. These applications are assessed by authorized departments of GOTREND and if the application is approved, requested deletion or confirmation is carried out.

3.1.3 Processing Personal Data for Specific, Legitimate and Explicit Purposes

GOTREND explicitly and precisely specifies the legitimate and lawful purpose of personal data processing. Within this scope, the COMPANY processes the amount of data that are necessary only for operating and commercial activities. The processing purpose is specified by the COMPANY before the process takes place.

3.1.4. Correlativity, limitedness and Proportionality with the Processing Purpose

GOTREND processes the data in a manner that is eligible for realizing the purpose and avoids to process data, which are irrelevant to purpose. Within this scope, personal data are not processed to meet probable future needs.

3.1.5. Preserving data, in accordance with the processing purpose and the duration stated in legislation

GOTREND preserves personal data only for the time specified in related legislation or the time required to serve the purpose. In this context, the COMPANY first determines if any retention period for personal data is specified via legislation and follows this time limitation, if there is no time specified here, preserves the data in compliance with the purpose. In the event that the specified period ends or the processing purpose disappears, personal data is deleted, destroyed or anonymized by the COMPANY

3.2. Clarification Of Data Subject

In accordance with Art. 13 General Data Protection Regulation (“GDPR”), GOTREND clarifies personal data subjects during personal data acquiring. Within this scope, GOTREND clarifies the following issues; purpose of personal data processing, to whom or for what purpose may the data be transferred, personal data acquiring method, legal reason and the rights of the data subject.

According to General Data Protection Regulation (“GDPR”), “requesting information” is one of the personal data subject’s rights in Art. 15 of General Data Protection Regulation (“GDPR”). In this context, the COMPANY provides the requested information to data subject in compliance with Art. 15 of General Data Protection Regulation (“GDPR”)

3.3. Processing General and Special Categories of Personal Data

The COMPANY is aware that the protection of personal data is a legal right and obligation. Special categories of personal data may only be processed in situations prescribed by law or with explicit consent of the individual. Accordingly, the COMPANY only processes data by constitutional means, in cases prescribed in Art. 9 of General Data Protection Regulation (“GDPR”).and other legislations or with explicit consent of the individual.

GOTREND complies with General Data Protection Regulation (“GDPR”), secondary legislations and binding legal resolutions related to the matter of processing personal data, which are mentioned as “special categories of personal data” by General Data Protection Regulation (“GDPR”). Special categories of personal data are processed by GOTREND in situations specified in Art. 9 of General Data Protection Regulation (“GDPR”), under the condition that all necessary measures for personal data security are taken.

3.4. Transfer of Personal Data to Third Countries or International Organizations

GOTREND may transfer the personal data and sensitive personal data of the data subject to third countries or international organizations in compliance with Art. 44 of General Data Protection Regulation (“GDPR”) and by taking precautions, which are necessary in line with lawful personal data processing purposes. The COMPANY may transfer personal data to foreign countries;

• If the transfer of personal data to third countries or international organizations takes place on the basis of an adequacy decision of the Commission (In compliance with Article 45 of GDPR),
• In the absence of an adequacy decision, if the controller or processor has provided appropriate safeguard and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (In compliance with Article 46 and 47 of GDPR),
• Based on an international agreement between the requesting third party and the Union or a member state, if the transfer of personal data to third countries or international organization is not authorized by Union Law (In compliance with Article 48 of GDPR),
• If one of the exceptional situations as specified in Article 49 of GDPR takes place,

In this context, GOTREND complies with the regulations in Art. 44-49 of General Data Protection Regulation (“GDPR”).

4. Categorization Of Personal Data And Their Purposes

4.1. Categorization of Personal Data

Below categorized personal data are processed, by informing concerned persons in accordance with Art. 13 of General Data Protection Regulation (“GDPR”) within GOTREND. To perform this personal data processing, the COMPANY must have legitimate and lawful personal data processing purposes, one or more of the personal data processing conditions in Art. 6 of General Data Protection Regulation (“GDPR”) must exist, the processing must be limited and lastly, compliance with principles and obligations in General Data Protection Regulation (“GDPR”), particularly principles regulated in Art. 5, must be provided.

• Identity Information: Driver license, passport, identity card and suchlike documents, involving information such as; name-surname, identity number, nationality, mother’s name, father’s name, birthplace, birthdate, sexuality and other data like; tax number, social security number, signature, number plate, etc.
• Contact Information: Telephone number, address, e-mail address, fax number, IP address.
• Customer Operation: Call center records, invoice details, bill information, check information, information on pay-desk receipt, order information, request information etc.
• Process Security: IP address information, information about website entries and exits, password and code information etc.
• Financial Information: Bank account number, IBAN number, financial profile, asset data, income details, signatory circular and data, that are processed in regard to information, documents and records, which indicate all financial results created in accordance with the relation established with the personal data subject.
• Marketing: Previous shopping information, poll, cookie records, information provided through campaign etc.
• Audio/Visual Information: photo and camera records.
• Special Categories of Personal Data: medical reports, biometric data, blood type, compulsory reports in scope of occupational health and safety, documents for hard and dangerous works, that are asked to be collected by law etc
• Location Data: Travel data, airplane ticket, hotel reservations, vehicle tracking system, etc.
• Personnel Information: All kinds of personal data processed to obtain information, that will prevent the establishment of personal rights belonging to a natural person, who has a relation with the COMPANY.
• Legal Transaction: Information about correspondences with judicial authorities, information in case file etc.
• Risk Management: Information processed to manage commercial, technical and administrative risks etc.
• Security Information: Data acquired through records of entries and exits to physical location and the presence time there, camera records, fingerprint records, security records etc.
• Professional Experience: Diploma information, attended courses, vocational training details, certificates, transcript details etc.
• Medical Knowledge: Information about disability status, blood type, personal health data, used medical devices and prosthesis etc.

4.2. Purposes of Personal Data Processing

GOTREND processes the data limited to personal data processing purposes and conditions specified in Art. 6 and 9 of the General Data Protection Regulation (“GDPR”). These purposes and conditions are as follows;

• If the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• If processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• If processing is necessary for compliance with a legal obligation to which the controller is subject;
• If processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• If processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
• If any of the purposes specified for processing a special category of personal data in Art.9 of GDPR takes place.

Within this scope GOTREND processes your personal data for following purposes;

• Developing performance and execution of the purchase or services contract,
• Analyzing the usability and quality to improve GOTREND’s services,
• Improving the customer services,
• Planning and performing institutional sustainability actions,
• Management of requests and complaints,
• Planning and performing corporate communication operations,
• Management of relations with business associates and suppliers,
• Performing financial reporting and risk management operations of the COMPANY,
• Creating and monitoring visitor records,
• Activity and orientation management,
• Management of GOTREND’s employment procedures,
• Management of the COMPANY’s legal affairs,
• Performing corporate governance,
• Planning and performing inspections with the objective to assure the legislation-compliant management of GOTREND’s local and global procedures,
• Act for protection of GOTREND ‘s reputation,
• Management of investors relations,
• nforming public authorities in compliance with legislation,

In the event that processing with mentioned purposes does not meet any of the conditions stated by the of General Data Protection Regulation (“GDPR”), your explicit consent regarding the processing procedure is received by the COMPANY

5. Purposes Of Personal Data Transfer And Transeferd Third Parties

GOTREND, in accordance with the Art. 13 of General Data Protection Regulation (“GDPR”), informs the data subject on who personal data receivers are. GOTREND, in accordance with the Art. 6 and 44-49 GOTREND may transfer personal data of individuals who are directed by this Policy, to below mentioned categories.

1. Company partners,
2. Company suppliers/ service providers,
3. Company shareholders,
4. Company authorities,
5. Legally authorized public institutions and organizations,
6. Legally authorized private persons

Personal data are transferred to above mentioned receiver groups with the following objectives;

• Company partners; To ensure that the founding purpose of business partnership is accomplished
• Suppliers/Service Providers; To provide services, that are supplied by GOTREND to fulfil the COMPANY’s commercial operations
• Shareholders; To actualize GOTREND’s legislation-compliant operations in the fields of corporate law, activity management, corporate communication processes
• Company authorities; To strategize GOTREND’s commercial operations in compliance with legislation, to provide top management and to make inspections
• Legally authorized public institutions and organizations; For the purposes, requested by the related public institutions and organizations within their legal province
• Legally authorized private persons; For the purposes, requested by the related private persons within their legal province

6. Deletion, Destruction And Anonymization Personal Data

6.1. GOTREND’s Obligation to Delete, Destruct and Anonymize Personal Data

Despite the matter that personal data are processed in compliance with Art. 6 of General Data Protection Regulation (“GDPR”), they will be deleted or destructed or anonymized directly or on demand of the data subject if the processing purpose disappears. In this context, GOTREND fulfills its obligations through below specified methods.

6.2. Techniques of Personal Data Deletion, Destruction and Anonymization

6.2.1. Techniques of Personal Data Deletion and Destruction

Although GOTREND processes personal data in compliance with legislation, mentioned personal data will be deleted, destroyed or anonymized by GOTREND’s decision or on demand of the data subject if the processing purpose disappears. GOTREND’s commonly used deletion or destruction methods are as follows;

1. Physical Destruction: Personal data may also be processed by non-automatic ways on condition of being part of any data recording system. While such data is deleted/destroyed, a physical destruction system, that prevents their reuse, is used.
2. Secure Erasure From Software: While deleting/destructing personal data that are processed and preserved by completely or partially automatic ways, deletion methods preventing the reuse of personal data will be used.
3. Secure Outsource Erasure When Required: GOTREND may come to terms with an expert for deletion of personal data on its behalf. In such cases, personal data are securely deleted/destroyed by the expert in an irrecoverable way.

6.2.2. Techniques of Personal Data Anonymization

Anonymizing personal data means, preventing the data from being associable with a particular or identifiable natural person even by matching the data with others. GOTREND may anonymize lawfully processed personal data, if the processing purpose disappears. According to the General Data Protection Regulation (“GDPR”), anonymized personal data may be processed for purposes like research, planning or statistics. Such operations are out of the Law’s scope and do not require data subject’s explicit consent.

Anonymizing methods preferred by GOTREND are listed below;

1. Masking
2. Consolidation
3. Data Derivation

7. Rights Of The Data Subject, Exercise And Assesment Of These Rights

In compliance with Art. 13 of General Data Protection Regulation (“GDPR”) informs the data subject about his/her legal rights and how to exercise them

7.1. Data subject’s Rights and Exercise of these Rights

7.1.1. Rights of The Data subject

Personal data subject has following rights:

• Where the legal basis of our processing is Consent, to withdraw that Consent at any time (Right to withdraw consent),
• To learn whether the personal data related to you are/have being processed,
• If it is processed, to request access to personal data being processed (Right of access),
• To learn purposes of the processing and whether your personal data has been used for the intended purpose (Right of information),
• To know the third parties within or outside the country to whom the personal data are transferred,
• To request correction of the personal data if the data is processed incompletely or inaccurately (Right of correction),
• To request deletion or destruction of the personal data without undue delay under the conditions set forth in Article 17 of General Data Protection Regulation (“GDPR”) (Right to be forgotten),
• To object to processing of your personal data if it impacts your fundamental Rights and freedoms (Right to object),
• To request your personal data in structured, commonly used and machine-readable format free of charge (Right to Data portability),
• To claim indemnification if you suffered damage due to illegal processing of your personal data (Right to file complaint),
• To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms.

7.1.2. Situations, in which the Data subject May Not Assert His/ Her Rights

Personal data subjects may not request above mentioned rights in situations which are kept out of General Data Protection Regulation (“GDPR”).

1. Processing anonymous information for statistical or research purposes
2. Processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
3. Processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
4. Processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
5. Process of personal data by judicial and executive authorities in relation to investigation, prosecution, judgment and execution operations.

7.1.3. Exercise of Data subject’s Rights

You may exercise your rights listed above through filling out and signing a form that you can obtain from us or [www.gotrend.com] and apply to the following address personally or with a notary approved power of attorney:

• Fill in the application form, which you can obtain from our website, for your rights listed above; signing with your wet-ink signature and pass it to [Block 18 ElNarges 5 - Fifth Settlement - New Cairo] by personal application, by certified mail or through a notary public.
• Sign with your electronic signature or mobile signature and send it to [Support@gotrend.com] or [info@gotrend.com] by using your Registered Electronic Mail (REM) address or the e-mail address registered to the data recording system of CMA.
• If the application is made by a third person on behalf of a personal data subject, notarial special power of attorney must be submitted.

7.2. Responses to Applications

t is only necessary to apply GOTREND in cases, where the COMPANY is indicated as data controller by General Data Protection Regulation (“GDPR”). This is possible when the COMPANY collects data directly from the related individual. Apart from these, applications for data processes in which other companies are deemed as data controllers, must be submitted to the related company.

7.2.1. Procedures and durations of Responses

GOTREND will provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. GOTREND will inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the COMPANY may either:

• Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
• Refuse to act on the request.

7.2.2. Information, Which May Be Requested From The Applicant Data Subject

If GOTREND has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7.2.3. Right To Reject the Application of Data Subject

GOTREND may reject the application in following situations, by indicating its reason:

1. Process of personal data for purposes like research, planning and statistic by anonymizing through official statistics,
2. Process of personal data within preventive, protective and informative operations, that are conducted by legally authorized public organizations and institutions in order to ensure national defense, national security, public order, public safety and economic security.
3. Process of personal data by judicial and executive authorities in relation to investigation, prosecution, judgment and execution operations.
4. If processing personal data is necessary for crime investigation or avoiding crime commitment.
5. rocessing personal data, which are anonymized by data subject.
6. If the process of personal data by legally authorized public organizations, institutions and public professional organizations is necessary to conduct discipline investigations or prosecutions and inspection or regulation obligations.
7. If a personal data subject’s request has the possibility to violate others’ rights and freedoms.
8. If nonproportional effort requires requests are made.
9. If requested information is public