Vulnerability Disclosure Program (VDP)
Hall of Fame Privacy Notice

Who We Are

When we refer to “Company”, “we”, or “us”, we are referring to Arçelik A.Ş. and its affiliated companies responsible for managing the Vulnerability Disclosure Program (VDP) and maintaining the Hall of Fame section on our website.More information about Arçelik A.Ş. can be found here.

If you have questions about the processing operations of Arçelik A.Ş., you can view privacy policy here.

How to Contact Us

If you have any questions about how we use your personal data or this privacy notice in general, please contact us using this form

When Do We Collect Your Personal Data?

We collect your personal data when:

  • You contact us with questions or feedback about the program.

  • You submit a vulnerability report that includes personal data (though you should avoid including unnecessary personal data).

  • You voluntarily submit your name or nickname to be published on our website’s Hall of Fame page in recognition of your contribution to the VDP.

What Types of Personal Data Do We Collect?

The types of information we collect are limited to:

  • Your name or nickname (only if you voluntarily provide it for publication),

  • Contact details (such as email address) for verification or communication regarding your submission,

  • Any other information you voluntarily provide to us within your VDP submission.

We do not require or request sensitive personal data for the purposes of this program.

What Lawful Bases Do We Rely On for Processing Your Personal Data?

We process your personal data based on the following legal bases under applicable data protection laws:

  • Your explicit consent (Article 6(1)(a) GDPR; and Article 5/1 Turkish Personal Data Protection Law) for the publication of your name or nickname on the Hall of Fame page.

  • Our legitimate interest (Article 6(1)(f) GDPR Article 5/2(f) Turkish Personal Data Protection Law) to maintain and operate the VDP platform securely and efficiently.

  • Compliance with a legal obligation (Article 6(1)(c) GDPR; Article 5/2(ç)Turkish Personal Data Protection Law)) if required by applicable law or regulatory authority.

How and Why We Use Your Personal Data?

We use your personal data to:

  • Recognize and publicly acknowledge your contribution to improving the security of our systems,

  • Communicate with you about your VDP report or consent preferences,

  • Maintain a record of your consent for the Hall of Fame publication,

  • Ensure the integrity, confidentiality, and proper operation of our security program.

Who Do We Share Your Personal Data With?

We may share your personal data only with:

  • Internal teams managing the Vulnerability Disclosure Program,

  • Our IT and website service providers who host or maintain the Hall of Fame page,

  • Supervisory authorities or legal entities if required by law.

If you give your consent, your name will be publicly displayed under the Hall of Fame section.

All service providers are contractually bound to keep your personal data confidential and to use it only for the agreed purpose.

International Transfers of Your Personal Data

Since the Hall of Fame page is hosted on our global website, your published name or nickname may be accessible worldwide, including from countries outside the EEA, UK, and Türkiye. Such access constitutes a global data disclosure.

When we share your personal data with our affiliated companies or other companies with whom we contract (as described in ‘Who do we share your personal data with?’), these companies may be located outside the European Economic Area (“EEA”), Turkey, the UK or your country of residence, as applicable, in countries with different laws for protecting personal data than the laws in your country of residence.

If we transfer your personal data outside the EEA, Turkey, the UK or your country of residence, as applicable, we will take steps to ensure that your data will receive the same level of protection as if it was being processed within the EEA, Turkey, the UK or your country of residence, as applicable. For example, we may include standard contractual clauses adopted by the relevant authorities in our contracts with third parties or our affiliates to ensure there are safeguards in place to protect your personal data. Please contact us using the details in ‘How to contact us’ for more information about the specific measures we have taken.

Please note that Arçelik A.S. may further transfer your personal data to third parties located in countries that do not provide an adequate level of data protection. Such transfers will be carried out in accordance with applicable laws including where applicable, contractual requirements set out in standard contractual clauses.

How Long Do We Keep Your Personal Data?

Your personal data will remain published on the Hall of Fame page until you withdraw your consent or request deletion. Once withdrawn, your data will be removed without undue delay.Non-published data (e.g., contact information) will be retained only as long as necessary for program administration or legal compliance.

How Do We Keep Your Personal Data Secure?

We will take reasonable precautions to protect your personal data against loss, misuse or alteration. Among other measures, we ensure the security of your personal data by means of encryption, password protection and by otherwise restricting access to it.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data as required by law, we cannot guarantee the security of your personal data transmitted to us using unsecured means; any such transmission is at your own risk.

What are your rights relating to your personal data?

You have the following rights with respect to your personal data that we process, subject to conditions set out in the applicable laws:

  • to request access to your personal data (commonly known as a “subject access request”) and to certain additional information about our processing of your personal data that this privacy notice is designed to address,

  • to request the correction of any inaccurate or incomplete personal data,

  • to request the erasure of your personal data or the restriction of the processing of your personal data,

  • to object to our processing of your personal data,

  • to withdraw any consent you have given,

  • under certain circumstances to demand data portability,

  • to lodge a complaint with the applicable data protection supervisory authority; and

  • to contest certain automated decisions we make about you that have legal or otherwise similarly significant consequences. We do not typically carry out such automated decision-making but, if we do, we will make it clear where such decisions are being made.

To exercise your rights, please contact us using the contact details listed in ‘How to contact us’ or the relevant data protection authority as explained in the ‘Supervisory Authorities’ in case you would like to file a complaint.

Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on this page.



About Us Overview Management History Locations Reports & Presentations Privacy & Cookies Information Society Services Vulnerability Disclosure Procedure Vulnerability Disclosure Hall of Fame
Investor Relations Financial Summary Corporate Governance Greenbond 2021
Human Resources Career Campus To Career Join Us
Purchasing Supply Chain Supplier Portal Invoice Acceptance Criteria
Press Room Press Releases Logos Photos Videos
Contact Contact
linkedin_white-icon instagram_white-icon fb_white-icon x_white-icon youtube_white-icon
© 2025