KVKK DATA PROCESSING POLICY

PROTECTION OF PERSONAL DATA

POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA UNDER LAW NUMBER 6698

1. Purpose and Enforcement of the Policy

Personal Data Protection Law No. 6698 (“Kanun”) It entered into force on April 7, 2016. The law sets forth the procedures and principles regarding the processing of personal data by real or legal persons who are classified as "data controllers" and who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.

Within the scope of the law, personal data is defined as "all kinds of information regarding an identified or identifiable natural person"; Processing is “obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.” It is defined as “any action performed on data, such as preventing its use or use.”

In addition to its other regulations, the law imposes an obligation on data controllers to inform/enlighten data owners whose personal data will be processed during the collection of personal data. According to Article 10 of the Law, data controllers;

1. Identity of the data controller and his representative, if any,
2. For what purpose personal data will be processed,
3. To whom and for what purpose the processed personal data can be transferred,
4. Method and legal reason for collecting personal data,
5. He/she must be informed about other rights listed in Article 11 of the Law.

This document (“Politika”) has been written in order to inform the real persons whose personal data our Company processes as the data controller within the scope of the above-mentioned article.

2. Scope of the Law and Our Company's Rights and Obligations Arising from the Law

1. General Principles Concerning the Processing of Personal Data

In accordance with Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, in addition to fulfilling the disclosure obligation specified in Section 1 above:

• Complying with the law and the rules of honesty.
• Be accurate and up to date when necessary.
• Processing for specific, explicit and legitimate purposes.
• Being related to the purpose for which they are processed, limited and proportionate.
• To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

1. Personal Data Processing and Sharing Purposes Within the Scope of the Law
2. Purposes for Processing Personal Data

In accordance with the law, personal data cannot, as a rule, be processed without the explicit consent of the data owner. However, within the scope of Articles 5 and 6, the Law has determined certain situations in which data may be processed without explicit consent in terms of personal data and special categories of personal data.

5 Personal data in accordance with Article ,

• Data processing is clearly foreseen by law,
• It is mandatory to process the relevant data in order to protect the life or physical integrity of the person who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity, or the life or physical integrity of someone else,
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• Data processing is mandatory for the data controller to fulfill its legal obligation,
• Personal data has been made public by the relevant person himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned,

In some cases, processing may be carried out even if there is no prior explicit consent of the data owner (provided that the necessary information is provided).

On the other hand, the Law provides biometric data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures. and genetic data as "special nature" or "sensitive" personal data and stipulates more severe conditions for their processing. Accordingly, special personal data can only be processed under the following conditions, except for cases where explicit consent has been obtained from the data owner:

• Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data may be processed in cases stipulated by law.
• Personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations who are under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing.

1. B. Purposes for Sharing Personal Data

In accordance with data processing, sharing (transfer) of personal data with a third party is also subject to obtaining explicit consent from the relevant data owner. However, according to Article 8 of the Law, data transfer can also be carried out under the conditions where data processing is permitted, and if the conditions specified in this regard are met, personal data or special personal data can be transferred even if the data owner does not consent.

Regarding the transfer of personal data to third parties, the law subjects the transfer abroad to special conditions. Accordingly, personal data;

• If there is explicit consent of the data owner, or
• In cases where there is no explicit consent of the data owner, but one or more of the other conditions mentioned above are met;
  • There is adequate protection in the country to which the data is transferred,
  • If there is not sufficient protection in the country to which the data is transferred, the data controller must undertake in writing to provide adequate protection together with the data controller in the relevant foreign country,
  • Provided that the permission of the Personal Data Protection Board is obtained

It can be transferred abroad.

Section 3. Processing of Personal Data by Our Company

1. I. Purposes of Processing Personal Data by Our Company

Our company processes personal data for the following purposes:

• Planning, auditing and execution of information security processes
• Establishing and managing information technology infrastructure
• Planning and execution of fringe benefits and benefits for employees
• Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organization activities in which employees participate
• Planning and execution of employees' access to information authorizations
• Monitoring and/or supervision of employees' work activities
• Follow-up of financial and/or accounting affairs
• Follow-up of legal affairs
• Planning human resources processes
• Planning and/or execution of activities to analyze the effectiveness/productivity and/or appropriateness of business activities
• Planning and execution of business activities
• Planning and execution of information access authorizations of business partners and/or suppliers
• Management of relationships with business partners and/or suppliers
• Planning and/or execution of occupational health and/or safety processes
• Planning and/or execution of business continuity activities
• Planning and execution of corporate communication activities
• Planning and execution of corporate governance activities
• Planning and execution of logistics activities
• Planning and execution of customer relationship management processes
• Planning and/or execution of customer satisfaction activities
• Follow-up of customer requests and/or complaints
• Carrying out personnel recruitment processes
• Fulfillment of obligations arising from employment contracts and/or legislation for company employees
• Planning and execution of company audit activities
• Planning and execution of external training activities
• Planning and execution of operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation.
• Planning and/or execution of in-company training activities
• Planning and execution of in-company orientation activities
• Ensuring the security of company operations
• Ensuring the security of company campuses and/or facilities
• Planning and/or execution of processes to create and/or increase loyalty to the products and/or services offered by the company
• Planning and/or execution of the company's production and/or operational risk processes
• Carrying out company and partnership law transactions
• Follow-up of contract processes and/or legal requests
• Execution of strategic planning activities
• Planning and execution of supply chain management processes
• Compensation Management
• Planning and execution of production and/or operation processes
• Planning and execution of market research activities for sales and marketing of products and services
• Planning and execution of marketing processes of products and/or services
• Planning and execution of sales processes of products and/or services
• Ensuring that data is accurate and up to date
• Providing information regarding legislation to authorized institutions
• Creating and tracking visitor records

1. Procedure for Processing Personal Data by Our Company

Our company, as the data controller, informs the data owners in accordance with Article 10 of the Law before obtaining personal data from the data owners, within the scope of its obligations arising from the Law. If any data processing process carried out by our company does not meet the conditions specified in the Law and detailed in Section 2.II.a and b above, explicit consent is obtained from the data owners and the relevant processes are continued within the framework of the said explicit consent.

Within the scope of the Law, explicit consent is defined as "consent regarding a specific subject, based on information and expressed with free will", and accordingly, our Company obtains the explicit consent of data owners after informing them in accordance with Article 10 of the Law.

Although no period is specified for the storage of personal data within the scope of the law, in accordance with general principles, it is essential that personal data be kept for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed. In order to determine retention periods in accordance with the said principle, our company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process. Accordingly, our Company retains personal data at least for the period required by its legal obligations and, in any case, until the relevant statute of limitations expires.

Our company anonymizes, deletes or destroys personal data in accordance with the Law when the purpose of processing the relevant personal data disappears within the scope of any process, including the expiration of the mentioned periods. Anonymization within the scope of the law is defined as "Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data", and our Company's anonymization activities are carried out in accordance with the applicable legislation.

III. Personal Data Security

In order to ensure the security of personal data, our company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, intentional deletion or damage to data.

In this context, our Company takes at least the following actions:

• Taking software and hardware security measures appropriate to the personal data processed
• Carrying out the inspections stipulated within the scope of the law
• Ensuring compliance of the Company and employees with the Law through in-company training, policies and procedures
• Providing and recording access to information based on necessity through in-company authorizations
• Monitoring personal data processing activities on a process basis
• Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers

Section 4. Rights of Data Owners Arising from the Law

1. Rights of Data Owners

According to Article 11 of the Law, personal data owners;

• Learning whether personal data about him or her is being processed,
• Requesting information about personal data if it has been processed,
• Learning the purpose of processing personal data and whether they are used for their intended purpose,
• Knowing the third parties to whom personal data is transferred at home or abroad,
• Requesting correction of personal data if they are incomplete or incorrectly processed,
• Requesting the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the law and other relevant legal provisions,
• Requesting that transactions made as a result of correction, deletion and destruction requests be notified to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
• Requesting compensation for the damage in case of damage due to illegal processing of personal data,

has the rights.

The second paragraph of Article 28 of the Law regulates that, in certain cases, the data owner cannot request anything other than compensation for damages from the data controller. According to this,

• Processing personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the relevant person,
• Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law,
• Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters,

In these cases, the rights specified above cannot be exercised regarding the relevant data.

1. Exercise of Rights

Data subject requests submitted via one of the methods specified by KVKK are evaluated and answered by our Company within a maximum of thirty days. Our company reserves the right to request additional information and documents from the applicant, especially in order to evaluate whether the applicant is the relevant data owner.

As a rule, data owner applications are evaluated free of charge by our Company. However, if a fee is determined by the Personal Data Protection Board regarding the data owner's request, our Company will have the right to request payment based on this fee.