PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. INTRODUCTION
1.1. Introduction
In accordance with the Personal Data Protection Law No. 6698, we place utmost importance on processing and protecting personal data lawfully and with due diligence. This awareness guides all our planning and activities. Therefore, we present this Personal Data Processing and Protection Policy to inform you about the administrative and technical measures we have taken in compliance with Article 10 of the Law and other regulations related to the processing and protection of personal data.
1.2. Purpose of the Policy
The primary purpose of this Policy is to provide explanations about systems designed for the lawful processing and protection of personal data, and to inform individuals whose personal data are processed by our company, including but not limited to Company Stakeholders, Company Officials, Business Partners, Employee Candidates, Visitors, Customers of the Company and Group Companies, Potential Customers, and Third Parties. Through this Policy, our aim is to ensure full compliance with the legislation and safeguard the rights of data subjects regarding their personal data.
1.3. Scope of the Policy and Data Subjects
This Policy applies to individuals whose personal data are processed by our company, whether automatically or manually as part of any data recording system. However, this Policy does not apply to legal entities or data pertaining to legal entities.
Our company provides this Policy on its website to inform data subjects about the Law. For company employees, a separate Employee Personal Data Processing Policy is in effect. If any data falls outside the scope of "Personal Data" or is not processed through the methods specified above, this Policy will not apply.
Data subjects covered under this Policy include:
Company Stakeholders: Natural persons who hold shares in the company.
Company Business Partners: Natural persons involved in any business relationship with the company.
Employees of Business Partners: Employees, shareholders, or officials of natural and legal persons with whom the company has a business relationship.
Company Officials: Members of the board of directors and other authorized natural persons within the company.
Employee Candidates: Natural persons who have applied for a job or provided resumes and related information for evaluation by the company.
Company Customers: Individuals who use or have used the company’s products and services, regardless of whether they have a contractual relationship with the company.
Group Company Customers: Individuals who use or have used products and services of group companies affiliated with the company.
Potential Customers: Individuals who have shown interest in using the company’s products and services or have been evaluated as potential customers based on commercial customs and good faith.
Visitors: Individuals who visit the company’s physical premises or websites for any purpose.
Third Parties: Other natural persons who do not fall under the above categories but whose data is processed in the context of the company’s policies.
1.4. Definitions
Terms used in this Policy are defined as follows:
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Sensitive personal data including race, ethnicity, political opinions, philosophical beliefs, religion, sect, dress and appearance, union memberships, health, sexual life, criminal convictions, and biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, alteration, disclosure, transfer, or destruction.
Data Subject: The natural person whose personal data is processed.
Group Company: The group of companies to which the company is affiliated.
Data Recording System: A system where personal data is processed and structured based on specific criteria.
Data Controller: The natural or legal person who determines the purposes and means of personal data processing and is responsible for the establishment and management of the data recording system.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller.
Explicit Consent: A freely given, specific, and informed consent.
Anonymization: Rendering personal data incapable of being associated with an identified or identifiable person, even when combined with other data.
The Law: Refers to the Personal Data Protection Law No. 6698.
KVKK Board: The Personal Data Protection Board.
2. PROCESSING AND TRANSFER OF PERSONAL DATA
2.1. General Principles for Processing Personal Data
Personal data is processed by the Company in accordance with the procedures and principles set forth in the Law and this Policy. The Company adheres to the following principles when processing personal data:
- Personal data is processed in compliance with applicable legal rules and the principle of good faith.
- Personal data is kept accurate and up to date. This includes ensuring that the sources of data are identifiable, verifying their accuracy, and assessing the need for updates.
- Personal data is processed for specific, clear, and legitimate purposes. The purpose must be lawful and related to the Company's business or the services it provides.
- Personal data is processed only to the extent necessary to achieve the purposes determined by the Company. Processing of data that is not related to or required for the achievement of these purposes is avoided. In this context, processed personal data is relevant, limited, and proportionate to the purpose for which it is processed.
- The retention period of personal data is determined in accordance with applicable laws. If no retention period is specified, personal data is stored only for the time necessary to achieve its intended purpose. Once the reason for its processing ceases to exist, the data is deleted, destroyed, or anonymized.
2.2. Conditions for Processing Personal Data
The Company does not process personal data without the explicit consent of the data subject. However, in the following cases, personal data may be processed without the explicit consent of the data subject:
- If explicitly permitted by law. For example, under Article 230 of the Tax Procedure Law, the name of the relevant person may be included on an invoice without explicit consent.
- If necessary to protect the life or physical integrity of the data subject or another person who cannot provide consent due to actual impossibility or whose consent is not legally valid.
- If directly related to the establishment or performance of a contract, personal data of the contracting parties may be processed. For example, obtaining bank account details of a party for payment under a contract.
- If processing is necessary for the Company to fulfill its legal obligations as a data controller.
- If the data subject has publicly disclosed the personal data themselves.
- If processing is necessary for the establishment, exercise, or protection of a legal right.
- If processing is necessary to protect the legitimate interests of the Company, provided it does not violate the fundamental rights and freedoms of the data subject.
2.3. Conditions for Processing Special Categories of Personal Data
The Company does not process special categories of personal data without the explicit consent of the data subject. However, special categories of personal data other than health and sexual life data may be processed without explicit consent if explicitly permitted by law. Health and sexual life data may only be processed without explicit consent for purposes such as public health, preventive medicine, medical diagnosis, treatment, and care services under conditions where confidentiality obligations are met. The Company takes the necessary measures prescribed by the Personal Data Protection Board for processing special categories of personal data.
2.4. Conditions for Transferring Personal Data
The Company may transfer personal data to third parties in accordance with the purposes of processing, while taking confidentiality and security measures. Transfers are conducted in compliance with the provisions of the Law.
- Domestic Transfers: Personal data may be transferred domestically under the conditions specified in Article 5 of the Law.
- International Transfers: Personal data may be transferred to foreign countries that provide adequate protection as determined by the Personal Data Protection Board, or to countries where sufficient protection is guaranteed through written commitments by the data controllers in Turkey and the foreign country, provided that approval is obtained from the Board.
2.5. Conditions for Transferring Special Categories of Personal Data
The Company takes necessary care and security measures as determined by the Personal Data Protection Board to transfer special categories of personal data in accordance with legitimate and lawful processing purposes.
- With Explicit Consent: Special categories of personal data may be transferred if the data subject has provided explicit consent.
- Without Explicit Consent: Special categories of personal data, excluding health and sexual life data, may be transferred without explicit consent under circumstances permitted by law. Health and sexual life data may only be transferred without explicit consent for purposes such as public health, preventive medicine, medical diagnosis, treatment, and care services under conditions of confidentiality.
2.5.1. International Transfer of Special Categories of Personal Data
The Company may transfer special categories of personal data to foreign countries under the following conditions:
- With Explicit Consent: If the data subject has provided explicit consent.
- Without Explicit Consent: Special categories of personal data other than health and sexual life data may be transferred to foreign countries under circumstances permitted by law. Health and sexual life data may only be transferred for purposes such as public health, preventive medicine, medical diagnosis, treatment, and care services to authorized institutions or individuals under confidentiality obligations.
3. PURPOSES OF PROCESSING AND TRANSFERRING PERSONAL DATA, AND RECIPIENTS
3.1. Purposes of Processing and Transferring Personal Data
Personal data is processed in compliance with the law and the purposes outlined in the Personal Data Protection Law. The purposes include:
- Effective planning and implementation of human resources policies,
- Proper planning, execution, and management of commercial partnerships and strategies,
- Ensuring the legal, commercial, and physical security of the company and its business partners,
- Maintaining corporate operations, planning, and executing management and communication activities,
- Optimizing the use of the company's products and services by data subjects and tailoring them to meet their demands, needs, and preferences,
- Ensuring the highest level of data security,
- Establishing databases,
- Enhancing services offered on the company’s website and addressing any issues encountered,
- Communicating with data subjects who submit requests or complaints and managing these processes,
- Managing events,
- Managing relationships with business partners or suppliers,
- Conducting personnel recruitment processes,
- Supporting the personnel recruitment processes and legal compliance of group companies,
- Planning and executing audit activities to ensure group companies’ operations comply with applicable laws,
- Supporting processes for planning and executing fringe benefits and advantages for senior executives of the company and group companies,
- Supporting legal corporate transactions of group companies,
- Performing and monitoring financial reporting and risk management activities,
- Managing the company’s legal affairs,
- Conducting efforts to protect the company’s reputation,
- Managing investor relations,
- Providing information to authorized entities as required by legislation,
- Establishing and maintaining visitor records.
These purposes are limited to the data processing conditions specified in Articles 5 and 6 of the Law. If any processing activity does not meet the conditions specified in the Law, the company obtains the explicit consent of the data subject before proceeding.
3.2. Recipients of Personal Data
Personal data may be shared with business and solution partners, banks, and third parties who perform technical, logistical, and similar operations on behalf of the company to ensure the delivery of services in a complete and flawless manner. These third parties are limited to those who must access the relevant data to provide the services in question.
In addition to these, personal data may also be shared with other third parties in cases where such sharing is necessary for the complete and flawless provision of services, for the company to fulfill its legal obligations, where explicitly required by law, or in compliance with a judicial or administrative order issued lawfully. Such data transfers are strictly limited to the relevant individuals or institutions.
Some personal data may also be shared with advertisers in an aggregated and anonymized form to enable targeted advertisements.
Anonymized data consists of information that cannot be associated with you as a visitor or customer and does not include identifiable personal information. Your privacy remains secure in anonymized data.
4. METHODS AND LEGAL REASONS FOR COLLECTING, DELETING, DESTROYING, ANONYMIZING, AND RETAINING PERSONAL DATA
4.1. Methods and Legal Basis for Collecting Personal Data
In accordance with Article 1, which outlines the purpose of the Law, and Article 2, which defines its scope, personal data is collected through various verbal, written, and electronic means such as stores, sales points, call centers, the Company's website, mobile applications, and other channels. The collection is carried out to fulfill the purposes specified in this Policy and to ensure the complete and accurate fulfillment of legal obligations derived from laws, contracts, requests, and demands. Personal data is processed by the Company or by data processors authorized by the Company.
4.2. Deletion, Destruction, or Anonymization of Personal Data
Subject to provisions in other laws regarding the deletion, destruction, or anonymization of personal data, the Company deletes, destroys, or anonymizes personal data, either ex officio or upon the request of the data subject, if the reasons for processing such data cease to exist.
Deletion of personal data ensures that the data cannot be used or retrieved under any circumstances. For this purpose, data stored on documents, files, CDs, diskettes, hard drives, or other storage media is rendered irretrievable.
Destruction involves rendering data stored in various storage mediums—such as documents, files, CDs, diskettes, or hard drives—completely unusable and irretrievable.
Anonymization ensures that personal data can no longer be associated with an identified or identifiable individual, even when combined with other data.
4.3. Retention Period for Personal Data
The Company retains personal data for the period specified in the relevant legislation. If no specific retention period is mentioned in the legislation, personal data is retained for the duration required for the purposes for which it is processed, as dictated by the Company's practices and customary commercial practices. Afterward, the data is deleted, destroyed, or anonymized.
If the purpose of processing personal data has ceased and the retention period determined by the relevant legislation and the Company has expired, the data may still be retained solely for the purpose of serving as evidence in potential legal disputes or for exercising or defending a legal right linked to the data. In determining these retention periods, the statute of limitations for asserting rights and any relevant legal precedents are considered. During this period, the data is not accessed for any other purpose, and access is permitted only if it is necessary for a legal dispute. Once this retention period ends, the data is deleted, destroyed, or anonymized.
Detailed regulations regarding the storage, deletion, destruction, and anonymization of personal data are outlined in the Company’s Personal Data Retention and Destruction Policy.
5. PERSONAL DATA PROTECTION
The Company, in compliance with Article 12 of the Personal Data Protection Law, takes necessary technical and administrative measures to ensure an adequate level of security to prevent the unlawful processing, unauthorized access, and improper retention of personal data. Additionally, the Company conducts or commissions periodic audits to ensure these measures are effective.
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures to Ensure Lawful Processing of Personal Data
The Company implements technical and administrative measures to ensure the lawful processing of personal data, considering technological capabilities and application costs.
Technical Measures for Lawful Processing of Personal Data:
- The Company monitors personal data processing activities through established technical systems.
- Regular internal audits are conducted, and findings are reported to relevant parties.
- The Company employs personnel with technical expertise.
Administrative Measures for Lawful Processing of Personal Data:
- Employees are trained and informed about personal data protection laws and lawful data processing practices.
- All Company activities are analyzed comprehensively, and specific data processing activities are identified for each business unit.
- Business unit-specific legal compliance requirements are established, and awareness is raised to ensure adherence through internal policies and training.
- Contracts and documents governing the relationship between the Company and its employees include provisions preventing employees from processing, disclosing, or using personal data outside of Company instructions or legal exceptions. Awareness and compliance are monitored through audits.
5.1.2. Measures to Prevent Unauthorized Access to Personal Data
The Company takes technical and administrative measures to prevent unauthorized disclosure, access, transfer, or other forms of unlawful access to personal data.
Technical Measures to Prevent Unauthorized Access:
- Up-to-date technical safeguards are implemented and periodically revised.
- Access permissions are restricted and reviewed regularly.
- Security measures include antivirus systems and firewalls.
- Regular security scans are conducted to identify vulnerabilities, and issues are promptly addressed.
- Technical personnel are employed to oversee these systems.
Administrative Measures to Prevent Unauthorized Access:
- Employees are trained on technical safeguards to prevent unauthorized access.
- Access authorization processes are designed and implemented across the organization.
- Employees are required to provide undertakings that they will not disclose or misuse personal data learned during their employment, even after leaving the Company.
- Contracts with third parties include clauses requiring compliance with data protection standards.
5.1.3. Secure Storage of Personal Data
The Company ensures that personal data is stored securely and takes measures to prevent unlawful destruction, loss, or alteration.
Technical Measures for Secure Storage of Personal Data:
- Appropriate technological systems are used for secure storage.
- Access to data is restricted to authorized individuals, and logs are maintained for all access attempts.
- Data storage locations are equipped with technical security systems, and regular tests are conducted to identify vulnerabilities.
Administrative Measures for Secure Storage of Personal Data:
- Employees receive training on secure data storage.
- Legal and technical consultancy services are utilized to keep up with developments in information security and privacy.
5.1.4. Auditing Measures for Data Protection
The Company conducts or commissions audits to ensure compliance with the necessary data protection measures. Findings are reported internally, and improvements are implemented based on these evaluations.
5.1.5. Measures in Case of Unauthorized Disclosure
In the event that personal data is unlawfully accessed by third parties, the Company promptly informs the relevant data subject and the Personal Data Protection Board as required by Article 12 of the Law. If deemed necessary by the Board, the incident may also be announced publicly via its website or other methods.
5.2. Safeguarding the Legal Rights of Data Subjects
The Company upholds and protects the legal rights of data subjects, as outlined in the Policy and the Law, ensuring that all necessary precautions are taken. Detailed information about these rights is provided in Section 6 of this Policy.
5.3. Protection of Special Categories of Personal Data
The Law assigns special importance to certain types of personal data, which are at greater risk of causing discrimination or harm if unlawfully processed. These include data on race, ethnicity, political opinions, religion, union membership, health, sexual life, criminal convictions, and biometric or genetic data. The Company ensures the utmost diligence in protecting these special categories of personal data, applying all necessary technical and administrative measures.
6. RIGHTS OF THE DATA SUBJECT, EXERCISING RIGHTS, AND EVALUATION
6.1. Informing the Data Subject
In accordance with Article 10 of the Personal Data Protection Law, the Company informs data subjects at the time of collecting personal data. Within this context, the Company provides information about the identity of the Company representative (if applicable), the purpose for which personal data will be processed, the entities to which the processed data may be transferred and for what purpose, the method and legal basis of data collection, and the rights of the data subject.
6.2. Rights of the Data Subject Under the Personal Data Protection Law
Pursuant to Article 10 of the Law, the Company informs you about your rights, provides guidance on how to exercise them, and implements the necessary internal processes and administrative and technical arrangements to facilitate the exercise of these rights. In line with Article 11 of the Law, individuals whose personal data is processed have the right to:
(1) Learn whether their personal data has been processed.
(2) Request information regarding the processing of their personal data.
(3) Learn the purpose of processing their personal data and whether it is used in accordance with the intended purpose.
(4) Learn the third parties to whom personal data has been transferred, whether domestically or abroad.
(5) Request the correction of personal data if it has been processed inaccurately or incompletely.
(6) Request the deletion or destruction of personal data within the scope of Article 7 of the Law, provided the processing conditions no longer exist.
(7) Request notification of the third parties to whom the personal data was transferred about the processes carried out under items (5) and (6).
(8) Object to the emergence of any unfavorable outcome for them as a result of processing their personal data exclusively through automated systems.
(9) Request compensation for damages if they incur losses due to the unlawful processing of their personal data.
6.3. Cases Where Data Subject Rights Cannot Be Exercised
Under Article 28 of the Law, the following cases are excluded from the scope of the Law. As such, data subjects cannot exercise the rights listed in 6.2 in the following circumstances:
- Processing of personal data by natural persons solely for their personal activities or those related to their family members residing in the same household, provided the data is not shared with third parties and data security obligations are observed.
- Processing of personal data for official statistical purposes or through anonymization for purposes such as research, planning, and statistics.
- Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or does not constitute a crime.
- Processing of personal data by public institutions and organizations authorized by law to protect national defense, national security, public security, public order, or economic security.
- Processing of personal data by judicial authorities or enforcement agencies related to investigations, prosecutions, trials, or enforcement proceedings.
Under Article 28/2 of the Law, data subjects cannot exercise the rights listed in 6.2, except for the right to seek compensation for damages, in the following cases:
- If personal data processing is required for the prevention of crime or for criminal investigations.
- If the personal data has been made public by the data subject themselves.
- If personal data processing is necessary based on legal authority granted to public institutions and organizations or public professional organizations to conduct supervisory or regulatory duties or for disciplinary investigations or prosecutions.
- If personal data processing is necessary for budgetary, tax, or financial matters related to the protection of the economic and financial interests of the State.
6.4. Exercising the Rights of the Data Subject
Data subjects may submit their requests concerning their rights listed in 6.2 along with information and documents that verify their identity, using the methods provided below or as specified by the Personal Data Protection Board:
- Filling out and signing the Application Form, which can be accessed via [Email Address], and delivering it in person or via notary to the address [Address].
- Completing and signing the Application Form with a secure electronic signature under the Electronic Signature Law No. 5070 and sending the securely signed form to [KEP Address] via registered electronic mail.
- Visiting the Company in person, verifying their identity with relevant documentation, and submitting the completed form via an email address registered in the Company's system.
For third parties to submit requests on behalf of data subjects, a notarized special power of attorney must be provided by the data subject authorizing the request.
6.5. Company’s Procedure and Timeline for Responding to Applications
The Company will evaluate the requests submitted by data subjects and finalize them free of charge within the shortest time possible, and no later than thirty days from the date of receipt, depending on the nature of the request. However, if processing the request incurs additional costs, fees may be charged according to the tariff determined by the Personal Data Protection Board. The Company may accept the request or reject it by providing justification and will inform the applicant of the response in writing or electronically. If the request is accepted, the Company will take the necessary actions.
6.6. Right to Lodge a Complaint with the Personal Data Protection Board
If the request is rejected, the response is deemed insufficient, or no response is provided within the prescribed period, the data subject has the right to file a complaint with the Personal Data Protection Board within thirty days of learning the response or, in any case, within sixty days of the application date.
7. MANAGEMENT STRUCTURE UNDER THE COMPANY’S PERSONAL DATA PROCESSING AND PROTECTION POLICY
Within the company, a Personal Data Committee has been established by decision of the senior management to manage this Policy and other related policies. The Personal Data Committee is authorized and responsible for ensuring that the personal data of Data Subjects are stored and processed in compliance with the law, this Policy, and other associated policies. Detailed regulations regarding the individuals assigned to the Personal Data Committee and their responsibilities are included in the Personal Data Retention and Destruction Policy, which is published on the company’s website.
8. UPDATES, COMPLIANCE, AND AMENDMENTS
8.1. Updates and Compliance
The company reserves the right to amend this Policy and other associated policies due to changes in the Law, decisions by the Personal Data Protection Board, or developments in the sector or the field of information technology. Any changes made to this Policy will be promptly incorporated into the text, and explanations regarding the changes will be provided at the end of the Policy.