Policy on Processing and Protection of Personal Data

Section 1. Purpose and Enforcement of the Policy

Personal Data Protection Law No. 6698 (“Law”) entered into force on April 7, 2016. The law sets forth the procedures and principles regarding the processing of personal data by real or legal persons who are classified as "data controllers" and who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.

Within the scope of the law, personal data is defined as "all kinds of information regarding an identified or identifiable natural person"; Processing is defined as “obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automated or non-automatic means provided that it is part of any data recording system.” It is defined as “any action performed on data, such as preventing its use or use.”

In addition to its other regulations, the law imposes an obligation on data controllers to inform/enlighten data owners whose personal data will be processed during the collection of personal data. According to Article 10 of the Law, data controllers;

– Identity of the data controller and his representative, if any,
– For what purpose personal data will be processed,
– To whom and for what purpose the processed personal data can be transferred,
– Method and legal reason for collecting personal data, other rights listed in Article 11 of the Law,
should inform about the issues.

This document (“Policy”) has been written to inform the natural persons whose personal data our Company processes as the data controller within the scope of the above-mentioned article. The subject of this Policy is our Company's customers, corporate customers' shareholders, officials and employees, potential customers, shareholders, officials and employees of our business partners and suppliers, our employee candidates, former employees and interns of our Company, retired people from our Company, our visitors, company officials and shareholders, business Issues regarding the processing of personal data regarding our employees, who are our partner and supplier candidates and other third parties, are regulated within the scope of a separate policy text presented to employees in accordance with the Law.

Section 2. Scope of the Law and Our Company's Rights and Obligations Arising from the Law

In accordance with Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, in addition to fulfilling the disclosure obligation specified in Section 1 above:

– Complying with the law and the rules of honesty.
– Be accurate and up to date when necessary.
– Processing for specific, explicit and legitimate purposes.
– Being related to the purpose for which they are processed, limited and proportionate.
– Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

II. Personal Data Processing and Sharing Purposes Within the Scope of the Law

In accordance with the law, personal data cannot, as a rule, be processed without the explicit consent of the data owner. However, within the scope of Articles 5 and 6, the Law has determined some situations in which data may be processed without explicit consent in terms of personal data and special categories of personal data.