Personal Data Protection and Processing Policy

SETAŞ SYSTEM INFORMATION TECHNOLOGY INDUSTRY TRADE INC.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Recipient:

All natural persons, other than the employees of Setaş System Information Technology Industry Trade Inc. whose personal data are processed by Setaş System Information Technology Industry Trade Inc.

Prepared by:

Setaş System Information Technology Industry Trade Inc.

Approved by:

Approved by the board of directors of Setaş System Information Technology Industry Trade Inc.

TABLE OF CONTENTS

INTRODUCTION

• Introduction
• Purpose of the Policy
• Scope of the Policy
• Definitions
• Effectiveness of the Policy

PROTECTION OF PERSONAL DATA

• Security of Personal Data
• Auditing
• Confidentiality
• Unauthorized Disclosure of Personal Data
• Compliance with the Legal Rights of Data Subjects
• Protection of Special Categories of Personal Data

PROCESSING AND TRANSFER OF PERSONAL DATA

• General Principles for the Processing and Transfer of Personal Data
  • Compliance with Law and Principles of Honesty
  • Accuracy and, Where Necessary, Currentness
  • Processing for Specified, Explicit, and Legitimate Purposes
  • Connection to the Purpose of Processing, Limitation, and Proportionality
  • Retention for the Period Required by Relevant Legislation or for the Purpose for Which They Were Processed
• Conditions for Processing Personal Data
  • Clearly Foreseen in Laws
  • Mandatory for Protecting the Life or Bodily Integrity of a Person Who is Incapable of Providing Consent Due to Physical Inability or Whose Consent is Not Legally Valid
  • Necessary for the Processing of Personal Data Belonging to the Parties to a Contract, Provided That It Is Directly Related to the Establishment or Performance of the Contract
  • Necessary for the Company to Fulfill Its Legal Obligation
  • Made Public by the Data Subject Themselves
  • Necessary for the Establishment, Exercise, or Protection of a Right
  • Necessary for the Legitimate Interests of the Company Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Subjects
• Conditions for Processing Special Categories of Personal Data
  • Clearly Foreseen in Laws
  • For the Protection of Public Health, Preventive Medicine, Medical Diagnosis, Treatment, and Care Services, and Planning and Management of Health Services and Financing
• Conditions for Transferring Personal Data
  • Conditions for Transferring Personal Data Abroad

CATEGORIES OF PERSONAL DATA AND GROUPS OF DATA SUBJECTS

• Categories of Personal Data
• Groups of Data Subjects

METHOD OF COLLECTING PERSONAL DATA AND LEGAL BASIS

• Method of Collecting Personal Data
• Legal Basis for Collecting Personal Data

PURPOSES OF PROCESSING PERSONAL DATA

• Matching Processing Purposes with Categories of Personal Data for Groups of Data Subjects

PURPOSES OF TRANSFERRING PERSONAL DATA AND RECIPIENTS/ORGANIZATIONS TO WHOM DATA ARE TRANSFERRED

• Purposes of Transferring Personal Data

DESTRUCTION OF PERSONAL DATA AND RETENTION PERIODS

• Destruction of Personal Data
• Retention Periods for Personal Data

INFORMATION OF DATA SUBJECTS AND RIGHTS UNDER THE KVK LAW

• Informing the Data Subject
• Cases Where the Policy and the Law Will Not Be Fully or Partially Applied
• Rights of the Data Subject Under the KVK Law

INTRODUCTION

Introduction

Setaş System Information Technology Industry Trade Inc. (“Company”) places maximum importance on protecting the fundamental rights and freedoms of individuals, particularly the right to privacy as regulated in Article 20 of the Constitution, in the protection and processing of personal data. In this context, the Company ensures the lawful protection and processing of personal data in accordance with the Law on the Protection of Personal Data No. 6698 (“Law” or “KVK Law”), acting in this understanding in all planning and activities.

The Company does not consider the protection and processing of personal data, which is the basis of privacy, merely as compliance with legislation, but places the value it gives to humanity at the core of its approach. With this awareness, our Company takes all necessary administrative and technical measures for the lawful protection and processing of personal data.

Purpose of the Policy

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to maximize the protection of the fundamental rights and freedoms of individuals, particularly the right to privacy as regulated in Article 20 of the Constitution, in the protection and processing of personal data processed by fully or partially automated means or non-automated means as part of any data recording system, in accordance with the purpose of the Law, and to inform data subjects (relevant persons) about the obligations of the Company and the procedures and principles it will comply with under the Law. In line with the purpose of the Policy, the aim is to ensure full compliance with legislation in the activities of protecting and processing personal data carried out by our Company and to protect the privacy and data security rights of data subjects.

Scope of the Policy

This Policy applies to real persons including Job Candidates, Interns, Company Officials, Partner Officials, Partner Employees, Suppliers, Supplier Officials, Supplier Employees, Contractors, Contractor Employees, Company Shareholders/Partners, Service Provider Employees, Customers, Customer Officials, Customer Employees, Board Members, Participants, Visitors, and Third Parties. The Company informs these data subjects about the Law by publishing this Policy on its website. This Policy will not apply to legal entities regardless of their capacity. For our Company employees, the “Personal Data Processing Policy for Employees” will be applied.

This Policy will apply to the processing of personal data of the above-mentioned relevant persons by our Company, whether by fully or partially automated means or non-automated means as part of any data recording system. This Policy will not apply if the data does not fall within the scope of “Personal Data” as defined below or if the personal data processing activities carried out by our Company do not occur through the means specified above.

Definitions

The terms used in the application of this Policy have the following meanings:

• Explicit Consent: Consent related to a specific issue that is based on being informed and expressed freely.
• Public Disclosure: The concept of making known to everyone is defined in Article 5 of the Law No. 6698 as one of the exceptions to the requirement for obtaining explicit consent for the processing of personal data.
• Obligation to Inform: The obligation of the data controller to inform the individuals whose personal data they process about who processes their data, for what purposes, and based on what legal grounds, as well as to whom their data may be transferred and for what purposes.
• Relevant User: Individuals who process personal data within the data controller organization, other than the person or unit responsible for the technical storage, protection, and backup of the data, in accordance with the authority and instructions received from the data controller.
• Destruction: Refers to the deletion, destruction, or anonymization of personal data.
• Processing of Personal Data: Any operation performed on personal data, whether by automated means or not, including collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
• KVK Board: The Personal Data Protection Board.
• Relevant Person / Data Subject: Individuals whose personal data (including special categories of personal data) are processed, including Job Candidates, Interns, Company Officials, Partner Officials, Partner Employees, Suppliers, Supplier Officials, Supplier Employees, Contractors, Contractor Employees, Company Shareholders/Partners, Service Provider Employees, Customers, Customer Officials, Customer Employees, Board Members, Participants, Visitors, and Third Parties.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Institution: The Personal Data Protection Authority, consisting of the Board and the Presidency.
• Automated Data Processing: Processing activities that are carried out automatically, without human intervention, through pre-prepared algorithms via devices with processors, such as computers, phones, watches, etc.
• Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
• Registry: The Data Controllers Registry.
• Company / Our Company: Setaş System Information Technology Industry Trade Inc.
• Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted to them by the data controller.
• Data Recording System: A system in which personal data is processed in accordance with certain criteria.
• Data Category: A class of personal data belonging to a group or groups of data subjects, grouped according to their common characteristics.
• Data Subject Group: The group of relevant persons whose personal data is processed by the data controller.
• Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Effectiveness of the Policy

This Policy organized by Setaş System Information Technology Industry Trade Inc. will enter into force on the date it is approved by the Board of Directors of our Company. Necessary works regarding amendments to the Policy and the enforcement of these amendments will be carried out by the KVK Committee, and the amendments will take effect after approval by the Board of Directors of the Company.

The Policy organized by Setaş System Information Technology Industry Trade Inc., which came into force on July 5, 2023, is made accessible to the relevant persons by being published on the Company’s website (https://www.setasbilisim.com.tr/).

PERSONAL DATA PROTECTION

Security of Personal Data

Our company takes all necessary administrative and technical measures to ensure an appropriate level of security in order to securely store personal data and prevent unlawful processing and access to personal data in accordance with the Law. The administrative and technical measures taken regarding the security of personal data are detailed in our Personal Data Retention and Destruction Policy.

To ensure compliance with the provisions of the Law and other relevant legislation, our company has established a "Personal Data Protection Management System" and created a Personal Data Protection Committee within its structure to ensure the implementation of the Policy and other related policies.

Audit

Our company conducts and ensures necessary audits to establish data security as described above and to maintain the regularity and continuity of the measures taken. The Personal Data Protection Committee audits the measures taken for the security of personal data.

Confidentiality

Our company takes all necessary administrative and technical measures, according to technological means and application costs, to ensure that relevant data controllers and processors do not disclose personal data they possess to others in violation of the Law and Policy provisions, and do not use it for purposes other than processing. In this context, information and training activities about the Law and Policy are carried out for company employees, and confidentiality agreements are signed as part of the recruitment process for relevant employees.

Unauthorized Disclosure of Personal Data

In cases where personal data processed by our company is obtained unlawfully by others, our company will carry out the necessary procedures to notify the data subject and the Personal Data Protection Authority within the timeframes determined by the Authority. If deemed necessary by the Authority, this situation will be announced on the Authority’s website or through another method deemed appropriate by the Authority.

Protection of the Legal Rights of Data Subjects

Our company respects all legal rights of data subjects regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

Protection of Special Categories of Personal Data

Personal data regarding an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are classified as special categories of personal data. Our company is aware that the processing of such personal data can lead to harm to the individual or discrimination if disclosed by others. Therefore, we take the necessary precautions determined by the Authority to protect such legally processed personal data with utmost care. In this context, we have a separate policy (Special Categories of Personal Data Security Policy) and procedure that is systematic, clearly defined, manageable, and sustainable.

PROCESSING AND TRANSFER OF PERSONAL DATA

General Principles for Processing and Transferring Personal Data

Personal data is processed by our company in accordance with the procedures and principles outlined in the Law and this Policy. Our company adheres to the following principles when processing personal data.

Compliance with Law and Principles of Honesty

Our company processes personal data in accordance with the relevant legislation and the requirements of the principle of honesty, using it within those limits. According to the principle of honesty, our company considers the interests and reasonable expectations of data subjects while striving to achieve the goals of data processing. It acts preventively to avoid outcomes that the data subject does not expect or should not expect. Additionally, in accordance with this principle, our company ensures that the data processing activity is transparent for the data subject; it acts in compliance with the obligations to inform and warn.

Accuracy and Timeliness

Our company ensures that the personal data processed, considering the fundamental rights and legitimate interests of data subjects, is accurate and up to date. In this scope, it carefully considers matters such as ensuring the sources from which the data is obtained are specific, confirming the accuracy, and evaluating whether updates are needed. Our company maintains open channels to ensure that the information of the data subject is accurate and current in line with the active diligence obligation. Keeping personal data accurately and timely not only protects our company’s interests but is also necessary for the protection of the fundamental rights and freedoms of the data subject.

Processing for Specific, Explicit, and Legitimate Purposes

Our company clearly defines the purpose of data processing and ensures that it is legitimate. The legitimacy of the purpose means that the personal data processed by our company is related to its business or services and is necessary for them. Our company does not process personal data for purposes other than those stated. In this regard, it shows sensitivity in compliance with the principles of clarity and determination in legal documents and texts that declare the purposes of personal data processing.

Relevant, Limited, and Proportionate to the Purpose of Processing

Our company ensures that the personal data processed is suitable for achieving the defined purposes and refrains from processing data that is unrelated to or unnecessary for achieving the purpose. Our company does not collect or process personal data for purposes that do not currently exist or are later anticipated. To meet potential future needs, it processes data in accordance with the processing conditions regulated in the Law as if it is starting to process for the first time. Additionally, it restricts the processed data to what is necessary to achieve the purpose. Under the principle of proportionality, it maintains a reasonable balance between the intended purpose and data processing.

Retention for the Period Required by Relevant Legislation or Necessary for the Purpose of Processing

If there is a time period prescribed by the relevant legislation for data retention, our company complies with these periods; otherwise, personal data is retained only for the time necessary for the purpose for which it was processed. If there is no valid reason for retaining personal data longer, the data will be deleted, destroyed, or anonymized. The procedures for the retention and destruction of personal data are detailed in our Personal Data Retention and Destruction Policy.

Conditions for Processing Personal Data

Our company does not process personal data without the explicit consent of the relevant person. Personal data can only be processed without seeking the explicit consent of the relevant person in the presence of one of the following conditions:

1. Explicit Provision in Laws
   Our company can process personal data without seeking the explicit consent of the relevant person in situations explicitly provided in the laws.
2. Emergency Situations Where Consent Cannot be Given
   Our company can process personal data without seeking consent for the protection of the life or bodily integrity of the person or another individual if the consent cannot be given or is legally invalid.
3. Necessary for the Establishment or Performance of a Contract
   Our company can process personal data without seeking consent if it is necessary for the establishment or performance of a contract directly related to the parties of the contract.
4. Necessity for Legal Obligations
   Our company can process personal data without seeking consent in cases where it is necessary for fulfilling its legal obligations as a data controller.
5. Publicly Disclosed by the Relevant Person
   Our company can process personal data publicly disclosed by the relevant person, under the assumption that the legal benefit requiring protection has ceased, as long as it is limited to the purpose of public disclosure.
6. Necessary for Establishing, Using, or Protecting a Right
   Our company can process personal data without seeking consent when it is necessary for the establishment, use, or protection of a legally legitimate right.
7. Necessary for Legitimate Interests Without Compromising Rights and Freedoms
   Our company can process personal data when it is necessary for its legitimate interests, provided it does not compromise the fundamental rights and freedoms of the relevant person. Our company shows the necessary sensitivity to comply with the fundamental principles of personal data protection and to maintain the balance of interests between itself and the data subjects. The concept of legitimate interest refers to an interest that is legitimate, effective to the level that can compete with the fundamental rights and freedoms of the individual, specific, and currently existing. Our company takes additional protective measures to ensure that no harm comes to the rights of the data subject. A reasonable balance is established between the interests of our company and the fundamental rights and freedoms of the relevant person.

Conditions for Processing Special Categories of Personal Data

Our company does not process special categories of personal data without the explicit consent of the relevant person. Special categories of personal data can only be processed without seeking the explicit consent of the relevant person in the presence of one of the following conditions:

1. Explicit Provision in Laws
   Special categories of personal data, except for health and sexual life data, can be processed without seeking explicit consent in situations explicitly provided by the laws.
2. Protection of Public Health, Preventive Medicine, Medical Diagnosis, Treatment, and Care Services
   Special categories of personal data regarding health and sexual life can be processed by individuals or authorized institutions and organizations bound by a confidentiality obligation for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning and management of health services and financing.

Conditions for the Transfer of Personal Data

Our company may transfer personal data to third parties, based on one or more of the conditions for processing personal data stated in Article 8 of the Law, while taking necessary security measures:

• The data subject's explicit consent,
• There is a clear regulation regarding the transfer of personal data in the laws,
• The transfer of personal data is mandatory for the protection of the life or bodily integrity of the data subject or another person, and the data subject is unable to express their consent due to physical impossibility or their consent is not legally valid,
• The transfer of personal data belonging to the parties of a contract is necessary, provided it is directly related to the establishment or execution of the contract,
• The transfer of personal data is mandatory for our company to fulfill its legal obligations,
• The personal data has been made public by the data subject,
• The transfer of personal data is mandatory for the establishment, use, or protection of a right,
• The transfer of personal data is mandatory for our company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

Sensitive personal data can be transferred based on one of the following conditions and only if adequate measures are taken:

• The data subject's explicit consent,
• If the sensitive personal data concerns matters other than the data subject's health and sexual life, there must be a clear regulation in the laws regarding the transfer of such data.

If the sensitive personal data pertains to the data subject's health and sexual life, it may be transferred by individuals or authorized institutions that are bound by confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, as well as the planning and management of health services and financing.

Conditions for the Transfer of Personal Data Abroad

Our company may transfer personal data abroad based on the explicit consent of the data subject in accordance with Article 9 of the Law, while taking necessary security measures.

However, our company may also transfer personal data without seeking the explicit consent of the data subject if one of the conditions specified in Article 5, paragraph 2, and Article 6, paragraph 3 of the Law is present. This is subject to the provisions of international treaties to which Turkey is a party, and only to foreign countries that the Personal Data Protection Authority has declared to provide adequate protection, or in cases where there is no adequate protection, to foreign countries whose data controllers in Turkey and the relevant foreign country have committed to provide adequate protection in writing and have received permission from the Personal Data Protection Authority.

Personal Data Categories and Groups of Data Subjects

Personal Data Categories

Personal data is categorized and processed by our company as follows:

Identity

Data containing information about the identity of personal data subjects: Name-surname, Turkish ID number, marital status, names of parents, place and date of birth, and other identity information, including copies of driver's licenses, national ID cards, and passports; tax number, social security number, signature information, etc.

Contact

Contact information of personal data subjects: Phone number, address, email address, registered electronic mail address (KEP), fax number, etc.

Personal Rights

Information processed to protect the personal rights of data subjects: CV, title information; records of employment documents; social security/pension information, payroll information, asset declaration information, details of disciplinary investigations, and performance evaluation reports, etc.

Legal Transactions

Data processed within the scope of the company’s legal claims and rights, including the determination, follow-up, and fulfillment of its obligations: Power of attorney information, court and administrative authority decisions, correspondence with judicial authorities, information in case files, etc.

Customer Transactions

Personal data arising from requests and contracts due to sales or service agreements between our company and our customers: Request/Complaint information, etc.

Physical Security

Personal data related to records and documents obtained during entry to and while inside the company’s physical premises: Entry-exit records, magnetic card records, security camera footage, vehicle license plates, etc.

Finance

Personal data processed related to information, documents, and records that demonstrate the results of any financial relationship established by the company with personal data subjects, including bank account information, credit information, balance sheet information, financial profile, assets, and insurance information, etc.

Professional Experience

Information recorded during the hiring process and after, including diploma, transcript, training/course/certificate information, license information, foreign language skills, reference information, etc.

Visual and Audio Records

Photos, video, and audio recordings that can be obtained outside of physical security measures, as well as other documents to which these data are transmitted: Photos attached to forms, video interviews, and meeting recordings, etc.

Family Members and Relatives Information

Identity and contact data concerning the family members of the employee, company shareholder, or authorized person.

Location

Information regarding the location of personal data subjects: Location data obtained while using company-owned vehicles or devices; location data obtained through systems such as OGS, vehicle recognition, and meal cards, etc.

SPECIAL CATEGORIES OF PERSONAL DATA

Health Information

Health data belonging to personal data subjects: Examination information, health reports, disability status, health leave, blood type information, etc.

Criminal Conviction and Security Measures

Documents containing information regarding the criminal convictions and security measure decisions related to personal data subjects: Criminal record certificates.

Race and Ethnic Origin Information

Information related to the citizenship, nationality, etc., of personal data subjects.

Biometric Information

Biometric data belonging to personal data subjects: Biometric data required for the use of fingerprint and facial recognition systems in company buildings.

Data Subject Groups

Only real persons can benefit from the protection of this Policy and the Law. The personal data subjects within this scope are categorized as follows:

Candidate

Individuals who have applied for a job with our company in any way or have opened their resume and related information for examination by our company.

Intern

Individuals studying in or graduated from the relevant departments of educational institutions participating in our internship programs.

Company Representative

Individuals who are representatives of Setaş Sistem Bilişim Sanayi Ticaret Anonim Şirketi.

Company Shareholder/Partner

Individuals who are shareholders/partners of Setaş Sistem Bilişim Sanayi Ticaret Anonim Şirketi.

Board of Directors Members

Members of the Board of Directors of Setaş Sistem Bilişim Sanayi Ticaret Anonim Şirketi.

Customer

Individuals such as dealers, distributors, or points of sale that deliver our services to the end consumer under a contractual relationship, as well as the real persons purchasing these services.

Customer Representative

Authorized individuals of real or legal entities such as dealers, distributors, or points of sale that deliver our products to the end consumer under a contractual relationship.

Customer Employee

Identifiable employees of real or legal entities such as dealers, distributors, or points of sale that deliver our products to the end consumer under a contractual relationship.

Service Provider Employee

Authorized or employee representatives of individuals or legal entities that are not included in the Customer, Contractor, and Supplier groups but are in a business relationship with our company.

Contractor

Individuals with whom our company has established a principal-employer/subcontractor relationship through a contract.

Contractor Employee

Identifiable employees of real or legal entities with whom our company has established a principal-employer/subcontractor relationship through a contract.

Business Partner Representative

Authorized individuals of real or legal entities that are not included in the Participant, Contractor, and Supplier groups but are in a business relationship with our company.

Business Partner Employee

Identifiable employees of real or legal entities that are not included in the Participant, Contractor, and Supplier groups but are in a business relationship with our company.

Supplier

Individuals providing inputs, raw materials, or products to our company for the purpose of supplying a product or service.

Supplier Representative

Authorized individuals of real or legal entities providing inputs, raw materials, or products to our company for the purpose of supplying a product or service.

Supplier Employee

Identifiable employees of real or legal entities providing inputs, raw materials, or products to our company for the purpose of supplying a product or service.

Participant

Individuals receiving EKB Specialist Training.

Third Parties

Individuals who do not have a direct legal relationship with our company and whose data has been obtained in a lawful manner through indirect means.

Visitor

All individuals who have entered the physical premises owned by our company for various purposes or visited our websites for any purpose.

METHOD OF COLLECTING PERSONAL DATA AND LEGAL BASIS

Method of Collecting Personal Data

Our company collects personal data partially or entirely through automated or non-automated means, in any form including verbal, written, and electronic channels, solely for the purposes specified in Article 6.1, including but not limited to:

• Job application forms,
• Various documents submitted to the company,
• Mail and emails sent to the company,
• Documents,
• Computers,
• The internet,
• Group companies and data subjects.

Legal Basis for the Collection of Personal Data

Our company collects personal data based on one of the legal grounds specified in Articles 5 and 6 of the Law:

• The explicit consent of the data subject,
• Explicit provision in laws,
• The personal data being made public by the data subject,
• Necessity for the processing of personal data belonging to the parties of a contract, provided it is directly related to the establishment or performance of the contract,
• It is mandatory for our company to fulfill its legal obligations,
• Necessity for the establishment, exercise, or protection of a right,
• Processing of data being mandatory for our legitimate interests, provided it does not infringe upon the fundamental rights and freedoms of the data subjects.

PURPOSES OF PROCESSING PERSONAL DATA

Mapping of Processing Purposes with Personal Data Categories of Data Subjects

The purposes for processing the personal data categories of the defined groups of data subjects are mapped as follows: (Natural persons can only belong to one group.)

1. Job Candidate
   • Data Categories: Identity, Communication, Employment, Physical Security, Professional Experience, Family Member and Close Relative Information, Health Information, Criminal Conviction and Security Measure Information, Race and Ethnic Origin Information.
   • Processing Purposes: Processing for the execution of selection and placement processes of job candidates/interns/students, conducting application processes of job candidates, ensuring activities comply with regulations, securing physical premises, and managing communication activities.
2. Company Shareholder/Partner
   • Data Categories: Identity, Communication, Legal Process, Physical Security, Finance.
   • Processing Purposes: Processing to ensure compliance with regulations, managing finance and accounting operations, securing physical premises, following up on and managing legal affairs, managing communication activities, executing and auditing business activities, ensuring business continuity, managing the procurement processes of goods/services, and managing organization and event activities.
3. Company Representative
   • Data Categories: Identity, Communication, Employment, Legal Process, Physical Security.
   • Processing Purposes: Processing for emergency management processes, fulfilling contractual and legal obligations for employees, managing employee benefits and rights processes, conducting audit/ethical activities, carrying out training activities, ensuring compliance of activities with regulations, securing physical premises, managing assignment processes, following up and managing legal affairs, conducting internal audits/investigations/intelligence activities, managing communication activities, executing occupational health and safety activities, collecting and evaluating suggestions for improving business processes, ensuring business continuity, managing procurement processes of goods/services, managing organization and event activities, managing risk management processes, executing contract processes, managing strategic planning activities, managing investment processes, and managing administrative activities.
4. Intern
   • Data Categories: Identity, Employment, Physical Security, Finance.
   • Processing Purposes: Processing for fulfilling contractual and legal obligations for employees, managing employee benefits and rights processes, conducting audit/ethical activities, ensuring compliance of activities with regulations, managing finance and accounting operations, securing physical premises, following up and managing legal affairs, planning human resources processes, executing and auditing business activities, managing compensation policy, providing information to authorized persons, institutions, and organizations.
5. Customer
   • Data Categories: Identity, Communication, Physical Security, Finance.
   • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, executing and auditing business activities, managing production and operation processes of goods/services, managing sales processes of goods/services, and managing customer relationship management processes.
6. Customer Representative
   • Data Categories: Identity, Communication, Legal Process, Physical Security.
   • Processing Purposes: Processing for conducting audit/ethical activities, ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, managing legal affairs, conducting communication activities, executing and auditing business activities, ensuring business continuity, managing logistics activities, managing procurement processes of goods/services, managing after-sales support services, managing sales processes of goods/services, managing production and operation processes of goods/services, managing customer relationship management processes, managing activities aimed at customer satisfaction, executing contract processes, securing movable property and resources.
7. Customer Employee
   • Data Categories: Identity, Communication, Legal Process, Physical Security.
   • Processing Purposes: Processing for conducting audit/ethical activities, managing training activities, ensuring compliance of activities with regulations, managing finance and accounting operations, securing physical premises, managing assignment processes, conducting communication activities, executing and auditing business activities, ensuring business continuity, managing logistics activities, managing procurement processes of goods/services, managing after-sales support services, managing sales processes of goods/services, managing production and operation processes of goods/services, managing customer relationship management processes, and executing contract processes.
8. Service Provider Employee
   • Data Categories: Identity, Communication, Customer Transactions.
   • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, executing and auditing business activities, managing contract processes.
9. Subcontractor
   • Data Categories: Identity, Finance, Physical Security.
   • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, executing and auditing business activities, and managing compensation policy.
10. Subcontractor Employee
    • Data Categories: Identity, Communication, Physical Security.
    • Processing Purposes: Processing for conducting audit/ethical activities, ensuring compliance with regulations, securing physical premises, managing legal affairs, conducting communication activities, ensuring business continuity, and securing movable property and resources.
11. Business Partner Representative
    • Data Categories: Identity, Employment, Physical Security.
    • Processing Purposes: Processing for emergency management processes, fulfilling contractual and legal obligations for employees, managing employee benefits and rights processes, conducting audit/ethical activities, managing training activities, ensuring compliance with regulations, securing physical premises, managing assignment processes, conducting internal audits/investigations/intelligence activities, executing and auditing business activities, managing occupational health and safety activities, collecting and evaluating suggestions for improving business processes, ensuring business continuity, managing organization and event activities, managing risk management processes, managing strategic planning activities, managing investment processes, and managing administrative activities.
12. Business Partner Employee
    • Data Categories: Identity, Communication, Physical Security.
    • Processing Purposes: Processing for conducting audit/ethical activities, ensuring compliance with regulations, securing physical premises, managing legal affairs, conducting communication activities, ensuring business continuity, managing contract processes, and securing movable property and resources.
13. Supplier
    • Data Categories: Identity, Communication, Finance, Physical Security.
    • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, executing and auditing business activities, managing contract processes, and managing compensation policy.
14. Supplier Representative
    • Data Categories: Identity, Communication, Physical Security.
    • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, executing and auditing business activities, ensuring business continuity, managing logistics activities, managing procurement processes of goods/services, managing after-sales support services, managing sales processes of goods/services, managing production and operation processes of goods/services, managing contract processes, and securing movable property and resources.
15. Supplier Employee
    • Data Categories: Identity, Communication, Customer Transactions, Physical Security.
    • Processing Purposes: Processing for ensuring compliance with regulations, managing finance and accounting operations, securing physical premises, executing and auditing business activities, ensuring business continuity, managing logistics activities, managing procurement processes of goods/services, managing after-sales support services, managing sales processes of goods/services, managing production and operation processes of goods/services, managing contract processes, and tracking requests/complaints.
16. Board of Directors Members
    • Data Categories: Identity, Employment, Physical Security.
    • Processing Purposes: Processing for ensuring compliance with regulations, securing physical premises, managing assignment processes, executing and auditing business activities, collecting and evaluating suggestions for improving business processes, ensuring business continuity, managing organization and event activities, managing risk management processes, managing strategic planning activities, managing investment processes, and managing administrative activities.
17. Participant
    • Data Categories: Identity, Communication, Employment, Visual and Auditory Information.
    • Processing Purposes: Processing for ensuring compliance with regulations, managing communication activities, managing assignment processes, and executing and auditing business activities.
18. Third Parties
    • Data Categories: Identity, Communication, Employment, Legal Process, Professional Experience, Physical Security.
    • Processing Purposes: Processing for managing training activities, ensuring compliance with regulations, securing physical premises, managing communication activities, executing and auditing business activities, collecting and evaluating suggestions for improving business processes.
19. Visitor

Data Categories: Physical Space Security

Processing Purposes: Processed for the purposes of ensuring physical space security and conducting activities in compliance with regulations.

Personal Data Processing Activities Carried Out in Physical Spaces

To ensure security within our buildings and facilities, entries and exits are recorded, and common areas are monitored by cameras. Notifications regarding areas monitored by cameras are provided.

Records related to internet access provided in our buildings and facilities are kept in accordance with Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications, as well as other relevant legislation. These records may be shared with authorized public institutions and organizations upon request and may be used to fulfill the relevant legal obligations during auditing activities when necessary.

Personal Data Processing Activities Carried Out on the Website

Traffic information of online visitors to our website is automatically processed for the purpose of conducting information security processes. Additionally, under Law No. 5651 and other relevant legislation, hosting providers have an obligation to record and store website traffic information.

Detailed explanations regarding personal data processed through the website are available on the relevant website.

Personal Data Processing Activities Conducted Through Communication Channels

Communications made through channels such as call centers, mail, and email are monitored and recorded by our Company for the purposes of conducting/monitoring business activities and tracking requests/complaints.

Relevant individuals must use these channels solely within the scope of business activities.

PURPOSES OF TRANSFER OF PERSONAL DATA AND RECIPIENTS/ORGANIZATIONS TO WHOM IT IS TRANSFERRED

Purposes of Transfer of Personal Data

Our Company transfers personal data limited to the following purposes under the conditions specified in Articles 8 and 9 of the Law:

Job Candidate

Transferred Data Category:

• Identity: Name and Surname, Marital Status, Father’s Name, Gender, Date of Birth, Place of Birth, Signature
• Contact: Phone Number, Address
• Personal Information: Resume, Termination Date, Termination Reason, Military Status, Driver’s License
• Professional Experience: Education Status-Diploma-Transcript Information, In-Service Training/Course/Certificate Information, Reference Information, Foreign Language Proficiency, Certificate and Competency Document
• Health Information: Health or Surgery Status
• Criminal Conviction and Security Measure Information: Criminal Record
• Race and Ethnic Origin Information: Nationality
• Family Members and Close Relations Information: Spouse’s Occupation, Workplace, Number of Children
• Physical Space Security: Camera Recordings

Purpose of Transfer: To conduct the selection and placement processes of job candidates/interns/students, manage application processes of job candidates, carry out communication activities, ensure physical space security, and conduct activities in compliance with regulations.

Transferred To: Group Companies, Authorized Public Institutions and Organizations

Company Shareholder/Partner

Transferred Data Category:

• Identity: Name and Surname, Signature, Passport Number, Marital Status, Parents’ Names, ID Number, Gender, Date of Birth, Place of Birth
• Contact: Phone Number, Email Address, Address, Fax
• Legal Transaction: Signature Circulars, Power of Attorney Information
• Finance: Bank Account Statements
• Physical Space Security: Camera Recordings

Purpose of Transfer: To ensure compliance with regulations in operations, manage finance and accounting activities, ensure physical space security, track and conduct legal affairs, carry out communication activities, conduct/monitor business activities, ensure business continuity, manage procurement processes, manage organization and event activities, carry out contract processes, ensure the security of movable assets and resources, implement the salary policy, and conduct management activities.

Transferred To: Individuals or Private Legal Entities, Authorized Public Institutions and Organizations, Group Companies (bank, consulate)

Company Representative

Transferred Data Category:

• Identity: Name and Surname, Signature, ID Number
• Contact: Email Address, Phone Number, Address, Fax
• Personal Information: Job Position/Title
• Legal Transaction: Signature Circulars
• Physical Space Security: Camera Recordings

Purpose of Transfer: To conduct emergency management processes, fulfill employment contracts and obligations arising from legislation for employees, manage employee benefits and interests processes, conduct audits/ethical activities, manage training activities, ensure compliance with regulations in activities, ensure physical space security, manage assignment processes, track and conduct legal affairs, carry out internal audits/investigations/intelligence activities, conduct communication activities, manage/monitor business activities, manage occupational health/safety activities, gather and evaluate suggestions for improving business processes, ensure business continuity, manage procurement processes, manage organization and event activities, conduct risk management processes, manage contract processes, conduct strategic planning activities, and manage investment processes.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Business Partners, Suppliers (Gediz Elektrik)

Personal Data Processing Activities on the Website

The traffic information of online visitors to our website is automatically processed for the purpose of executing information security processes. Additionally, under Law No. 5651 and other regulations, service providers are required to record and retain the traffic information of their websites.

Detailed explanations regarding personal data processed through the website can be found on the relevant site.

Personal Data Processing Activities Conducted via Communication Channels

Communications made through channels such as call centers, postal mail, and email are monitored and recorded by our company for the purpose of conducting and supervising business activities, as well as for tracking requests/complaints.

Relevant individuals must use these channels solely within the scope of business activities.

PURPOSES OF TRANSFERRING PERSONAL DATA AND RECIPIENTS/ORGANIZATIONS TO WHOM IT IS TRANSFERRED

Purposes of Transferring Personal Data

Our company transfers personal data within the framework of the conditions specified in Articles 8 and 9 of the Law for the following limited purposes:

Job Candidate

Transferred Data Categories:

• Identity (Name, Marital Status, Father's Name, Gender, Date of Birth, Place of Birth, Signature)
• Contact (Phone Number, Address)
• Personnel (Resume, Employment Termination Date, Reason for Termination, Military Status, Driver’s License)
• Professional Experience (Education Level-Diploma-Transcript Information, In-Service Training/Course/Certificate Information, Reference Information, Foreign Language Proficiency, Certificates and Competency Documents)
• Health Information (Health Conditions or Surgical History)
• Criminal Conviction and Security Measure Information (Criminal Record)
• Race and Ethnic Origin Information (Nationality)
• Family Members and Relatives Information (Spouse’s Occupation, Place of Employment, Number of Children)
• Physical Location Security (Camera Records)

Transfer Purpose: To conduct selection and placement processes for job candidates/interns/students, to manage the application processes of job candidates, to conduct communication activities, to ensure physical security, and to ensure compliance with regulations.

Transferred To: Group Companies, Authorized Public Institutions and Organizations.

Shareholder/Partner

Transferred Data Categories:

• Identity (Name, Signature, Passport Number, Marital Status, Parent’s Names, ID Information, Gender, Date of Birth, Place of Birth)
• Contact (Phone Number, Email Address, Address, Fax)
• Legal Process (Signature Circular, Power of Attorney Information)
• Finance (Bank Account Statement)
• Physical Location Security (Camera Records)

Transfer Purpose: To ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to follow and manage legal matters, to conduct communication activities, to execute/supervise business activities, to ensure business continuity, to manage procurement processes, to manage organization and event planning, to conduct contract processes, to ensure the security of movable goods and resources, to manage compensation policies, and to conduct management activities.

Transferred To: Real persons or private legal entities, Authorized Public Institutions and Organizations, Group Companies (banks, consulates).

Company Authorized Person

Transferred Data Categories:

• Identity (Name, Signature, ID Number)
• Contact (Email Address, Phone Number, Address, Fax)
• Personnel (Job Position/Title)
• Legal Process (Signature Circular)
• Physical Location Security (Camera Records)

Transfer Purpose: To manage emergency response processes, to fulfill contractual and legal obligations for employees, to manage employee benefits, to conduct audits/ethical activities, to manage training activities, to ensure compliance with regulations, to ensure physical security, to manage assignment processes, to follow and manage legal matters, to conduct internal audits/investigations/intelligence activities, to conduct communication activities, and to ensure business continuity.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Business Partners, Suppliers (Gediz Elektrik).

Intern

Transferred Data Categories:

• Identity (Name, Marital Status, Parent’s Names, ID Information, Gender, Date of Birth, Place of Birth)
• Personnel (SGK Employment Notification)
• Finance (Bank Account Information)
• Physical Location Security (Camera Records)

Transfer Purpose: To fulfill contractual and legal obligations for employees, to manage employee benefits, to conduct audits/ethical activities, to ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to follow and manage legal matters, to plan human resources processes, and to supervise business activities.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Real persons or private legal entities.

Customer

Transferred Data Categories:

• Identity (Name, SGK Number, Tax Number, Signature)
• Contact (Phone Number, Address, Email Address)
• Finance (Bank Account Information)
• Physical Location Security (Camera Records)

Transfer Purpose: To ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to supervise business activities, to manage production and operational processes of goods/services, to manage sales processes of goods/services, and to manage customer relations.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Real persons or private legal entities (e-finance, Netsis, shipping companies).

Customer Representative

Transferred Data Categories:

• Identity (Name, ID Number)
• Contact (Phone Number, Email Address, Fax, Address)
• Legal Process (Signature Circular)
• Physical Location Security (Camera Records)

Transfer Purpose: To conduct audits/ethical activities, to ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to manage legal matters, to conduct communication activities, to supervise business activities, and to ensure business continuity.

Transferred To: Real persons or private legal entities, Suppliers, Group Companies, Authorized Public Institutions and Organizations (shipping companies, cargo companies).

Customer Employee

Transferred Data Categories:

• Identity (Name)
• Contact (Phone Number, Email Address, Address)
• Legal Process (Signature Circular)
• Physical Location Security (Camera Records)

Transfer Purpose: To conduct audits/ethical activities, to manage training activities, to ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to manage assignment processes, to conduct communication activities, and to ensure business continuity.

Transferred To: Real persons or private legal entities, Suppliers, Group Companies, Authorized Public Institutions and Organizations (shipping company, cargo company).

Service Provider Employee

Transferred Data Categories:

• Identity (Name, ID Information)
• Contact (Address)
• Customer Transaction (Invoice, Check, Promissory Note, Receipt Information)

Transfer Purpose: To ensure compliance with regulations, to manage finance and accounting operations, to supervise business activities, and to manage contract processes.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Real persons or private legal entities (tax office).

Subcontractor

Transferred Data Categories:

• Identity (Name)
• Finance (Bank Account Information)
• Physical Location Security (Camera Records)

Transfer Purpose: To ensure compliance with regulations, to manage finance and accounting operations, to ensure physical security, to supervise business activities, and to manage compensation policies.

Transferred To: Group Companies, Authorized Public Institutions and Organizations, Real persons or private legal entities.

Subcontractor Employee

Transferred Data Categories:

• Identity (Name, Signature)
• Contact (Phone Number)
• Physical Location Security (Camera Records)

Transfer Purpose: To conduct audits/ethical activities, to ensure compliance with regulations, to ensure physical security, to manage legal matters, to conduct communication activities, and to ensure business continuity.

Transferred To: Group Companies, Authorized Public Institutions and Organizations.

Business Partner Representative

Transferred Data Categories:

• Identity (Name, Signature)
• Personnel (Job Position/Title)
• Physical Location Security (Camera Records)

Transfer Purpose: To ensure compliance with regulations, to ensure physical security, to manage assignment processes, to supervise business activities, to gather and evaluate suggestions for improving business processes, to ensure business continuity, to manage organization and event planning, to conduct risk management processes, to carry out strategic planning activities, to manage investment processes, and to conduct management activities.

Transferred To: Group Companies, Authorized Public Institutions and Organizations.

Business Partner Employee

Data Categories Transferred:

• Identity: Name, Signature
• Contact: Phone Number, Email Address
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of conducting audits/ethical activities, ensuring compliance with regulations, maintaining physical security of premises, monitoring and conducting legal affairs, managing communication activities, ensuring business continuity, managing contract processes, and securing movable assets and resources.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations

Supplier

Data Categories Transferred:

• Identity: Name, Social Security Number, Tax Number, Signature
• Contact: Phone Number, Address, Email Address
• Finance: Bank Account Information
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of ensuring compliance with regulations, conducting finance and accounting operations, maintaining physical security of premises, managing/conducting business operations, managing contract processes, and implementing salary policies.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations, Individuals or Private Law Legal Entities (e-finance, Netsis, courier companies)

Supplier Representative

Data Categories Transferred:

• Identity: Name
• Contact: Phone Number, Address
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of ensuring compliance with regulations, conducting finance and accounting operations, maintaining physical security of premises, managing/conducting business operations, ensuring business continuity, managing logistics activities, managing purchasing processes for goods/services, managing post-sale support services, managing sales processes for goods/services, managing production and operational processes for goods/services, managing contract processes, and securing movable assets and resources.

Transfer Locations: Individuals or Private Law Legal Entities, Suppliers, Community Companies, Authorized Public Institutions and Organizations (courier companies)

Supplier Employee

Data Categories Transferred:

• Identity: Name, National ID Information, Signature
• Contact: Address, Phone Number, Email Address
• Customer Transactions: Invoice, Check, Promissory Note, Receipt Information
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of ensuring compliance with regulations, conducting finance and accounting operations, maintaining physical security of premises, managing/conducting business operations, ensuring business continuity, managing purchasing processes for goods/services, managing contract processes, and tracking requests/complaints.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations, Individuals or Private Law Legal Entities (tax office)

Board of Directors Members

Data Categories Transferred:

• Identity: Name, Signature
• Personal Data: Job Position/Title
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of ensuring compliance with regulations, maintaining physical security of premises, managing assignment processes, managing/conducting business operations, receiving and evaluating suggestions for improving business processes, ensuring business continuity, managing organization and event activities, managing risk management processes, conducting strategic planning activities, managing investment processes, and conducting management activities.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations

Participant

Data Categories Transferred:

• Identity: Name, National ID Number, Place of Birth, Date of Birth, Chamber Registration Number, Signature
• Contact: Phone Number, Fax, Email Address, Address
• Personal Data: Job Position/Title
• Visual and Auditory Information: Photograph

Purpose of Transfer: The data is transferred for the purposes of ensuring compliance with regulations, managing communication activities, managing assignment processes, and managing/conducting business operations.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations

Third Parties

Data Categories Transferred:

• Identity: Name, Marital Status, Parent's Name, National ID Information, Gender, Date of Birth, Place of Birth, Signature
• Contact: Phone Number, Address, Email Address
• Personal Data: Job Position/Title, Department
• Legal Transaction: Signature Circular
• Professional Experience: Certificate Number
• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of conducting recruitment and placement processes for candidates/interns/students, managing application processes for candidates, conducting training activities, ensuring compliance with regulations, maintaining physical security of premises, managing assignment processes, monitoring and conducting legal affairs, managing communication activities, managing/conducting business operations, managing occupational health and safety activities, receiving and evaluating suggestions for improving business processes, ensuring business continuity, managing purchasing processes for goods/services, managing contract processes, tracking requests/complaints, and securing movable assets and resources.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations, Individuals or Private Law Legal Entities (Gediz Electricity)

Visitor

Data Categories Transferred:

• Physical Security of Premises: Camera Records

Purpose of Transfer: The data is transferred for the purposes of maintaining physical security of premises and ensuring compliance with regulations.

Transfer Locations: Community Companies, Authorized Public Institutions and Organizations

DISPOSAL OF PERSONAL DATA AND STORAGE PERIODS

Disposal of Personal Data

Subject to the provisions regarding the disposal of personal data in other laws, our Company shall delete, destroy, or anonymize the personal data it has processed in accordance with this Law and other legal provisions when the reasons necessitating the processing of such data no longer exist, in accordance with the Personal Data Storage and Disposal Policy, either ex officio or upon request from the data subject.

The deletion of personal data refers to the process of making personal data inaccessible and unusable for the relevant users in any way.

The destruction of data refers to the process of making personal data inaccessible, unrecoverable, and unusable in any way by anyone.

Anonymization of data refers to the process of making personal data unable to be associated with an identified or identifiable natural person, even when matched with other data through techniques such as masking, variable extraction, generalization, etc.

Storage Periods of Personal Data

Our Company retains personal data in accordance with the periods specified in laws and other regulations. If there is no specified storage period in laws and other regulations, personal data will be stored in accordance with the Company’s Personal Data Storage and Disposal Policy for as long as necessary to achieve the purpose of processing that personal data, after which it will be deleted, destroyed, or anonymized within the framework of periodic disposal periods.

INFORMATION TO THE DATA SUBJECT AND RIGHTS UNDER THE PERSONAL DATA PROTECTION LAW

Information of the Data Subject

In accordance with Article 10 of the Personal Data Protection Law (KVK Law), our Company provides information to the data subjects at the time of obtaining personal data. In this context, the identity of the Company representative, if any, the purpose for processing the personal data, to whom and for what purpose the processed personal data may be transferred, the method of collecting personal data and its legal basis, as well as the rights of the data subject are clarified.

Circumstances Where This Policy and Law Will Not Apply

The provisions of this Policy and Law will not apply in the following cases:

• The processing of personal data by natural persons concerning themselves or their family members living in the same household, provided that the data is not shared with third parties and data security obligations are complied with,
• The processing of personal data for research, planning, and statistical purposes by anonymizing official statistics,
• The processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate national defense, national security, public safety, public order, economic security, privacy of private life, or personality rights,
• The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations that are authorized and tasked by law to ensure national defense, national security, public safety, public order, or economic security,
• The processing of personal data by judicial authorities or enforcement agencies concerning investigation, prosecution, trial, or execution processes.

The provisions of Article 10, which regulate the obligation of the data controller to inform, and Article 11, which regulates the rights of the relevant person, excluding the right to seek compensation for damages, as well as Article 16 regarding the obligation to register in the Data Controllers Registry will not apply in the following cases:

• The processing of personal data is necessary for the prevention of crime or the investigation of a crime,
• The processing of personal data that has been made public by the relevant person,
• The processing of personal data by public institutions and organizations with duties and powers granted by law, necessary for the execution of their auditing or regulatory tasks or for disciplinary investigations or prosecutions,
• The processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budget, tax, and financial matters.

Rights of the Data Subject Under the KVK Law

In accordance with Article 10 of the Law, our Company informs data subjects of their rights, provides guidance on how to exercise these rights, and implements all necessary internal processes, administrative and technical regulations. The rights of individuals whose personal data are processed under Article 11 of the Law are as follows:

• To learn whether their personal data is being processed,
• To request information regarding the processing of their personal data if it has been processed,
• To learn the purpose of processing their personal data and whether it is used in accordance with its purpose,
• To know the third parties to whom personal data has been transferred domestically or abroad,
• To request the correction of personal data if it is incomplete or incorrectly processed,
• To request the deletion or destruction of personal data under the conditions set forth in Article 7 of the Law,
• To request the notification of the transactions (correction and destruction) conducted under Article 11(d) and (e) to the third parties to whom personal data has been transferred,
• To object to the emergence of a result against them by analyzing the processed data exclusively through automated systems,
• To request compensation for damages incurred due to the unlawful processing of personal data.

Requests and applications regarding the implementation of the Law can be submitted in writing by completing the application form available on our website (https://www.setasbilisim.com.tr/) and delivering it personally to “Mansuroğlu Mahallesi 283/6 Sokak No:2 Bayraklı/İZMİR,” or sending it via notary public or registered electronic mail (KEP) address (setasbilisim@hs01.kep.tr), or electronically using a secure electronic signature or mobile signature.

Requests and applications can also be sent to setas@setasbilisim.com.tr if there is an electronic mail address belonging to the relevant individual previously communicated to our Company and registered in the Company’s system.

In requests and applications, the following information is required:

• Name, surname, and signature if the application is written,
• Turkish Republic identification number for Turkish citizens, nationality, passport number, or identity number if applicable for foreigners,
• The residential or workplace address for notification purposes,
• The relevant electronic mail address, phone number, and fax number if available,
• Subject of the request.

It is necessary to attach relevant information and documents to the application.

Our Company will respond to the requests included in the application free of charge as soon as possible, and in any case, within thirty days, depending on the nature of the request. However, if the process incurs additional costs, a fee may be charged as determined by the Authority.

Our Company may accept the request it receives or reject it by explaining the reason and will notify the relevant person in writing or electronically. If the request made in the application is accepted, our Company will fulfill the requirement as soon as possible and inform the relevant person. If the application is due to an error on the part of our Company, the fee collected will be refunded to the relevant individual.

In cases of rejection of the application, finding the response insufficient, or failure to respond to the application within the time frame, the relevant individual has the right to complain to the Authority within thirty days from the date they learned the response, and in any case, within sixty days from the date of application.

VERSION: 1.0

Effective Date: 05.07.2023

© Setaş Sistem Bilişim Sanayi Ticaret Anonim Şirketi, 2023

No part of this document may be reproduced or distributed without the written permission of Setaş Sistem Bilişim Sanayi Ticaret Anonim Şirketi.