1. PURPOSE AND SCOPE
The Law on the Protection of Personal Data No. 6698 (the "PDP Law"), which was prepared after many years of work within the framework of compliance with the European Union criteria, was published in the Official Gazette dated 07.04.2016 and entered into force. The PDP Law largely contains regulations in line with the European Union's directive numbered 95/46/EC, and with the entry into force of the PDP Law, the protection of individuals' personal data within a holistic regulation has been brought under legal regulation.
The protection of personal data is of great sensitivity for the ("Company"), and according to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. The protection of personal data is among the priorities of our Company, and our Company shows the necessary care in protecting the personal data of job candidates, company officials, our visitors, institutions we cooperate with and their employees, officials and third parties, which are managed by this Personal Data Protection, Processing and Destruction Policy ("Policy").
Within the framework of the principles of superior service quality, respect for the rights of individuals, transparency and honesty adopted by our company, and in line with the new regulations foreseen by the PDP Law, the regulation of the internal operations of our company within the scope of the PDP Law, secondary regulations, decisions and regulations of the Personal Data Protection Board and other relevant legislation are among the priority issues of our company. Therefore, this Policy has been prepared and put into effect in order to enable our customers to benefit from the rights brought by the PDP Law and to ensure compliance with the PDP Law. In this context, the necessary administrative and technical measures are taken by our company to protect the personal data processed in accordance with the relevant legislation.
The aim of the Policy is to ensure that the regulations to be introduced by the Company within the framework of the principles specified above for compliance with the PDP Law are effectively implemented within the Company, by our Company employees and business partners; to make explanations about the personal data processing activities carried out by our Company in accordance with the law and the systems adopted for the protection of personal data, to ensure that all administrative and technical measures are taken for the processing and protection of personal data within the Company's operations, to establish the necessary internal procedures, to determine all necessary trainings to raise awareness, and to ensure that all necessary measures are taken for the compliance of employees and business partners with the PDP Law processes and that appropriate and effective control mechanisms are established.
Explicit Consent: Consent based on informed consent and expressed freely on a specific subject.
Anonymization of Personal Data: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data using techniques such as masking, aggregation, data corruption, etc.
Application Form: "Application Form for Applications to be Made to the Data Controller by the Relevant Person [Personal Data Owner] Pursuant to the Law No. 6698 on the Protection of Personal Data", which includes the application to be made by personal data owners to exercise their rights.
Employee Candidate: Real persons who have applied for a job in our Company by any means or have opened their CV and relevant information to our Company's review.
Employees, shareholders, and officials of the institutions with which we have a partnership: Individuals including employees of institutions with which our company has any business relationship (such as partners, suppliers, but not limited to these), as well as shareholders and officials of these institutions.
Business Partner: Parties with whom our company establishes partnerships for various purposes, such as carrying out various projects and receiving services while conducting its commercial activities.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making accessible, classifying, or preventing the use of data, structured according to specific criteria.
Data Subject: The natural person whose personal data is being processed.
Deletion of Personal Data: The act of deleting personal data; ensuring that personal data is rendered inaccessible and unusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Personal Data: Any information relating to an identified or identifiable natural person.
PDPC: Personal Data Protection Board.
Special Categories of Personal Data: Data related to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The process of deletion, destruction, or anonymization that will be carried out ex officio at recurring intervals when all conditions for processing personal data specified in the Personal Data Protection Law have ceased to exist, as stated in the personal data retention and destruction policy.
Company Official: Members of our company's board of directors and other authorized natural persons.
Supplier: Parties that provide services to our company in accordance with the company's orders and instructions, either based on a contract or without any contractual relationship, while conducting our company's commercial activities.
Third Party: Natural persons whose personal data is processed under the Policy and who are not defined differently within the scope of the Policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: The natural person (Company) responsible for determining the purposes and means of processing personal data and for establishing and managing the location where the data is systematically stored [data recording system].
Visitor: Natural persons who have entered the physical premises owned by our company for various purposes or who have visited our websites.
Data Recording System: A recording system in which personal data is processed according to specific criteria.
2. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA
2.1. General
Our company, in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law (KVK Law), engages in the processing of personal data in a manner that is lawful and in accordance with the principles of integrity, ensuring that the data is accurate and, when necessary, up to date; pursuing specific, explicit, and legitimate purposes; and processing personal data in a way that is relevant, limited, and proportionate to those purposes. Our company retains personal data for the duration prescribed by law or as required by the purpose of processing personal data. In accordance with Article 20 of the Constitution and Article 5 of the KVK Law, our company processes personal data based on one or more of the conditions specified in Article 5 of the KVK Law regarding the processing of personal data.
Our company informs data subjects in accordance with Article 20 of the Constitution and Article 10 of the KVK Law, and provides the necessary information if data subjects request it.
Our company acts in accordance with the regulations stipulated for the processing of special categories of personal data as per Article 6 of the KVK Law. Our company complies with the regulations set forth by the law and established by the Personal Data Protection Board regarding the transfer of personal data in accordance with Articles 8 and 9 of the KVK Law.
Processing of Personal Data in Compliance with the Principles Stipulated in Legislation.
2.1.1. Processing in Compliance with Law and the Principle of Integrity
Our company acts in accordance with the principles established by legal regulations and the general principles of security and integrity in the processing of personal data. In this context, our company considers the requirements of proportionality in the processing of personal data and does not use personal data beyond what is necessary for the intended purpose.
2.1.2. Ensuring that Personal Data is Accurate and, When Necessary, Up to Date
Our company ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights of data subjects and its own legitimate interests. In this regard, it takes the necessary measures.
2.1.3. Processing for Specific, Explicit, and Legitimate Purposes
Our company clearly and definitively defines the legitimate and lawful purpose of processing personal data. We process personal data only to the extent necessary and in connection with our commercial activities.
2.1.4. Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
Our company processes personal data in a manner suitable for achieving the defined purposes and avoids processing personal data that is unrelated to or unnecessary for the accomplishment of those purposes. For example, we do not engage in personal data processing activities aimed at addressing potential future needs.
2.1.5. Retaining for the Duration Required by Relevant Legislation or Necessary for the Purpose for Which They Are Processed
Our company retains personal data only for the duration specified in the relevant legislation or as necessary for the purpose for which they are processed. In this context, our company first determines whether a retention period is stipulated in the relevant legislation. If a period is specified, we act in accordance with that duration; if no period is established, we retain personal data only for as long as necessary for the intended purpose. Upon the expiration of the retention period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized by our company.
2.2. Processing Personal Data Based on One or More of the Personal Data Processing Conditions Specified in Article 5 of the Data Protection Law and Limited to These Conditions
The protection of personal data is a constitutional right. Fundamental rights and freedoms can only be restricted by law and based on the reasons specified in the relevant articles of the Constitution, without touching their essence. According to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases provided for by law or with the explicit consent of the individual. In this regard, our company processes personal data only in the cases stipulated by law or with the explicit consent of the individual, in compliance with the Constitution.
2.3. Informing and Educating the Data Subject
Our company informs Data Subjects during the acquisition of personal data in accordance with Article 10 of the Data Protection Law. In this context, our company provides information about the identity of the representative, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the legal basis for the method of collecting personal data, and the rights of the Data Subject.
Article 20 of the Constitution states that everyone has the right to be informed about their personal data. In this regard, Article 11 of the Data Protection Law includes the right to "request information" among the rights of the Data Subject. In this context, our company provides the necessary information when the Data Subject requests information, in accordance with Article 20 of the Constitution and Article 11 of the Data Protection Law.
2.4. Processing of Special Categories of Personal Data
Our company acts with great care in processing personal data designated as "special categories" under the Data Protection Law. Article 6 of the Data Protection Law identifies certain personal data as "special categories" that carry the risk of causing individuals to suffer harm or discrimination when processed unlawfully. These data include information related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
In accordance with the Data Protection Law, our company processes special categories of personal data in the following situations, provided that adequate measures determined by the Data Protection Authority are taken:
• If the Data Subject has given explicit consent, or
• If the Data Subject has not given explicit consent: special categories of personal data, excluding the Data Subject's health and sexual life, are processed in the cases provided for by law.
2.5. Transfer of Personal Data
Our company may transfer the personal data and special categories of personal data of the Data Subject to third parties by taking the necessary security measures outlined in this Policy, in accordance with the legitimate purposes of personal data processing. In this regard, our company acts in compliance with the provisions set forth in Article 8 of the Data Protection Law.
2.5.1. Transfer of Personal Data
Our company can transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Data Protection Law, in a limited manner, by establishing the necessary confidentiality conditions and taking security measures in line with legitimate and lawful purposes of personal data processing, in the following cases:
• If the Data Subject has given explicit consent,
• If there is a clear regulation in the laws regarding the transfer of personal data,
• If it is necessary to protect the life or bodily integrity of the Data Subject or another person, and the Data Subject is unable to express consent due to actual impossibility or if their consent is not legally valid,
• If it is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of the contract,
• If the transfer of personal data is mandatory for our company to fulfill its legal obligations,
• If the personal data has been made public by the Data Subject,
• If the transfer of personal data is necessary for the establishment, use, or protection of a right,
• If the transfer of personal data is necessary for our company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
2.6. Transfer of Personal Data Abroad
Regarding the transfer of personal data abroad, explicit consent from the Data Subject is required in accordance with Article 9 of the Data Protection Law. Social media companies (e.g., facebook.com, twitter.com, youtube.com, instagram.com, and similar platforms); internet search engine companies (e.g., google.com, yandex.com, and similar services); SMS sending companies; and third parties that provide support in areas such as storage, archiving, IT support (servers, hosting, software, cloud computing), and information security, both domestically and abroad, may share data on behalf of our company. This includes partners that process data for us, provide customer satisfaction measurement, profiling support, and solutions related to the processing of personal data in sales and marketing areas, as well as auditing companies.
3. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING, AND RETENTION PERIODS
Our company informs the Data Subject about the groups of Data Subjects whose data it processes, which personal data is being processed, the purposes of processing the personal data, and the retention periods, in accordance with the obligation of disclosure under Article 10 of the Data Protection Law.
3.1. Categorization of Personal Data
Within our Company; in line with our Company's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDP Law, in compliance with the general principles specified in the PDP Law, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the PDP Law, and limited to the periods within the scope of this Policy (Business Partner, Visitor, Third Party, Employee Candidate, Company Official, Employees, Shareholders and Authorities of Institutions We Collaborate with), personal data in the categories specified below are processed by informing the relevant persons in accordance with Article 10 of the PDP Law.
DATA CLASS – DESCRIPTION
Personal Data: Personal data is any information related to a specific or identifiable person. Documents such as driver's license, identity card and passport that include information such as name-surname, Turkish Republic identity number, nationality information, mother's name-father's name, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate, etc.
Special Personal Data: Special Personal Data is data that, if learned, may cause discrimination or victimization regarding the relevant person. It is the data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of the persons, and biometric and genetic data.
Personal data that is clearly related to a specific or identifiable natural person is classified as follows:
PERSONAL DATA CATEGORIZATION – EXPLANATION
Identity Information: Data containing information about the person's identity, documents such as driver's license, identity card and passport containing information such as name and surname, Turkish Republic identity number, nationality information, mother's name and father's name, date of birth, gender, and tax number, SSI number, signature information, vehicle license plate, etc.
Contact Information: Information such as telephone number, address, e-mail address, fax number, IP address
Financial Information: Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner, and bank account number, IBAN number
Visual/Auditory Information: Photo and camera recordings [excluding records included in the scope of Physical Location Security Information], voice recordings and data included in documents that are copies of documents containing personal data.
Personal Information: All kinds of personal data processed to obtain information that will form the basis for the establishment of the personal rights of real persons who have a working relationship with our Company and for the evaluation of our Company's Employee Candidates
Professional Information: Diploma information, Courses attended, In-service training information, Certificates, Transcript information, etc.
Legal Transaction Information: Data processed within the scope of the determination, follow-up and fulfillment of debts of our Company's legal receivables and rights and legal obligations.
Criminal Conviction and Security Measures: Information regarding criminal convictions, information regarding security measures, etc.
Race, Ethnicity Information: Data regarding the person's race and ethnicity.
Membership Information: Association membership information, etc. Foundation membership information, etc. Union Membership information, etc.
Health Information: Height, Weight, Surgery History, Active Treatment Information, Information on disability status, Blood group information, Personal health information, Information on devices and prosthesis used, Laboratory outputs/Analysis information, patient diagnosis and treatment information, etc.
Request / Complaint Management Information: Personal data regarding the receipt and evaluation of any request or complaint directed to our company.
Marketing Information: Survey, Cookie Records, Information obtained from social media platforms (such as Facebook, Instagram, Twitter, Whatsapp), etc.
Explicit Consent: The explicit consent of the relevant person will definitely be sought.
Public Health: Protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services
3.2. Purposes of Processing Personal Data
Our company processes personal data limited to the purposes and conditions specified in the personal data processing conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Personal Data Protection Law.
These purposes and conditions are:
• The relevant activity of our Company regarding the processing of your personal data is clearly foreseen in the Laws
• The processing of your personal data by our Company is directly related to and necessary for the establishment or execution of a contract
• The processing of your personal data is mandatory for our Company to fulfill its legal obligations
• Provided that your personal data is made public by you; processing by our Company in a limited manner for the purpose of making it public
• If the processing of your personal data by our Company is mandatory for the establishment, exercise or protection of the rights of our Company or you or third parties
• If the processing of personal data is mandatory for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms
• If the processing of personal data by our Company is mandatory for the protection of the life or physical integrity of the personal data owner or another person, and in this case, the personal data owner is unable to express his/her consent due to actual impossibility or legal invalidity
• It is foreseen in the laws for special personal data other than the health and sexual life of the personal data owner
In this context, our Company processes your personal data within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the following purposes:
• Planning and execution of corporate sustainability activities
• Event management
• Management of relations with business partners
• Conducting our company's personnel recruitment processes
• Execution/follow-up of our company's financial reporting and risk management processes
• Execution/follow-up of our company's legal affairs
• Planning and execution of corporate communication activities
• Execution of corporate governance activities
• Determination, planning and implementation of our company's commercial policies
• Ensuring the legal and commercial security of our company and real or legal persons who have a business relationship with our company
• Ensuring the physical security and inspection of all locations such as offices, workplaces and similar belonging to our company
• Evaluating our company's customers, complaint management processes regarding products etc.
• Planning and implementing human resources policies in the best way possible
• Request and complaint management
• Planning and execution of inspection activities to ensure that our company's activities are carried out in accordance with the procedures and relevant legislation
• Carrying out activities to protect our company's reputation
• Providing information to authorized institutions based on legislation
• Creating and monitoring visitor records
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the Personal Data Protection Law, your explicit consent is obtained by our Company for the relevant processing process.
3.3. Storage Periods of Personal Data
Our Company stores personal data for the period specified in the relevant laws and legislation, if it is foreseen in these legislations. If the legislation does not regulate the period for which personal data should be stored, Personal Data is processed for the period required by our Company's practices and commercial practices, depending on the activity carried out while processing that data, and then deleted, destroyed or anonymized. Detailed information on this subject is provided in Section 9 of this Policy.
If the purpose of processing personal data has ended; if the storage periods determined by the relevant legislation and our Company have also expired; personal data is deleted, destroyed or anonymized after the said period has expired.
4. CATEGORIZATION OF THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY
While our Company processes the personal data of the categories of personal data owners listed below, the scope of application of this Policy is limited to Business Partners, Customers, Visitors, Third Parties, Employees, Candidates, Company Officials, Employees and Officials of Institutions We Collaborate With.
While the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside of these categories may also direct their requests to our Company within the scope of the Personal Data Protection Law; the requests of these persons will also be evaluated within the scope of this Policy. The personal data table in Article 3.1 defines the categories of personal data and the types of personal data of persons processed within these categories.
5. THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
Our company notifies the personal data owner of the groups of people to whom personal data is transferred in accordance with Article 10 of the Personal Data Protection Law.
Our company may transfer the personal data of data owners managed by the Policy to the following categories of people in accordance with Articles 8 and 9 of the Personal Data Protection Law:
• Our managers and personnel authorized by our company
• Legally authorized public institutions and organizations
• Legally authorized private law persons
The scope of the above-mentioned persons to whom the data is transferred and the purposes of data transfer are specified below.
Company Officials: Members of our company's board of directors and other authorized real persons. Limited to the design of strategies, ensuring the highest level of management and auditing purposes regarding our company's commercial activities in accordance with the relevant legislation,
Legally Authorized Public Institutions and Organizations: Public institutions and organizations authorized to receive information and documents from our company in accordance with the relevant legislation. Limited to the purpose requested by the relevant public institutions and organizations within the scope of their legal authority,
Legally Authorized Private Law Persons: Private law persons authorized to receive information and documents from our company in accordance with the relevant legislation. Limited to the purpose requested by the relevant private law persons within the scope of their legal authority.
6. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT AT BUILDINGS, FACILITY ENTRANCES AND WITHIN BUILDINGS AND FACILITIES AND WEBSITE VISITORS
To ensure security, our Company may carry out personal data processing activities to monitor guest entries and exits through the security cameras in our office.
Our Company will process personal data, and protect the data it processes, by using security cameras and recording guest entries and exits.
6.1. Camera Monitoring Activities Conducted Within Our Company's Office
This section explains our Company's camera monitoring system and provides information on how personal data, privacy and the fundamental rights of the person are protected. Through its security camera monitoring activities, our Company aims to protect the interests of the Company and of other people in ensuring their security.
6.2. Monitoring of Guest Entrances and Exits at and Inside Our Company Buildings and Facilities
Our Company may process personal data to monitor guest entries and exits in our Company buildings and facilities for the purposes of ensuring security and as specified in this Policy.
6.3. Restriction of Internet Access Provided to Visitors in Our Office
To ensure security and for the purposes specified in this Policy, our Company has closed the Wi-Fi internet connection in our office to external access; it is not shared with our office visitors. In this way, external intervention into the internet network to which the computer accessing personal data is connected is prevented and data security is ensured in accordance with the provisions of Law No. 6698.
In the event that the Wi-Fi connection in our office is opened to our visitors in the future, the log records regarding your internet access will be recorded in accordance with the mandatory provisions of Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed through Such Publications and the legislation regulated in accordance with this Law, and these records will only be processed upon request by authorized public institutions and organizations or in order to fulfill our relevant legal obligations in the audit processes to be carried out within our Company. Feasibility and cyber security studies have been conducted regarding opening internet connection to our visitors, and implementation will be initiated after our company officials make a decision in this direction.
6.4. Website Visitors
Our company uses cookies, pixels, gifs, add-ons and other technologies [in short, 'cookies'] to improve your experience on websites and applications. Cookies are small text files that are transferred to your hard drive by a web server and then stored on your computer. Some cookies help us better understand Customer/User behavior, provide information about the use of our website and visit data, and help us improve our website. Cookies are also used to remember customers' personal information when customers/users use the website or application. This makes it easier to use the website and applications.
Some information is collected automatically and stored in log files. This information includes Internet Protocol (IP) addresses, browser type and language, Internet service provider (ISP), referring and exit websites and applications, operating system, date/time stamp and clickstream data.
If you want to disable cookies, you can make the necessary settings on the web browser and mobile device you use. Based on the above information, cookies may be used on the web pages prepared by our company, depending on the technological infrastructure requirements used and as foreseen by the infrastructure used. As a company, we may stop using the cookies we use on the website we operate, change their types or functions or add new cookies. Therefore, we reserve the right to change the Cookie Information Text and the provisions of this protocol at any time.
The cookies we use on our website are active to perform the basic functions required for the operation of the site, to analyze the site and increase its performance, and to increase your ease of use. Information gathering technologies and cookies that are specifically developed / collected and operated by our company are not used.
6.5. Website Data Log
You, our valued customers, can access our company's website without being a member. As with many websites, your web browser is set to automatically transfer some technical data to our internet server on our company's website, and some information is then recorded in the data log records even without your consent (for example, the date of entry to the website, the time of entry, IP address, the addresses of the pages viewed on the site, etc.).
This information is required for technical purposes so that the requested content can be delivered to you correctly over the internet when you connect to the website, and its collection is an inevitable technical aspect of the use of websites. In addition to this data, our company detects and uses users' IP addresses and data log records to detect problems with the system and to resolve such problems as quickly as possible. IP addresses can be used to identify users in general when necessary and to collect comprehensive demographic information.
6.6. E-Mail Bulletins Made Within the Scope of Your Website Memberships
During your membership application or during your membership, you can choose to accept and/or reject marketing activities and update this preference. If you want to be removed from our daily e-mail list at any time, you can unsubscribe from the e-bulletin by clicking on the "Please click to unsubscribe from our e-bulletin list" link at the bottom of the e-mails we send. If the cancellation link does not work due to technical problems, you can call our Customer Services or send an e-mail to unsubscribe from these bulletins.
7. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Although our Company has processed the data in accordance with the relevant provisions of the law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, if the reasons requiring processing are eliminated, personal data is deleted, destroyed or made anonymous based on our Company's own decision or upon the request of the personal data owner. Transactions are carried out in accordance with the personal data storage and destruction policy.
8. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Personal Data Protection Law, our company takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to data, to ensure the preservation of data and to ensure the appropriate level of security, and conducts or has conducted the necessary inspections within this scope.
Our institution has expanded the data/information protection processes it implements/operates within the scope of the quality and information security management systems it has established for the protection and storage of corporate information to include personal data.
8.1. Ensuring the Security of Personal Data
8.1.1. Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
Data processing responsibilities have been determined and defined in the relevant job descriptions for the lawful processing of personal data in the institution. Data processing environments and processing conditions have been made suitable depending on the data processing responsibilities.
8.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The access rights of users responsible for processing personal data in the institution are regulated according to the relevant applications. Users who are not responsible for processing data do not have authorization in the relevant applications. In this context, the passwords used by data processing officers are changed at regular intervals.
Administrative and technical measures include the following issues. Although our company is obliged to take these measures completely and prevent illegal access, if third parties nevertheless gain illegal access to personal data, it takes all technical and administrative measures in accordance with the relevant legislation and Board decisions regarding the protection of personal data to prevent harm to the relevant persons. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
• Access and authorization technical solutions are being put into operation.
• The technical measures taken are periodically inspected by our Company.
• Virus protection system software and hardware have been installed.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• Corporate policies have been prepared and implemented on information security, storage and destruction.
• Awareness training on data security has been provided to personnel.
8.1.3. Storing Personal Data in Secure Environments
Personal data in the institution is stored in physical and electronic environments depending on their characteristics. Access to physical environments is under control. Cabinets containing personal data are kept locked. Data in electronic environments are processed according to access authorizations. Computers containing processed personal data are protected with advanced passwords consisting of 12-digit lower/upper case and number combinations that are changed periodically. Access to data by unauthorized persons is limited with the authorization matrix system.
8.1.4. Audit of Measures Taken for the Protection of Personal Data
As part of the technical measures taken within our company, the data recording systems used are periodically monitored and audited to confirm that they are created and used in accordance with the Personal Data Protection Law and relevant legislation.
8.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
In case personal data is obtained by others through illegal means, our company, as the data controller, is obliged to inform the persons whose personal data has been disclosed without authorization and the Personal Data Protection Board.
If the unauthorized disclosure of personal data is proven, with clear/objective evidence, to be intentional, the "Personnel Disciplinary Regulation" will be immediately implemented and legal and administrative processes will be initiated urgently.
8.2. Observance of the Rights of the Data Owner and Evaluation of the Requests of the Data Owners
Our company puts in place the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 18 of the Personal Data Protection Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners. Detailed information is provided in Section 10 of this Policy.
8.3. Protection of Special Personal Data
The Personal Data Protection Law has given special importance to certain personal data due to the risk of causing victimization or discrimination when processed illegally. These data include data on race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Our company does not receive your special personal data within the scope of its activities and does not store any data within this scope determined by law.
8.4. Increasing Awareness and Supervision of Our Company Departments on the Protection and Processing of Personal Data
Annual audits will be conducted with internal/external sources within the scope of Internal Audit/Quality practices to verify that the collection, processing, classification, deletion/destruction/removal of access rights/anonymization processes of personal data are effectively implemented.
The main administrative measures include at least the following:
• Employees are informed about the law on the protection of personal data and the processing of personal data in accordance with the law.
• All activities carried out by our company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed for the commercial activities carried out by the relevant business units.
• For the personal data processing activities carried out by our company's business units, the requirements to be met to ensure that these activities comply with the personal data processing conditions sought by Law No. 6698 are determined for each business unit and the detailed activities it carries out.
• Awareness is created and application rules are determined for the relevant business units; the necessary administrative measures to ensure the control of these issues and the continuity of the application will be implemented through in-house policies and information, awareness training, warning mechanisms (boards, announcements, orientation, etc.).
9. RIGHTS OF PERSONAL DATA OWNERS; EXERCISE AND EVALUATION OF THESE RIGHTS
Our Company informs the personal data owner of their rights in accordance with Article 10 of the Personal Data Protection Law and guides the personal data owner on how to use these rights. Our Company also puts in place the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
9.1. Rights of the Data Owner and the Exercise of These Rights
9.1.1. Rights of the Personal Data Owner
Personal data owners have the following rights:
• To learn whether personal data is being processed,
• To request information about personal data if it has been processed,
• To learn the purpose of processing personal data and whether it is being used in accordance with its purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of personal data if it is processed incompletely or incorrectly and to request notification of the transaction made to third parties to whom personal data is transferred,
• To request deletion or destruction of personal data if the reasons requiring processing are eliminated despite the fact that it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request notification of the transaction made to third parties to whom personal data is transferred,
• To object to a result against the person arising from the analysis of the processed data exclusively through automated systems,
• To request compensation for the damages incurred due to the unlawful processing of personal data.
9.1.2. Cases Where Personal Data Owners Cannot Claim Their Rights
Personal data owners cannot claim their rights listed in 9.1.1. in the following cases, since these cases are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of the Personal Data Protection Law:
• Processing of personal data for purposes such as research, planning and statistics by anonymizing them through official statistics.
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or execution proceedings.
According to Article 28/2 of the Personal Data Protection Law; in the cases listed below, personal data owners cannot assert their other rights listed in 9.1.1., except for the right to demand compensation for damages:
• Personal data processing is necessary for the prevention of crime or criminal investigation.
• Processing of personal data made public by the personal data owner.
• Personal data processing is necessary for the performance of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institution, based on the authority granted by law.
• Personal data processing is necessary to protect the economic and financial interests of the state in relation to budget, tax and financial matters.
9.1.3. Use of Rights by Personal Data Owners
Personal Data Owners may submit their requests regarding their rights listed under heading 9.1.1 of this section to our Company through the Application Form with information and documents that will identify them and through the methods specified below or other methods determined by the Personal Data Protection Board:
In order to exercise the rights under the law, the conditions and methods specified in the circular published by the Personal Data Protection Authority must be followed. The application must be made with the form in the Application Form tab on the website.
After completely filling out the application form that you have obtained from the website, together with documents that prove your identity:
• You can deliver it to the address “...” with a signature.
• You can send the signed form to the address “...” via a Notary Public.
• You can send it to the addresses “...” or “...” with an electronic signature.
In order for third parties to submit an application on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public in the name of the person who will apply. Applications made without a power of attorney will be considered invalid.
9.1.4. Personal Data Owner's Right to Complain to the PDP Board
In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, in accordance with Article 14 of the PDP Law, the personal data owner may complain to the PDP Board within thirty (30) days from the date of learning of our Company's response and in any case within sixty (60) days from the date of application.
9.2. Our Company's Response to Applications
Applications regarding personal data processing activities must be made to our Company. In your applications, it is mandatory to include name-surname, signature, Turkish Republic identity number, residence or workplace address, e-mail address, telephone and fax number, and the requested elements, as per the “Communiqué on the Procedures and Principles of Application to the Data Controller”. Applications that do not contain the said elements will be rejected by the Company.
9.2.1. Our Company's Procedures and Period for Responding to Applications
If the personal data owner submits his/her request to our Company in accordance with the procedure in section 9.1.3 of this section, our Company will finalize the relevant request free of charge within thirty (30) days at the latest, depending on the nature of the request. However, if a fee is foreseen by the Personal Data Protection Board, our Company will collect the fee from the applicant in the tariff determined by the Personal Data Protection Board.
9.2.2. Information Our Company May Request from the Applicant Personal Data Owner
In order to determine whether the person applying to our company is the personal data owner, we may request information from the relevant person. Our company may ask the personal data owner questions regarding their application in order to clarify the issues included in it. The information and documents specified in this form and submitted to us may be collected in writing, verbally, electronically or physically as a result of the application made in accordance with Article 13 of the Law. The collected data will be processed by our company for the limited purposes of evaluating, responding to and finalizing the application. In line with the examination conducted within this scope, the relevant information may be shared with our company and third parties and companies such as law offices and consultancy companies from which services are received for the finalization of the application in question.
9.2.3. Our Company's Right to Reject the Application of the Personal Data Owner
Our Company may reject the application of the applicant by explaining the reason in the following cases.
• Processing of personal data for purposes such as research, planning and statistics by anonymizing it through official statistics.
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.
• Processing of personal data is necessary for the prevention of crime or criminal investigation.
• Processing of personal data made public by the personal data owner.
• Personal data processing is necessary for the performance of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
• Personal data processing is necessary to protect the economic and financial interests of the state in relation to budget, tax and financial matters.
• The request of the personal data owner is likely to impede the rights and freedoms of other persons.
• Requests requiring disproportionate effort have been made.
• The requested information is public information.
10. CHANGES AND UPDATES
... may make changes or updates to this policy in line with legal regulations and company policy. Necessary information is provided to the relevant persons about the new policy text reflecting all these changes and updates via the website or social media platform accounts.
11. RELATIONSHIP OF PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
.... has created the principles set forth in this document based on policies regarding other data assets within the Company and sub-procedures for internal use regarding the protection and processing of personal data. Together with other protocols prepared within our Company in accordance with the provisions of the relevant Law that entered into force, the data security of our visitors, customers, employees, job candidates, business partners, suppliers, solution partners and partners of all degrees has been protected at the highest possible level.
12. ENFORCEMENT
This Policy entered into force on 27.01.2021 within the scope of the KVKK Compliance Project carried out within our company.