NUESTRA POLÍTICA DE LOPD

1. CHAPTER: INTRODUCTION

1. IMPORTANCE OF PROTECTION OF PERSONAL DATA

The protection of personal data is a constitutional right and is within the scope of our Company’s priorities. As a matter of fact, it is aimed to establish a system which is constantly updated in our Company and this policy has been established. Within the scope of the Personal Data Protection Law No. 6698, this Policy is made in order to fulfill the general disclosure obligation of HAUS Centrifuge Tech. (Company) as Data Responsible and to determine the basic principles of our Company’s personal data processing rules and in this context, the protection of the personal data of our customers, potential customers, employees, employee candidates, trainees and students, supplier / subcontractor employees and authorities, company shareholders and company partners, visitors and other data we process.

To implement the issues specified in this Policy, necessary procedures are organized within the Company enlightening texts are created compatible with Personal Data Processing Inventory specific to person categories, personal data protection and confidentiality agreements are made with Company employees and third parties that have access to personal data, job descriptions are revised, for the protection of personal data, administrative and technical measures are taken by HAUS Centrifuge Tech. and in this context, necessary evaluations performed or being performed. The protection of personal data is also under the responsibility of the top management, and the protection of personal data is managed through the establishment of a special Committee (the Company’s PDP Committee).

• THE PURPOSE OF POLICY

The main purpose of this Policy is to establish the principles of personal data processing and protection of personal data, which are carried out by HAUS Centrifuge Tech. in accordance with the law, and to ensure transparency by informing and informing the persons whose personal data is processed by our company.

• SCOPE

This Policy relates to all personal data of individuals categorized under the titles of “our customers, potential customers, employees, employee candidates, trainees and students, supplier / subcontractor employees and officials, company shareholders and company partners, visitors, parents / guardian / representative and other third parties” that we process in an automated or non-automated manner provided that they are part of any data recording system.

1. IMPLEMENTATION OF POLICY AND RELATED LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of any inconsistency between the current legislation and the Policy, our Company accepts that the current legislation will find its application.

1. ACCESS AND UPDATE

Policy is published on our Company’s website www.haus.com.tr and made available to the relevant persons upon request of the personal data owners and updated as necessary.

2. CHAPTER: PROCESSING PERSONAL DATA

Our Company, in the processing of personal data, conducts personal data processing proper with the law and the rules of honesty, accurate and up to date when necessary; for specific, clear and legitimate purposes; in a limited and measured manner, in accordance with Article 20 of the Constitution and Article 4 of the PDP Law. Our Company stores personal data for the period required by law or for the purpose of personal data processing.

Our Company processes personal data in accordance with Articles 20 of the Constitution and 5 of the PDP Law and based on one or more of the provisions of Article 5 of the PDP Law on the processing of personal data.

Pursuant to Article 419 of the Code of Obligations, our Company processes the personal data of employees and prospective employees based on their tendency to work and the performance of the employment contract reserving PDP Law No.6698.

Our Company enlightens personal data owners in accordance with Articles 20 and 10 of the PDP Law and provides the necessary information if personal data owners request information and apply to use their rights arising from the law and responds to the applications within the legal period.

Our company acts in accordance with the regulations envisaged for the processing of private personal data in accordance with Article 6 of the PDP Law.

Our Company complies with the rules stipulated in the Law on the transfer of personal data in accordance with Articles 8 and 9 of the PDP Law and performs the application by taking into consideration the decisions taken and published by the PDP Board and the safe country lists.

• PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES AND RULES PROVIDED IN THE LEGISLATION

1. Principles of Processing of Personal Data
2. Processing in Accordance with Law and Honesty Rule

Our company; acts in accordance with the principles brought by legal regulations and honesty in the processing of personal data. In this context, our Company identifies legal grounds that will require the processing of personal data, takes into account the requirements of proportionality, does not use personal data outside of the intended purpose and does not perform any processing without the knowledge of the persons.

1. Ensuring That Personal Data Is Accurate and Up to Date When Necessary

Our company; considering the fundamental rights of the personal data owners and their legitimate interests, it ensures that the personal data it processes are accurate and up-to-date and takes necessary measures in this direction. In this context, data on all categories of people are kept up to date. In particular, customer and potential customer data are carefully updated and e-mails and offers are not sent to individuals for marketing and promotional purposes contrary to their consent.

1. Processing for Specific, Clear and Legitimate Purposes

Our company clearly and accurately determines the purpose of processing legitimate and lawful personal data. Our company processes personal data in connection with the service it provides and processes it as necessary. The purpose of the processing of personal data is determined by our company before the processing activity and is also recorded in the “Personal Data Inventory”.

1. Being Affiliated, Limited and Restrained on The Purpose of Processing

Our Company processes the use of personal data in an appropriate manner and avoids the processing of personal use that is not or is not required to achieve the purpose. In this context, processes are constantly reviewed and the principle of minimalization of personal data is tried to be implemented.

1. Retention Time Required By The Relevant Legislation or For The Purpose For Which It Was Processed

Our Company maintains personal data only for the period required for the purpose specified in the relevant legislation or processed. In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, if a period is determined, acts in accordance with this period, takes into account the statutory limitation periods and stores the personal data for the time required for the purpose for which they were processed. If the reasons for expiration or elimination of personal data are eliminated, personal data is deleted, destroyed or anonymized in accordance with our Company’s “Storage and Deletion of Personal Data” policy.

2. Rules for the Processing of General Personal Data

Protection of personal data is a constitutional right, and fundamental rights and freedoms may be restricted only by law, without being touched by the substance of the Constitution, solely for the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may be processed only in cases provided for by law or with the express consent of the person. In the processing of personal data, our company only processes personal data without the express consent of the person concerned if there are any of the following conditions;

1. Explicitly stated in the law,
2. It is to be compulsory for the protection of the life or body integrity of the person who is unable to disclose his consent due to the impossibility of the person or whose consent is not granted legal validity,
3. If the processing of personal data of the parties to the contract is required, provided that it is directly related to the establishment or performance of a contract,

Ç) Obligation for the data responsible to fulfill his legal obligation,

1. Publication by the person concerned,
2. Data processing is mandatory for the establishment, use or protection of a right,
3. If data is compulsory for the legitimate interests of the data responsible, provided that they do not harm the fundamental rights and freedoms of the person concerned

In the absence of the above conditions, our Company uses the consent of the person concerned based on open, free will and information. Especially in the field of Human Resources and labor relations, taking into consideration the dependency relationship of the employee, the data is primarily based on the reasons for compliance with the law which is not consented, but in the absence of such reasons, explicit consent is applied. On the other hand, processing activities are carried out based on the consent of the person concerned in activities such as marketing. However, in all cases where personal data is processed, people are always “enlightened” and data processing is carried out.

3. Rules for the Processing of Private Personal Data

The Company complies with the regulations stipulated in the PDP Law for the processing of personal data designated as “private category by the PDP Law. In Article 6 of the PDP Law, several personal data that are at risk of causing exploitation or discrimination of persons when processed unlawfully are identified as “private category” and attention and sensitivity should be paid to the processing of such data. These include data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, and biometric and genetic data. Pursuant to the KVK Law, personal data are processed by our Company in the following cases provided that the necessary precautions are taken:

ü Personal data, other than the health and sexual life of the personal data owner, are based on the circumstances provided for by law or if the personal data owner has explicit consent,

üPersonal data relating to the health and sexual life of the personal data owner may only be used by persons or authorized institutions who are under the obligation of secrecy for the purpose of protection of public are processed by organizations or with the express consent of the personal data owner.

ü Regardless of the reason, the general data processing principles are always considered in the processing processes and compliance with these principles is ensured. (Art. 4 of the KVK Law; see Chapter 2 above, I, 1.

As regards the protection of private data, the “Protection of Private Data Policy” has been put into effect in our company, and our business units act in accordance with the provisions of this policy and take the necessary measures.

4. Enlightening and Informing Related Persons Whose Data Processed

In accordance with Article 10 of the PDP Law, our Company informs the owners of personal data during the acquisition of personal data. In this context, the purpose of the processing personal data of the relevant person, the processed personal data can be transferred to whom and for what purpose, the method of collecting personal data and legal reasons and the rights of the person whose personal data is processed are explained and The relevant units of our Company fulfill the required procedures in accordance with our Company’s “Enlightening Principles Policy”. Again, in Article 11 of the PDP Law, “Requesting Information” is listed among the rights of the person whose personal data is processed and in accordance with Articles 20 of the Constitution and Article 11 of the PDP Law, our Company provides the necessary information if the person whose personal data is processed requests information and in this respect, the Company performs transactions in accordance with the «Concerned Person Application Procedure».

• PERSONAL DATA TRANSFER

Our company can transfer the personal data of the person whose personal data is processed to the third parties by taking necessary security measures in accordance with the legal data processing purposes. In this respect, our company acts in accordance with the regulations stipulated in article 8 of the PDP Law.

1. Principles of Transferring Personal Data

For legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties based on one or more of the personal data processing conditions set out in Article 5 of the Law following:

If the person whose personal data is processed has explicit consent, based upon this; or

• If there is a clear regulation in the law that personal data will be transferred,
• If it is compulsory for the protection of the life or body integrity of the personal data owner or someone else, if the personal data owner is unable to disclose his consent due to actual impossibility or his/her consent is not granted legal validity;

• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for our company to fulfill its legal obligation,
• If the personal data are publicized by the person concerned,
• If personal data transfer is compulsory for the establishment, use or protection of a right,
• If personal data transfer is compulsory for the legitimate interests of our Company if it is necessary to transfer personal data provided that it does not harm the fundamental rights and freedoms of the person concerned, personal data could be transferred.

Regardless of the reason, the general principles of data processing are always considered in the transfer processes and compliance with these principles is ensured. (Article 4 of the PDP Law; see Chapter 2 above, I, 1).

2. Transfer of Private Personal Data

Our company is able to transfer the personal data of the person concerned whose private personal data is processed to third parties for legitimate and lawful personal data processing purposes in the following cases with due diligence, taking necessary security measures, Taking adequate measures foreseen by the PDP Board.

• if the person has explicit consent, based upon this or
• if the person has no explicit consent;
  • In cases prescribed by law, private personal data related to person other than personal health and sexual life (data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, criminal convictions, security measures, and biometric and genetic data),
  • Personal data relating to the health and sexual life of the person concerned may be processed by persons under the obligation of keeping secrets or authorized institutions and organizations for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.

Regardless of the reason, the general principles of data processing are always considered in the transfer processes and compliance with these principles is ensured. (Article 4 of the KVK Law; see Chapter 2 above, I, 1).

3. Transferring Personal Data Abroad

Our company is able to transfer the personal data and private personal data it processes to third parties by taking the necessary security measures in accordance with the legal personal data processing purposes. Personal data  could be transferred by our company to foreign countries (Foreign Country with Adequate Protection ”) that have been declared by PDP Board to be sufficient in having protection  or in case of the lack of adequate protection if an adequate protection committed in writing by data responsible  in Turkey and in the foreign countries (Foreign Country in which the Data Responsible is Committed to Adequate Protection ”) where had the PDP Board’s permission.

For the purposes of legitimate and lawful personal data processing, if the person whose personal data is processed has explicit consent or does not have explicit consent, our Company may transfer the personal data to the Foreign Countries where has the Adequate Protection or the Data Responsible Committed to Sufficient Protection in the presence of one of the following situations:

• If there is a clear regulation in the law that personal data will be transferred,
• If it is compulsory for the protection of the life or body integrity of the personal data owner or someone else, if the personal data owner is unable to disclose his consent due to actual impossibility or his/her consent is not granted legal validity;
• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for our company to fulfill its legal obligation,
• If the personal data are publicized by the person concerned,
• If personal data transfer is compulsory for the establishment, use or protection of a right,
• If personal data transfer is compulsory for the legitimate interests of our Company if it is necessary to transfer personal data provided that it does not harm the fundamental rights and freedoms of the person concerned.

4. Purposes of Transferring Personal Data by Our Company and Person Whose Data Transferred Categories
5. Data Transfer Objectives

Data transfer is carried out for the purposes such as ensuring the fulfillment of the objectives of our company’s activities and organizations, ensuring that the services provided by our Company from the supplier outsourced and necessary for carrying out the commercial activities of our Company are provided to our Company, ensuring the execution of human resources and employment policies of our company, ensuring the fulfillment of the obligations and the necessary measures to be taken within the framework of occupational health and safety of our company.

1. The Persons to Whom Data Transferred

In accordance with Articles 8 and 9 of the PDP Law, personal data can be transferred to the following categories of persons:

AUTHORIZED PUBLIC INSTITUTIONS	Public institutions and organizations authorized to receive information and documents from our company	Data is shared according to the relevant legislation.
AUTHORIZED PRIVATE LAW PERSON	Private law persons authorized to receive information and documents from our company	There is limited data sharing for the purpose requested by the relevant private law persons within the legal authority.
SUBSIDIARIES	Companies in which our company is a shareholder	Data sharing is limited in order to ensure the conduct of commercial activities of our Company which require the participation of subsidiaries.
SHAREHOLDER	Shareholders of the Company	Data sharing is limited for the purpose of designing strategies for the commercial activities of our Company and for evaluation purposes.
BUSSINESS PARTNERS	The parties that the Company establishes business partnerships for the purposes of sales, promotion and marketing of our company’s products and services, after-sales support, and the execution of joint customer loyalty programs while conducting commercial activities of our company.	Data sharing is limited in order to ensure that the business partnership aims to be established.
SUPPLIER	Our company’s commercial activities	Data sharing is limited in order to provide the necessary services for the Company to carry out its commercial activities provided by outsourcing of the Company from the supplier.
GROUP COMPANIES UNDER OUR SUBSIDIARY	Inside Our Company’s subsidiary or group	In order to conduct commercial activities of our company, data is shared with our subsidiary in a limited and measured manner. Personal data is shared due to the operational processes and support processes carried out together, and data is shared with other group companies in a limited and limited manner in order to conduct commercial activities of our Company.

Transactions made by our Company are in compliance with the principles and rules set forth in this Policy.

• PERSONAL DATA CATEGORIES

Persons whose data are processed in our company and the data processed within this scope are categorized as follows;

PERSON CATEGORIZATION

EMPLOYEE CANDIDATE	Real persons who have applied for a job in any way or have opened their CV and relevant information for review.
EMPLOYEE	Real persons working in our company
SHAREHOLDERS / PARTNERS	Real persons who are shareholders and partners of our company
POTENTIAL CUSTOMER	Natural persons who have requested or are interested in the use of our products and services or have been assessed in accordance with the rules of commercial custom and honesty to which they may have interest
INTERN /STUDENT	Persons who do internships in our company and who work under the Law on Vocational Training of Employees (VTEL)
SUPPLIER EMPLOYEES	Real persons who work in organizations (such as, but not limited to, business partners, suppliers) with which our Company has business relations
SUPPLIER AUTHORIZATION	Real persons in Our company’s business relationship with the institutions’ shareholders and officials
CLIENT	Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company
CUSTODIAN / GUARDIAN / REPRESENTATIVE	Real persons whose personal data are processed as custodians, guardians or representatives.
VISITOR	Real persons who have entered the physical campus of our Company for various purposes or who have visited our websites
MISCELLANIOUS	Third party real persons (eg family members and relatives) associated with the Company in order to ensure the security of commercial transactions with the above-mentioned parties or to protect the rights and interests of such persons.

DATA CATEGORIZATION

The ID INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; Information on documents such as driver’s license, identity card, residence, passport, attorney ID, marriage certificate

The COMMUNICATION INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; phone number, address, e-mail

LOCATION INFO	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; such an information that identifies the location of the employee’s use of our products and services, or the location of employees of organizations with whom we collaborate with our employees while using our Company’s vehicles
PERSONNEL FILE	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; such any personal data that is processed to obtain information that will constitute the basis for the personal rights of our employees or real persons in working relationship with our Company.
LEGAL PROCESS AND COMPLIANCE INFORMATION	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; such personal data processed within the scope of determination, follow-up of our legal receivables and rights and performance of our debts and compliance with our legal obligations and policies of our company
CUSTOMER TRANSACTION INFORMATION	It is evident that the identity belongs to a certain or identifiable real person and is contained within the data recording system; such information on the use of our products and services, as well as instructions and requests required by the customer for the use of the products and services
PHYSICAL SPACE SAFETY INFORMATION	It is evident that the identity belongs to a certain or identifiable real person and is contained within the data recording system; such personal data on records and documents received during entry into the physical space, during the stay in the physical space
OPERATIONAL SAFETY INFORMATION	It is evident that the identity belongs to a certain or identifiable real person and is contained within the data recording system; such personal data processed to ensure technical, administrative, legal and commercial security while conducting activities.
RISK MANAGEMENT INFORMATION	It is evident that the identity belongs to a certain or identifiable real person and is contained within the data recording system; such personal data processed in accordance with generally accepted legal, commercial custom and honesty rules in these areas in order to manage our commercial, technical and administrative risks
FINANCIAL INFORMATION	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; such personal data regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company’s personal data owner
PERFORMANCE AND CAREER DEVELOPMENT KNOWLEDGE (PROFESSIONAL EXPERIENCE KNOWLEDGE)	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; such personal data processed to measure the performance of our employees or real persons in working relationship with our Company and to plan and conduct career developments within the scope of our company’s human resources policy
MARKETING INFORMATION	The INFO which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; personal data of our products and services in order to be customized and marketed according to the usage habits, tastes and needs of the personal data owner and the reports and evaluations created as a result of these processing results
VISUAL / AUDIO INFORMATION	The Personal Data which is processed partially or fully automated or non-automated processing as part of the data recording system and obvious that it belongs to an identified or identifiable real person; For example: photographs and camera recordings (except those included in the Physical Space Security Information), audio recordings and data contained in documents that are copies of documents containing personal data
PRIVATE DATA I(HEALTH / SEXUAL LIFE)	Data on health and sexual life
PRIVATE DATA II	data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data

3. CHAPTER: LEGAL BASIS AND PURPOSES OF PROCESSING PERSONAL DATA

1. LEGAL BASIS OF PROCESSING PERSONAL DATA

1. General Principles

Although the legal basis for the processing of personal data varies by our company, all kinds of personal data processing activities are carried out in accordance with the general principles in article 4 of the Law No. 6698. According to this; all kinds of data processing

1. Compliance with law and honesty,
2. Accuracy and up to date when necessary,
3. Processing for specific, clear and legitimate purposes,
4. Being connected, limited and restrained for the purpose they are processed,
5. e) The general principles of keeping for the period required for the purpose for which they are envisaged or processed are taken into consideration in the relevant legislation.
6. Reasons for Compliance with Law

1. Obtaining the Explicit Consent Of The Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should be disclosed on a particular subject, based on information and free will.

1. Clearly Stated in Laws

The personal data of the data owner may be processed in accordance with the law if explicitly provided for in the law.

For example, reporting the identity of our employees to the competent authorities in accordance with the Identity Legislation.

1. Failure to Obtain Explicit Consent of The Person Due to Actual Impossibility

Personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to disclose his consent due to the actual impossibility or whose consent cannot be validated, or to protect the life or body integrity of another person. For example, sharing the blood group information of the fainted employee with the physician.

1. Direct Interest in The Establishment or Execution of the Contract

Provided that it is directly related to the establishment or execution of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract. For example, obtaining CVs from the candidate for the establishment of the employment contract, obtaining an address for notification within the scope of the contract.

1. Fulfilling the Company’s Legal Obligation

If it is compulsory for our company to fulfill its legal obligations as data responsible, personal data of the data owner may be processed. For example, the processing of family information to benefit the Employee from the Minimum Living Allowance.

1. Publicization of Personal Data by Data Owner

If the data owner has publicized his/her personal data, the relevant personal data may be processed. For example, if our Company’s customers present their complaints, requests or suggestions on a public platform on the internet, they publicize their relevant information. In this case, it is possible for the authorized person of our Company to process the data provided that it is limited to respond to complaints, requests or suggestions.

1. G) Requiring Data Processing to Establish or Protect a Right

If it is necessary to process data for the establishment, use or protection of a right, the personal data of the data owner may be processed. For example, storage of proof data (sales contract, invoice) and use as needed.

1. Obligation of Data Processing for the Legitimate Benefit of Our Company

Personal data of the data owner may be processed if it is compulsory for the legitimate interests of our Company to process data provided that it does not harm the fundamental rights and freedoms of the personal data owner. For example, monitoring the Company’s critical points against theft or occupational safety with a security camera.

3. Processing of Private Personal Data and Reasons for Compliance with Law

If the personal data owner does not have explicit consent, private personal data can only be processed by our company, provided that enough measures are taken by the PDP Board. Personal data relating to the health and sexual life of the personal data owner may be processed by persons who are obliged to keep confidential information or by authorized institutions and organizations only for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Regardless of the reason, the general data processing principles are always considered in the processing processes and compliance with these principles is ensured (Article 4 of the PDP Law; see Chapter 2 above, I, 1).

• PURPOSE OF PERSONAL DATA PROCESSING

Our Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in article 5, paragraph 2, and paragraph 6 of article 6 of the Personal Data Protection Law No. 6698. In the process of data processing, the legal basis mentioned above is taken into consideration and the consent of the person is requested if there are no other reasons for compliance with the law. Here too, general principles are audited under Article 4, and above all, data processing is generally required to comply with the principles of lawfulness. The consent of the person concerned is obtained in an «open, informative and free will» manner. The purposes of processing personal data are also stated in the “Personal Data Inventory” of our Company.

Personal data are processed in the units of our Company especially for the following purposes;

• In order to fulfill the mutual obligations arising from the employment contract as an employer, the personal data of the employees must be processed. Personal data of employees; accurate and up-to-date when necessary; for specific, clear and legitimate purposes; are processed and stored in a connected, limited and measured manner. In this context, carrying out Establishment, execution and termination of the employment contract in accordance with the law, the fulfillment of legal obligations related to the employment of employees provided that it is not contrary to fundamental rights and freedoms, the Company’s legitimate interests, the conditions explicitly provided for in the law, In cases of legal follow-up, data processing is mandatory for the establishment, use and protection of the right and required the clear, informative, and free-will consent of the employees in other circumstances form the legal basis for personal data processing in order to ensure that employees are employed in accordance with the law.

• Within the scope of activities required by the Company’s field of activity, the legitimate interests of the employer require the processing of personal data of the employees. As a matter of fact, it is possible to carry out the processing of personal data of employees due to reasons such as prevention of abuse, prevention of theft, general security or ensuring occupational health and safety. However, great care is taken not to harm the fundamental rights and freedoms of the employees.

• Most of the personal data of the employees being processed is obtained from the information provided to the Company by the employees. Again, in some cases, personal data of employees may come to the Company from internal sources such as Company executives or from employees’ references or data from systems established by public institutions and organizations due to working life requirements.
• Personal data of employees being processed are formed of application forms and references of employees, employment contracts and changes, employee contact information, information required for payroll, family or close information such as persons to be contacted in case of emergency, employee training records, performance evaluation records, discipline records, camera records.

• There are rules in many Company policies and procedures regarding the processing of personal information of employees. In this regard, the “Personal Data Policy” which is available on the Company’s website, may be examined. This document can also be accessed from the Company’s intranet / QDMS system and can also be obtained from the Human Resources Department in paper / hard copy environment.

• Employee health information is also included in the processed personal data. Information on the health and sexual life of employees is generally processed by persons or authorized institutions and organizations under the obligation to preserve public health, conduct preventive medicine, medical diagnosis, treatment and care services, and plan and manage health services and financing. In this context, the health data of the employees and the details related to these are as a rule in the occupational physician and health unit.

• “In the event that the employee becomes a member of the union after the status of employee (not requested in the employee candidate category), union membership can also be processed in accordance with the explicit provisions of the law in order to meet the requirements of legal legislation. Apart from this, unless the data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, and biometric and genetic data of the employees are explicitly stipulated in the law as a rule, they are not included in the processed personal data, requirements are carefully evaluated before processing personal data.

• The company has control and oversight of information communication tools (telephone, mobile phones, computers and the Internet). Law no. 5651 and the legitimate interests of our Company constitute the legal basis of these practices.
• Vehicle tracking system can be applied in the vehicles of our company on the grounds of security and more effective management of vehicles and personnel». The aforementioned activity is based on the legitimate interests of our company, but it does not harm the fundamental rights and freedoms of the employees.

• In line with the aim of ensuring the execution of human resources policies of our company; Personnel recruitment in accordance with the human resources policies of our company, recruitment of personnel suitable for open positions, conducting human resources operations in accordance with the human resources policies of our company, selection of employee candidates, management of personal affairs, determination of training and career plans, fulfillment of obligations in the framework of occupational health and safety and taking necessary measures form the purposes of data processing.

• The personal data of supplier / subcontractor employees can also be processed by our Institution. Thus Law No. 6331 provides the principal employer with documents and information to be checked regarding occupational health and safety from employees from another workplace. Likewise, in the Labor Law No. 4857 and the Social Insurance and General Health Insurance Law No. 5510, obligations related to subcontractor workers and temporary workers have been imposed on the principal employer and the issues that need to be controlled are stated. Accordingly, the processing of the personal data of the employees working in our workplace depending on the supplier and other employers is based on the legitimate interests of our company, in particular the legal improvements in question.

• Personal data may also be processed in our related departments for the purposes of:

• Execution of emergency management processes
• Conducting information security processes
• Conducting evaluation / ethical activities
• Conducting training activities
• Conduction of access privileges
• Conducting activities in accordance with the legislation
• Finance and accounting
• Conducting loyalty processes to companies / products / services
• Ensuring the security of physical space
• Carrying out the assignment processes
• Monitoring and execution of legal affairs
• Carrying out internal audit / investigation / intelligence activities
• Conducting communication activities
• Execution of goods / services / production and operation processes
• Carrying out customer relations processes
• Conducting customer satisfaction activities
• Organization and event management
• Conducting marketing analysis studies
• Conducting performance evaluation processes
• Carrying out advertising / campaign / promotion processes
• Execution of risk management processes
• Storing and archiving activities
• Social responsibility and civil society activities
• Conduct of contract processes
• Carrying out sponsorship activities
• Carrying out strategic planning activities
• Tracking of requests / complaints
• Ensuring security of movable goods and resources
• Conducting supply chain management processes
• Carrying out marketing processes of products / services
• Ensuring the security of data responsible operations
• Foreign personnel work and residence permit procedures
• Execution of investment processes
• Giving information to authorized persons, institutions and organizations
• Carrying out management activities
• And for the purpose of creating and monitoring visitor records.
• For the purposes of occupational health and safety, general security and product safety, camera monitoring in the workplace is carried out on the condition that it does not harm the fundamental rights and freedoms of our visitors, the persons whose data are processed within this scope and especially the employees, taking into consideration the legitimate interests of the Company.

4. CHAPTER: STORAGE, DELETION, DISPOSAL AND ANONIMIZATION OF PERSONAL DATA

Although our Company has processed in accordance with the provisions of the relevant law as provided for in Article 138 of the Turkish Penal Code and Article 7 of the PDP Law, personal data will be deleted upon the decision of our Company or upon the request of the personal data holder, in case the reasons that require it are eliminated or anonymous.

• STORAGE OF PERSONAL DATA AND STORAGE PERIOD

If required by the relevant laws and regulations, our Company stores its personal data for the period specified in the related legislation. If the legislation on how long personal data should be stored is not regulated for a period of time, personal data is processed, then deleted, destroyed or anonymized for the period required to be processed in accordance with the practices and commercial practices of our Company in connection with the services provided by our company while processing that data. If the purpose of processing personal data has expired and the storage period determined by the relevant legislation and the company has been reached; personal data may only be stored in order to provide evidence in case of possible legal disputes or to assert the relevant right to personal data or to establish defense. Although the statute of limitations and the statute of limitations for the exercise of the right mentioned in the establishment of these periods have passed, retention periods are determined based on the examples in the requests submitted to our Company on the same subjects. In this case, the stored personal data is not accessed for any other purpose and is only accessible when it is required to be used in the relevant legal dispute. Here too, after the expiry of this period, personal data is deleted, destroyed or anonymized.

• PERSONAL DATA DELETION, DISPOSAL AND ANONIMIZATION

Although it has been processed in accordance with the provisions of the relevant law as provided for in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data are deleted, destroyed or anonymized upon the decision of our Company or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. In this context, our Company fulfills its obligation with the methods explained in this section.

1. Deleting Personal Data
2. Deletion of Personal Data

Although our company has processed in accordance with the provisions of the relevant law, personal data may be deleted in accordance with its decision or upon the request of the personal data owner in case the reasons requiring processing are eliminated. Deletion of personal data is the process of making personal data inaccessible and reusable for the users concerned. Our Company takes all kinds of technical and administrative measures to ensure that deleted personal data cannot be accessed and reused for the relevant users.

1. Process of Deleting Personal Data

• Determination of personal data that will be subject to deletion.
• Identify relevant users for each personal data using an access authorization and control matrix or similar system.
• Determination of the authorization and methods of access, retrieval, reuse, etc.
• Closing and eliminating the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data.

1. Methods for Deleting Personal Data

Since personal data can be stored in various recording media, it is deleted by appropriate methods.

2. Disposal of Personal Data
3. Personal Data Disposal Process

Although our company has processed in accordance with the provisions of the relevant law, personal data may be disposed in accordance with its decision or upon the request of the personal data owner in case the reasons requiring processing are eliminated. Disposal of personal data is the process by which personal data cannot be accessed, retrieved or reused by anyone in any way. Our company takes all kinds of technical and administrative measures necessary for the disposal of personal data.

1. The Methods of Personal Data Disposal

For the disposal of personal data, all copies of the data are detected and the systems in which the data is found are destroyed individually.

3. The Anonymization of Personal Data
4. Personal Data Anonymization Process

The anonymization of personal data means that personal data cannot be associated with a certain or identifiable natural person, even by pairing it with other data. Our company is able to anonymize the personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated. Personal data is anonymized by making it unrelated to a specific or identifiable natural person, even through the use of appropriate techniques for the recording medium and the field of activity, such as the return of data by the data responsible or recipient groups and / or the mapping of data to other data. Our company takes all kinds of technical and administrative measures necessary to anonymize personal data.

Personal data, which has been anonymized in accordance with Article 28 of the PDP Law, may be processed for research, planning and statistics purposes. Such transactions are outside the scope of the KVK Law and will not require the express consent of the personal data owner.

1. The Methods of Personal Data Anonymization

The anonymization is that by removing or changing all direct and / or indirect identifiers in a data set, the identity of the person is prevented from being identified, or he or she loses its distinguishability in a group or crowd so that it cannot be associated with a real person. Data that does not indicate a particular person as a result of blocking or losing these features is considered anonymized data. The purpose of anonymizing is to break the link between the data and the person whom this data defines. All the relation breaking operations carried out by means of automatic or non-automatic grouping, masking, derivation, generalization, randomization, etc. are applied to the records in the data recording system where personal data is kept. The data obtained as a result of the application of these methods should not be able to identify a particular person.

5. CHAPTER: RIGHTS OF RELATED PERSONS

1. THE SCOPE OF THE RIGHTS OF THE RELATED PERSONS AND THE USE OF THESE RIGHTS

1. Rights of Related Persons

Persons whose personal data are processed by our company have the rights listed below:

• Find out if personal data is being processed,
• Request information if personal data has been processed,
• Learning the purpose of processing personal data and whether they are used properly,
• Knowing the third parties to whom personal data is transferred at home or abroad,
• Request correction of personal data if missing or incorrectly processed and request that the transaction carried out in this context be notified to third parties to whom the personal data has been transferred,
• Although it has been processed in accordance with the provisions of the PDP Law and other related law, to request the deletion or destruction of personal data in case the reasons requiring processing are eliminated and request that the transaction carried out in this context be notified to third parties to whom the personal data has been transferred ,
• Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• Request for damages in case of damage due to unlawful processing of personal data.

2. The Use of Rights by Related Persons

It is necessary and enough for the concerned persons to submit their requests regarding the use of the rights mentioned above in accordance with article 13 paragraph 1 of the PDP Law to our Company in the following ways;

Application Method	Address of Application	Information to be specified in application submission
Personal Application(Application by the applicant personally with a document proving his identity)	Ata OSB Mah. ASTİM Denizli Cad. No: 12, 09010 Organize Sanayi Bölgesi/Aydın, Turkey	«Request for Information within the Scope of the Personal Data Protection Law» will be written on the envelope.
Notification through a notary public	Ata OSB Mah. ASTİM Denizli Cad. No: 12, 09010 Organize Sanayi Bölgesi/Aydın, Turkey	«Request for Information within the Scope of the Law on Protection of Personal Data» shall be written in the notification envelope.
Through Signed with “Secure Electronic Signature” by Registered Electronic Mail (REM)	[email protected]	«Information Request for Personal Data Protection Law “will be written in the subject part of the e-mail.

In application;

It is obligatory to have the place of Name, Surname, if application is written T.R. ID Number for Turkish citizens, nationality, passport number or identification number (if any) for foreigners, residence or business address subject to the notification, the electronic mail address, telephone and fax number, the subject of the request, if any. Information and documents related to the subject are also added to the application.

It is not possible to request by third parties on behalf of personal data owners. In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the applicant. In your application as a personal data owner, which contains your explanations of the rights you have made and which you would like to use to exercise your rights mentioned above; your request must be clear and understandable, if you are acting on behalf of yourself or you are acting on behalf of someone else, you must be specifically authorized and document your authority, the application must include identification and address information, and the documents confirming your identity must be attached to the application.

It is not possible to request by third parties on behalf of personal data owners. In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the applicant.

The application form for data owners is available on the Company website.

3. Responding to Applications

In the event that the personal data owner submits the request to our Company in accordance with the prescribed procedure, our Company shall conclude the request free of charge within the shortest time and within thirty days at the latest according to the nature of the request. However, in case the transaction requires a separate cost, the applicant will be charged by the Company from the tariff determined by the PDP Board. Our company may request information from the person concerned to determine whether the applicant has personal data. In order to clarify the issues in the application of the personal data owner, our company may ask questions about the application of the personal data owner. Applications are managed within the Company according to the “Related Person Application Procedure” in of our Company.

6. CHAPTER: ENSURING SECURITY OF PERSONAL DATA

1. İ. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO PROVIDE PROPER PROCESSING OF PERSONAL DATA

Our company takes all necessary technical and administrative measures to ensure that personal data is processed in accordance with the law. In this context,

ü Within the scope of our company, Data Inventory (Data Mapping), which is compatible with VERBIS system, is prepared and compliance audits are carried out here.

üIn order to fulfill our company’s obligation of disclosure in a complete and correct manner, the «Enlightening Principles of Processing Personal Data Policy» has been put into effect.

ü Employees are informed about the law on the protection of personal data and the processing of personal data in accordance with the law.

üAll activities carried out by our company are analyzed in detail in all business units, and as a result of this analysis, personal data processing activities are revealed in relation to the activities performed by the relevant business units.

üThe personal data processing activities carried out by the business units of our Company, and the requirements to be fulfilled in order to ensure the compliance of these activities with the personal data processing requirements sought by Law No. 6698 are determined in each business unit and the detail activity it carries out.

üIn the contracts and documents governing the legal relationship between the Company and the employees, records are put into the obligation not to process, not to disclose and not to use personal data, except for the Company’s instructions and exceptions brought by law, and awareness of the employees is created and audits are carried out.

ü In the contracts and documents governing the legal relationship between the Company and the third parties that process the data that the Company is responsible for, except for the exceptions provided by law and the Company’s exceptions, records that impose an obligation not to process, disclose and not to use personal data are made and «Principles of Privacy and Protection of Personal Data with Third Parties Policy» has been put into effect.

• TECHNICAL AND ADMINISTRATIVE MEASURES IN THE PROCESSING OF PRIVATE DATA

The PDP Law places particular importance on personal data, because of the risk of victimization or discrimination when committed in violation of the law. These data include data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Our Company treats the personal data that is designated as “private” by PDP Law and processed in accordance with the law. In this context, technical and administrative measures taken by our Company for the protection of personal data are carefully implemented and necessary controls are provided in terms of special personal data. In this perspective;

• A “Private Data Processing Policy” has been prepared with regard to the security and processing principles of private personal data.
• Employees who are involved in the processing of personal data are provided with regular trainings on the subject of private personal data security with the Law and related regulations, confidentiality agreements are made, authorization scopes and durations of the users who are authorized to access the data are defined clearly and authorization controls are performed, The authority of the employees who have changed their jobs or leave their jobs in this field is immediately removed and the inventory assigned to them by the data responsible is returned.
• The mediums in which special personal data are processed, stored and / or accessed, and electronic media are maintained using cryptographic methods. Cryptographic keys are kept in secure and different mediums, transaction records of all transactions performed on the data are logged as secure, security updates of the environments in which data is available are monitored and necessary security tests are performed and test results are recorded.

• In case the data is accessed through a software, user authorizations of this software are made, security tests of these software are performed regularly, and the test results are recorded. If remote access to data is required, at least a two-factor authentication system is provided.
• If Mediums where private personal data are processed, stored and / or accessed, is a physical environment, adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where private personal data is available, and physical security of these environments is taken by preventing unauthorized entry and exit.

• If private personal data is to be transferred, it is ensured that the data is transferred in encrypted form by corporate e-mail address or by using the Registered Electronic Mail (REM) account if it is required to be transferred by e-mail.
• If Private Data needs to be transferred through media such as Memory, CD, DVD, it is encrypted by cryptographic methods and the cryptographic key is kept in different media.
• If private data is being transferred between servers in different physical environments, data transfer is performed by establishing VPN between servers or by sFTP method. If it is necessary to transfer private data via paper, necessary precautions are taken against risks such as theft, loss or being viewed by unauthorized persons and the documents are sent in «confidential documents»

• In addition to the above-mentioned measures, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guidelines published on the website of the Personal Data Protection Authority are also taken into consideration.

• TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO PREVENT ILLEGAL ACCESS OF PERSONAL DATA

Our Company takes technical and administrative measures to prevent unlawful or unauthorized disclosure, access, transmission or otherwise unlawful access to personal data.

1. Technical Measures to Prevent Illegal Access to Personal Data

The main technical measures taken by our Company to prevent unlawful access to personal data are listed below:

1. Ensuring Cyber Security

Cyber security products are used primarily to provide personal data security, but measures are not limited to this. Measures such as firewall and gateway are taken. Unused software and services are removed from the devices.

1. Software updates

Patch management and software upgrades ensure that the software and hardware work properly and that the security measures taken for the systems are enough to check regularly.

1. Access Restrictions

Access to systems containing personal data is also restricted. In this context, employees are granted access authorization to the extent necessary for their work and duties and their powers and responsibilities, and access to related systems is provided by using username and password. When creating these passwords and passwords, combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of numbers or letter sequences related to personal information that can be easily guessed. Accordingly, the access authorization and control matrix are established.

1. Passwords

In addition to the use of strong passwords and passwords, access is restricted with methods such as limitation of the number of attempts to enter the password, keyword and password change at regular intervals to ensure that the administrator account and admin authority to be used only when needed, and to delete or to disable account of employees who have quitted with the coordination with data responsible.

1. Antivirus Software

In order to protect against malware, products such as antivirus, antispam, which regularly scans the information system network and detect hazards, are kept up to date and the required files are regularly scanned. If personal data will be obtained from different internet sites and / or mobile application channels, the connections are provided through SSL or more secure way.

1. Monitoring of Personal Data Security

• Checking which software and services are working in information networks,
• Determining whether there is infiltration in the information networks or a movement that should not be,
• Keeping a record of the transactions of all users on a regular basis (such as log records),
• Reporting security issues as quickly as possible,

A formal reporting procedure is set up for employees to report security weaknesses in systems and services or threats using them.

Evidence is collected and stored securely in the event of undesired events such as information system crash, malicious software, out-of-service attack, incomplete or incorrect data entry, violations of privacy and integrity, abuse of information system.

1. G) Securing Personal Data Environments

If personal data is stored on devices or paper in the campus of the data responsible, physical security measures are taken against threats such as theft or loss of these devices and paper. The physical environments containing personal data are protected against external risks (fire, flood, etc.) by appropriate methods and the entrances / exits to these environments are controlled.

If personal data is electronically available, access between network components can be restricted or separated to prevent personal data security breach.

Measures at the same level are also taken for paper media, electronic media and devices (laptops, mobile phones, flash drives) containing personal data of the Company located outside the Company’s campus. Personal data to be transmitted by e-mail or mail is sent carefully and with sufficient precautions.

Sufficient security measures are also taken in case employees provide access to the information system network with their personal electronic devices.

The use of access control authorization and / or encryption methods is applied in case of loss or theft of devices containing personal data. In this context, the password key is stored only in the environment accessible to authorized persons and unauthorized access is prevented.

Documents on paper media containing personal data are also stored in a locked and accessible environment only, and unauthorized access to such documents is prevented.

1. Storing Personal Data in the Cloud

Applications of storing personal data in the cloud can also be used when necessary. In this case, the Company should also assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, the measures specified in the guidelines and recommendations of the PDP Board are taken into consideration.

İ)            Supply, Development and Maintenance of Information Systems

The security requirements are taken into consideration when determining the requirements for the procurement, development or improvement of existing systems by the Company.

1. Back Up Personal Data

If personal data is damaged, destroyed, stolen or lost due to any reason, the Company ensures that it is operational as soon as possible using the backed-up data. The backed up personal data is accessible only by the system administrator, and the data set backups are excluded from the network.

2. Administrative Measures to Prevent Illegal Access to Personal Data

The main administrative measures taken by our Company to prevent unlawful access to personal data are listed below:

• Employees are informed and trained on technical measures to prevent unlawful access to personal data.
• Employees are informed that they will not be able to disclose the personal data they have learned in contradiction with the provisions of the PDP Law and that they cannot use it for any purpose other than for processing purposes, and that this obligation will continue after their resignation and necessary commitments are taken accordingly.
• Personal Data Security Policies and Procedures are determined, controls are regularly conducted within the scope of policies and procedures, controls are documented and issues that need to be developed are determined. Again, the risks that may arise for each category of personal data and how to manage security breaches are clearly defined.

• Reducing Personal Data as Much as Possible: Personal data must be accurate and up-to-date, and maintained for the time period required by the relevant legislation or for the purpose for which it was processed. However, it is assessed whether data that is inaccurate, outdated and does not serve any purpose is still needed, and unneeded personal data is deleted, destroyed or anonymized by personal data retention and destruction policy.
• Relationships with Data Processors: When the company receives services from data processors to meet the IT need, the process is performed by making sure that the data processors are provided with at least the level of security provided by them. Within this scope, protective arrangements related to the protection of personal data are introduced in the contracts signed with the data processor.

1. STORAGE OF PERSONAL DATA IN SAFE MEDIUMS

Our company takes the necessary technical and administrative measures in accordance with technological opportunities and application costs in order to prevent personal data from being stored, kept in safe environments and destroyed, lost or changed for illegal purposes.

1. Technical Measures to Keep Personal Data in Safe Mediums

The main technical measures taken by our Company for the storage of personal data in safe environments are listed below:

• In order to store personal data in secure environments, systems in line with technological developments are used.
• Technical security systems are established for the storage areas, the technical measures taken are periodically audited by the audit mechanism determined by our Company, and the risk-related issues are re-evaluated, and the necessary technological solutions are produced.
• All necessary infrastructures are used in accordance with the law to ensure the safe storage of personal data.

2. Administrative Measures for Storing Personal Data in Safe Mediums

The main administrative measures taken by our Company for the storage of personal data in secure environments are listed below.:

ü Employees are informed about the safe storage of personal data.

üIn the event that an external service is received by our Company due to technical requirements for the storage of personal data, the contracts concluded with the relevant companies in which the personal data are transferred in accordance with the law, the provisions regarding that the persons to whom the personal data are transferred shall take the necessary security measures for the protection of the personal data and ensure that these measures are complied with in their own institutions in accordance with the provisions of the «Company’s Principles for the Protection of Personal Data in Relations with Third Parties ”.

1. TRAINING

ü Our Company provides its employees with the necessary trainings regarding the protection of Personal Data within the scope of Policy and PDP Procedures and PDPL Regulations.

• In the trainings, the definitions and applications of Private Personal Data are especially mentioned.
• If the Company employee accesses Personal Data physically or on a computer, the relevant employee of our Company is trained on these accesses (eg computer program accessed).

1. EVALUATION
2. Increasing Awareness and Evaluation of Business Units on Protection and Processing of Personal Data

Our Company ensures that business units are notified in order to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data and to maintain data.

2. Increasing Awareness and Evaluation of Business Partners and Suppliers on Protection and Processing of Personal Data

Our Company provides necessary information to business partners in order to prevent unlawful processing of personal data, to prevent unlawful access to data, and to raise awareness in order to protect data.

3. Evaluation of Measures for Protection of Personal Data

Our Company has the right to make audits regularly and without any prior notification in order to ensure that all employees, departments and contractors of the Company comply with this Policy and PDP Regulations and carries out the necessary routine audits. The results of these audits are evaluated within the scope of the Company’s internal operation and necessary actions are taken to improve the measures taken.

Measures to be taken in the case of Unauthorized Disclosure of Personal Data and personal data processed in accordance with Article 12 of the PDP Law to be gathered by others , our company operates a system that enables the relevant personal data owner and the PDP Board to be notified as soon as possible.