PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY
PROFAGRO
1- Our Company, Profagro (“Company”), hereby sets forth, with this (“Policy”), the procedures and principles it will comply with and the obligations it is subject to in the collection, processing, deletion, destruction or anonymization of the personal data of all its counterparts.
Accordingly, within the scope of Law No. 6698 on the Protection of Personal Data (“Law”), job applicants, customers, company shareholders, company officials, visitors, employees/shareholders/officials of institutions we cooperate with, subcontractors and suppliers, and third parties in particular have the status of (“Data Subject”) in terms of personal data.
The conditions and requirements regarding the personal data processing activities carried out by the Company (“Data Controller”) pursuant to the Law are included in this Policy; the aim is to ensure transparency by informing data subjects and to obtain their explicit consent within the scope of the situations set forth below. This Privacy Policy is published on our Company’s website (https://profagro.com.tr) and is made available to data subjects upon request.
Accordingly, this Privacy Policy (“Policy”) has been prepared to process personal data in full compliance with Law No. 6698 (“Law”) and to inform data subjects in this context. Separately from this Policy, a “Policy on the Processing of Profagro Employees’ Personal Data” has been prepared for Company employees.
2- This Policy relates to all personal data processed, by automatic means or by non-automatic means provided that it forms part of any data recording system, primarily concerning job applicants, customers, company shareholders, company officials, visitors, employees/shareholders/officials of institutions we cooperate with, subcontractors and suppliers, and third parties.
For the personal data subject groups in the categories stated above, the scope of application of this Policy may be the entire Policy or only certain provisions thereof.
3- Applicable legal regulations in force regarding the processing and protection of personal data shall primarily apply. In the event of any inconsistency between the legislation in force and this Policy, the Company accepts that the legislation in force shall apply.
4- Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:
| Job Applicants | Natural persons who apply for a job at the Company or who, by any means, make their CV and related information accessible to the Company. |
| Employees, Shareholders and Officials of Institutions We Cooperate With, Subcontractors and Suppliers | Employees, shareholders and officials of institutions, subcontractors and suppliers that have a business relationship with the Company. |
| Customers | Natural persons whose personal data are obtained due to business relations within the scope of activities carried out by the Company, regardless of whether there is any contractual relationship. |
| Visitors | Natural persons who have entered or visited the Company’s physical premises for various purposes. |
| Third Parties | Other natural persons whose personal data are processed within the framework of this Policy, although not defined in the Policy. |
| Company Shareholder | Natural persons who are shareholders of the Company. |
| Company Official | Members of the board of directors and other authorized natural persons of the Company. |
5- In the implementation of this Policy, the following terms have the meanings given below:
| Explicit Consent | Consent given freely, based on being informed, and related to a specific subject. |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person in any manner, even by matching with other data. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Special Categories of Personal Data | Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data. |
| Processing of Personal Data | Any operation performed on data such as obtaining, recording, storing, safeguarding, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means provided that it forms part of a data recording system. |
| Board | Personal Data Protection Board |
| Policy | The Company’s Personal Data Protection and Processing Policy. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller. |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where data are systematically kept (data recording system). |
6- Matters regarding the processing of personal data relating to job applicants, customers, company shareholders, company officials, visitors, employees/shareholders/officials of institutions we cooperate with, subcontractors and suppliers, and third parties are regulated within this Policy text in compliance with the Law.
7- Personal data obtained with the consent of the data subject or due to other lawful grounds listed in the Law are processed only to the extent required by the purpose stated in this Policy and in the informed consent of the data subject, or limited to the extent required by the legal basis. After the legal basis ceases to exist, and in cases where there is no consent or consent is withdrawn, all your personal data will be deleted, destroyed or anonymized.
8- With the Privacy Policy, it is aimed to:
- Reveal which information belonging to the Data Subject is collected and what is and is not done with such data,
- Identify responsibilities of the Data Subject, the Data Controller and third parties in protecting rights and privacy within the scope of the Law,
- Explain how information shared in order to provide functional and useful service is used.
9- With this text, data subjects acknowledge that they have been informed about the processing of their personal data and the privacy policy, and that they consent to their personal data being used as stated herein.
10- Personal data processed by the Data Controller are categorized as follows in compliance with the Law. Unless explicitly stated otherwise, within the scope of this Privacy Policy, the term “Personal Data” includes the information listed below.
| Identity Information | Name-surname, Turkish ID number, nationality, mother’s/father’s name, place and date of birth, gender and SSI number; and all information contained in documents such as driver’s license, identity card, residence certificate, without limitation. |
| Contact Information | Information clearly belonging to an identified or identifiable natural person; processed partially or fully by automatic means or non-automatic means as part of a data recording system; such as phone number, address, e-mail address, fax number, IP address. |
| Customer Information | Information obtained and produced about the relevant person as a result of operations conducted by our business units within the scope of our commercial activities. |
| Customer Transaction Information | Records regarding the use of our products and services, and instructions/requests necessary for the customer to use such products and services. |
| Transaction Security Information | Personal data processed to ensure technical, administrative, legal and commercial security during the conduct of commercial activities. |
| Risk Management Information | Personal data processed through methods generally accepted in these fields, in compliance with legal and commercial practice and the principle of good faith, in order to manage our commercial, technical and administrative risks. |
| Financial Information | Personal data processed regarding any information, document and record showing financial outcomes created according to the type of legal relationship established with the data subject. |
| Job Applicant Information | Personal data processed regarding individuals who applied to become Company employees or who have been evaluated as job applicants due to business practice and good faith rules in line with our HR needs, or who are in an employment relationship. |
| Legal Transaction Information | Personal data processed within the scope of identification, follow-up of our legal receivables and rights and performance of our obligations. |
| Audit Information | Personal data processed within the scope of the Company’s legal obligations and compliance with Company policies. |
| Special Categories of Personal Data | As stated in Article 6 of the Law; data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| Marketing Information | Personal data processed for marketing our products and services by customizing them according to the data subject’s habits, preferences and needs, and reports/assessments generated as a result of such processing. |
| Physical Premises Security Information | Information clearly belonging to an identified or identifiable natural person; processed partially or fully by automatic means or non-automatic means as part of a data recording system; personal data regarding records and documents taken at entry to premises and during presence within premises; camera recordings and records taken at the security point, etc. |
| Visual/Audio Information | Information clearly belonging to an identified or identifiable natural person; photographs and camera recordings (excluding recordings within Physical Premises Security Information), audio recordings, and data contained in copies of documents containing personal data. |
| Request / Complaint Management Information | Personal data regarding receipt and evaluation of any request or complaint submitted. |
11- Pursuant to Articles 3 and 7 of the Law, data that are anonymized will not be regarded as personal data, and processing activities regarding such data shall be carried out without being bound by the provisions of this Privacy Policy.
12- Our Company processes personal data in compliance with the fundamental principles in Article 4 of the Law and the principles set forth in this Policy. In addition, personal data are processed, limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law. These purposes and conditions are:
- Expressly provided for in laws,
- Being mandatory for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally recognized, or of another person,
- Being necessary for the establishment or performance of a contract, provided that it is directly related to the contract between the data subject and the data controller,
- Being mandatory for the data controller to fulfill its legal obligations,
- The data subject has made it public,
- Being mandatory for the establishment, exercise or protection of a right,
- Being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
On the other hand, the Law defines data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data as “special categories” or “sensitive” personal data, and stipulates stricter conditions for their processing. Accordingly, special categories of personal data may be processed only under the conditions below, except for cases where the explicit consent of the data subject has been obtained:
- Special categories of personal data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data may be processed in cases provided for by law.
- Personal data related to health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or authorized institutions and organizations.
13- In the absence of the conditions stated above, the Company seeks the explicit consent of personal data subjects to carry out personal data processing activities. Within this scope, personal data may be processed for the following purposes, without limitation:
- To enable personal data subjects to benefit from products and services provided by the Company; follow-up of contract processes, customer relations, execution of sales processes, conducting legal proceedings, follow-up of customer requests and/or complaints,
- To conduct necessary work for the realization of the Company’s commercial activities; planning corporate communication activities, ensuring business continuity, establishing IT infrastructure, following up financial affairs, carrying out corporate governance activities, performing analyses related to business activities, planning and executing access authorizations of business partners and suppliers, planning and executing business activities, planning and executing R&D activities,
- To plan and execute the Company’s human resources policies and processes; fulfillment of obligations arising from employment contracts and legislation for employees and job applicants, procurement of products and services required to carry out business activities, monitoring and auditing of business activities, planning and execution of fringe benefits and interests, conducting recruitment processes, planning performance evaluation processes, planning and execution of in-house training activities, planning HR processes, planning and execution of workforce needs for production,
- To ensure the legal and commercial security of persons who have a business relationship with the Company; planning and execution of operational activities required to ensure Company activities are carried out in accordance with Company procedures and relevant legislation, planning and execution of occupational health and safety processes, providing information to authorized institutions as required by legislation, follow-up of legal affairs, creation and follow-up of visitor records, ensuring security of Company campuses and/or facilities, ensuring security of Company operations, planning and execution of audit activities, ensuring data are accurate and up-to-date, planning and execution of the Company’s financial risk processes.
The Company essentially aims to obtain individuals’ explicit consent in order to realize the purposes described above. In cases where exceptions under the Law exist, personal data are kept in a limited and proportionate manner pursuant to such exceptions. Where there is no explicit consent, personal data are processed within the framework of exceptions stipulated in the Law. If the exceptions in the Law do not permit processing and there is no explicit consent, personal data are not processed.
14- Such personal information may also be used to contact the Data Subject or to carry out various statistical evaluations, create databases and conduct market research without disclosing the identity of the Data Subject.
15- The Company may process its employees’ personal data without seeking consent to the extent necessary for performance of the service/employment contract, fulfillment of mutual obligations, and performance of other legal obligations. The Company ensures confidentiality and protection of employees’ data. In this context, separately from this Policy, a “Policy on the Processing of Profagro Employees’ Personal Data” has been prepared for Company employees.
Regarding applications and requests made by prospective employees, the Company processes all personal data, including CVs submitted by applicants, without seeking consent until the application/request is finalized. After the application process has been concluded with a negative outcome, further processing depends on the consent of the data subject. If the data subject gives consent, personal data may be transferred to third parties. Otherwise, after the request/application process is conclusively finalized with a negative outcome, data are deleted, destroyed or anonymized. In cases where the request/application is partially or wholly finalized with a positive outcome, retention and processing of personal data are carried out according to the conditions of the newly established legal relationship.
16- The camera monitoring activity carried out by our Company is conducted in compliance with the Law on Private Security Services and the personal data processing conditions listed in the Law.
In accordance with Article 10 of the Law, the Company informs the personal data subject. The Company provides notification regarding camera monitoring through more than one method. For camera monitoring, a notification sign indicating that monitoring is carried out is posted at the entrances of the relevant areas. Thus, it is aimed to prevent harm to the fundamental rights and freedoms of personal data subjects and to ensure transparency and informing of personal data subjects.
In accordance with Article 4 of the Law, the Company processes personal data in a manner that is connected to, limited and proportionate to the purposes for which they are processed.
The purpose of continuing video camera monitoring is limited to the purposes stated in this Policy. Accordingly, the monitoring areas, number of security cameras and time periods of monitoring are implemented sufficiently and limited to the security purpose. Areas where monitoring may lead to interference with privacy beyond security purposes are not subject to monitoring.
In accordance with Article 12 of the Law, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.
Only a limited number of Company employees have access to live camera images and records that are digitally recorded and stored.
For ensuring security and for the purposes stated in this Policy, the Company carries out personal data processing activities for tracking the entry and exit of visitors. The name-surname information of persons visiting our Company is processed solely for the purpose of tracking entries and exits, and the relevant personal data are recorded in a registration system in physical and electronic environments.
To ensure the security of the places where it conducts commercial activities, the Company carries out personal data processing activities in its headquarters buildings and facilities by means of security camera monitoring, recording, card access, identity registration and tracking of guest entries and exits. Camera monitoring and identity checks at entrances, card access and their recording serve the purpose of protecting the Company’s and others’ interests related to ensuring security. In accordance with Article 12 of the Law, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring and identity registration.
17- The data controller may share personal data, and new data obtained through the use of such personal data, with third parties such as outsourced service providers (including those providing e-mail and SMS sending services), (hosting services), law offices, Company officials, business partners, legally authorized public institutions and organizations, private institutions, for the purposes stated under the Privacy Policy and the Personal Data Processing Information Notice and Consent Text, in order to enable beneficiaries to benefit from the services offered, to conduct commercial activities and related business processes, to ensure security, to detect fraudulent or unauthorized use, and to investigate operational assessments.
18- Personal data collected on the legal grounds stated above may be processed and transferred in accordance with the legislation in force and for the purposes stated in this Privacy Policy. In line with lawful and legitimate personal data processing purposes, the Company may transfer personal data to third parties in a limited manner based on one or more of the personal data processing conditions in Article 5 of the Law as follows:
- If the personal data subject has given explicit consent,
- If there is an explicit provision in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or another person, and the personal data subject is unable to express consent due to actual impossibility or consent is not legally valid,
- If transfer of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
- If personal data transfer is mandatory for the Company to fulfill its legal obligation,
- If the personal data have been made public by the personal data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
By exercising due care, taking the necessary security measures and ensuring adequate safeguards stipulated by the Board, the Company may transfer special categories of personal data to third parties in the following cases, in line with lawful and legitimate personal data processing purposes:
- If the personal data subject has given explicit consent; or
- If the personal data subject has not given explicit consent: special categories of personal data other than health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, criminal convictions and security measures, biometric and genetic data) may be transferred in cases provided for by law; special categories of personal data related to health and sexual life may be transferred only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or authorized institutions and organizations.
19- In line with lawful and legitimate personal data processing purposes, the Company may transfer personal data to foreign countries where the Data Controller has Adequate Protection or undertakes to provide Adequate Protection, if the data subject has given explicit consent or, if there is no explicit consent, provided that one of the following conditions exists:
- If there is an explicit provision in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or another person, and the personal data subject is unable to express consent due to actual impossibility or consent is not legally valid,
- If transfer of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
- If personal data transfer is mandatory for the Company to fulfill its legal obligation,
- If the personal data have been made public by the personal data subject,
- If personal data transfer is mandatory for the establishment, exercise or protection of a right,
- If personal data transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
20- By exercising due care, taking the necessary security measures and ensuring adequate safeguards stipulated by the Board, the Company may transfer special categories of personal data to foreign countries where the Data Controller has Adequate Protection or undertakes to provide Adequate Protection, in the following cases, in line with lawful and legitimate personal data processing purposes:
- If the personal data subject has given explicit consent; or
- If the personal data subject has not given explicit consent: special categories of personal data other than health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, criminal convictions and security measures, biometric and genetic data) may be transferred in cases provided for by law; special categories of personal data related to health and sexual life may be transferred only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or authorized institutions and organizations.
21- Personal data collected on the legal grounds stated above may be processed and transferred for the purposes specified in Articles 5 and 6 of Law No. 6698 and in this Privacy Policy.
22- Pursuant to Article 11 of the Law, personal data subjects have the rights to:
- Learn whether personal data relating to them are processed,
- If personal data have been processed, request information regarding such processing,
- Learn the purpose of processing personal data and whether they are used in accordance with the purpose,
- Know the third parties to whom personal data are transferred in Turkey or abroad,
- Request correction of personal data if they are incomplete or incorrectly processed,
- Request deletion or destruction of personal data in case the reasons requiring processing cease to exist, although they have been processed in accordance with the Law and other relevant laws,
- Request notification of the actions taken as a result of correction, deletion and destruction to third parties to whom personal data have been transferred,
- Object to the occurrence of a result against them by analyzing the processed data solely through automated systems,
- Request compensation for damages in case they suffer damage due to unlawful processing of personal data.
23- Pursuant to paragraph 1 of Article 13 of the Law, you must submit your request regarding the exercise of the rights specified above to our Company in writing or by other methods determined by the Personal Data Protection Board.
In this context, in your applications to our Company within the scope of Article 11 of the Law, you may submit your request, together with the necessary information to identify your identity and your explanations regarding the right you wish to exercise, also specifying which right under Article 11 you are exercising, by registered mail with return receipt to the following address:
PROFAGRO
ADDRESS: ETİLER NEIGHBORHOOD ADNAN MENDERES BOULEVARD ASKEROĞLU BUSINESS CENTER NO:63/303 MURATPAŞA/ANTALYA
Third parties cannot submit requests on behalf of personal data subjects. For someone other than the personal data subject to submit a request, there must be a special power of attorney issued by the personal data subject for the applicant.
24- In accordance with Article 13 of the Law, our Company finalizes the application requests made by the personal data subject as soon as possible and within 30 (thirty) days at the latest, free of charge, depending on the nature of the request. However, if the process requires an additional cost, it is possible to charge the fee in the tariff determined by the Board.
Our Company may accept the personal data subject’s request, or may reject it on one of the grounds listed below by explaining its reason, and may notify the relevant person in writing or electronically:
- Obstructing the rights and freedoms of others,
- Requiring disproportionate effort,
- The information is publicly available,
- Jeopardizing the privacy of others.
In cases where one of the situations excluded under the Law exists, the personal data subject’s application is rejected, the response is deemed insufficient, or no response is provided in due time, the personal data subject has the right to lodge a complaint with the Board within thirty days from the date of learning the response of the data controller and in any case within sixty days from the date of application.
The Company takes the necessary technical and administrative measures to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the safeguarding of personal data, under the conditions set forth in the relevant legislation and this Privacy Policy. In addition, the data controller does not disclose the personal data obtained from the data subject to others contrary to this Privacy Policy and the provisions of the Law, and does not use them outside the processing purpose.
25- This Privacy Policy may be updated from time to time in order to adapt to changing conditions and legislation.
26- Although no specific period is determined under the Law for the retention of personal data, pursuant to general principles it is essential that personal data are retained for the period prescribed in the relevant legislation or for the period necessary for the purpose for which they are processed. In order to determine retention periods in accordance with this principle, the Data Controller Company evaluates each data processing process based on the legislation in force and the purpose of the process. Accordingly, personal data are retained at least for the period required by legal obligations and until the statute of limitations periods relevant to the Law expire.
Personal data may be retained for the purpose of making the necessary defenses in the event of any dispute that may arise between you and the Data Controller. Upon the elimination of the processing purpose for the relevant personal data in any process, including the expiration of the aforementioned periods, personal data are anonymized, deleted or destroyed in accordance with the Law.
27- Your personal data that we collect must be accurate and, where necessary, up to date. Therefore, if any change occurs in your personal data, you may notify the relevant unit of our Company.
28- Our Company makes the necessary assignments within the Company and creates procedures accordingly in order to fulfill the obligations under the Law and to implement the matters set forth in this Policy.
The policy containing the above articles is presented to the personal data subject together with other relevant information notice and consent texts, especially the “Information Notice and Consent Text on Profagro Personal Data Protection, Processing and Privacy Policy”. In addition, upon the request of personal data subjects, this policy is provided and access is enabled.
PROFAGRO
PERSONAL DATA RETENTION AND DISPOSAL POLICY
1- The Personal Data Retention and Disposal Policy (“Policy”) has been prepared by Profagro (“Company”), as the data controller, in order to determine the procedures and principles regarding our obligations pursuant to Law No. 6698 on the Protection of Personal Data (“KVKK”) and the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”), and to inform data subjects about the principles for determining the maximum retention period required for the purposes of processing personal data, as well as deletion, destruction and anonymization processes.
2- Within the scope of this Policy, the data subjects whose personal data are processed by automatic means, or by non-automatic means provided that the processing forms part of any data recording system, include customers, prospective customers, job applicants, employees, company shareholders, company officials, visitors, business partners, employees/shareholders/officials of institutions we cooperate with, subcontractors and suppliers, and third parties.
This Policy is implemented in all personal data processing and protection activities managed by our Company.
3- This Policy is published on our Company’s website (https://profagro.com.tr) and is made available to data subjects upon request.
4- In the implementation of this Policy, the following terms have the meanings given below:
- Relevant Person: Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data,
- Disposal: Deletion, destruction or anonymization of personal data,
- Law: Law No. 6698 on the Protection of Personal Data,
- Recording medium: Any medium containing personal data processed by fully or partially automatic means or by non-automatic means provided that it forms part of any data recording system,
- Personal data: Any information relating to an identified or identifiable natural person,
- Personal data subject: The natural person whose personal data are processed,
- Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, safeguarding, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing use, by fully or partially automatic means or by non-automatic means provided that it forms part of a data recording system,
- Personal data processing inventory: The inventory created by data controllers by associating their personal data processing activities depending on business processes with processing purposes, data category, recipient group and data subject group, and detailing the maximum period required for the purposes of processing personal data, the personal data intended to be transferred abroad, and the measures taken regarding data security,
- Board: Personal Data Protection Board,
- Authority: Personal Data Protection Authority,
- Special categories of personal data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
- Periodic disposal: The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and disposal policy when all conditions for processing personal data specified in the Law cease to exist,
- Personal Data Retention and Disposal Policy: This Policy, which data controllers rely on as a basis for determining the maximum period required for the purposes of processing personal data and for deletion, destruction and anonymization operations,
- Personal Data Protection, Processing and Privacy Policy: The policy on the Company’s website determining procedures and principles related to the management of personal data,
- Registry: The registry of data controllers kept by the Personal Data Protection Authority Presidency,
- Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller,
- Data recording system: The recording system in which personal data are structured according to specific criteria,
- Data controller: The natural or legal person responsible for establishing and managing the data recording system and determining the purposes and means of processing personal data.
Definitions not included in this Policy shall have the meanings set forth in the Law.
5- All unit managers of the Company provide effective support for the proper implementation of technical and administrative measures related to the processing, retention and disposal of personal data in their units. For this purpose, unit managers raise awareness among and provide training to unit employees, monitor and audit processes, help prevent unlawful processing and unlawful access, and assist in taking and implementing technical and administrative measures for data security.
By increasing the knowledge and awareness of relevant users regarding protection of personal data, active support is provided for carrying out processing, retention and disposal operations in compliance with legislation.
Titles, units and job descriptions of those involved in personal data retention and disposal processes are as follows:
- General Manager: As the representative of the data controller, responsible for carrying out all processes related to protection and disposal of personal data and for implementing the policy.
- Human Resources Manager: Responsible for preparing, developing and executing the Policy, publishing it in relevant environments, updating it, ensuring processes under their duty comply with retention periods, managing personal data disposal processes according to the periodic disposal period, and training and informing.
- Accounting Manager: Responsible for preparing, developing and executing the Policy, publishing it in relevant environments, updating it, ensuring processes under their duty comply with retention periods, and managing personal data disposal processes according to the periodic disposal period.
- Information Systems Manager: Responsible for technical storage, protection and backup of data, and for determining and implementing technical solutions needed for implementation of the policy.
- Other Unit Managers: Responsible for implementing, monitoring and auditing the policy in their units, ensuring processes under their duty comply with retention periods, and managing personal data disposal processes according to the periodic disposal period.
- Relevant Users and Data Processors: Responsible for ensuring processing and retention operations are carried out in accordance with procedures and law.
- Specially Authorized Relevant User: Responsible for protecting and retaining deleted personal data until their destruction, and ensuring they cannot be accessed by relevant users, upon procedure or at the request of the relevant person.
6- Personal data retained within the Company are kept in a recording medium suitable for the nature of the relevant data. Recording media used for retention of personal data are listed below. Personal data may also be stored in a different medium than those listed here due to their nature. In any case, the data controller Company processes and protects personal data in accordance with the Law, the Personal Data Protection, Processing and Privacy Policy, and this Personal Data Retention and Disposal Policy, within the framework of international data security principles.
Electronic media: Servers, portable disks, software, information security devices, employee computers, optical disks, removable media, printers, scanners and photocopiers and other digital media.
Physical media: Paper, manual data recording systems, written/printed/visual media and other media where data are kept on paper or microfilms.
Cloud media: Media not located within the Company but used by the Company, where encrypted internet-based systems are used.
7- In order to ensure secure retention of your personal data, prevent unlawful processing and access, and dispose of data lawfully, the Company takes all administrative and technical measures within the framework of the principles in Article 12 of the KVKK, as stated below.
Technical Measures
The Company takes the following technical measures for all media where personal data are stored, appropriate to the nature of the relevant data and the medium where the data are stored:
- Only up-to-date and secure systems compliant with technological developments are used in environments where personal data are stored.
- Security systems are used for environments where personal data are stored.
- Security tests and studies are carried out to detect vulnerabilities in information systems, and any existing or potential risky issues identified are eliminated.
- Access to personal data is restricted so that only authorized persons can access the data, limited to the purpose of retention, and all accesses are logged. Whether the data are special categories of personal data and the level of importance are also considered when restricting access.
- The Company employs sufficient technical personnel to ensure the security of environments where personal data are stored. It ensures that access authorizations of employees in IT units to personal data are kept under control.
- Destruction of personal data is ensured in a way that is irreversible and leaves no audit trail.
- Pursuant to Article 12 of the Law, any digital environment where personal data are stored is protected by encryption methods to meet information security requirements.
Administrative Measures
The Company takes the following administrative measures for all media where personal data are stored, appropriate to the nature of the relevant data and the medium where the data are stored:
- Efforts are made to increase awareness and consciousness of all Company employees who have access to personal data regarding information security, personal data and privacy.
- Legal and technical consultancy services are obtained to follow developments in information security, privacy and personal data protection and to take necessary actions.
- If personal data are transferred to third parties due to technical or legal requirements, protocols are signed with such third parties to protect personal data, and due care is taken to ensure third parties comply with their obligations under these protocols.
- In case personal data are obtained by others through unlawful means, the Company notifies the relevant person and the Board as soon as possible.
- The Company conducts and commissions necessary audits to ensure application of the provisions of the Law and eliminates confidentiality and security vulnerabilities identified as a result of audits.
8- Personal data of data subjects are retained securely by the Company in physical or electronic environments, within the limits specified in the KVKK and other relevant legislation, especially for maintaining commercial activities, fulfilling legal obligations, planning and performance of employee rights and benefits, managing customer relations and other purposes stated in the Personal Data Protection, Processing and Privacy Policy. Personal data held by the Company are deleted, destroyed or anonymized upon the request of the relevant person or ex officio pursuant to this disposal policy when the reasons listed in Articles 5 and 6 of the Law cease to exist. The reasons listed in Articles 5 and 6 of the Law are as follows:
- Expressly provided for in laws.
- Being mandatory for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally recognized, or of another person.
- Being necessary for the establishment or performance of a contract, provided that it is directly related to the contract.
- Being mandatory for the data controller to fulfill its legal obligations.
- The relevant person has made it public.
- Being mandatory for the establishment, exercise or protection of a right.
- Being mandatory for the legitimate interests of the relevant person, provided that it does not harm fundamental rights and freedoms.
9- Procedures and principles regarding techniques for deletion and destruction of personal data are stated below.
DELETION OF PERSONAL DATA
Redaction of Personal Data in Paper Form: A method of physically cutting out personal data from the relevant document or rendering it invisible using indelible ink in a way that cannot be read back or decoded with technological solutions.
Secure Deletion from Software: A method of deleting personal data stored in cloud environments or local digital environments so that it cannot be accessed again.
DESTRUCTION OF PERSONAL DATA
Physical Destruction: A system is implemented where personal data are physically destroyed so that they cannot be used afterward. Documents in paper form are destroyed with shredders so they cannot be reassembled. Optical and magnetic media containing personal data are physically destroyed by melting, burning or pulverizing.
Degaussing: A method of corrupting data on magnetic media beyond readability by passing them through special devices that expose them to strong magnetic fields.
Overwriting: A destruction method that eliminates readability and recoverability of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media via special software.
ANONYMIZATION OF PERSONAL DATA
Removing variables: After aggregating collected data, removing highly descriptive variables from the dataset to render it anonymous.
Regional masking: If a single data point creates a very easily visible combination and is identifying, masking that data enables anonymization. It is the deletion of information that may be distinctive for exceptional data.
Generalization: Aggregating personal data of many individuals and removing distinguishing information to transform them into statistical data.
Top and Bottom Coding: Anonymization by combining values within a data group that contains predefined categories according to a certain criterion.
Micro-aggregation: First, all data are ordered meaningfully and divided into groups; then the average of each group is calculated and the obtained value is written in place of the relevant data in that group to achieve anonymization.
Data shuffling and perturbation: Direct or indirect identifiers in personal data are mixed with other values or perturbed so that the link with the relevant person is broken and identifiers lose their identifying characteristics.
10- Retention and Disposal Periods
| PROCESS | RETENTION PERIOD | DISPOSAL PERIOD |
| --- | --- | --- |
| Personnel records based on recruitment documents and SSI notifications regarding service duration and wage information | Retained for 10 years during the term of employment and starting from the beginning of the calendar year following the termination of employment. | Within 180 days following the end of the retention period |
| Personnel records other than those based on recruitment documents and SSI notifications regarding service duration and wage information | Retained for 10 years during the term of employment and starting from the beginning of the calendar year following the termination of employment. | Following the end of the retention period |
| Data contained in the Workplace Personal Health File | Retained for 10 years during the term of employment and from the termination thereof. | Within 180 days |
| Occupational health and safety practices | Retained for 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Responding to court/enforcement information requests regarding personnel | Retained for 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Personnel Financing Processes | Retained for 10 years following the termination of the employment relationship. | Within 180 days following the end of the retention period |
| Identity, contact and financial information relating to conducting the commercial relationship between the Company and a Business Partner/Solution Partner/Consultant, and Business Partner/Solution Partner/Consultant employee data | Retained for 10 years during the business/commercial relationship with the Company and for 10 years after its termination pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. | Within 180 days following the end of the retention period |
| Visitor name, surname, vehicle license plate and camera recordings obtained at entry to physical premises | Retained for 2 years. | Within 180 days following the end of the retention period |
| Information in the CV and job application form of the job applicant | Retained for the period during which the CV will become outdated, for a maximum of 2 years. | Within 180 days following the end of the retention period |
| Information in the internship file of the intern | Retained for 10 years during the internship relationship and starting from the beginning of the calendar year following its termination. | Within 180 days following the end of the retention period |
| Customer name, surname, Turkish ID number, contact information, payment information and methods, product/service preferences, transaction history | Retained for 10 years from the provision of each product/service purchased by the Customer pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. | Within 180 days following the end of the retention period |
| Identity, contact and financial information obtained during contract negotiations to establish a commercial relationship between the prospective customer and the Company | Retained for 2 years. | Within 180 days following the end of the retention period |
| Identity, contact and financial information relating to conducting the commercial relationship between the Company and cooperating institutions/companies and customers, and data of employees of the cooperating institution/company/customer | Retained for 10 years during the business/commercial relationship with the Company and for 10 years after its termination pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. | Within 180 days following the end of the retention period |
| Planning and Execution of Corporate Communication Activities | Retained for 10 years following the termination of the business relationship. | Within 180 days following the end of the retention period |
| Other data that are required to be processed for the establishment or performance of a contract, or processed within this scope | Retained for 10 years during the business/commercial relationship with the Company and for 10 years after its termination pursuant to Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. | Within 180 days following the end of the retention period |
| Information of Company partners and board members | Retained for 10 years. | Within 180 days following the end of the retention period |
| Accident Reporting | Retained for 10 years. | Within 180 days following the end of the retention period |
| Document preparation | Retained for 10 years. | Within 180 days following the end of the retention period |
| Filing of training records | Retained for 10 years. | Within 180 days following the end of the retention period |
11- Although no specific period is determined under the Law for the retention of personal data, pursuant to general principles it is essential that personal data are retained for the period prescribed in the relevant legislation or for the period necessary for the purpose for which they are processed. In order to determine retention periods in accordance with this principle, the Data Controller Company evaluates each data processing process based on the legislation in force and the purpose of the process. If a longer period is regulated under legislation or longer periods are stipulated for limitation periods, forfeiture periods, retention periods, etc., such periods in the legislation are accepted as the maximum retention period. Accordingly, personal data are retained at least for the period required by legal obligations and until the statute of limitations periods relevant to the Law expire.
Personal data may be retained for the purpose of making the necessary defenses in the event of any dispute that may arise between you and the Data Controller. Upon the elimination of the processing purpose for the relevant personal data in any process, including the expiration of the aforementioned periods, personal data are anonymized, deleted or destroyed in accordance with the Law.
12- Personal data whose retention period has expired or whose retention purpose has ceased are deleted, destroyed or anonymized by periodic disposal at six-month intervals specified in this Personal Data Retention and Disposal Policy. Periodic disposal is additionally carried out in January and July of each year.
13- Our Company makes the necessary assignments within the Company and creates procedures accordingly in order to fulfill the obligations under the KVKK and to implement the matters set forth in this Policy.
14- Changes that may occur in Company activities and the processed personal data groups, amendments to legislation, and principle decisions of the Personal Data Protection Board are monitored, and this Policy is reviewed accordingly; necessary sections are updated, amended or re-created based on the need that arises.