PDPL

Meter Electronics Inc. and its subsidiaries’ Privacy Policy and Personal Data Processing Policy

The protection of personal data is one of the most important priorities of METER ELEKTRONİK A.Ş. and its subsidiaries. The most important part of this issue is the protection and processing of personal data of our job applicants, company shareholders, company officials, visitors, employees, shareholders and officials of institutions we cooperate with, and third parties, which are governed by this Policy.

In accordance with the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. In terms of the protection of personal data, which is a right guaranteed by the Constitution, the company takes the necessary care to protect the personal data of employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of institutions that it cooperates with, and third parties, which are managed by this Policy, and makes it a Company policy.

In this context, the company takes the necessary administrative and technical measures to protect personal data processed within the framework of legal legislation.

The company’s basic principles adopted in the processing of personal data in this Policy are as follows;

· Processing personal data in accordance with the law and the principles of fairness,

· Processing personal data for specific, clear and legitimate purposes,

· Limited and measured processing of personal data in connection with the purpose for which they are processed,

· Keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,

· Enlightening and informing personal data owners,

· Establishing the necessary system for personal data owners to exercise their rights,

· Taking necessary precautions to preserve personal data,

· Acting in accordance with the relevant legislation and KVK Board regulations in transferring personal data to third parties in line with the requirements of the processing purpose,

· To show the necessary sensitivity to the processing and protection of special personal data.

ARTICLE 1: PURPOSE OF THE POLICY The main purpose of the policy is the personal data processing activity carried out by the company in accordance with the law, and in this context, personal data processing activities, especially our customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties. To ensure transparency and trust by informing people whose data is processed by our company.

ARTICLE 2: CONTENT AND DEFINITIONS This Policy; It relates to all personal data of our employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties processed automatically or non-automatically as part of any data recording system. The scope of application of this Policy for groups of personal data owners in the above-mentioned categories may be the entire Policy; It could be just some of it. The definitions of the concepts included in this policy text are as follows:

recipient group: Category of natural or legal person to whom personal data is transferred by the data controller.

Explicit consent:Consent regarding a specific issue, based on information and expressed with free will

Anonymization : Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data

Employee: Company personnel

Electronic media: Environments where personal data can be created, read, modified and written with electronic devices

Non-electronic media: All written, printed, visual, etc. other than electronic media. other media

Service provider: Natural or legal person who provides services within the framework of a specific contract with the institution

Relevant person: Natural person whose personal data is processed

Relevant user: Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction : Deletion, destruction or anonymization of personal data

Law: Personal Data Protection Law No. 6698

Recording medium: Any environment containing personal data that is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system.

Personal data: Any information regarding an identified or identifiable natural person

Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they create by associating the personal data with the purposes and legal reason for processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries and measures taken regarding data security.

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action taken on the data, such as preventing its use or

Board: Personal Data Protection Board

Personal data of special nature: Data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data and genetic data

Periodic destruction: In case all the processing conditions for personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals.

Policy : Personal Data Storage and Destruction Policy

Company: METER ELEKTRONİK A.Ş.

Data processor: Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data recording system: Recording system in which personal data is structured and processed according to certain criteria

Data controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data controllers registry information system: The information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry.

VERBIS: Data Controllers Registry Information System

Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will apply. The policy is created by concretizing and regulating the rules set forth by the relevant legislation within the scope of Company practices.

MADDE 4: POLİTİKA’NIN YÜRÜRLÜĞÜ Şirketimiz tarafından düzenlenen bu Politika, internet sitemizde yayımlandığı gün yürürlüğe girer. Politikada yenilik ya da değişiklik olursa yürürlük tarihi güncellenecektir. Politika Şirketimizin internet sitesinde yayımlanır ve kişisel veri sahiplerinin talebi üzerine ilgili kişilerin erişimine sunulur.

ARTICLE: 5 ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA In accordance with Article 12 of the KVKK, our company takes all the necessary administrative, technical and legal measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure appropriate security to ensure the preservation of the data, and carries out all necessary inspections in this context. provides.

ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA

6.1 Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

Our company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law.

6.1.1 Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by our company to ensure the lawful processing of personal data are listed below: a. Personal data processing activities carried out within our company are audited by established technical systems. b. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism. c. Technically knowledgeable personnel are employed.

6.1.2 Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by our company to ensure the lawful processing of personal data are listed below:

a. Employees are informed and trained about personal data protection law and the lawful processing of personal data.

b. All activities carried out by our company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed specific to the commercial activities carried out by the relevant business units.

c. Personal data processing activities carried out by our company’s business units; The requirements to be fulfilled to ensure that these activities comply with the personal data processing conditions required by Law No. 6698 are determined for each business unit and the detailed activity it carries out.

D. In order to ensure that our business units meet the legal compliance requirements, awareness is created and implementation rules are determined for the relevant business units; Necessary administrative measures to ensure the control of these issues and the continuity of the application are implemented through internal policies and trainings.

to. Records that impose the obligation not to process, disclose or use personal data, except for the Company’s instructions and exceptions imposed by law, are included in the contracts and documents governing the legal relationship between our Company and employees, and employees’ awareness on this issue is created and inspections are carried out.

6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and implementation costs in order to prevent personal data from being disclosed, accessed, transferred without caution or unauthorized, or any other unlawful access.

6.2.1 Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by our company to prevent unlawful access to personal data are listed below:

a. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

b. Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.

c. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

D. Software and hardware including virus protection systems and firewalls are installed.

to. Technically knowledgeable personnel are employed.

6.2.2 Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:

a. Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.

b. Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.

c. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.

D. Contracts concluded by our company with persons to whom personal data is transferred in accordance with the law; Provisions are added stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

6.3 Storing Personal Data in Secure Environments

Our company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.

6.3.1 Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by our company to store personal data in secure environments are listed below:

a. Systems compatible with technological developments are used to store personal data in secure environments.

b. Personnel specialized in technical matters are employed.

c. Technical security systems are established for hiding areas, the technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, risky issues are re-evaluated and the necessary technological solutions are produced.

D. Backup programs are used in accordance with the law to ensure that personal data is stored safely.

6.3.2 Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by our company to store personal data in secure environments are listed below:

a. Employees are trained to ensure that personal data is stored securely.

b. In case our company outsources the storage of personal data due to technical requirements, the contracts concluded with the relevant companies to which the personal data are transferred in accordance with the law; Provisions are included stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

6.4 Audit of Measures Taken for the Protection of Personal Data

Our company carries out or has the necessary inspections carried out within its own structure in accordance with Article 12 of the KVKK. These audit results are reported to the relevant unit within the scope of the internal functioning of the company and the necessary activities are carried out to improve the measures taken.

6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data Our company will ensure that if personal data processed in accordance with Article 12 of the KVKK is obtained by others through illegal means, this situation will be reported to the relevant personal data owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the KVK Board’s website or by another method.

ARTICLE 7: RESERVATION OF DATA OWNER’S RIGHTS; CREATION OF CHANNELS TO TRANSMIT THESE RIGHTS TO OUR COMPANY AND EVALUATION OF DATA SUBJECTS’ REQUESTS

Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners.

If personal data owners submit their requests regarding their rights listed below to our Company in writing, our Company finalizes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, our Company will charge the fee in the tariff determined by the KVK Board. Personal data owners;

a. Learning whether personal data is processed or not,

b. Requesting information if personal data has been processed,

c. Learning the purpose of processing personal data and whether they are used for their intended purpose,

D. Knowing the third parties to whom personal data is transferred at home or abroad,

to. Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,

f. Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the KVK Law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,

g. Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,

h. In case of damage due to unlawful processing of personal data, they have the right to demand compensation for the damage.

More detailed information about the rights of data owners is included in this Policy.

ARTICLE:8 PROTECTION OF SPECIAL PERSONAL DATA

With the Personal Data Protection Law, special importance has been attached to certain personal data due to the risk of causing victimization or discrimination to individuals if processed unlawfully.

These data; Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Our company acts with care in protecting special personal data, which are determined as “special nature” by the Personal Data Protection Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully implemented in terms of special personal data and the necessary inspections are provided within the company.

Detailed information about the processing of sensitive personal data is included in this Policy.

ARTICLE: 9 INCREASING THE AWARENESS AND AUDIT OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company organizes the necessary training for business units to raise awareness on preventing unlawful processing of personal data, unlawful access to data, and ensuring the preservation of data.

Necessary systems are established to raise awareness of the current employees of the company’s business units and the newly recruited employees about the protection of personal data, and we work with professionals if necessary.

ARTICLE 10: INCREASING AWARENESS AND INSPECTION OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company organizes trainings and seminars for business partners to prevent unlawful processing of personal data, prevent unlawful access to data, and raise awareness about ensuring the preservation of data.

The trainings carried out for the company’s business partners are repeated periodically, the necessary systems are established to raise the awareness of the current employees of the business partners and the newly recruited employees of the business unit about the protection of personal data, and we work with professionals if necessary.

The results of the training carried out to raise awareness of the company’s business partners about the protection and processing of personal data are reported to the holding. In this regard, our company evaluates the participation in relevant trainings, seminars and information sessions and carries out the necessary inspections or has them carried out. Our company updates and renews its training in parallel with the update of the relevant legislation.

ARTICLE 11: ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

Our company, in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, regarding the processing of personal data; In accordance with the law and the rules of honesty; accurate and up to date when necessary; Pursuing specific, clear and legitimate purposes; engages in personal data processing in a limited and measured manner in connection with the purpose. Our company retains personal data for the period stipulated by law or required by the purpose of processing personal data.

In accordance with Article 20 of the Constitution and Article 5 of the KVK Law, our company processes personal data based on one or more of the conditions in Article 5 of the KVK Law regarding the processing of personal data.

Our company informs personal data owners in accordance with Article 20 of the Constitution and Article 10 of the Personal Data Protection Law and provides the necessary information if personal data owners request information.

Our company complies with the regulations stipulated in the processing of special personal data in accordance with Article 6 of the KVK Law.

In accordance with Articles 8 and 9 of the KVK Law, our company complies with the regulations stipulated in the law and put forward by the KVK Board regarding the transfer of personal data.

ARTICLE 12: PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED IN THE LEGISLATION

12.1 Processing in accordance with the Law and the Rules of Honesty

Our company; It acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than what is required.

12.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests. It takes the necessary measures in this regard.

12.3 Processing for Specific, Clear and Legitimate Purposes

Our company clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. Our company processes personal data in connection with the service it offers and as much as is necessary for them.

12.4 Being Related to the Purpose for Processing, Limited and Proportionate

Our company processes personal data in a manner suitable for achieving the specified purposes and avoids the processing of personal data that is not relevant or needed to achieve the purpose. For example, personal data processing activities are not carried out to meet needs that may arise later.

12.5 Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

Our company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company first determines whether a period of time is prescribed for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores personal data for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized by our Company. Personal data is not stored by our Company for possible use in the future. Detailed information on this subject is included in this Policy.

ARTICLE 13: PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF KVKK AND LIMITED TO THESE TERMS

Protection of personal data is a Constitutional right. Fundamental rights and freedoms can only be limited by law, without affecting their essence, and only for the reasons specified in the relevant articles of the Constitution. In accordance with the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Our company, in this direction and in accordance with the Constitution; It processes personal data only in cases stipulated by law or with the express consent of the person. Detailed information on this subject is included in this Policy.

ARTICLE 14: CLARIFICATION AND INFORMATION OF THE PERSONAL DATA OWNER

Our company informs personal data owners during the collection of personal data in accordance with Article 10 of the KVK Law. In this context, it clarifies the identity of the Holding and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner. Detailed information on this subject is included in this Policy.

Article 20 of the Constitution states that everyone has the right to be informed about their personal data. In this regard, Article 11 of the KVK Law includes “requesting information” among the rights of the personal data owner. In this context, our company provides the necessary information if the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVK Law. Detailed information on this subject is included in this Policy.

ARTICLE 15: PROCESSING OF SPECIAL PERSONAL DATA

Our company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as “special nature” by the KVK Law.

In Article 6 of the KVK Law, some personal data that poses the risk of causing victimization or discrimination when processed unlawfully are designated as “special nature”. These data; Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

By our Company in accordance with the KVK Law; Special categories of personal data are processed in the following cases, provided that adequate measures are taken to be determined by the KVK Board:

a. If the personal data owner has explicit consent or

b. If there is no explicit consent of the personal data owner;

1) Special categories of personal data, other than the health and sexual life of the personal data owner, in cases stipulated by law,

2) Special personal data regarding the personal data owner’s health and sexual life can only be used by persons or authorized institutions under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. and processed by organizations.

ARTICLE 16: TRANSFER OF PERSONAL DATA

Şirketimiz hukuka uygun olan kişisel veri işleme amaçları doğrultusunda gerekli güvenlik önlemlerini alarak kişisel veri sahibinin kişisel verilerini ve özel nitelikli kişisel verilerini üçüncü kişilere (üçüncü kişi şirketlere, iş ortaklarına, üçüncü gerçek kişilere) aktarabilmektedir. Şirketimiz bu doğrultuda KVK Kanunu’nun 8. maddesinde öngörülen düzenlemelere uygun hareket etmektedir. Bu konu ile ilgili ayrıntılı bilgiye bu Politikada yer verilmiştir.

16.1 Transfer of Personal Data

Our company may transfer personal data to third parties in line with legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below:

a. If the personal data owner has explicit consent;

b. If there is a clear regulation in the law regarding the transfer of personal data,

c. If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity;

D. If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

to. If personal data transfer is mandatory for our company to fulfill its legal obligations,

f. If personal data has been made public by the personal data owner,

g. If personal data transfer is mandatory for the establishment, exercise or protection of a right,

h. If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

16.2 Transfer of Special Personal Data

Our company takes the necessary care, takes the necessary security measures and takes the adequate precautions prescribed by the KVK Board; In line with legitimate and lawful personal data processing purposes, the personal data owner’s special data may be transferred to third parties in the following cases.

a. If the personal data owner has explicit consent or

b. If there is no explicit consent of the personal data owner;

1) Special personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures). relevant data and biometric and genetic data), in cases stipulated by law,

ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD

Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the legal personal data processing purposes. Personal data by our company; To foreign countries that have been declared to have adequate protection by the KVK Board (“Foreign Country with Adequate Protection”) or, in case there is no sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and have the permission of the KVK Board. (“Foreign Country Where the Data Controller Committed to Adequate Protection is Located”) is transferred. In this regard, our company acts in accordance with the regulations stipulated in Article 9 of the KVK Law. Detailed information on this subject is included in this Policy.

17.1 Transfer of Personal Data Abroad

Our company may transfer personal data to Foreign Countries Where the Data Controller Has Adequate Protection or Commits to Adequate Protection, if there is the express consent of the personal data owner in line with legitimate and lawful personal data processing purposes, or if there is no explicit consent of the personal data owner, in case of one of the following situations:

If there is a clear regulation in the law regarding the transfer of personal data,

a. If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity;

b. If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

c. If personal data transfer is mandatory for our company to fulfill its legal obligations,

D. If personal data has been made public by the personal data owner,

to. If personal data transfer is mandatory for the establishment, exercise or protection of a right,

f. If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

17.2 Transfer of Special Personal Data Abroad

Our company takes the necessary care, takes the necessary security measures and takes the adequate precautions prescribed by the KVK Board; In line with legitimate and lawful personal data processing purposes, the special data of the personal data owner may be transferred to Foreign Countries Where the Data Controller Has Sufficient Protection or Undertakes Adequate Protection is located in the following cases.

a. If the personal data owner has explicit consent or

b. If there is no explicit consent of the personal data owner;

ARTICLE 18: CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD

In accordance with Article 10 of the KVK Law, our company informs the personal data owner which personal data owner groups it processes, the purposes of processing the personal data of the personal data owner and the storage periods within the scope of the obligation to inform.

ARTICLE 19: CATEGORIZATION OF PERSONAL DATA

Before our company, the relevant persons are informed in accordance with Article 10 of the KVK Law, and based on one or more of the personal data processing conditions specified in Article 5 of the KVK Law, in line with our Company’s legitimate and lawful personal data processing purposes, primarily in accordance with the KVK Law. Personal data in the following categories are processed, limited to the subjects within the scope of this Policy, in compliance with the general principles specified in the KVK Law, including the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVK Law. This Policy also states which data owners the personal data processed in these categories are associated with and which are regulated within the scope of this Policy.

IDENTITY INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; All information contained in documents such as Driving License, Identity Card, Residence, Passport, Lawyer ID, Marriage Certificate.

COMMUNICATION INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; Information such as phone number, address and e-mail.

CUSTOMER INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework.

PHYSICAL SPACE SECURITY INFORMATION; Personal data related to records and documents taken during the entrance to the physical location and during the stay in the physical location, which are clearly belonging to an identified or identifiable natural person and are included in the data recording system.

PROCESSING SAFETY INFORMATION; Clearly belongs to an identified or identifiable natural person and is included in the data recording system; Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities.

RISK MANAGEMENT INFORMATION; It is clear that it belongs to an identified or identifiable natural person and is included in our data risk recording system; Data that can be used and processed in accordance with generally accepted legal, commercial customs and honesty rules in these areas so that we can manage our commercial, technical and administrative management.

FINANCIAL INFORMATION: Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner.

PERSONAL INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; All kinds of personal data processed to obtain information that will be the basis for the formation of the personal rights of our employees or natural persons who have a working relationship with our Company.

EMPLOYEE CANDIDATE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding individuals who have applied to become employees of our Company or who have been evaluated as employee candidates in line with the human resources needs of our company in accordance with commercial practices and honesty rules, or who are in a working relationship with our Company.

EMPLOYEE TRANSACTION INFORMATION;

Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding any business-related transactions carried out by our employees or natural persons who have a working relationship with our company.

WORK PERFORMANCE AND CAREER DEVELOPMENT INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Data processed for the purpose of measuring the performance of our employees or real persons who have a working relationship with our Company and planning and executing their career development within the scope of our company’s human resources policy.

SIDE RIGHTS AND BENEFITS INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed for planning the fringe rights and benefits we offer and will offer to employees or other real persons who have a working relationship with our Company, determining objective criteria for entitlement to these, and tracking their progress payments.

LEGAL PROCEDURES AND COMPLIANCE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of determining and pursuing our legal receivables and rights and fulfilling our debts, as well as compliance with our legal obligations and our company’s policies.

AUDIT AND INSPECTION INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of our company’s legal obligations and compliance with company policies.

SPECIAL PERSONAL DATA; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Data specified in Article 6 of Law No. 6698.

REQUEST/COMPLAINT MANAGEMENT INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the receipt and evaluation of any requests or complaints directed to our company.

ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA

According to the categorization prepared by our Company, the main purposes for processing personal Data are shared below:

a. Carrying out the necessary work by our relevant business units in order to realize the commercial activities carried out by our company and carrying out the related business processes,

b. Planning and execution of our company’s commercial and/or business strategies,

c. Carrying out the necessary work by our business units and carrying out the relevant processes to enable relevant people to benefit from the products and services offered by our company,

D. Planning and executing our company’s human resources policies and processes,

to. Ensuring the legal, technical and commercial occupational safety of the relevant persons who have a business relationship with our Company.

The data processing purposes within the scope of the main purposes listed above are as follows:

1. Event Management

2. Planning and Execution of Research and Development Activities

3. Planning and Execution of Business Activities

4. Planning and Execution of Corporate Communication Activities

5. Planning and Execution of Information Security Processes

6. Creating and Managing Information Technologies Infrastructure

7. Planning and Execution of Business Partners and/or Suppliers’ Access Authorizations to Information and Facilities

8. Planning and Execution of Fringe Benefits and Benefits for Supplier and/or Business Partner Employees

9. Follow-up of Finance and/or Accounting Affairs

10. Planning and Execution of Logistics Activities

11. Management of Relationships with Business Partners and/or Suppliers

12. Carrying out activities to determine customers’ financial risks

13. Planning and Execution of Customer Relationship Management Processes

14. Follow-up of Contract Processes and/or Legal Requests

15. Tracking of Customer Requests and/or Complaints

16. Planning Human Resources Processes

17. Conducting Personnel Recruitment Processes

18. Follow-up of Legal Affairs

19. Planning and Execution of Operational Activities Necessary to Ensure Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation

20. Collection of Entry and Exit Records of Business Partner/Supplier Employees

21. Creation and Tracking of Visitor Records

22. Planning and Execution of Company Audit Activities

23. Planning and/or Execution of Occupational Health and/or Safety Processes

24. Ensuring that Data is Accurate and Up to Date

25. Management and/or Supervision of Relationships with Affiliates

26. Ensuring the Security of Company Campuses and/or Facilities

27. Ensuring the Security of Company Assets and/or Resources

28. Planning and/or Execution of Company Financial Risk Processes

Our Company requests the explicit consent of personal data owners in order to process personal data within the scope of personal data processing purposes other than the cases stated above; The following personal data processing activities are carried out by the relevant business units in accordance with the explicit consent of the personal data owners. In this context; In the absence of the above-mentioned conditions, personal data processing purposes requiring the express consent of personal data owners;

I. Planning and Execution of Business Partners and/or Suppliers’ Access Authorizations to Information and Facilities

II. Planning and Execution of Logistics Activities

III. Management of Relationships with Business Partners and/or Suppliers

IV. Follow-up of Contract Processes and/or Legal Requests

V. Planning of Human Resources Processes

VI. Conducting Personnel Recruitment Processes

VII. Planning and/or Execution of Customer Satisfaction Activities

VIII. Planning and Execution of Operational Activities Necessary to Ensure Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation

IX. Collecting Entry and Exit Records of Business Partner/Supplier Employees

X. Planning and Execution of Company Audit Activities

XI. Planning and/or Execution of Occupational Health and/or Safety Processes

XII. It can be listed as Ensuring the Security of Company Campuses and/or Facilities.

ARTICLE 21: STORAGE PERIOD OF PERSONAL DATA Our company stores personal data for the period specified in the relevant laws and legislation, if required. If a period of time is not regulated in the legislation regarding how long personal data should be stored, personal data is processed for a period of time that requires processing in accordance with our Company’s practices and commercial life practices, depending on the services our company offers while processing that data, and then deleted, destroyed or anonymized. Detailed information on this subject is included in this policy. The purpose of processing personal data has expired; If the storage periods determined by the relevant legislation and the company have come to an end; personal data is used only to constitute evidence in possible legal disputes or to assert the relevant right based on personal data or to establish a defense.

ARTICLE 25: TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 25.1 Deletion and Destruction Techniques of Personal Data Our Company may delete or destroy personal data based on its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the relevant law. The deletion or destruction techniques most commonly used by our company are listed below: 25.1.1 Physical Destruction Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, a system of physical destruction of personal data in such a way that it cannot be used later is applied. 25.1.2 Secure Deletion from Software While data processed wholly or partially automatically and stored in digital media is deleted/destroyed; Methods are used to delete the data from the relevant software so that it cannot be recovered again. 25.1.3 Secure Deletion by an Expert In some cases, the Company may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in this field so that it cannot be recovered again. 25.2 Techniques for Anonymizing Personal Data Anonymization of personal data refers to making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated. In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Personal Data Protection Law and the express consent of the personal data owner will not be required. Since personal data processed by anonymization will be outside the scope of the KVK Law, the rights set out in the Policy will not apply to this data. The anonymization techniques most used by our company are as follows; a- Masking Data masking is the method of anonymizing personal data by removing the basic identifying information of personal data from the data set. b- Aggregation With the data aggregation method, many data are aggregated and personal data is made unable to be associated with any person. c- Data Derivation With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person. d- Data Mixing With the data mixing method, the connection between values and individuals is broken by mixing the values in the personal data set. Our Company informs the personal data owner of his or her rights in accordance with Article 10 of the KVK Law, guides the personal data owner on how to use these rights, and our Company complies with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners. It carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with the article. ARTICLE 26: RIGHTS OF THE DATA OWNER AND HIS USE OF THESE RIGHTS 26.1 Rights of the Personal Data Owner Personal data owners have the following rights: a. Learning whether personal data is being processed or not b. Requesting information if personal data has been processed c. Learning the purpose of processing personal data and whether they are used for their intended purpose d. Knowing third parties to whom personal data is transferred at home or abroad e. Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred f. Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the KVK Law and other relevant legal provisions, and requesting that the transaction carried out in this context be notified to third parties to whom the personal data has been transferred g. Objecting to the emergence of a result that is unfavorable to the person by analyzing the processed data exclusively through automatic systems. h. Requesting compensation of the damage in case of damage due to personal data being processed unlawfully 26.2 Situations in which the Personal Data Owner Cannot Assert Their Rights Personal data owners have the following rights in these matters, since the following situations are excluded from the scope of the KVK Law in accordance with Article 28 of the KVK Law: They cannot claim: a. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics b. Personal data protects national defence, national security, public safety, public order, economic security,