Personal Data Processing and Protection Policy

Table of Contents
FIRST CHAPTER
1. INTRODUCTION
1.1. Introduction
1.2. Purpose of the Policy
1.3. Scope of the Policy and Data Subjects
1.4. Definitions
1.5. Enactment of the Policy
SECOND CHAPTER
§ 2. PROCESSING AND TRANSFER OF PERSONAL DATA
2.1. General Principles in the Processing of Personal Data
2.2. Conditions for Processing Personal Data
2.3. Conditions for Processing Sensitive Personal Data
2.4. Conditions for Transferring Personal Data
2.4.1. Conditions for Transferring Personal Data Abroad
2.5. Conditions for Transferring Sensitive Personal Data
2.5.1. Transfer of Sensitive Personal Data Abroad
THIRD CHAPTER
§ 3. CLASSIFICATION, PROCESSING AND TRANSFER PURPOSES OF PERSONAL DATA, AND THE PERSONS TO WHOM DATA WILL BE TRANSFERRED
3.1. Classification of Personal Data
3.2. Purposes for Processing and Transferring Personal Data
3.3. Persons to Whom Personal Data Will Be Transferred
FOURTH CHAPTER
§ 4. METHOD OF COLLECTING PERSONAL DATA, LEGAL BASIS, DELETION, DESTROYING, ANONYMIZATION AND STORAGE PERIOD
4.1. Method of Collecting Personal Data and Legal Basis
4.2. Deletion, Destruction or Anonymization of Personal Data
4.3. Storage Period of Personal Data
FIFTH CHAPTER
§ 5. MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data
5.1.2. Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data
5.1.3. Storing Personal Data in Secure Environments
5.1.4. Auditing Measures Taken to Protect Personal Data
5.1.5. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data
5.2. Protection of the Legal Rights of Data Subjects
5.3. Protection of Sensitive Personal Data
SIXTH CHAPTER
§ 6. RIGHTS OF THE DATA SUBJECT, USE OF RIGHTS, AND ASSESSMENT
6.1. Informing the Data Subject
6.2. Rights of the Data Subject under the Personal Data Protection Law
6.3. Circumstances Where the Data Subject Cannot Exercise Their Rights
6.4. Exercising Rights by the Data Subject
6.5. Company’s Procedure and Timeline for Responding to Applications
6.6. Right of the Data Subject to File a Complaint with the Personal Data Protection Board
SEVENTH CHAPTER
§ 7. COMPANY’S MANAGEMENT STRUCTURE ACCORDING TO THE PERSONAL DATA PROCESSING AND PROTECTION POLICY
EIGHTH CHAPTER
§ 8. UPDATES, COMPLIANCE, AND CHANGES
8.1. Updates, Compliance, and Changes
FIRST CHAPTER
1. INTRODUCTION
1.1. Introduction
As AIRONN VENTILATION INDUSTRY INC. ("Company"), we attach the utmost importance to processing and protecting personal data in accordance with the law, in compliance with Law No. 6698 on the Protection of Personal Data ("Law"). We act with this awareness in all our planning and activities. With this in mind, we present this Personal Data Processing and Protection Policy ("Policy") for your information, in order to fulfill our obligation to inform under Article 10 of the Law, as well as to notify the administrative and technical measures we have taken regarding the processing and protection of personal data.
1.2. Purpose of the Policy
The main purpose of this Policy is to provide explanations about the systems for processing and protecting personal data in accordance with the law and the purpose of the Law, and to inform individuals whose personal data are processed by the Company, including Company Stakeholders, Company Authorities, Company Business Partners, Our Job Candidates, Employees, Institutions with which we have a contractual relationship, Visitors, Company Customers, Potential Customers, and Third Parties. By doing so, the aim is to ensure full compliance with the legislation in the personal data processing and protection activities carried out by our Company, and to protect all the rights of personal data owners arising from the legislation concerning their personal data.
1.3. Scope of the Policy and Data Subjects
This Policy applies to individuals whose personal data are processed by our Company, including but not limited to Company Stakeholders, Company Authorities, Company Business Partners, Our Job Candidates, Employees, Former Employees/Retirees, Institutional Authorities/Employees with whom we have a contractual relationship, Press, Visitors, Company Customers, Potential Customers, Suppliers/Supplier Candidates, and Third Parties. The Policy does not apply to legal entities or legal entity data.
Our Company informs the Data Subjects about the Law by publishing this Policy on its website. A separate Personal Data Processing Policy for Employees will apply to our employees. If the data is not included within the scope of "Personal Data" as defined below, or if the personal data processing activity is not carried out by our Company through the methods outlined above, this Policy will not be applied.
The personal data subjects within the scope of this Policy are as follows:
Company Stakeholder:
The Company Stakeholder is a real person.
Company Real Person Business Partner:
These are real persons with whom the Company is engaged in any type of business relationship.
Company Business Partner Stakeholder, Authorized Representative, Employee:
Real persons who are employees, stakeholders, or authorized representatives of the legal and real persons (such as business partners and suppliers) with whom the Company has any type of business relationship.
Company Authority:
These are real persons who are members of the Board of Directors and other authorized persons of the Company.
Job Candidate:
Real persons who have applied for a job at the Company or have opened their CV and related information for the Company's review.
Employee Family Members:
Refers to family members and relatives of individuals who have established an employment contract with our Company.
Former Employee:
Real persons whose employment contract with the Company has been terminated for any reason.
Reference:
Real persons whose information has been shared for reference checks when a candidate has applied for a job with the Company.
Person Named on the Invoice:
Refers to the person whose details are written on the invoice as a result of a transaction with the Company.
Company Customer:
Real persons who use or have used the products and services offered by the Company, regardless of whether there is a contractual relationship with the Company.
Potential Customer:
Real persons who have expressed interest in or requested to use the Company's products and services or are assessed in line with commercial practices and rules of good faith.
Potential Business Partner Authority/Employee/Shareholder:
Real persons who are shareholders, authorities, or employees of legal entities (companies) with whom the Company intends to establish future cooperation, business partnerships, or program partnerships.
Supplier Employee/Authority/Shareholder:
Real persons who are shareholders, authorities, or employees of companies providing goods and/or services to the Company under an existing contract.
Potential Supplier Authority/Employee/Shareholder:
Real persons who are shareholders, authorities, or employees of companies that may enter into a future contract with the Company to provide goods and/or services.
Delivery Recipient:
Real persons to whom the relevant product is to be delivered in transactions made with the Company.
Visitor:
All real persons who enter the Company's physical premises for various purposes or visit the Company’s website for any reason.
Member Customer:
Real persons who use or have used the products and services offered by the Company by joining our loyalty program.
Third Party:
Other real persons who do not fall under any category of personal data owner in this Policy and who are not included under the scope of the Personal Data Protection and Processing Policy prepared for Company Employees.
1.4. Definitions
The terms used in this Policy have the following meanings:
Key Terms:
1. Company/Our Company: Refers to Aironn Havalandırma Sanayi Anonim Şirketi.
2. Personal Data: Refers to any information that relates to an identified or identifiable individual.
3. Special Categories of Personal Data: Includes sensitive data such as race, ethnicity, political views, religious beliefs, health data, etc.
4. Processing of Personal Data: Involves actions like collection, storage, modification, transmission, or destruction of personal data.
5. Data Controller: The entity responsible for determining the purposes and means of processing personal data, which in this case is Aironn Havalandırma.
6. Data Processor: A party who processes personal data on behalf of the data controller.
7. Explicit Consent: The freely given, informed, and unambiguous consent of the individual to process their personal data.
General Principles for Data Processing:
• Lawful Processing: Personal data must be processed in accordance with applicable laws and integrity.
• Accuracy and Currency: Personal data must be accurate and kept up to date.
• Purpose Limitation: Data is collected for specific, legitimate purposes and not processed further in a manner incompatible with those purposes.
• Data Minimization: Personal data processed should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
• Retention Period: Personal data must be retained for no longer than necessary and deleted or anonymized when no longer needed for the specified purpose.
Conditions for Processing Personal Data:
1. Explicit Consent: Personal data will be processed based on the consent of the individual unless otherwise required by law.
2. Contractual Necessity: Personal data can be processed for the fulfillment of a contract.
3. Legal Obligation: Personal data can be processed to comply with legal obligations.
4. Vital Interests: Data can be processed to protect someone's life or bodily integrity if they cannot give consent.
5. Publicly Available Data: Personal data previously made public by the individual may be processed without explicit consent.
6. Legitimate Interests: Personal data can be processed if necessary for the legitimate interests of the company, ensuring it does not infringe on the data subject's rights.
2.3. Processing Conditions for Sensitive Personal Data:
• The company processes sensitive personal data only with the explicit consent of the data subject. However, sensitive personal data other than data on health and sexual life may be processed without explicit consent if permitted by law.
• Health and sexual life-related data may be processed without consent in situations like public health protection, medical diagnoses, treatment, and healthcare management, under confidentiality obligations.
• The company follows the necessary steps to ensure adequate safeguards as determined by the Personal Data Protection Authority (KVKK).
2.4. Conditions for Transferring Personal Data:
• Personal data can be transferred to third parties in compliance with legal requirements and under confidentiality and security measures.
• The transfer of personal data may occur in the following cases:
  ◦ With the explicit consent of the data subject.
  ◦ If there is a legal provision requiring the transfer.
  ◦ If it is necessary to protect the life or bodily integrity of the data subject or another person.
  ◦ If the data subject is unable to provide consent due to impossibility or legal incapacity.
  ◦ If the transfer is necessary for fulfilling a contract.
  ◦ If the transfer is required for the company to fulfill its legal obligations.
  ◦ If the data subject has already made the data public.
  ◦ If it is necessary for the establishment, exercise, or protection of a legal right.
2.4.1. Conditions for Transferring Personal Data Abroad:
• Personal data may be transferred abroad to countries that provide adequate protection, as determined by the KVKK. If no adequate protection exists, transfers can occur if the data controller in the foreign country provides written assurances for adequate protection and receives approval from the KVKK.
2.5. Conditions for Transferring Sensitive Personal Data:
• Sensitive personal data (e.g., health, sexual life, racial, ethnic, and other such data) can only be transferred under strict conditions:
  ◦ With the explicit consent of the data subject, or
  ◦ In cases where the transfer is required by law or to protect public health, medical treatment, or other health-related services, under strict confidentiality obligations.
3.1. Categorization of Personal Data:
• Personal data is classified into categories, and each category is handled according to the purpose of processing and legal requirements. Categories include:
  ◦ Identity Information: Personal identification details such as name, ID number, and other official documents.
  ◦ Contact Information: Details like phone numbers, email addresses, and postal addresses.
  ◦ Location Data: GPS coordinates and travel data related to the data subject’s location.
  ◦ Security Data: Data related to security measures, including internet passwords and access codes.
  ◦ Family and Close Relations: Information about family members and emergency contacts.
  ◦ Physical Security Information: Data related to physical entry and surveillance, like camera recordings.
  ◦ Financial Information: Data related to the financial transactions of the data subject, including bank details and credit information.
  ◦ Visual/Audio Information: Photographs, audio recordings, and other media.
  ◦ Employment Information: Data related to employment relationships
Corporate Communication Activities
▪ Planning and execution of corporate communication activities,
▪ Planning and execution of supply chain management processes,
▪ Ensuring the legal, commercial, and physical safety of the Company and its business partners,
▪ Ensuring the corporate operation, planning and execution of management and communication activities,
▪ Ensuring that Personal Data Owners benefit in the best way from the products and services and recommending them in a personalized way based on their demands, needs, and desires,
▪ Planning and execution of after-sales support service activities,
▪ Planning and execution of reporting activities,
▪ Monitoring contract processes and legal claims,
▪ Ensuring the highest level of data security,
▪ Creating databases,
▪ Improving and troubleshooting services offered on the website and various social platforms,
▪ Communicating with Personal Data Owners who submit requests and complaints, ensuring request and complaint management,
▪ Event management,
▪ Managing relationships with business partners or suppliers,
▪ Managing personnel recruitment processes,
▪ Planning and execution of human resources needs for production,
▪ Monitoring and supervising employees' work activities,
▪ Supporting the planning and execution of benefits and rights for senior managers,
▪ Execution/follow-up of financial reporting and risk management processes,
▪ Execution/follow-up of company legal matters,
▪ Conducting activities to protect the company’s reputation,
▪ Planning market research activities for the sales and marketing of products and services,
▪ Planning product and service marketing processes,
▪ Planning and execution of customer satisfaction activities,
▪ Identifying and/or evaluating individuals based on consumer behavior criteria for marketing activities,
▪ Planning personalized marketing and/or promotional activities,
▪ Designing and/or executing advertising and/or promotion, and marketing in digital or other media,
▪ Designing and/or executing activities aimed at customer acquisition and/or value creation in existing customers,
▪ Planning and/or executing data analytics activities for marketing purposes,
▪ Organizing competitions, sweepstakes, and ensuring customer satisfaction for marketing purposes,
▪ Planning and execution of activities aimed at improving user experience for products and services,
▪ Managing investor relations,
▪ Monitoring legal affairs,
▪ Providing information to authorized institutions as required by the law,
▪ Performing corporate and partnership legal transactions,
▪ Planning and execution of company audit activities,
▪ Planning and executing operational activities necessary for ensuring that company operations comply with company procedures and relevant legislation,
▪ Planning and execution of internal audit and investigation processes,
▪ Planning and execution of occupational health and safety processes,
▪ Ensuring the security of company campuses and facilities,
▪ Ensuring the security of company assets and resources,
▪ Planning and execution of financial risk processes,
▪ Planning and execution of the company's production and/or operational risk processes,
▪ Creating and tracking visitor records.
These activities are carried out under the provisions of Articles 5 and 6 of the Law, within the scope of the conditions for processing Personal Data. If a data processing activity does not meet any of the conditions set forth in the Law, explicit consent is obtained from the data subject for that processing activity.
3.3. Individuals to Whom Personal Data Will Be Transferred
Your Personal Data may be transferred to the following categories of persons covered by the Policy, in compliance with the law and the purpose of the Law:
Individuals to Whom Data Can Be Transferred
• Business Partners
Personal data may be transferred to fulfill the purposes of establishing business partnerships with other companies or Group Companies, conducting various projects, or receiving services.
• Company Stakeholders
Personal data may be transferred within the scope of the activities carried out by the company according to the applicable regulations, limited to the purposes of corporate law, event management, and corporate communication.
• Company Authorities
Personal data may be transferred to company authorities for the purpose of designing business strategies, ensuring management at the highest level, and auditing, as required by applicable regulations.
• Business/Service Partners
Personal data may be transferred to third parties cooperating with the company for the sale, promotion, marketing of products and services, after-sales support, and joint customer loyalty programs.
• Suppliers
Suppliers providing goods or services for the commercial activities of the company under the company's instructions and in accordance with the agreement.
• Legally Authorized Public Institutions and Organizations
Personal data may be transferred to relevant public institutions within their legal authority for the purpose specified by the institution.
• Legally Authorized Private Law Persons
Personal data may be transferred to relevant private law persons within their legal authority for the purpose specified by the institution.
FOURTH CHAPTER
4. PERSONAL DATA COLLECTION METHOD AND LEGAL BASIS, DELETION, DESTRUCTION, AND ANONYMIZATION, STORAGE PERIOD
4.1. Method and Legal Basis of Personal Data Collection
In accordance with Article 1 of the Law regulating the purpose of the Law and Article 2 regulating the scope of the Law, Personal Data is collected through verbal, written, electronic means, or technical and other methods via various channels such as call centers, the company's website, and mobile applications. The data is collected for the purposes stated in this Policy, based on legal obligations, contracts, requests, and consent, to fulfill responsibilities under the law, and is processed by the Company or data processors appointed by the Company.
4.2. Deletion, Destruction, or Anonymization of Personal Data
Personal data is deleted, destroyed, or anonymized by the Company upon request by the data subject or if the reasons for processing the data no longer exist, in compliance with the Law and other relevant regulations. Personal data is irrevocably deleted from storage media like documents, files, CDs, disks, and hard disks. Destruction involves removing data storage materials in such a way that data cannot be recovered or used again.
4.3. Storage Period of Personal Data
Personal data is stored for the period specified by law. If no specific period is determined by the applicable law, personal data is processed for the duration necessary based on the activity being carried out and the practices of the company. If the purpose for processing personal data ceases, the data will be deleted, destroyed, or anonymized after the relevant statutory period or the period set by the Company.
When the purpose for processing Personal Data has ended, and the retention periods set by relevant legislation and the Company have expired, Personal Data may only be retained for the purpose of serving as evidence in possible legal disputes or to assert a right related to the personal data or to establish a defense. The duration of this retention is determined based on the statutes of limitations for asserting such rights and examples from previous requests made to the Company on the same matters, even after the expiration of the statutes of limitations. In this case, personal data is not accessed for any other purpose and can only be accessed when necessary for use in the relevant legal dispute. After the mentioned period ends, the personal data is deleted, destroyed, or anonymized.
Detailed regulations regarding the Company’s techniques for the storage, deletion, destruction, and anonymization of Personal Data are outlined in the Company’s Personal Data Storage and Disposal Policy, published on its website.
FIFTH CHAPTER
5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to prevent the unlawful processing of Personal Data, prevent unlawful access to data, and ensure data retention, while performing the necessary audits as part of this process.
5.1. Ensuring the Security of Personal Data
5.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
The Company takes technical and administrative measures according to technological possibilities and application costs to ensure the lawful processing of Personal Data.
(i) Technical Measures Taken to Ensure the Lawful Processing of Personal Data
The main technical measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
▪ Personal Data processing activities within the Company are monitored with established technical systems.
▪ The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
▪ Personnel with expertise in technical matters are employed.
(ii) Administrative Measures Taken to Ensure the Lawful Processing of Personal Data
The main administrative measures taken by the Company to ensure the lawful processing of Personal Data are listed below:
▪ Employees are informed and trained on the law of protection of Personal Data and the lawful processing of Personal Data.
▪ All activities carried out by the Company are analyzed in detail by each business unit, and based on this analysis, Personal Data processing activities specific to each business unit are identified.
▪ Personal Data processing activities carried out by the Company’s business units are defined in accordance with the legal requirements of the Law, and the necessary steps for each unit and specific activity are determined.
▪ Awareness is raised for the legal compliance requirements of each business unit, and rules for application are set; administrative measures are implemented through company policies and training to ensure the monitoring and continuity of these measures.
▪ Contracts and documents governing the legal relationship between the Company and its employees impose obligations not to process, disclose, or use Personal Data, except under instructions from the Company or legal exceptions. Employees are made aware of this and audits are conducted to ensure compliance with the Law.
5.1.2. Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data
The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities, and application costs to prevent unauthorized disclosure, access, transmission, or other forms of unlawful access to Personal Data.
(i) Technical Measures Taken to Prevent Unauthorized Access to Personal Data
The main technical measures taken by the Company to prevent unlawful access to Personal Data are as follows:
▪ Technical measures are taken in accordance with technological developments, and the measures are periodically updated and renewed.
▪ Access and authorization technical solutions are implemented in accordance with legal compliance requirements set for each business unit.
▪ Access rights are limited, and permissions are regularly reviewed.
▪ The technical measures taken are periodically reported as part of the internal audit mechanism, and risk factors are reassessed to produce the necessary technological solutions.
▪ Virus protection systems and firewall software and hardware are installed.
▪ Personnel with expertise in technical matters are employed.
▪ Applications that collect Personal Data are regularly subjected to security scans to detect vulnerabilities, and any identified vulnerabilities are addressed.
(ii) Administrative Measures Taken to Prevent Unauthorized Access to Personal Data
The main administrative measures taken by the Company to prevent unlawful access to Personal Data are as follows:
▪ Employees are trained on the technical measures to prevent unlawful access to Personal Data.
▪ Personal Data access and authorization processes are designed and implemented within the Company in accordance with the legal compliance requirements for each business unit.
▪ Employees are informed that they cannot disclose or use Personal Data in ways that contravene the provisions of the Law, even after leaving their positions, and necessary commitments are obtained from them in this regard.
▪ Contracts made with persons to whom Personal Data is lawfully transferred include provisions requiring the recipients to take necessary security measures for the protection of Personal Data and ensure compliance within their organizations.
5.1.3. Storing Personal Data in Secure Environments
The Company takes the necessary technical and administrative measures, based on technological possibilities and application costs, to ensure that Personal Data is stored securely and to prevent unlawful destruction, loss, or alteration.
(i) Technical Measures Taken to Store Personal Data in Secure Environments
The main technical measures taken by the Company to ensure the secure storage of Personal Data are as follows:
▪ Technological systems are used to store Personal Data in secure environments, in line with technological developments.
▪ Personnel with expertise in technical matters are employed.
▪ Technical security systems are established for storage areas, and security tests and investigations are conducted to detect vulnerabilities in IT systems. Any identified existing or potential risks are eliminated. The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.
▪ Backup programs are used to securely store Personal Data in accordance with legal requirements.
▪ Access to data storage areas is restricted to authorized personnel, and access logs are kept. Unauthorized access attempts or access are immediately reported to the relevant parties.
(ii) Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by the Company to ensure the secure storage of Personal Data are as follows:
▪ Employees are trained on ensuring the secure storage of Personal Data.
▪ Legal and technical consultancy services are obtained to follow developments in information security, privacy, and personal data protection and to take the necessary actions.
▪ In cases where external services are obtained for technical requirements related to Personal Data storage, contracts are made with the relevant companies to ensure they take necessary security measures for the protection of Personal Data.
Fifth Section: Protection of Personal Data
5.1. Measures Taken to Protect Personal Data
The Company is committed to ensuring the security of Personal Data in compliance with the Law on Personal Data Protection (the "Law"). The Company implements necessary technical and administrative measures to prevent any unauthorized access to Personal Data, as well as to ensure its proper processing. These measures are regularly reviewed and updated to maintain high standards of data security.
5.1.1. Supervision of Security Measures
The Company carries out necessary checks and assessments to verify the effectiveness of the measures taken to protect Personal Data. The results of these audits are reported to the relevant departments within the Company's internal processes, and activities are conducted to improve the measures as necessary.
5.1.2. Measures in the Event of Unauthorized Disclosure
If Personal Data is obtained by unauthorized individuals through unlawful means, the Company ensures that this situation is reported to the relevant Data Subject and the Personal Data Protection Board (KVK Board) as per the Law. If necessary, the KVK Board may publicly announce this breach through its website or other methods.
5.2. Protection of the Rights of Data Subjects
The Company fully respects the rights of Data Subjects in relation to the implementation of this Policy and the Law, and takes all necessary precautions to safeguard those rights. Further details about the rights of Data Subjects are provided in the sixth section of this Policy.
5.3. Protection of Special Categories of Personal Data
Certain types of Personal Data, such as race, ethnic origin, political opinions, religious beliefs, health data, and others, are classified as "special" under the Law due to the potential risk of harm or discrimination. The Company takes utmost care to protect these types of data and applies the same technical and administrative security measures to special categories of Personal Data as it does to other types of Personal Data.
________________________________________
Sixth Section: Rights of the Data Subject
6.1. Information to be Provided to the Data Subject
As required by Article 10 of the Law, the Company informs Data Subjects at the time their Personal Data is collected. This information includes details such as the identity of the representative of the Company, the purpose of processing the Personal Data, the recipients to whom the Personal Data may be transferred, the method and legal basis for collecting the data, and the rights of the Data Subject.
6.2. Rights of Data Subjects under the Personal Data Protection Law
As per Article 11 of the Law, Data Subjects have the following rights:
• To learn whether their Personal Data is being processed,
• To request information about how their Personal Data is being processed,
• To learn the purpose of processing their Personal Data and whether it is being used in accordance with its intended purpose,
• To be informed about the third parties to whom their Personal Data has been transferred, both domestically and abroad,
• To request correction if their Personal Data is inaccurate or incomplete,
• To request deletion or destruction of their Personal Data under certain conditions,
• To request that any corrections made to their Personal Data be communicated to third parties to whom their Personal Data has been transferred,
• To object to the processing of their Personal Data through automated systems that lead to decisions affecting them negatively,
• To request compensation for any damages caused by the unlawful processing of their Personal Data.
6.3. Exemptions to Data Subject Rights
According to Article 28 of the Law, certain situations are exempt from the application of the rights mentioned in this Policy, including:
• Personal Data processed solely for personal activities by individuals themselves or their immediate family members,
• Data processed for statistical purposes and anonymized for research and planning,
• Personal Data processed for national security, public safety, and other specified purposes.
6.4. Exercising Data Subject Rights
Data Subjects can exercise their rights by submitting their requests to the Company through the following methods:
• Sending a signed application form in person or by mail to the address specified in the Policy,
• Sending the application form electronically with a secure e-signature to the designated email address,
• Sending the application via a registered email or mobile signature from the registered email address.
6.5. Company's Response to Applications
The Company will respond to Data Subject requests within thirty days. If the process incurs additional costs, a fee may be charged based on the rate set by the KVK Board.
6.6. Right to File a Complaint with the KVK Board
If a Data Subject's request is denied, the response is deemed insufficient, or no response is given within the specified time, the Data Subject has the right to file a complaint with the KVK Board within thirty days of learning of the decision.
________________________________________
Seventh Section: Management Structure for Personal Data Processing and Protection
The Company has established a Personal Data Committee, which is responsible for managing this Policy and ensuring compliance with related laws. The Committee oversees the lawful collection and processing of Personal Data and ensures proper internal monitoring.
________________________________________
Eighth Section: Updates, Compliance, and Changes
The Company reserves the right to make changes to this Policy in response to amendments in the Law, decisions by the KVK Board, or developments in technology. Updates to the Policy will be immediately incorporated, and changes will be explained at the end of the document.