PERSONAL DATA PROTECTION AND PROCESSING POLICY

Contents

1. PURPOSE AND SCOPE
2. DEFINITIONS
3. PRINCIPLES FOR PROTECTING PERSONAL DATA
4. PRINCIPLES OF PROCESSING PERSONAL DATA
5. CATEGORIZATION OF PERSONAL DATA AND PERSONAL DATA SUBJECTS WHOSE PERSONAL DATA HAS BEEN PROCESSED BY OUR COMPANY
6. PURPOSES OF PROCESSING PERSONAL DATA 10
7. DOMESTIC AND/OR CROSS BORDER TRANSFER OF PERSONAL DATA
8. PROTECTION OF PERSONAL DATA
9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS
10. EFFECTIVENESS AND UPDATEABILITY

1. PURPOSE AND SCOPE

According to the Constitution of the Republic of Turkey, everyone has the right to require the protection of his/her personal data. This right includes getting information about personal data, accessing these data, requesting to correct or delete them and learning whether personal data are being used in accordance with its purposes.

The protection of fundamental rights and freedoms of individuals concerning personal data processing obligations of real and legal persons who process personal data, and procedures and principles to be complied with, are set forth in the Personal Data Protection Law numbered 6698 (“PDPL” or the “Law”).

The protection of personal data is one of the main priorities of Tezmaksan Makine ve Ticaret Anonim Şirketi (“Tezmaksan” or the “Company”). In order to inform personal data subjects, Tezmaksan Data Protection and Processing Policy (the “Policy”) regulates the principles adopted on processing personal data by our Company and fundamental principles adopted to make activities of our Company in compliance with the PDPL. With the awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.

The main purpose of this Policy is to make statements about personal data processing conducted lawfully by Tezmaksan and systems adopted for personal data protection, within this scope, to ensure the transparency by informing personal data subjects.

The Policy relates to all personal data processed by the Company fully or partially automatic or non-automatic means provided that personal data is a part of data registry.

2. DEFINITIONS

EXPLICIT CONSENT Consent related to a specific issue, based on information and expressed with free will.
PERSONNEL Employee of Tezmaksan.
PERSONAL DATA SUBJECT/RELEVANT PERSON The real person whose personal data has been processed.
PERSONAL DATA PERSONNEL People who are responsible for storing, protection and back-up of personal data technically or process personal data within the organization-excluding the unit- of the data controller or in line with the authorization and instruction received from the data controller.
PERSONAL DATA All information relating to a real person whose identity is known or could be identified.
SENSITIVE PERSONAL DATA Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data.
PROCESSING OF PERSONAL DATA Processing of personal data is the series of operations that are carried out on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or through non-automatic means only for the process which is a part of any data registry system set out in the Law.
PERSONAL DATA PROCESSOR A person who processes personal data upon receiving authorization and instruction from data controller.
PERSONAL DATA CONTOLLER A real or legal person who determines purposes and means of personal data processing and is responsible for establishment and management of the data recording system.
THE LAW OR PDPL Personal Data Protection Law No. 6698.
THE BOARD Personal Data Protection Board.
THE AUTHORITY Personal Data Protection Authority.
THE POLICY Tezmaksan Personal Data Protection and Processing Policy.

3. PRINCIPLES FOR PERSONAL DATA PROTECTION

3.1. Ensuring the Protection of Personal Data

Our Company, according to Article 12 of the Law, takes the necessary measures considering the nature of the data to prevent the unlawful disclosure, access and transfer of personal data or security gaps that may occur in other ways.

In this context, our Company takes technical and administrative measures to provide the essential security for personal data, carries out audits or have them performed in compliance with the guidelines published by the Personal Data Protection Board (the “Board”). Results of these audits are being reported to the relevant department within the Company.

In the event processed personal data are illegally obtained by others, our Company conducts a system ensuring that this situation is reported to the personal data subject and the Board as soon as possible.

3.2. Observing the Rights of the Data Subject

Our Company conducts necessary administrative and technical coordinates according to Article 13 of the PDPL to evaluate the rights of personal data subjects and provide the necessary information to personal data subjects.

Detailed information regarding the rights of the personal data subjects is specified in Section 9 of this Policy.

3.3. The Protection of Sensitive Personal Data

Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be sensitive data in the Law. Our Company acts responsibly towards the protection of sensitive personal data processed in line with the Law. Technical and administrative measures taken by our Company are being implemented carefully in terms of sensitive personal data, and necessary audits are conducted within Tezmaksan.

3.4. Raising Awareness and Audit of the Working Units Concerning the Protection and Processing of Personal Data

Our Company provides the necessary trainings and seminars to the working units, business partners and suppliers to raise awareness about preventing personal data from being processed unlawfully, preventing illegal access to the data and ensuring the protection of the personal data.

To raise awareness on the protection of personal data of the current employees of Tezmaksan and employees who have recently joined the business unit, business partners and suppliers, necessary systems are being established and our Company works with professional people if needed.

Trainings conducted by our Company to raise awareness about the protection of personal data are being reported to the relevant department. Accordingly, our Company evaluates the participation in the relevant trainings, seminars and informing sessions, and carries out necessary audits or have them done. Trainings of our Company are being kept up-to-date in parallel with the update of the relevant legislation.

4. PRINCIPLES FOR PROCESSING PERSONAL DATA

Our Company, in compliance with the Constitution of the Republic of Turkey and Articles 20 and 4 of the PDPL, has been processing personal data as per the principles of; (i) lawfully and fairly, (ii) accurate and up-to-date when necessary; (iii) with specified, explicit and legitimate purposes; (iv) relevant, limited and proportioned to the purpose; (v) retained for the period determined by the relevant legislation or the period deemed necessary for the processing.

Our Company has been processing personal data according to Article 20 of the Constitution of the Republic of Turkey and the conditions set out under Article 5 of the PDPL.

Our Company has been acting in compliance with Article 6 of the PDPL in terms of processing sensitive personal data.

Our Company has been conducting its services with regards to transferring personal data in accordance with Articles 8 and 9 of the PDPL and regulations of the Board.

4.1. Processing Personal Data According to Principles Set Out in The Law

4.1.1. Processing Lawfully and Fairly

Our Company acts in compliance with the principles set forth in the relevant legislation and the principle of trust and good faith. In this context, personal data are being lawfully and fairly processed by our Company taking into account being proportionate while processing personal data.

4.1.2. Ensuring Personal Data To Be Accurate and Up-To-Date When Necessary

Our Company ensures that the personal data processed are accurate and up-to-date by taking the fundamental rights of the personal data subjects and legitimate interests of the Company into account. Accordingly, it takes the necessary measures and sets appropriate mechanisms up.

4.1.3. Processing For Specified, Explicit and Legitimate Purposes

Our Company clearly and precisely determines the purpose of legitimate and lawful personal data processing and processes personal data in connection with the commercial activity it carries out.

4.1.4. Being Relevant, Limited and Proportionate To The Purposes For Which They Are Processed

Our Company conveniently processes the personal data to achieve the specified purposes and avoids the processing of personal data that is not related to purposes or not needed.

4.1.5. Retained For The Period Determined By The Relevant Legislation Or The Period Deemed Necessary For The Purpose Of The Processing

Our Company maintains personal data only to the extent specified in the relevant legislation or for the time required for the purpose for which they are processed and determines whether a period is foreseen for the storage of personal data in the relevant legislation first and, if a period has been determined, it acts accordingly to this period. If no period has been set, it retains personal data for the time required for the purpose for which they were processed. After the causes that require the expiration or processing of the period disappears, personal data is being deleted, removed or anonymized by our Company.

4.2. Conditions For Processing Personal Data

Protection of personal data is a constitutional right. Fundamental rights and freedoms may only be restricted by law, depending on relevant articles of the Constitution of The Republic of Turkey. According to Article 20 of the Constitution of The Republic of Turkey, personal data may only be processed in cases specified in the law or with the explicit consent of the personal data subject. Personal data is being processed by our Company within the framework of these restrictions.

Personal data processing may be based upon one of the following conditions whereas it may be based upon more than one of these conditions.

Personal data can be processed in case;

a) The data subject has provided its explicit consent,

One of the conditions of personal data processing is the explicit consent of personal data subject. The explicit consent should be related to a specified issue, declared by free will and based on information.

If the purpose of personal data processing is not based on at least one of the conditions stated in the headings (b), (c), (d) (e), (f), (g) and (h) of this section, it is required to take explicit consent of the data subject for data processing.

b) It is explicitly provided for by the laws.

c) It is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person cannot express consent due to the physical disability or whose consent is legally invalid.

d) Processing of personal data belonging to the parties of a contract is required provided that it is directly related to the conclusion or fulfilment of that contract.

e) The controller must fulfil its legal obligations.

f) The data is made manifestly public by the data subject.

g) Data processing is mandatory for the establishment, exercise or protection of any right.

h) It is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subjects.

Even though there are different legal basis regarding personal data processing, our Company processes personal data in accordance with Article 4 of the Law.

4.3. The Processing of Sensitive Personal Data

Under the PDPL, sensitive data can be processed in following cases:

• With the explicit consent of the personal data subject; or

• Without the explicit consent of the personal data subject;

– Sensitive data excluding those relating to health and sexual life, only in the conditions set out by the Law,

– Personal data relating to health and sexual life may only be processed by persons under an obligation of confidentiality or by authorized institutions and establishments for protection of public health, protective medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

4.4. Clarifying and Informing the Personal Data Subject

Our Company informs personal data subjects during procuring of personal data, according to Article 10 of the Law. In this context, as a data controller, personal data subjects are being informed about who processes personal data and the purposes of the processing, to whom and for what purpose the processed personal data can be transferred, and the method and legal purpose of collecting personal data, and the rights of the personal data subject. Detailed information on this subject is provided in Section 9 of this Policy. It is outlined in Article 20 of the Constitution of the Republic of Turkey that everyone has the right to be informed about personal data about themselves. The right of “requesting information” is also stated in Article 11 of the PDPL among other rights of the personal data subject. Within this scope, if the personal data subject requests information, the necessary information is being provided by our Company in accordance with Article 20 of Constitution of the Republic of Turkey and Article 11 of the PDPL. Detailed information about this subject is provided in Section 9 of this Policy.

4.5. Transferring Personal Data Inside Turkey

Our Company can transfer the personal data and sensitive personal data of the data subject to third parties within Turkey by taking the necessary security measures and it acts in accordance with the regulations stipulated under Article 8 of the PDPL.

4.5.1 International Transfer of Personal Data

Our Company can transfer the personal data of the personal data subject to third parties outside of Turkey in the following cases based on legitimate and lawful personal data processing purposes and one or more of the conditions stated under Article 5 of the Law, by taking the necessary care and security measures including the necessary precautions stipulated by the Board. In case,

• the data subject has given his explicit consent,

• it is explicitly provided for by the laws,

• it is mandatory for the protection of life or to prevent the physical injury of a person, in cases where that personal data subject cannot express consent due to the physical disability or whose consent is legally invalid,

• it is necessary to process personal data belonging to the parties of a contract, provided that it is directly related to the conclusion or fulfilment of that contract,

• our Company must fulfil its legal obligations,

• the data is made manifestly public by the personal data subject, limited to the purpose of the publicizing,

• the data processing is mandatory for the establishment, exercise or protection of any right, and

• it is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the personal data subjects.

In addition, personal data can be transferred to foreign countries where the data controller undertakes adequate protection in case one of the conditions mentioned above occurs. If there is inadequate protection, personal data can be transferred to the countries approved by the Board as “Adequate Country”, in which data controllers in Turkey and abroad commit in writing to provide an adequate level of protection then under data transfer conditions outlined in the relevant legislation.

4.5.2 Transfer of Sensitive Personal Data

Our Company, by taking all necessary technical and administrative measures and measures stipulated by the Board, can transfer the sensitive personal data of the data subject to third parties in following cases;

• With the explicit consent of the personal data subject; or

• Without the explicit consent of the personal data subject;

– Sensitive data excluding those relating to health and sexual life, only in the conditions set out by the Law,

– Personal data relating to health and sexual life may only be transferred by persons under an obligation of confidentiality or by authorized institutions and establishments for protection of public health, protective medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing

In addition, personal data can be transferred to foreign countries where the data controller undertakes adequate protection in case one of the conditions mentioned above occurs. If there is inadequate protection in the country, personal data can be transferred under data transfer conditions outlined in the relevant legislation.

5. PERSONAL DATA SUBJECTS WHOSE PERSONAL DATA IS BEING PROCESSED BY OUR COMPANY AND CATEGORIZATION CONCERNING PERSONAL DATA

Although the personal data of the following categories of personal data subjects are processed by our Company, this Policy is only applicable to our customers, potential customers, Employees, employee candidates, Company shareholders, Company executives, visitors and officials of the institutions we cooperate with, and third parties.

While the categories of personal data subjects are within the scope of categories mentioned above, persons outside of these categories may also direct their requests to our Company within the scope of PDPL. Requests of these persons will also be evaluated within the scope of this Policy.

Within the scope of the Policy, personal data belonging to the relevant persons in the following categories are being processed by Tezmaksan:

Employee / Subcontractor Employee / Intern:

ID, Contact Information, Residence, Personnel File, Legal Transaction, Physical Place Security, Process Security, Finance, Professional Experience, Audio&Visual Records, Appearance, Health Information, Penalty Conviction and Security Measures.

Employee Candidate:

ID, Contact Information, Physical Place Safety, Process Security, Professional Experience, Audio&Visual Records, Personality Inventory Records.

Shareholder/Partner:

ID, Contact Information, Residence, Personnel File, Legal Transaction, Physical Place Safety, Transaction Safety, Financial Information, Professional Experience, Audio&Visual Records, Appearance, Health Information, Penalty Conviction and Security Measures, Information of Case Files.

Potential Customer or Customer Employee/Executive:

ID, Contact Information, Residence, Physical Place Safety, Financial Information, Transaction Safety, Audio&Visual Records.

Supplier Employee/Executive:

ID, Contact Information, Residence, Physical Place Safety, Financial Information, Transaction Safety, Audio&Visual Records.

Parent/ Guardian / Representative / Scholar / Persons Subject To The Third Party:

ID, Contact Information, Financial Information.

Physical Visitor:

ID, Contact Information, Residence, Physical Place Safety, Transaction Safety, Audio&Visual Records.

Web Site Visitor:

Transaction Safety.

6. PURPOSES OF PERSONAL DATA PROCESSING

6.1. Purposes of Personal Data Processing

Your personal data and special category personal data can be processed by our Company for the following purposes in compliance with the conditions of personal data processing specified by the Law and the relevant legislation;

7. DOMESTIC AND/OR CROSS BORDER TRANSFER OF PERSONAL DATA

Our Company notifies personal data subjects about persons whom his/her personal data transferred to in accordance with Article 10 of the Law.

Our Company may transfer personal data which has been processed according to Articles 8 and 9 of the Law to categories of persons as follows:

People Whom the Personal Data Can Be Transferred To Definition Purpose of the Transfer
Business Partner Parties with which the Company has established a business partnership while carrying out its commercial activities to conduct the sale, advertisement and marketing of the products and services of our Company, support after sales, and customer loyalty programs. Limited to the fulfillment of the purposes for the establishment of the business partnership.
Supplier Parties that provide services to the Company to continue its commercial activities following the instructions received from the Company and based on a contract. Limited to ensure that the services outsourced from the supplier and services that are necessary to carry out commercial activities of our Company are provided to our Company.
Customer Real and legal persons who benefit from the products and services offered by the Company while carrying out its commercial activities. Limited to ensure that the supply of products and services offered by our Company to its customers.
Our Subsidiaries Subsidiaries of our Company. Limited to ensure that the execution of commercial activities requiring the participation of subsidiaries of our Company.
Our Shareholders Our shareholders are authorized to design strategies and audit activities regarding our Company's commercial activities according to the provisions of the relevant legislation. Limited to the purposes of designing the strategies and auditing of the commercial activities of our Company according to the provisions of the relevant legislation.
Legally Authorized Public Institutions and Organizations Public institutions and organizations who are authorized to receive information and documents from our Company according to the provisions of relevant legislation. Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Legal Persons Private legal persons who are authorized to receive information and documents from our Company according to the provisions of relevant legislation. Limited to the purpose requested by the relevant private legal persons within their legal authority.

8. PROTECTION OF PERSONAL DATA

Our Company takes all the necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing and access to personal data that it processes under Article 12 of the Law.

8.1. Technical Measures Taken to Process Personal Data Lawfully

Technical measures taken by our Company to ensure the processing of personal data lawfully are set forth below:

8.2. Administrative Measures Taken to Process Personal Data Lawfully

Administrative measures taken by our Company to prevent accessing personal data unlawfully are set forth below:

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY OF EXERCISE AND EVALUATION OF THESE RIGHTS

Our Company informs the rights of the personal data subject under Article 10 of the PDPL and guides the personal data subject on how to use these rights. In order to evaluate the rights of the personal data subject and to provide the necessary information to personal data subject, our Company carries out necessary internal operations, and administrative and technical regulations in accordance with Article 13 of the PDPL.

9.1. RIGHTS OF PERSONAL DATA SUBJECT AND EXERCISING THESE RIGHTS

9.1.1. Rights of The Personal Data Subject

Personal data subjects have the following rights:

9.1.2. Situations Where The Personal Data Subject Cannot Claim His/Her Rights

Since according to Article 28 of the PDPL the following situations are excluded from the scope of the Law, personal data subjects cannot claim the rights of personal data subjects listed in Clause 9.1.1. above:

According to Article 28/2 of the Law, personal data subjects cannot claim their other rights listed in Clause 9.1.1., except for the right to demand the compensation for the damage that occurred in the cases listed below:

9.1.3. Exercise of Personal Data Subject’s Rights

Personal data subjects can convey their demands regarding the rights defined under the heading 9.1.1 of this Section with procedures determined by the Board by filling the “Relevant Person (Personal Data Subject) Application Form” provided on the website www.tezmaksan.com. Furthermore, the method of application is explained in detail in this form.

Third parties cannot request on behalf of personal data subjects unless a proxy is issued by the personal data subject on behalf of such third party.

9.1.4. Right of Personal Data Subject to Complain to The Board

If the request as per Article 14 of the Law is refused, the response of the controller is found unsatisfactory or the response is not given by the controller within the period given, the data subject may file a complaint. The data subject may file a complaint with the Board within thirty days starting when he/she learns about the response of the controller, or within sixty days as of the application date, in any case.

9.2. TEZMAKSAN’S RESPONSE TO REQUESTS

9.2.1. The Way and The Period of Tezmaksan’s Response

Tezmaksan shall conclude the request of the personal data subject within the shortest time by taking into account the nature of the request and at the latest within thirty days and free of charge if the personal data subject conveys his/her request to Tezmaksan following the procedure stated in the heading 9.1.3 of this Section.

However, if the action requires an extra cost, Tezmaksan may charge the personal data subject for the fee in the tariff determined by the Board.

9.2.2. Information Which Can Be Requested From Personal Data Subject By Tezmaksan

Tezmaksan may request information to determine whether the applicant is a personal data subject or not.

Tezmaksan may pose a question to clarify the aspects of the application made by the personal data subject.

9.2.3. The Right of Refusing The Personal Data Subject’s Request

The Company may refuse the request of the personal data subject in the following cases by explaining the reason:

10. EFFECTIVENES AND UPDATEABILITY

This Policy became effective on 16.12.2019. The Policy may be updated for purposes of complying with the changing conditions, the PDPL and other applicable laws. The relevant update is deemed to become effective after being announced via www.tezmaksan.com.