
TABLE OF CONTENTS

1.      PURPOSE

2.      SCOPE

3.      IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

4.      DEFINITIONS

5.      PRINCIPLES TO BE FOLLOWED IN PERSONAL DATA PROCESSING

6.      PERSONAL DATA

7.      PURPOSES OF PROCESSING PERSONAL DATA

8.      TRANSFER OF PERSONAL DATA

9.      TRANSFER OF PERSONAL DATA ABROAD

10.        SPECIAL CATEGORIES OF PERSONAL DATA

11.        PURPOSES OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

12.        TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

13.        TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA ABROAD

14.        RECORDING MEDIUM

15.        MEASURES TAKEN BY THE COMPANY TO PREVENT ILLEGAL PROCESSING OF PERSONAL DATA

15.1  Technical Measures

15.2 Administrative Measures

16.        REASONS FOR STORAGE AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA

17.        RIGHTS OF THE DATA SUBJECT

18.        PUBLICATION AND STORAGE OF THE PERSONAL DATA PROCESSING AND PROTECTION POLICY

19.        UPDATE PERIOD OF THE POLICY

1. PURPOSE

This Policy has been prepared to specify the procedures and principles regarding the processing of personal and special categories of personal data as stipulated in Articles 5 and 6 of the Personal Data Protection Law No. 6698 (“Law”).

The protection of personal data is among the top priorities of Erdemoğlu Holding Anonim Şirketi (“Erdemoğlu Holding” or “Company”), and the Company makes every effort to comply with all applicable legislation in this regard. Within the framework of the Erdemoğlu Holding Personal Data Protection and Processing Policy (“Policy”), the principles adopted in the execution of the personal data processing activities carried out by the Company, and the fundamental principles adopted to ensure that the Company's data processing activities comply with the regulations in the Law, are explained; in this way the necessary transparency is ensured by informing personal data owners. With full awareness of our responsibility in this context, your personal data is processed and protected under this Policy.

In this context, the personal and/or special categories of personal data of all natural persons, including employee candidates, employees, interns, customers, customer employees, company partners, business partners, suppliers, supplier employees and officials, visitors, third-party employees, website visitors, consultants, potential product/service buyers, or anyone whose personal and/or special categories of personal data is held by the Company for any reason, are managed within the framework of this Policy. As part of its legal responsibility, the Company implements personal data protection, processing, and destruction processes in accordance with the Law and applicable legislation.

The protection of personal data and the safeguarding of the fundamental rights and freedoms of individuals whose personal data is collected is the core principle of our personal data processing policy. Therefore, we conduct all our activities involving the processing of personal data by respecting the protection of privacy, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies. We take all necessary administrative and technical measures in accordance with legislation and current technology, as required by the nature of the relevant data, to protect personal data.

2. SCOPE

This Policy applies to the personal and/or special categories of personal data of company job candidates, employees, interns, customers, customer employees, company partners, business partners, suppliers, supplier employees and officials, visitors, third-party employees, website visitors, trade fair company officials/staff, consultants, potential product/service buyers, or any other individuals. It covers all recording media where personal and/or special categories of personal data obtained or managed by the Company are processed, as well as all activities related to the processing of personal data.

This Policy relates to all personal data processed by fully or partially automated means or by non-automated means, provided that they form part of a data recording system.

3. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of any inconsistency between the legislation in force and the Policy, the Company acknowledges that the legislation in force will prevail. The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of Company practices.

4. DEFINITIONS

In this Policy, the following terms have the meanings given below:

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person, even by matching them with other data.

Authority: The Personal Data Protection Authority.

Board: The Personal Data Protection Board.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor: The person who processes personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Data Recording System: The recording system where personal data is processed by being structured according to specific criteria.

Data Subject: The natural person whose personal data is processed.

Destruction: The deletion, destruction, or anonymization of personal data.

Deletion of Personal Data: Making personal data inaccessible and unusable for relevant users in any way.

Destruction of Personal Data: Making personal data inaccessible, irretrievable, and unusable by anyone in any way.

Explicit Consent: Consent based on information regarding a specific subject and expressed with free will.

Information Security: Preventing unauthorized access to, use, alteration, disclosure, destruction or transfer of, and damage to information.

Law: The Law on the Protection of Personal Data No. 6698 dated 24.03.2016.

Network: A structure where multiple computers are connected for various reasons such as information sharing, software and hardware sharing, centralized management, and support convenience.

Personal Data: Any information relating to an identified or identifiable natural person.

Personal Data Retention and Destruction Policy: The policy on which data controllers base their determination of the maximum period necessary for the purpose for which personal data is processed, and the deletion, destruction, and anonymization processes.

Policy: This Special Categories of Personal Data Policy.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, fully or partially by automated means or by non-automated means, provided that they form part of a data recording system.

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the Data Controller.

Recording Medium: Any medium where personal data processed by fully or partially automated means or by non-automated means, provided that they form part of a data recording system, is found.

Special Categories of Personal Data: Data relating to individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

5. PRINCIPLES TO BE FOLLOWED IN PERSONAL DATA PROCESSING

Personal data can be processed in accordance with the procedures and principles stipulated in Article 4 of the Law, titled "General Principles", and in other laws, and the Company carries out its processing activities in compliance with the Law and other relevant legislation. These principles are:

a) Lawfulness and fairness.

b) Being accurate and kept up to date where necessary.

c) Being processed for specified, explicit and legitimate purposes.

d) Being relevant, limited and proportionate to the purposes for which they are processed.

e) Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

6. PERSONAL DATA

Personal data is defined in Article 3/1-d of the Law and refers to any information relating to an identified or identifiable natural person. The protection of personal data is only related to natural persons, and information belonging to legal entities that do not contain data related to a natural person is excluded from personal data protection. Therefore, this Policy does not apply to data of legal entities. This Policy applies to data that directly identifies a person, such as the person's name, surname, and Turkish ID Number, as well as data through which the relevant person can be indirectly identified.

7. PURPOSES OF PROCESSING PERSONAL DATA

Personal data is processed by the Company based on, and limited to, at least one of the personal data processing conditions specified in Article 5 of the Law, and in accordance with the general principles specified in the Law, in particular the principles on the processing of personal data set out in Article 4 of the Law. The Company processes this data in line with the personal data processing purposes announced by the Board, which are as follows:

  • Conducting Access Authorizations
  • Conducting Activities in Compliance with Legislation
  • Conducting After-Sales Support Services for Goods / Services
  • Conducting Assignment Processes
  • Conducting Audit / Ethical Activities
  • Conducting Business Continuity Activities
  • Conducting Communication Activities
  • Conducting Contract Processes
  • Conducting Customer Relationship Management Processes
  • Conducting Emergency Management Processes
  • Conducting Employee Candidate / Intern / Student Selection and Placement Processes
  • Conducting Employee Satisfaction and Loyalty Processes
  • Conducting Finance and Accounting Works
  • Conducting Goods / Services Procurement Processes
  • Conducting Goods / Services Production and Operation Processes
  • Conducting Goods / Services Sales Processes
  • Conducting Information Security Processes
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Conducting Investment Processes
  • Conducting Management Activities
  • Conducting Marketing Processes of Products / Services
  • Conducting Logistics Activities
  • Conducting Processes of Employee Benefits and Rights
  • Conducting Performance Evaluation Processes
  • Conducting Risk Management Processes
  • Conducting / Supervising Business Activities
  • Conducting Storage and Archive Activities
  • Conducting Occupational Health / Safety Activities
  • Conducting Training Activities
  • Conducting Wage Policy
  • Creating and Tracking Visitor Records
  • Ensuring Physical Space Security
  • Ensuring the Security of Movable Property and Resources
  • Following and Conducting Legal Affairs
  • Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
  • Organization and Event Management
  • Other - Pursuant to the Turkish Commercial Code
  • Planning Human Resources Processes
  • Providing Information to Authorized Persons, Institutions, and Organizations
  • Tracking Requests / Complaints

8. TRANSFER OF PERSONAL DATA

In accordance with Article 8 of the Law, the Company transfers personal data without obtaining explicit consent where one of the conditions specified in Article 5(2) of the Law is present, and otherwise with the explicit consent of the data subject, to the following recipients:

  • Affiliates and subsidiaries
  • Authorized public institutions and organizations
  • Business partners
  • Real persons or private legal entities
  • Shareholders
  • Subsidiary and affiliate companies
  • Suppliers

9. TRANSFER OF PERSONAL DATA ABROAD

The Company transfers personal data abroad in the presence of one of the conditions specified below, in accordance with Article 9 of the Law:

-The presence of one of the processing conditions specified in the Law and the existence of an adequacy decision regarding the country to which the transfer will be made, sectors within the country, or international organizations.

-In the absence of an adequacy decision, the presence of one of the processing conditions specified in the Law, and the existence of appropriate safeguards provided that the data subject has the opportunity to exercise their rights and access effective legal remedies in the country where the transfer will be made; (i) The existence of an agreement that is not of an international treaty nature between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey or professional organizations with public institution status, and the Board's permission for the transfer, (ii) The existence of binding corporate rules that include provisions on the protection of personal data, which companies within a group of undertakings engaged in joint economic activity are obliged to comply with and approved by the Board, (iii) The existence of a standard contract announced by the Board, which includes issues such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data, (iv) The existence of a written undertaking containing provisions that will ensure adequate protection and the Board's permission for the transfer.

-Data controllers and data processors may transfer personal data abroad only in the presence of one of the following conditions, provided that it is incidental, in the absence of an adequacy decision and if none of the appropriate safeguards specified in the Law are provided; (i) The data subject's explicit consent to the transfer, provided that they are informed about the possible risks, (ii) The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request, (iii) The transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the data controller and another real or legal person, (iv) The transfer is necessary for a superior public interest, (v) The transfer of personal data is necessary for the establishment, exercise, or protection of a right, (vi) The transfer of personal data is necessary for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or another person, (vii) The transfer is made from a register that is open to the public or accessible by persons with a legitimate interest, provided that the conditions required to access the register in the relevant legislation are met and the person with a legitimate interest requests it.

10. SPECIAL CATEGORIES OF PERSONAL DATA

The Law designates as 'special categories' those data which, if learned by others, may lead to discrimination against the data subject, and the Company exercises diligence in processing and protecting such data lawfully. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented with respect to special categories of personal data, and the necessary audits are conducted within the Company.

The definition of special categories of personal data is provided in Article 6 of the Law. According to this, special categories of personal data include information on individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

11. PURPOSES OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data are processed by the Company in accordance with the general principles specified in the Law, particularly the principles on the processing of personal data stated in Article 4 of the Law, based on and limited to at least one of the processing conditions specified in Article 6 of the Law. The Company processes these data in line with the personal data processing purposes announced by the Board, which include:

  • Conducting Emergency Management Processes
  • Conducting Information Security Processes
  • Conducting Occupational Health and Safety Activities
  • Conducting Recruitment and Placement Processes for Candidates/Interns/Students
  • Conducting Storage and Archiving Activities
  • Conducting/Monitoring Business Activities
  • Ensuring Compliance of Activities with Legislation
  • Ensuring Physical Security of Locations
  • Ensuring the Security of Movable Assets and Resources
  • Fulfilling Employment Contract and Legal Obligations for Employees
  • Managing Access Authorizations
  • Managing Application Processes for Candidates
  • Planning Human Resources Processes
  • Providing Information to Authorized Persons, Institutions, and Organizations

12. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

In accordance with Article 8 of the Law, and with adequate precautions taken, the Company transfers special categories of personal data, where one of the conditions specified in Article 6/3 of the Law is present, to the following recipients:

  • Affiliates and subsidiaries
  • Authorized Public Institutions and Organizations
  • Business Partners
  • Group Companies
  • Real persons or private law legal entities
  • Shareholders
  • Suppliers

13. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA ABROAD

The Company transfers personal data abroad in the presence of one of the conditions listed below within the framework of Article 9 of the Law:

-The presence of one of the processing conditions specified in the Law and the existence of an adequacy decision regarding the country to which the transfer will be made, the sectors within the country, or international organizations.

-In the absence of an adequacy decision, personal data may be transferred abroad if one of the processing conditions specified in the Law is present, and the data subject has the opportunity to exercise their rights and access effective legal remedies in the country to which the transfer will be made, provided that the following appropriate safeguards are in place: (i) The existence of an agreement that is not an international treaty between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey or professional organizations with the status of public institutions, and the transfer is permitted by the Board, (ii) The existence of binding corporate rules containing provisions on the protection of personal data, which companies within a group of enterprises engaged in joint economic activity are obliged to comply with, and which are approved by the Board, (iii) The existence of a standard contract announced by the Board, which includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data, (iv) The existence of a written undertaking containing provisions that ensure adequate protection and the transfer is permitted by the Board.

-In the absence of an adequacy decision and if none of the appropriate safeguards stipulated in the Law can be provided, data controllers and data processors may transfer personal data abroad only on an incidental basis, provided that one of the following conditions is met: (i) The data subject gives explicit consent to the transfer, provided that they are informed about the potential risks, (ii) The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request, (iii) The transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the data controller and another natural or legal person, (iv) The transfer is necessary for an overriding public interest, (v) The transfer of personal data is necessary for the establishment, exercise, or protection of a right, (vi) The transfer of personal data is necessary for the protection of the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or another person, (vii) The transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions stipulated in the relevant legislation for accessing the register are met and the person with a legitimate interest requests it.

14. RECORDING MEDIUM

The Data Controller stores personal and/or special categories of personal data, which are processed by fully or partially automated means or by non-automated means provided that they are part of any data recording system, in the environments specified in the table below in accordance with the law.


15. MEASURES TAKEN BY THE COMPANY TO PREVENT ILLEGAL PROCESSING OF PERSONAL DATA

In order to prevent the unlawful processing of personal data and to ensure its protection, the Data Controller implements the technical and administrative measures listed below.

15.1 Technical Measures

  • A closed system network is used for personal data transfers via the network.
  • Access logs are kept regularly.
  • An authorization matrix is created for employees.
  • Cybersecurity measures are taken and their implementation is continuously monitored.
  • Data loss prevention software is used.
  • Data masking measures are applied when necessary.
  • Encryption is performed.
  • Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a classified document format.
  • Firewalls are used.
  • If special categories of personal data are to be sent via email, they are sent encrypted and using registered electronic mail (REM) or a corporate email account.
  • Intrusion detection and prevention systems are used.
  • Key management is implemented.
  • Log records are kept in a way that prevents user intervention.
  • Necessary security measures are taken regarding the entry and exit of physical environments containing personal data.
  • Network and application security are ensured.
  • Penetration testing is conducted.
  • Personal data is backed up, and the security of backed-up personal data is also ensured.
  • Personal data is minimized as much as possible.
  • Personal data security is monitored.
  • Personal data security issues are reported quickly.
  • Physical backup is done in the backup system.
  • Secure encryption/cryptographic keys are used for special categories of personal data and are managed by different units.
  • Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
  • Special categories of personal data transferred via portable memory, CD, or DVD are encrypted.
  • The access authorizations of employees who have changed roles or left the Company are revoked.
  • The security camera operates on a separate VLAN (a separate internet line is available).
  • The security of environments containing personal data is ensured.
  • The security of personal data stored in the cloud is ensured.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Up-to-date antivirus systems are used.
  • User account management and authorization control systems are implemented and monitored.

15.2 Administrative Measures

  • Awareness of data security is ensured among service providers processing data.
  • Confidentiality agreements are made.
  • Corporate policies on access, information security, usage, storage, and destruction have been prepared and implemented.
  • Disciplinary regulations containing data security provisions are in place for employees.
  • Existing risks and threats have been identified.
  • Internal periodic and/or random audits are conducted and commissioned.
  • Personal data security policies and procedures have been established.
  • Protocols and procedures for the security of special categories of personal data have been established and are being implemented.
  • Service providers processing data are audited at regular intervals regarding data security.
  • Signed contracts include data security provisions.
  • Training and awareness activities on data security are conducted for employees at regular intervals.

16. REASONS FOR STORAGE AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Personal and/or special categories of personal data belonging to all natural persons, including job candidates, employees, interns, customers, customer employees, company partners, business partners, suppliers, supplier employees and officials, visitors, third-party employees, website visitors, trade fair company officials/staff, consultants, potential product/service buyers, or anyone whose personal and/or special categories of personal data are held by the Company for any reason, are stored and destroyed in accordance with the Law. Within the framework of Erdemoğlu Holding's activities, personal data are stored for the duration stipulated in the relevant legislation or for a period appropriate to our processing purposes.

In this context, detailed explanations regarding storage and destruction are also addressed in our Personal Data Retention and Destruction Policy, and for matters not regulated in this Policy, the provisions in our Personal Data Retention and Destruction Policy shall apply.

17. RIGHTS OF THE DATA SUBJECT

During the conduct of our Data Controller activities, data subjects whose personal and/or special categories of personal data are obtained may apply to us in accordance with the procedures set forth in the Law and the Communique on the Procedures and Principles of Application to the Data Controller published in the Official Gazette on March 10, 2018, and exercise their rights specified in Article 11 of the Law as follows:

  • To learn whether his/her personal data are processed or not,
  • To request information if his/her personal data have been processed,
  • To learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with that purpose,
  • To know the third parties to whom his/her personal data are transferred, domestically or abroad,
  • To request the rectification of incomplete or inaccurate data, if any,
  • To request the erasure or destruction of his/her personal data under the conditions referred to in Article 7 of the Law,
  • To request that the rectification, erasure, or destruction of personal data carried out pursuant to the above be notified to the third parties to whom the personal data has been transferred,
  • To object to a result arising against himself/herself from the analysis of the processed data exclusively through automated systems,
  • To claim compensation for damage arising from the unlawful processing of his/her personal data.

18. PUBLICATION AND STORAGE OF THE PERSONAL DATA PROCESSING AND PROTECTION POLICY

This Policy is published and stored electronically.

19. UPDATE PERIOD OF THE POLICY

This Policy is reviewed at least annually and updated if deemed necessary.