DEFINITIONS

WHAT PERSONAL DATA CAN WE PROCESS?

Depending on the legal-commercial-contractual relations between you and the Batı Anadolu Group of Companies, we may process one or more of your data listed below , according to the type of relationship, legislation and businessatı ana need. The personal data we process varies depending on the type of business relationship between us ( e.g. customer, supplier, business partner, etc.) and the method you use to contact us ( e.g. telephone, e-mail, via website, printed documents, etc.).

Personal Information

All kinds of personal data processed to obtain information that will be the basis for the formation of personal rights of real persons who are in a working relationship as personnel in accordance with the service contract established with the company.

Education and Occupation Information about the work history and educational background

Legal Transaction Information

of employees, candidates, and customers.

Data processed within the scope of the follow-up of the Company's legal processes, determination and follow-up of its receivables and rights, fulfillment of its debts and legal obligations.

Customer Transaction Information

Marketing Data

Special Personal Data

Performance Information

Information such as records regarding the use of products and services and the customer's instructions and requests necessary for the use of products and services.

Personal data processed for the marketing of products and services by customizing them according to the shopping history of the Relevant Person, and reports and evaluations created as a result of this processing.

These are the data specified in Article 6 of the Law and whose processing and protection are subject to more special conditions due to their nature ( e.g. health data, union membership, etc. ).

This data category is all the data processed for personnel within the company for the purpose of internal auditing and improving operability, and outside the company for the purpose of performance auditing of business partners.

We mainly collect your personal data in the following cases:

• When you purchase or use our products and services,
• When you apply for a job and/or start a job
• When you sell goods or provide services to us,
• When you sign a contract with our company or submit/receive offers
• When you visit or use electronic applications and pages prepared for our customers and suppliers
• When you contact us through our website or by phone,
• When you attend our company events and organizations,
• When you contact us for any purpose as a potential customer/supplier/business partner/subcontractor.

WHAT ARE OUR PERSONAL DATA PROCESSING PRINCIPLES?

All personal data processed by our company is processed in accordance with KVKK and relevant legislation. The basic principles and principles that we pay attention to when our company processes your personal data in accordance with Article 4 of the KVKK are explained below:

• Processing in accordance with the Law and the Rules of Honesty : Our Company; It acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than what is required.
• Ensuring that Personal Data is Accurate and Up to Date when Necessary : Our Company; It makes every effort to ensure that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and its own legitimate interests.

• Processing for Specific, Clear and Legitimate Purposes : Our company clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our company processes personal data in connection with the products and services it offers and as much as is necessary for them.
• Being Relevant, Limited and Proportionate to the Purpose for which they are Processed

: Our company processes personal data in a manner suitable for the achievement of the specified purposes and avoids the processing of personal data that is not relevant or needed to achieve the purpose.

• Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose of Processing : Our Company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company first determines whether a period of time is prescribed for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores personal data for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is destroyed by our Company.

WHAT ARE THE CONTACT PERSON CATEGORIES?

THE PERSONAL DATA COLLECTION METHODS AND LEGAL REASONS?

We process your personal data within the framework of the following legal reasons in accordance with Article 5 of the KVKK. Due to our company's field of activity, it establishes commercial relations with many manufacturers, dealers-distributors and sales points for CEMENT production and wholesale business and provides product supply, storage and delivery services between these parties. Although the company does not establish a direct sales relationship with the end user/real person customer through retail sales , it may, from time to time, directly contact real person customers for reasons such as manufacturer and warranty responsibilities, follow-up of demands and complaints, and customer satisfaction. As part of their operations, our companies establish relationships with traders, called Merchants or Tradesmen, in all of their commercial business processes. Personal data is basically reserved for the establishment and execution of commercial relations and contracts between the parties, the fulfillment of obligations in accordance with the relevant legislation, especially tax, debts and commercial law legislation, and the mandatory legitimate use of our company, provided that it does not harm fundamental rights and freedoms. Their interests are processed for legal reasons. In our personal data processing processes, when there are issues that do not fall within one of the legal grounds specified here, permission is also requested from the data subject to provide the EXPRESS CONSENT justification.

BATI ANATOLIA GROUP COMPANIES , within the framework of the purposes detailed below and based on the 2nd paragraph of Article 5 of Law No. 6698 and the following legal compliance reasons, or if there is no such reason, with your express consent. Based on; Your Personal Data is collected directly from you by BATI ANADOLU GROUP OF COMPANIES (contract, order form, offer request or form, e-mail correspondence, business card sharing, recruitment processes, website messages, social media messages, call center records, workplace visits, shares of our business partners. can be collected and processed from areas such as During your visits to our workplaces, for security reasons, your identity information and your image via security cameras are recorded and processed on a limited basis with this operation.

• BATI ANATOLIA GROUP COMPANIES is subject,
• Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data of the parties to the contract, to provide the requested products and services or to fulfill the requirements of the contracts you have concluded,
• BATI ANADOLU GROUP OF COMPANIES to fulfill its legal obligations,
• It has been made public by you,

• Data processing is mandatory for the establishment, exercise or protection of a right in accordance with the legislation or internal practice of BATI ANADOLU GROUP OF COMPANIES ,
• Data processing is mandatory for the legitimate interests of the BATI ANADOLU GROUP OF COMPANİESGROUP COMPANIES , provided that your fundamental rights and freedoms are not harmed .

FULFILLMENT OF THE DISCLOSURE OBLIGATION

BATI ANADOLU GROUP OF COMPANIES informs all data subjects on a process basis during the process of obtaining personal data from the data subject, in accordance with Law No. 6698 and relevant legislation, for all data processing processes. Within the scope of this information and specific to the area in which the data subject is contacted, by written/printed or electronic means;

• Identity of the data controller and his representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose personal data can be transferred,
• Method and legal reason for collecting personal data,
• Rights of the data subject

Information is given on this subject. This information may be detailed depending on the nature of the work, or it may be based on the layered lighting principle and is provided by making reference and guidance to this policy from time to time.

OUR PURPOSES OF PROCESSING PERSONAL DATA

BATI ANADOLU GROUP OF COMPANİESCOMPANIES' personal data processing purposes are expressed in general terms in this table. Specific purposes specific to the data subject will be explained below.

Our company's data processing purposes in the DATA SUBJECT (DATA OWNER) breakdown are explained below.

1. For customers;

, carries out data processing activities for the following purposes in accordance with the purchase and sale relationship established with customers, regarding the products it manufactures and sells

• Execution of Goods/Service Purchasing, Production and Sales Processes
• Organization and execution of Dealer/Distributor processes
• Research and Development activities for Products and Services
• Execution of Customer Relationship Management Processes
• Carrying out Activities for Customer Satisfaction
• Ensuring Physical Space Security
• Carrying out transactions and activities within the scope of commercial/contractual relationships and fulfilling financial and legal obligations
• Tracking of Requests/Complaints
• Fulfillment of legal obligations
• Fulfillment of warranty obligations within the scope of manufacturer responsibility
• Conducting legal processes
• Promotion and marketing activities

2. For Potential Customers;

Your identity and contact information obtained directly from you through your visits to our website, your written or verbal requests for orders and quotes, e-mails you send, and business card sharing; It is processed in accordance with Article 5/2 of the Law in order to create an offer for the requested products, to establish a contract, and to manage your requests and complaints.

3. For Employee Candidates;

By the company as data controller; Personal data of employee candidates (identity, contact, education, profession, wage, military status, work history, data regarding references) received through the CVs shared by the candidates within the scope of job applications or the completed application form are stored in the automatic systems or physical environments of the relevant company. and are processed and stored for a limited period of time, in accordance with the company's written standards, in order to establish business relationships with prospective employees. The purpose here is to re-evaluate the employee candidate during this period and keep

them in the system for a certain period of time for a possible employment relationship to be established. If a business relationship is not established with the candidate within this period, these data are destroyed in the first periodic destruction process at the end of the period specified in the inventory. In case the candidate is hired, this information is stored in the personnel file.

BATI ANATOLIA GROUP COMPANIES, by using the personal data obtained by the candidates through the CVs shared or filled out application forms within the scope of job applications made either through the web address, career sites or at the company headquarters, as specified in Article 5 of the Law; It can be processed and stored for a certain period of time based on the legal justification of explicit consent.

General data processing purposes for employee candidates are listed below:

• Employee Candidate / Intern / Student Selection and Placement Processes
• Carrying out the application processes of employee candidates
• Conducting human resources operations and especially recruitment processes,
• Carrying out Business Continuity Ensuring Activities

4. For employees;

BATI ANADOLU GROUP OF COMPANIES carries out data processing activities for the following purposes, within the scope of the management right and legitimate interest of BATI ANADOLU GROUP OF COMPANIES , to create a personnel file of its employees' personal data for reasons arising from the relevant legislation, to conclude a service contract with you:

• Execution of Information Security Processes
• Employee Satisfaction and Loyalty Processes
• Fulfillment of Employment Contract and Legislation Obligations for Employees
• Fringe Benefits and Benefits Processes for Employees
• Conducting Audit / Ethics Activities
• Conducting Educational Activities
• Execution of Access Authorizations
• Conducting Activities in Compliance with Legislation
• Finance and Accounting Affairs
• Ensuring Physical Space Security

• Execution of Assignment Processes
• and Execution of Legal Affairs
• Planning Human Resources Processes
• Execution/Audit of Business Activities
• Carrying out Occupational Health / Safety Activities
• and Evaluating Suggestions for Improving Business Processes
• Carrying out Business Continuity Ensuring Activities
• Conducting Performance Evaluation Processes
• Providing Information to Authorized Persons, Institutions and Organizations
• Carrying out Union Activities
• Conducting Management Activities
• Official Institutions, to Benefit from Incentives in Official Institutions, to Notify Relevant Authorities Within the Scope of Official Institutions Audits
• Conducting Human Resources Operations and Especially Personnel Activities,
• Ensuring Employee Supervision and Carrying out Necessary Data Processing Activities Within the Scope of the Employer's Management Right

5. For Suppliers/Business Partners;

Within the scope of commercial activities carried out by the Company, personal information (Identity data, Contact data, Financial data, Signature data) belonging to real or legal person merchants and tradesmen with whom we have commercial or legal relations are processed. These data are specified in Article 5/2 of the Law; It is processed in accordance with the basic principles stipulated in the Law and within the specified personal data processing conditions within the scope of the establishment and execution of our contracts, fulfillment of legal obligations and the legitimate interests of the Company. Personal data is collected and processed by the Company within the scope of the purposes listed above by directly transmitting it to Suppliers and Business Partners in physical and electronic media.

Data processing purposes;

• Execution of Contract Processes
• Finance and Accounting Affairs
• Execution and Follow-up of Responsibilities Arising from Legislation and Legal Processes

• Conducting Company Internal Operations
• Strategy Planning & Business Partners/Supplier Management
• Ensuring Physical Space Security
• Conducting Logistics Activities
• Managing Supply Chain Management Processes
• Preservation of Your Information Required to be Kept According to the Relevant Legislation; Copying and Backing Up to Prevent Information Loss; Ensuring the Consistency of Your Information ; Taking Necessary Technical and Administrative Precautions for the Security of Our Databases and Information

6. For Visitors ;

Within the scope of your visits to our company, our website and other workplaces, in order to ensure the security of our company and you, as well as to fulfill our legal obligations and depending on our legitimate interests, your name and surname at the main entrances, your visual data with security cameras in physical environments, your visual data with security cameras in physical environments, within the scope of the internet access offered to you during your visit to our workplace. Your identity and contact data and digital traces obtained are processed for the following purposes:

• Carrying out Audit and Security Activities
• Execution of Information Security Processes
• Creation and Tracking of Visitor Records
• Ensuring Physical Space Security
• Providing Information to Authorized Persons, Institutions and Organizations
• Ensuring the Security of Data Controller Operations
• Providing Internet Access and Ensuring Access Security

SPECIAL PERSONAL DATA PROCESSING TERMS

Special categories of personal data are data that, if learned, may cause discrimination or victimization of the relevant person. Therefore, they need to be protected much more strictly than other personal data. Special categories of personal data may be processed with the express consent of the relevant person or in limited cases listed in the Law.

In the law, special categories of personal data are determined by limited enumeration. These; Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. It is not possible to expand special personal data by comparison.

As a rule, our company tends not to include sensitive personal data in data processing processes. However, considering our field of activity, the nature of the work and some legal obligations, special personal data may also need to be processed. For example, within the scope of health services or occupational medicine activities provided in workplaces, the health declarations of personnel or personnel candidates during recruitment processes may have to be processed by the human resources department other than the workplace physician. In such cases, explicit consent is requested from the relevant persons. It obtains the express consent of the Relevant Persons in writing. Again, in accordance with the current union activities in the workplace, employees' information regarding their union membership may be compulsorily processed. Data regarding union membership can be processed for the management of existing union processes in the workplace, as it is regulated by law. KVKK m. In accordance with Article 6/3, KVKK art. In case of the existence of any of the conditions specified in 5/2, the express consent of the Relevant Persons is not required.

of the KVKK , our Company informs the Relevant Persons during the acquisition of sensitive personal data . Special categories of personal data are processed by taking measures in accordance with the KVKK and by carrying out the necessary inspections.

Our company takes special measures to ensure the security of sensitive personal data. In accordance with the data minimization principle, special personal data are not collected unless necessary for the relevant business process and are processed only when necessary. In this context and as stated above, our companies do not process special personal data other than health data and union membership data obtained when necessary.

PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED AND PURPOSES OF TRANSFER

is responsible for acting in accordance with the decisions and relevant regulations stipulated in the KVKK and taken by the Board regarding the transfer of personal data . Our company may transfer personal data to third parties in Turkey and to companies under the umbrella of BATI ANADOLU GROUP OF COMPANİESwhose titles are stated below, in accordance with the conditions stipulated in the KVKK and other relevant legislation and by taking all security measures specified in the legislation.

BATI ANADOLU GROUP OF COMPANIES may transfer your personal data to the following domestic recipient groups for the purposes set out in this Policy , within the scope of the Law and other legislation and to the extent necessary for the execution of the services we receive.

• BATI ANADOLU GROUP, in which we are a part (Batıbeton Sanayi A.Ş., Batıliman Liman İşletmeleri A.Ş., Batısöke Söke Çimento Sanayii TAŞ., Batıçim Enerji Elektrik Üretim A.Ş., Batıçim Energy Wholesale Inc., ASH Plus Yapı Malzemeleri Industry and Trade Inc.) companies
• Service providers and business partners; Trusted third parties such as information and communications technology providers, consulting services providers, courier companies
• Our business partners, supplier companies, banks and financial institutions with whom we cooperate and/or receive services for the presentation, promotion of goods and services and similar purposes.
• Agencies from which we receive services for the management of our website and social media accounts
• Lawyers, auditors, consultants and service providers
• Your attorneys, guardians and representatives authorized by you
• Institutions or organizations authorized to request personal data, such as regulatory and supervisory institutions, courts and enforcement offices, and persons designated by them

Our company does not transfer personal data ABROAD.

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

The Company takes all necessary precautions, within the means possible, depending on the nature of the data to be protected, to prevent unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways.

In this context, the Company takes all necessary (i) administrative and (ii) technical measures, (iii) an audit system is established within the company and (iv) in case of illegal disclosure of personal data, the measures foreseen in the Personal Data Protection Law are acted upon.

AND DESTRUCTION OF PERSONAL DATA

Personal your data hiding their duration while determining the following criteria into consideration we get :

• Relating to data of category processing purpose in the scope of data responsible for activity it shows in the industry general custom as required acceptance made duration ,
• Relating to data in the category place area personal of data to be processed necessary that makes And relating to with person facility made legal your relationship continue will duration ,
• Relating to data of category processing to your goal connected aspect data responsible for get will legitimate your interest to law And honesty to the rules suitable aspect valid will happen duration
• Relating to data of category processing to your goal connected aspect hiding risk , cost And your responsibilities legally continue will duration ,
• To be determined maximum of the duration relating to data of category TRUE And when necessary current to be kept convenient is is not ,
• Data controller by , related data in the category place area personal to data connected One your right forward expulsion for       set timeout time .

Company by prepared detailed personal data processing each in your inventory data to type And as long as related storage times detailed aspect is stated .

BATI ANADOLU GROUP OF COMPANIES personal of data Destruction of your methods has been determined has prepared a PERSONAL DATA STORAGE AND DESTRUCTION POLICY And Company inside published . All destruction processes This to politics suitable aspect is being carried out . Article 7 of the Law in accordance with to law suitable aspect finished to happen Although , processing requiring your reasons from the middle getting up in case of personal data by ex officio or Relating to person request over company , this work for special aspect prepared Data protection located And Destruction policy , legislation And Organisation by published to the guide suitable aspect destruction it does .

BATI ANATOLIA GROUP COMPANIES prepared And all data processing processes organizer personal data each in your inventory data Type And period STORAGE PERIODS for clearly set and destruction in their processes This deadlines basis is taken .

ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

BATI ANADOLU GROUP OF COMPANİESCOMPANIES; In accordance with Article 12 of the KVK Law, it takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, unlawful access to the data and to ensure the preservation of the data, and carries out the necessary inspections or has them carried out in this context.

BATI ANADOLU GROUP OF COMPANIES takes all necessary technical and administrative measures, according to technological possibilities and implementation costs, to ensure that personal data is processed in accordance with the law.

can be transferred to the physical archives and information systems of our Company and/or our suppliers and kept in both digital and physical environments.

Secure to protect the personal information collected socket It uses generally accepted standard technologies and operational security methods, including the standard technology called Layer

(SSL). Depending on the current state of technology, the cost of technological application and the nature of the data to be protected , it takes technical and administrative measures to protect your data from risks such as destruction, loss, falsification, unauthorized disclosure or unauthorized access. In this context, contracts regarding data security are made with the service providers we work with.

TECHNICAL MEASURES

BATI ANADOLU GROUP OF COMPANIES to ensure the lawful processing of personal data are listed below:

• Network security and application security are ensured.
• A closed system network is used for personal data transfer via the network.
• Key management is implemented.
• Security measures are taken within the scope of supply, development and maintenance of information technology systems .
• The security of personal data stored in the cloud is ensured.
• Access logs are kept regularly.
• Data masking measures are applied when necessary.
• Data loss prevention software is used.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is done.
• Personal data processing activities carried out within Batı Anadolu Group of Companies are regularly audited.
• The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
• Departments on technical issues have been established and staff knowledgeable in this field is employed.

• New technological developments are followed and technical measures are taken on systems, especially in the field of cyber security, and the measures taken are periodically updated and renewed.
• Access and authorization solutions are put into operation within the framework of legal compliance requirements determined specifically for each department within the BATI ANADOLU GROUP OF COMPANIES .
• Access authorizations are limited and authorizations are reviewed regularly. Access restrictions are imposed on former employees and accounts are closed.
• BATI ANADOLU GROUP OF COMPANIES Technical measures taken in accordance with the internal operation of the company are reported to the relevant users, risky issues are re- evaluated and the necessary technological solutions are produced.
• Software and hardware including up-to-date virus protection systems, data vulnerability security and firewalls are installed.
• Personnel specialized in technical matters are employed.
• All information systems, including applications where personal data is collected, are regularly subjected to external impact testing to detect security vulnerabilities, and the vulnerabilities found are closed based on the results of this test.

ADMINISTRATIVE MEASURES

BATI ANADOLU GROUP OF COMPANIES for the lawful processing of personal data:

• BATI ANADOLU GROUP OF COMPANIES employees are informed and trained on the law of protection of personal data and the legal processing of personal data.
• All personal data processing activities carried out by BATI ANADOLU GROUP OF COMPANIES

; It is carried out in accordance with the personal data inventory and attachments created by analyzing all business units in detail.

• Personal data processing activities carried out by the relevant departments within the BATI ANATOLIA GROUP COMPANIES ; Obligations to be fulfilled to ensure that these activities comply with the personal data processing conditions required by KVKK have been bound to written policies and procedures by BATI ANATOLIA GROUP COMPANIES , each business unit

has been informed about this issue and the issues to be taken into consideration specific to the activity it carries out have been determined.

• The signed contracts contain data security provisions.
• paper and the relevant documents are sent in confidential document format.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• BATI ANADOLU GROUP OF COMPANIES regarding personal data security are organized by Information Security Committees. Awareness is created to ensure that the legal requirements determined on a business unit basis are met, and the necessary administrative measures are implemented through in-company policies, procedures and training to ensure the control of these issues and the continuity of the implementation.
• Records containing information about personal data and data security are included in the service contracts and related documents between BATI ANADOLU GROUP OF COMPANIES and employees, and additional protocols are made. Studies have been carried out to raise the necessary awareness for employees on this issue.
• There are disciplinary regulations for employees that include data security provisions.
• Training and awareness activities are carried out for employees at regular intervals regarding data security.
• BATI ANADOLU GROUP OF COMPANİESOF COMPANIES applies legal compliance, access to personal data and authorization processes within the company, taking into account personal data processing processes for each department within the company.

• Employees for authority matrix has been created .
• Security letters of undertaking is being done .
• Duty change the one which... or from work leaving your employees This in the field powers is being removed .

WHAT ARE THE RIGHTS RELATED TO PERSONAL DATA?

KVKK m. pursuant to article 11 data owners / data those concerned aspect personal to your data related the following to rights you have :

• Personal your data Our company by processed and not processed learning ,
• Personal your data related to this if it has been committed information request don't ,
• Personal your data processing your purpose And these to your goal suitable is used not used learning ,
• Domestically or abroad personal your data transferred third contacts don't know ,
• Personal your data missing or wrong finished to be in case of these to be corrected don't want And This in scope made of the transaction personal your data transferred third to people to be notified don't want 
• KVKK and relating to other legal provisions suitable aspect finished to happen Although , processing requiring your reasons from the middle getting up in case of personal your data to be deleted or be destroyed don't want And This in scope made of the transaction personal your data transferred third to people to be notified don't want ,
• Processed of data exclusively automatic systems by analysis to be by against you One of the result emerge to come out objection don't ,
• Personal your data to the law against aspect processing due to at a loss stop by in case of you stopped by of the damage to be eliminated request don't .

These demands below stated methods with your identity confirmation can be in the form to our company You can forward it .

COMMUNICATION

( 1 ) with wet signature at our company's Ankara Cad. No: 335 Bornova/İzmir or via registered mail.

( 2 ) After signing with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, baticim@baticim.hs03.kep.tr via registered e-mail address

(3 ) by e-mail to the e-mail address kvkk@baticim.com.tr, using the e-mail address previously communicated to our company and registered in our company databases.

In order for a third party to exercise your right to information on your behalf, the signed and notarized original of the special power of attorney issued specifically for the person who will apply to you must be submitted.

In case the data owners (relevant persons) submit their requests regarding their personal data to our Company in writing, the Company, as the data controller, will take the necessary processes to ensure that the request is concluded as soon as possible and within thirty (30) days at the latest, in accordance with Article 13 of the KVK Law. is carrying out.

Within the scope of ensuring data security, the Company may request information to determine whether the applicant is the owner of the personal data subject to the application. Our company may also ask questions about the Relevant Person's application in order to ensure that his/her application is finalized in accordance with the request.

Application of the relevant person; In cases where there is a possibility of hindering the rights and freedoms of other persons, if it requires disproportionate effort, or if the information is public information, the request may be rejected by explaining the reason.

MANAGEMENT STRUCTURE ACCORDING TO THE COMPANY'S PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

A "Personal Data Protection Committee" has been established by the Company, which will provide the necessary coordination within each Company within the scope of ensuring, preserving and maintaining compliance with the personal data protection legislation. This Committee is responsible for ensuring unity among company units and executing and improving the systems established to

ensure that the activities carried out comply with the personal data protection legislation. In this context, the main duties of the KVK Committee are stated below:

• To prepare and enforce basic policies regarding the protection and processing of personal data within the company
• To decide how to implement and supervise the policies regarding the protection and processing of personal data within the company and to assign and ensure coordination within the Company within this framework.
• To determine the matters that need to be done to ensure compliance with KVKK and relevant legislation; overseeing and coordinating the implementation
• To raise awareness within the Company and among the institutions we cooperate with regarding the protection and processing of personal data.
• To identify risks that may occur in the Company's personal data processing activities and to ensure that necessary precautions are taken; offer improvement suggestions
• Designing and ensuring the execution of trainings on the protection of personal data and implementation of policies
• To decide on the applications of personal data subjects
• Personal data subjects; Coordinating the execution of information and training activities to ensure that they are informed about the Company's personal data processing activities and legal rights.
• To prepare and put into effect changes in basic policies regarding the protection and processing of personal data
• To follow the developments and regulations regarding the protection of personal data; To advise senior management on what needs to be done in the Company's operations in accordance with these developments and regulations.
• Managing relations with the Institution and the Board

ENFORCEMENT OF THE POLICY

This Policy was put into effect in 2021. This Policy is published on the website and made available to relevant persons upon the request of personal data owners.