1. INTRODUCTION

The protection of personal data belonging to clients, customers, employees, and other natural and legal persons with whom it is in a relationship is of great importance for SYJ Danışmanlık Hizmetleri Anonim Şirketi (hereinafter referred to as “SYJ”, “Company” or “Data Controller”) as the data controller. The objective of this SYJ Personal Data Protection and Processing Policy (“Policy”) for personal data processing and protection processes is the lawful processing and protection of personal data of our product or service buyers, employees, employee candidates, visitors, employees of institutions we cooperate with, and third parties who establish a relationship with SYJ. In this context, necessary administrative and technical measures are taken by the Company for the processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”) and relevant legislation.

2. PURPOSE AND SCOPE OF THE POLICY

The primary purpose of this Policy is to provide explanations regarding the personal data processing activities carried out by SYJ in accordance with the law and the systems adopted for the protection of personal data, to provide transparency towards the persons with whom SYJ is associated in this context, and to enlighten and inform the relevant persons in detail about the processing of personal data. The scope of this Policy relates to the personal data of our clients, product or service buyers, employees, employee candidates, visitors, employees of institutions we cooperate with, and third parties, processed in accordance with the Personal Data Protection Law No. 6698. Definitions regarding the terms used in this policy are explained in the section titled “Definitions” presented in ANNEX-1.

3. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

3.1 Protection of Personal Data In accordance with Article 12 of the Law, our Company takes necessary technical and administrative measures to provide the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data, and to ensure the preservation of the data, and in this context, it carries out or commissions necessary audits. In this framework, our Company takes administrative and technical measures and conducts audits to ensure the necessary level of security in accordance with the guides published by the Personal Data Protection Board (“Board”).

3.2 Protection of Special Quality Personal Data Special importance has been attributed to sensitive personal data under the Law due to the risk of causing victimization or discrimination when processed unlawfully. According to Article 6 of the Law, “special quality” personal data is determined as: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership to associations, foundations or trade unions, data concerning criminal convictions and security measures (“Special quality personal data other than health and sexual life”) and health, sexual life, biometric and genetic data (“Special quality personal data regarding health and sexual life”). Technical and administrative measures taken by our Company for the protection of personal data are taken for special quality personal data within the scope explained in the Special Quality Personal Data Protection Policy, including the adequate measures stipulated in the Board’s Decision dated 31/01/2018 and numbered 2018/10, and studies carried out in this direction are followed and audited within the framework of audits performed within our company.

3.3 Audit of Measures Taken Regarding the Protection of Personal Data and Training of Company Personnel A Personal Data Protection Committee exists within SYJ. The Committee, on behalf of the company as the data controller and as required by its duty arising from Article 12 of the Law, personally conducts necessary audits and, if needed, has them conducted by obtaining support from competent organizations, in order to ensure the implementation of the provisions of the Law in its own institution or organization. According to these audit results, identified violations, negativities, and non-compliances are reported to the responsible persons within the committee, and necessary measures are taken regarding these matters. In cases where personal data is transferred by the Company to natural or legal persons from whom an external service is received, additional contracts are made with the relevant firms to which personal data is lawfully transferred, containing provisions that the persons to whom the personal data is transferred will take necessary security measures for the protection of personal data and ensure compliance with these measures in their own organizations. Along with these, SYJ makes contracts with its personnel in internal discipline policies regarding compliance with personal data protection measures. SYJ ensures that necessary trainings are organized for its employees to increase awareness regarding the prevention of unlawful processing of personal data, preventing unlawful access to data, and ensuring the preservation of data.

4. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

SYJ carries out personal data processing activities in accordance with Article 20 of the Constitution and Article 4 of the Law. SYJ preserves personal data for the period stipulated in the laws or required by the purpose of personal data processing. In accordance with Article 10 of the Law, our Company informs the relevant persons whose personal data is processed and requests the consent of the relevant persons in cases where consent is required, and processes this personal data in line with their consent based on the criteria specified below.

4.1. Processing in Accordance with the Law and Rules of Honesty SYJ acts in accordance with the principles brought by legal regulations and the rule of trust and honesty in the processing of personal data. In accordance with the principle of being in compliance with the rule of honesty, the company takes the rights of the relevant persons into account while trying to achieve its goals in data processing.

4.2. Ensuring Personal Data is Accurate and Up-to-Date When Necessary Keeping personal data accurate and up-to-date is necessary for SYJ in terms of protecting the fundamental rights and freedoms of the relevant person. The company fulfills its obligation of maximum care in ensuring that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the information of the relevant persons whose personal data is processed by SYJ to be kept accurate and up-to-date, and it takes the necessary measures in these matters.

4.3. Processing for Specific, Explicit, and Legitimate Purposes SYJ clearly and precisely determines the legitimate and lawful purpose for processing personal data. Our Company processes as much personal data as is necessary for the services it offers and in connection with the activities it carries out.

4.4. Being Relevant, Limited, and Proportionate to the Purpose for Which They are Processed SYJ processes personal data within the purposes that are relevant and necessary for the conduct of its business. For this reason, the company processes personal data in a manner suitable for the realization of the determined purposes and avoids processing personal data that is not relevant or needed for the realization of the purpose.

4.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They are Processed SYJ preserves personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed per company policies. In this context, the Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation; if a period is determined, it acts in accordance with this period; if a period is not determined, it stores the personal data for the period necessary for the purpose for which they are processed and as specified in SYJ’s storage policy. SYJ takes the storage periods in the personal data inventory as a basis, and at the end of the periods specified here, personal data is deleted, destroyed, or anonymized according to the nature of the data and the purpose of use within the framework of obligations under the Law.

5. PROCESSING OF PERSONAL DATA

The explicit consent of the relevant person whose personal data is processed is only one of the legal bases that make it possible to process personal data lawfully. Other than explicit consent, personal data may also be processed in the presence of one of the conditions specified in the law. The basis for personal data processing activities can be only one of the conditions listed below, or more than one of these conditions may be the basis for the same personal data processing activity. If the processed data is special quality personal data, the conditions in section 5.2 of this Policy (“Processing of Special Quality Personal Data”) will apply.

5.1 Conditions for Processing Personal Data

• a) Presence of Explicit Consent of the Relevant Person: One of the conditions for processing personal data is the explicit consent of the relevant person. The explicit consent of the relevant person must be regarding a specific subject, based on information, and declared with free will. In the presence of the personal data processing conditions listed below, personal data may be processed without the need for the explicit consent of the relevant person.
• b) Expressly Provided for in the Laws: If the personal data of the relevant person is expressly provided for in the law, in other words, if there is a clear provision regarding the processing of personal data in the relevant law, the existence of this data processing condition can be mentioned.
• c) Inability to Obtain Explicit Consent Due to Actual Impossibility: Personal data of the relevant person may be processed if it is mandatory to protect the life or physical integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent cannot be granted validity.
• d) Direct Relation to the Establishment or Performance of a Contract: This condition may be considered fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the relevant person is a party.
• e) SYJ Fulfilling its Legal Obligation: Personal data of the relevant person may be processed if processing is mandatory for SYJ to fulfill its legal obligations.
• f) The Relevant Person Making Their Personal Data Public: If the relevant person has made their personal data public, the relevant personal data may be processed limited to the purpose of making it public.
• g) Data Processing Being Mandatory for the Establishment or Protection of a Right: Personal data of the relevant person may be processed if data processing is mandatory for the establishment, exercise, or protection of a right.
• h) Data Processing Being Mandatory for the Legitimate Interest of SYJ: Personal data of the relevant person may be processed if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person.

5.2 Processing of Special Quality Personal Data Special quality personal data is processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

• a) Special quality personal data other than health and sexual life may be processed without seeking the explicit consent of the relevant person if expressly provided for in the laws, in other words, if there is a provision allowing the processing of personal data in the relevant law. Otherwise, the explicit consent of the relevant person will be obtained.
• b) Special quality personal data regarding health and sexual life may be processed without seeking explicit consent by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment, and care services, and planning and management of health services and their financing. Otherwise, the explicit consent of the relevant person will be obtained.

6. PURPOSES OF PROCESSING PERSONAL DATA

SYJ processes personal data limited to the purposes within the personal data processing conditions specified in Article 5, Paragraph 2, and Article 6, Paragraph 3 of the KVK Law. Detailed information on this subject can be accessed from the ANNEX-2 (“ANNEX 2- Personal Data Processed by SYJ and Their Purposes”) document of this Policy. Additionally, the general purposes regarding processed personal data are also mentioned in the Data Controllers Registry where the company is registered.

7. ENLIGHTENING AND INFORMING THE RELEVANT PERSON

SYJ, in accordance with Article 10 of the KVK Law, enlightens the relevant persons whose personal data is processed during the acquisition of personal data. In this context, SYJ provides clarification regarding the identity of the data controller, the identity of its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for personal data collection, and the rights of the relevant persons whose personal data is processed, according to the nature of the relevant person and the data processing process. Along with this policy, a process and person-based clarification text, cookie policy, and application form are also published on the SYJ website.

8. TRANSFER OF PERSONAL DATA

SYJ may transfer the personal data of the relevant person to third parties by taking necessary security measures in line with lawful personal data processing purposes. In this context, data is transferred:

• If there is an explicit regulation in the laws regarding the transfer of personal data,
• If the transfer of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for the Company to fulfill its legal obligation,
• If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
• If personal data transfer is mandatory for the legitimate interests of SYJ, provided that it does not harm the fundamental rights and freedoms of the relevant person,
• For special quality personal data other than health and sexual life, if the cases stipulated in the laws exist;
• For personal data regarding health and sexual life, only if there is a necessity to share it with authorized persons, institutions, and organizations within the scope of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning and management of health services and their financing.

9. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY SYJ AND PURPOSES OF TRANSFER

SYJ may transfer the personal data and special quality personal data of the relevant person to third parties by taking necessary security measures in line with lawful personal data processing purposes. Our Company acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law in this direction. Detailed information on this subject can be accessed from the ANNEX-3 (“ANNEX 3- Third Parties to Whom Personal Data is Transferred by SYJ and Purposes of Transfer”) document of this Policy.

10. CLASSIFICATION OF PERSONAL DATA PROCESSED WITHIN SYJ

Personal data in the categories specified below are processed at SYJ by informing the relevant persons, in line with the legitimate and lawful personal data processing purposes of the Company, based on and limited to one or more of the personal data processing conditions specified in Articles 5 and 6 of the Law, and by complying with the general principles and all obligations regulated in the Law. SYJ has created a personal data inventory in accordance with the Regulation on the Data Controllers Registry enacted by the Personal Data Protection Authority. This data inventory includes data categories, the source of the data, data processing purposes, the data processing process, recipient groups to whom the data is transferred, and storage periods. In this context, personal data in the following data categories exist within SYJ:

• Identity Data: Data group containing information about the person’s identity. (e.g., name-surname, T.R. identity number, place of birth, date of birth, gender, tax number, etc.)
• Contact Data: Data group that can be used to reach the person. (e.g., phone number, address, e-mail address, fax number, etc.)
• Visual and Auditory Data: Data group containing visual and auditory data of the person. (e.g., data clearly belonging to a natural person such as photographs and camera records, copies of documents containing personal data.)
• Location: Information such as GPS location and travel data belonging to the person.
• Personnel Data: This data category refers to data types such as payroll information, property declaration information, and resume information. (e.g., SSI number, payroll info, SSI service breakdown.)
• Financial Data: Data group containing the person’s financial information. (e.g., bank account number, credit card information, IBAN number, etc.)
• Professional Experience: Data group containing information about the person’s profession, professional experiences, and education information. (e.g., certificates, diplomas.)
• Customer Transaction Data: This data category refers to data types such as call center records, receipts, acknowledgment documents, valuable document information, and invoice information.
• Legal Action Data: This data category refers to data types such as information in the lawsuit file, salary attachment, and debt information.
• Transaction Security Data: Data group containing transaction security data such as IP information, log records and cookies, username and password.
• Association, Foundation, Union Membership: Contains the information of the organization where the person has a membership.
• Marketing: Refers to data types such as the person’s shopping history, surveys, cookie records, and campaign work.
• Criminal Conviction Data: Data group regarding criminal sanctions received by the person in the past.
• Health Data: Data group regarding the health status of the person. (e.g., Health report, medication information, vision information, examination information.)

11. RETENTION PERIODS OF PERSONAL DATA

SYJ stores personal data for the period specified in these legislations in cases stipulated in relevant laws and legislations. If a period is not regulated in the legislation regarding how long personal data should be stored, personal data is stored for the period requiring storage in accordance with the practices of SYJ and the customs of the sector, depending on the activity SYJ carries out while processing that data. In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law, and the “Regulation on the Deletion, Destruction, and Anonymization of Personal Data” enacted by the Personal Data Protection Authority, personal data processed in accordance with the relevant law provisions are deleted, destroyed, or anonymized upon the request of the relevant person or based on SYJ’s policies in the event that the reasons requiring processing disappear. SYJ has created a policy on this matter according to the provisions of the regulation and acts in accordance with this policy. In addition, general information regarding storage periods is also specified in the Registry of Data Controllers.

12. RIGHTS OF THE RELEVANT PERSONS; EXERCISE OF THESE RIGHTS

SYJ, in accordance with Article 10 of the KVK Law, informs the relevant person of their rights and guides the relevant person whose personal data is processed on how to use these rights regulated in Article 11; and SYJ operates necessary channels, internal functioning, and administrative and technical regulations in accordance with Article 13 of the KVK Law for the evaluation of the rights of the relevant persons and providing the necessary information to the relevant persons.

12.1 Rights of relevant persons whose personal data is processed Relevant persons whose personal data is processed have the following rights:

• To learn whether personal data is processed or not,
• If personal data has been processed, to request information regarding this,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of personal data if it is incomplete or incorrectly processed,
• To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear,
• To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
• To demand the compensation of the damage in case of loss due to unlawful processing of personal data.

12.2. Cases Where the Relevant Person Cannot Assert Their Rights Relevant persons whose personal data is processed cannot assert their rights listed in 12.1 regarding these matters, as the following cases are kept outside the scope of the KVK Law per Article 28 of the Law:

• Processing for research, planning, and statistics by anonymizing them with official statistics,
• Processing for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, security, public order, or privacy of private life,
• Processing within the scope of preventive, protective, and intelligence activities carried out by public institutions authorized by law to ensure national security,
• Processing of personal data by judicial authorities in relation to investigation, prosecution, trial, or execution proceedings.

According to Article 28/2 of the KVK Law; in the cases listed below, relevant persons cannot assert their other rights listed in 12.1, except for the right to demand compensation for damages:

• Personal data processing being necessary for the prevention of crime or for crime investigation,
• Processing of personal data made public by the relevant person himself/herself,
• Personal data processing being necessary for the execution of auditing or regulation duties or disciplinary investigation/prosecution,
• Personal data processing being necessary for the protection of the State’s economic and financial interests.

12.3. Exercise of Rights by the Relevant Person Relevant persons may submit their requests to the Company free of charge by filling out and signing the application form with identifying documents. The relevant person may use their rights by:

• Sending a wet-signed copy of the form found at _______________ after filling it out, in person or in writing via registered mail with return receipt or via notary to the address “15063 Sok. No:22 Doğa Evleri Sitesi Bademler, Urla, İzmir”, or,
• Sending the form with a secure electronic signature to the ____________ KEP address, or using the e-mail address previously notified to SYJ and registered in SYJ’s system to the address ______________.

In order for the application to be accepted as a valid application, the relevant person must specify:

• a) Name, surname and signature if the application is in writing,
• b)R. identity number for citizens, nationality for foreigners, passport number or identity number if any,
• c) Residential or workplace address for notification,
• d) E-mail address, telephone and fax number for notification, if any,
• e) Subject of the request. Otherwise, the application will not be evaluated as a valid application. In order for third parties to make an application request, there must be a special power of attorney issued through a notary by the relevant person.

Data Controller Title: SYJ DANIŞMANLIK HİZMETLERİ ANONİM ŞİRKETİ Address: 15063 SOK. NO:22 DOĞA EVLERİ SİTESİ, BADEMLER, URLA, İZMİR

ANNEX-1 DEFINITIONS

• Explicit Consent: Consent regarding a specific subject, based on information and declared with free will.
• Anonymization: Changing personal data in a way that it loses its quality as personal data and cannot be reversed.
• Application Form: The form containing the application to be made by the relevant person to exercise their rights per Law No. 6698.
• Employees, Shareholders, and Officials of Institutions in Cooperation: Natural and legal persons in institutions (business partner, supplier, etc.) with which SYJ has a business relationship.
• Business Partner: Parties with whom SYJ establishes a business partnership for various projects or services.
• Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, changing, disclosing, or transferring personal data.
• Relevant Person (Data Subject): The natural person whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Special Quality Personal Data: Data regarding race, ethnic origin, political opinion, philosophical belief, religion, dress, membership to associations, health, sexual life, criminal convictions, and biometric/genetic data.
• Supplier: Parties providing services to SYJ on a contract basis.
• Data Processor: The person who processes personal data on behalf of the data controller.
• Data Controller: The person who determines the purposes and means of processing personal data.
• Deletion of Data: Encrypting personal data to prevent access by relevant users.
• Destruction of Data: Physically or technologically eliminating personal data completely.

ANNEX 2- PERSONAL DATA PROCESSED BY SYJ AND THEIR PURPOSES

ANNEX 3- THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY SYJ AND PURPOSES OF TRANSFER