Personal Data Protection Law

AKKANAT HOLDİNG ANONİM ŞİRKETİ

(“AKKANAT HOLDİNG”)

PERSONAL DATA PROCESSING, PROTECTION AND DESTRUCTION POLICY

Table of Contents

1.       INTRODUCTION

1.1    Purpose and Scope of the Policy

1.2    Abbreviations and Definitions

2.       OBLIGATIONS

3.       PROCESSED PERSONAL DATA

4.       GROUPS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED

5.       PROCESSING OF PERSONAL DATA

5.1    Legal Grounds for Processing Personal Data

5.2    Methods of Collection and Purposes of Processing of Personal Data

5.3    Methods of Collection and Purposes of Processing of Sensitive Personal Data

6.       TRANSFER OF PERSONAL DATA

6.1    Transfer of Personal Data to Domestic Third Parties

6.2    Transfer of Personal Data to Third Parties Abroad

6.3    Transfer of Sensitive Personal Data to Domestic Third Parties

6.4    Transfer of Sensitive Personal Data to Third Parties Abroad

7.       RIGHTS ON PERSONAL DATA

7.1    Exceptions to the Right of Application

8.       PROCESSING MEDIA OF PERSONAL DATA

8.1    Electronic Media Where Personal Data is Processed:

8.2    Non-Electronic Media Where Personal Data is Processed:

9.       TECHNICAL AND ADMINISTRATIVE MEASURES

9.1    Technical Measures

9.2    Administrative Measures

10.     DESTRUCTION OF PERSONAL DATA

10.1  Reasons for Destruction

10.2  Deletion of Personal Data

10.3  Destruction of Personal Data

10.4  Anonymization of Personal Data

11.     STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA

11.1  Periodic Destruction Period

12.     PUBLICATION AND STORAGE OF THE POLICY ON THE PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

13.     UPDATING THE POLICY ON PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

14.     EFFECTIVE DATE AND ABROGATION OF THE POLICY ON PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

AKKANAT HOLDİNG

PERSONAL DATA PROCESSING, PROTECTION AND DESTRUCTION POLICY

1.       INTRODUCTION

 

Law No. 6698 on the Protection of Personal Data (“Law”), which entered into force after being published in the Official Gazette on April 7, 2016, stipulates important regulations regarding the processing and protection of personal data within the scope of such processing.

 

AKKANAT HOLDING Personal Data Protection, Processing and Destruction Policy (“Policy”) contains the procedures and principles of AKKANAT HOLDING regarding the processing, destruction and anonymization of personal data of real persons in the categories listed below by AKKANAT HOLDING within the scope of the Law.

 

This Policy may be updated if deemed necessary by AKKANAT HOLDING in order to adapt to changing conditions and legislation. In case the Policy is updated, the updated text is announced.

 

1.1    Purpose and Scope of the Policy

 

The Policy aims to ensure that personal data are processed by AKKANAT HOLDING in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data and other relevant legislation, and to ensure that the data owners use their rights effectively. The main purpose of the Policy is to provide information to the data owner regarding the processing, protection and operation of personal data with the principle of transparency. In this way, it is intended to protect all rights and freedoms of both individuals and AKKANAT HOLDING in the context of personal data protection.

 

The Policy has been prepared by AKKANAT HOLDING in order to determine the rules to be followed in the processing, transfer and destruction of the personal data of the data owners and to inform the data owners within the scope of these rules. This Policy is applied in relation to the personal data of the data owners which are processed automatically or non-automatically provided that they are part of any data recording system.

 

1.2    Abbreviations and Definitions

 

 

Explicit Consent: It refers to consent on a specific subject, based on information and expressed with free will.

Anonymization: It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Relevant Person: It refers to the real person whose personal data is processed.

Relevant User: It refers to persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: It refers to the deletion, destruction or anonymization of personal data.

Law: It refers to the Law No. 6698 on the Protection of Personal Data.

Personal Data: It refers to any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: It refers to the inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing personal data, data category, transferred recipient group and data owner group, and in which they detail the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries, if any, and the measures taken regarding data security.

Processing of Personal Data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Board: It refers to the Personal Data Protection Board.

Authority: It refers to the Personal Data Protection Authority.

Sensitive Personal Data: It refers to data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: It refers to the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in this Policy in the event that all of the conditions for processing personal data specified in the Law disappear.

Policy: It refers to the Personal Data Processing, Protection and Destruction Policy.

Data Transfer: It refers to the transfer of personal data to third parties.

Data Processor: It refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System: It refers to the recording system where personal data is structured and processed according to certain criteria.

Data Owner: It refers to the data owners whose personal data are processed.

Data Controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System: It refers to the information system created and managed by the Presidency, accessible over the internet, which data controllers will use in the application to the Registry and other related transactions regarding the Registry.

VERBİS: It refers to the Data Controllers Registry Information System.

Regulation: It refers to the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

Data Sharing: It refers to the sharing of personal data by the relevant persons within the data controller.

2.       OBLIGATIONS

 

All units and employees of AKKANAT HOLDING actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous auditing.

 

AKKANAT HOLDING Human Resources Unit is responsible for ensuring that employees act in accordance with the Law and the Policy, preparing, developing, executing, publishing and updating the Policy in relevant environments, providing technical solutions needed in the implementation of the Policy, and taking technical and administrative measures.

 

All other units are obliged to comply with and execute the KVKK and the Policy in accordance with their duties.  

3.       PROCESSED PERSONAL DATA

 

Personal data provided by the relevant person and specified below as an example will be processed by AKKANAT HOLDING for the purposes and reasons specified in this Policy.

 

 

DATA CATEGORY: PERSONAL DATA

Identity Information: Documents such as Driver's License, Identity Card and Passport containing information such as Name-Surname, Turkish ID Number, Place of Birth, Date of Birth, Place of Registration, Family Sequence No, Volume No, Mother's Name-Father's Name, Gender, Marital Status, and Tax Number, Social Security Number, Signature Information, etc.

Contact Information: Phone Number (Fixed and/or Mobile), Address, E-Mail Address, KEP, Fax, Form, etc.

Employee Relative Information: Photocopy of Identity Card of Family Relatives and Identity Information, Copy of Civil Registration, Contact Information, etc.

Financial Data: Financial and Salary Details, Payrolls, Premium Entitlements, Premium Amounts, File and Debt Information on Enforcement Proceedings, Bank Passbook, Minimum Living Allowance Information, Private Health Insurance Amount, Balance Sheet Information, Receipt / Invoice Information, Receipt, Waybill, Quantity of Goods and Services Received / Provided, Unit Price of Goods and Services Received / Provided, VAT Amount Related to Goods and Services Received / Provided, Total Price of Goods and Services Received, Debit Amount, Credit Amount, Account Name, Account Code, Balance Sheet and Commercial Ledger Information, Bank Information, IBAN, etc.

Professional Experience: CV, Name of Previous Workplace(s), Date of Starting and Ending Work at Previous Workplace(s), Position at Previous Workplace(s), Educational Background, Certificate and Diploma Information, Foreign Language Information, Education and Skills, Courses Taken, Institution/Company Position, etc.

Audio and Visual Recordings: Photograph, Closed Circuit Camera Recording Image, Camera Recording, etc.

Physical Space Security Information: Personal Data Regarding Records and Documents Taken at the Entrance to the Physical Space and During the Stay in the Physical Space; Camera Records, Closed Circuit Camera System Image, Vehicle License Plate Information, Records Taken at the Security Point, Entry-Exit Information, etc.

Process Security: Data such as website login-exit information, information such as passwords, IP addresses, etc.

Personal File: All kinds of information and documents (e.g. Salary Amount, SSI Premiums, Data, Payrolls, etc.) that must be included in the personnel file in accordance with the legislation; Leave Seniority Base Date, Leave Seniority Additional Days, Leave Group, Departure/Return Date, Reason for Leave, Address/Telephone to be on Leave, Registration No, Position Name, Department and Unit, Title, Last Date of Employment, Entry and Exit Dates, Insurance Entry/Pension, Social Security Number, Number of Working Days, Projects Worked, Monthly Total Working Hours, Severance Pay Base Date, Severance Pay Additional Days, Days on Strike, Employee Internet Access Logs, Entry-Exit Logs, etc.

Legal Process Data: Contracts, Case Files, Enforcement Proceedings, Payment and Execution Orders, Power of Attorney, etc.

Location Data: Location information, vehicle tracking system, etc.

Vehicle and License Plate Information: Vehicle license plate information

Customer Transaction Data: Invoice, Check, Bond, Policy Information, Order Information, Request Information, etc.

Clothing Data (Sensitive Data): Clothing Size Number, Shoe Size Number

Biometric Data (Sensitive Data): Fingerprinting under Restricted Area Access

Criminal Convictions and Security Measures Data (Sensitive Data): Criminal Record

Health Data (Sensitive Data): Health Certificates and Reports and Health Information (Blood Type, device and prosthesis information), Documents or Reports on Disability Status and Forensic Medicine Institution Reports, Physician Reports on Pregnancy Status, etc.

4.       GROUPS OF PERSONS WHOSE PERSONAL DATA ARE PROCESSED

 

The groups of persons whose personal data will be processed by AKKANAT HOLDING as the data controller in line with the purposes, procedures and principles specified in the KVKK and the Policy are as follows:

 

·         Employee

·         Employee Candidate

·         Employee Relative

·         Shareholder/Partner

·         Customer

·         Intern

·         Supplier

·         Supplier Employee

·         Supplier Official

·         Product or Service Recipient

·         Product or Service Recipient Employee

·         Authorized Person Receiving Product or Service

·         Visitor

5.       PROCESSING OF PERSONAL DATA

 

AKKANAT HOLDING, in its capacity as data controller, shall process the personal data of data owners within the scope of the purposes, procedures and principles specified in the KVKK and this Policy; in accordance with the law and honesty rules, accurate and up-to-date, for specific, clear and legitimate purposes, in connection with the purpose for which they are processed, limited and measured in the manner specified in the KVKK and this Policy, preserve them for the period stipulated in the relevant legislation and Policy or required for the relevant purpose, transfer them to third parties in cases permitted by the legislation and in the manner specified in this Policy and limited to the purpose for which they are processed, and share them with the relevant persons within the company.

 

5.1    Legal Grounds for Processing Personal Data

 

Personal data are processed in accordance with the personal data processing conditions specified in the KVKK. In this direction, personal data will be processed if one or more of the following conditions exist, or by applying for the explicit consent of the data owner if necessary:

·         It is clearly stipulated in the laws,

·         It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid,

·         It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

·         It is mandatory for the data controller to fulfill its legal obligation,

·         The data has been made public by the data owner himself/herself,

·         Data processing is mandatory for the establishment, exercise or protection of a right,

·         Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.

 

In this context;

 

·         Income Tax Law No. 193

·         Law No. 2004 on Execution and Bankruptcy

·         Tax Procedure Law No. 213

·         Law No. 2547 on Higher Education,

·         Law No. 2828 on Social Services

·         Law No. 3071 on the Exercise of the Right to Petition

·         Turkish Civil Code No. 4721

·         Public Procurement Law No. 4734

·         Labor Law No. 4857

·         Law No. 4982 on Access to Information

·         Law No. 5018 on Public Financial Management

·         Law No. 5188 on Private Security Services

·         Turkish Penal Code No. 5237

·         Law No. 5434 on Retirement Health

·         Law No. 5510 on Social Security and General Health Insurance

·         Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications

·         Turkish Code of Obligations No. 6098

·         Turkish Commercial Code No. 6102

·         Law No. 6183 on Collection Procedure of Public Receivables

·         Law No. 6331 on Occupational Health and Safety

·         Law No. 6563 on the Regulation of Electronic Commerce

·         Law No. 6698 on the Protection of Personal Data

·         Regulation on Archive Services

·         Other secondary regulations and other legislative provisions in force pursuant to these laws

·         Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes

Personal data will be processed and stored in accordance with the provisions of the legislation listed above and of other relevant legislation, without being limited to those listed.

 

5.2    Methods of Collection and Purposes of Processing of Personal Data

 

Personal data will be processed by AKKANAT HOLDING in accordance with the law and the rule of honesty, accurately and up-to-date, for specific, explicit and legitimate purposes and in connection with the purposes of processing, limited and measured. In line with the legitimate interests of AKKANAT HOLDING, personal data are requested, collected and otherwise processed through written, verbal and electronic media.

 

Personal data will be collected only for the purposes for which they are collected, will be stored for the periods required by the purposes for which they are processed, will not be processed in excess of the rules specified in the law and will be deleted, destroyed or anonymized ex officio or upon your request as the relevant person, without prejudice to the cases where there is a retention obligation arising from other applicable legislation, in the event that the reasons requiring its processing disappear. Within the framework of its activities, AKKANAT HOLDING processes personal data for the following purposes:

 

·         Execution of Emergency Management Processes

·         Execution of Information Security Processes

·         Execution of Employee Candidate / Intern / Student Selection and Placement Processes

·         Execution of Employee Candidate Application Processes

·         Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees

·         Execution of Fringe Benefits and Benefits Processes for Employees

·         Conducting Audit / Ethics Activities

·         Conducting Training Activities

·         Execution of Access Authorizations

·         Execution of Activities in Compliance with the Legislation

·         Execution of Finance and Accounting Affairs

·         Ensuring Physical Space Security

·         Execution of Assignment Processes

·         Follow-up and Execution of Legal Affairs

·         Execution of Communication Activities

·         Planning Human Resources Processes

·         Execution / Supervision of Business Activities

·         Execution of Occupational Health / Safety Activities

·         Receiving and Evaluating Suggestions for Improvement of Business Processes

·         Execution of Business Continuity Ensuring Activities

·         Execution of Logistics Activities

·         Execution of Goods / Service Procurement Processes

·         Execution of Goods / Service Sales Processes

·         Execution of Goods / Services Production and Operation Processes

·         Execution of Customer Relationship Management Processes

·         Execution of Organization and Event Processes

·         Execution of Performance Evaluation Processes

·         Execution of Storage and Archive Activities

·         Execution of Contract Processes

·         Tracking Requests / Complaints

·         Ensuring the Security of Movable Property and Resources

·         Execution of Supply Chain Management Processes

·         Execution of Wage Policy

·         Execution of Marketing Processes of Products / Services

·         Ensuring the Security of Data Controller Operations

·         Foreign Personnel Work and Residence Permits

·         Execution of Talent / Career Development Activities

·         Providing Information to Authorized Persons, Institutions and Organizations

·         Execution of Management Activities

·         Fulfillment of Legal Obligations Arising from Applicable Legislation

·         Creating and Tracking Visitor Records

 

5.3    Methods of Collection and Purposes of Processing of Sensitive Personal Data

Articles 5 and 6 of the Law No. 6698 on the Protection of Personal Data regulate the conditions for processing personal data and sensitive personal data. In this context, Article 5 of the law regulates the processing of personal data that are not considered to be of special nature, and Article 6 of the law regulates the processing of personal data of special nature. Within the scope of KVKK, data owners' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction data, biometric and genetic data are personal data of special nature. It is prohibited to process these data without explicit consent. For example; data such as health reports, religion, blood type, disability status are special categories of personal data. However, consent is not required for the processing of data other than health and sexual life in cases stipulated by law. Special categories of personal data of employees shall be processed by AKKANAT HOLDING in accordance with the law and the rule of honesty, accurately and up-to-date, for specific, explicit and legitimate purposes and in connection with, limited and proportionate to the purposes of processing, by obtaining explicit consent.

In this respect:

 

·         Biometric Data; only fingerprint data of employees who are allowed access to restricted areas are processed for the purposes of conducting and auditing business activities,

 

·         Criminal Conviction and Security Measures Data; Criminal Registry Record and / or Criminal Registry Archive Record submitted by the employees and issued by the Authorized Institutions, for the purposes of fulfilling the obligations arising from the employment contract and legislation for the employees, fulfilling the obligations arising from the legislation in force, carrying out the activities in accordance with the legislation, providing information to authorized persons, institutions and organizations,

 

·         Health Information Data; health information contained in health certificates and reports submitted by employees and received from authorized institutions, documents or reports regarding disability status, Forensic Medicine Institution reports, physician reports regarding pregnancy status are processed by means of emergency management processes, fulfillment of obligations arising from the employment contract and legislation for employees, execution of fringe benefits and benefits processes for employees, carrying out activities in accordance with the legislation, carrying out occupational health / safety activities, informing authorized persons, institutions and organizations, fulfilling obligations arising from the legislation in force,

 

·         Clothing Data; through the clothing size number and shoe size number provided by the employees, in order to carry out occupational health / safety activities and accordingly to determine the appropriate size for work clothes,

 

are processed.

In the event that AKKANAT HOLDING is required to process any data considered as special categories of personal data under the Law, the explicit consent of the data owner will be requested. If explicit consent is not given by the data owner or if no exception is stipulated within the scope of the law for the processing of the special categories of personal data in question, the relevant data will not be processed by AKKANAT HOLDING in any way.

Special categories of personal data, if processed, will be collected only for the specified purposes of collection, will be stored for the periods required by the purposes of processing specified in the Policy and other legislation, will not be processed in excess of the rules specified in the law and will be deleted, destroyed or anonymized ex officio or upon the request of the person concerned, without prejudice to the cases where there is a retention obligation arising from other applicable legislation, in the event that the reasons requiring its processing disappear.

Personal data will be retained for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and in any case for the legal statute of limitations.

6.       TRANSFER OF PERSONAL DATA

 

6.1    Transfer of Personal Data to Domestic Third Parties

Within the scope of the purposes specified in the law and this Policy, in accordance with the legislation in force, by taking the necessary security measures in line with the purposes of personal data processing, and limited to the purposes specified in this Policy, personal data may be transferred to the following parties and will be processed domestically:

·         our shareholders, business partners, fulfillment assistants, consultants and service providers;

·         the relevant institutions or organizations and public legal entities, to the extent permitted and required by the provisions of the legislation;

·         the relevant public / private law legal / real persons, for the legitimate interests of the data controller;

·         domestic persons, for reasons such as travel, education, e-mail sending;

·         persons specified as reference, for the purpose of confirming the declared information;

·         our business partners and service providers who provide, operate or provide services to our information infrastructure;

·         security companies from which data such as camera recordings are obtained, in order to ensure the security of company premises;

·         occupational health and safety experts, workplace physicians, hospitals and health institutions, in order to fulfill emergency medical interventions and occupational health and safety obligations;

·         our relevant business partners, consultants and service providers, for the management of finance and accounting processes;

·         banks, financial advisors, accountants, customs brokers;

·         banks, to make salary payments;

·         cargo and courier companies, for physical delivery of contracts, invoices, documents or related products;

·         infrastructure providers, for the purpose of storing physical and electronic employee data;

·         lawyers, auditors, forensic informatics experts, cyber security consultants, tax consultants and other official authorities, judicial and administrative authorities such as regulatory and supervisory institutions, courts and enforcement offices, in order to fulfill legal obligations;

·         other public institutions or organizations, private real/legal persons or organizations and third parties authorized to request your personal data;

·         legally authorized public institutions and private persons or organizations and third parties;

·         the customer and/or its auditor, third party legal entities conducting audits and their employees performing the audit task, to whom a site visit will be made for the purpose of proving professional competence;

·         the e-invoice business partner, for sending e-invoice to the customer electronically;

·         personnel transportation companies and/or their employees who provide services for the transportation of personnel;

·         notaries, in contract and queue determination processes;

·         tax offices, for the fulfillment of tax obligations, and, as regards invoices and collection receipts, representatives and/or officials of the Ministry of Finance and/or Tax Office during tax audits.

Accordingly, personal data are transferred, to the extent permitted and required by the provisions of legislation including but not limited to the Labor Law, Occupational Health and Safety Law, Social Security and General Health Insurance Law, Turkish Commercial Code, Personal Data Protection Law, Identity Notification Law, Turkish Criminal Code, Criminal Procedure Law, Enforcement and Bankruptcy Law, Turkish Code of Obligations and Turkish Civil Code, to the relevant institutions or organizations, including but not limited to the Personal Data Protection Authority, Ministry of Finance, Ministry of Family, Labor and Social Services, Turkish Employment Agency (İş-Kur), SSI, General Directorate of Security, Judicial and Administrative Authorities and authorized and relevant public legal entities.

6.2    Transfer of Personal Data to Third Parties Abroad

 

Personal data is not currently transferred to third parties abroad. Within the scope of the purposes specified in the Law and this Policy, in accordance with the applicable legislation, personal data may be transferred to third parties abroad, provided that there is adequate protection in the country where the data is transferred in line with the purposes of personal data processing, and in the absence of adequate protection in the country where the data is transferred, the data controller in the relevant foreign country undertakes adequate protection in writing and obtains the permission of the Personal Data Protection Board. In case your personal data is transferred abroad, AKKANAT HOLDING will inform the data owner.

           

6.3    Transfer of Sensitive Personal Data to Domestic Third Parties

 

Within the purposes specified in the law and this Policy, in accordance with the applicable legislation and your explicit consent, in line with the purposes of personal data processing and in accordance with the Personal Data Protection Board's decision dated 30.01.2018, Decision No. 2018/10, Meeting Sequence No. 2018/3, “Adequate Precautions to be Taken by Data Controllers in the Processing of Sensitive Personal Data”, by taking the necessary security measures to the extent permitted and required by the provisions of the legislation, sensitive personal data of employees may be transferred to the relevant institutions or organizations and public and private legal entities, real person third parties; to independent auditors, private law legal entity auditors, regulatory and supervisory bodies, judicial and administrative authorities; to the customer and/or auditor who will make a site visit for the purpose of proving professional competence, to third party legal entities conducting audits and their employees performing audit duties; to lawyers, auditors, forensic IT experts, cyber security consultants, tax consultants, judicial and administrative authorities in order to fulfill legal obligations; to our business partners and service providers who provide, operate or provide services to our IT infrastructure; to occupational health and safety experts, workplace physicians, hospitals and health institutions for emergency medical interventions and to fulfill occupational health and safety obligations; to other public institutions or organizations authorized to request your personal data.
In this context, sensitive personal data of the employees processed by AKKANAT HOLDING may be transferred to the relevant or authorized institutions or organizations, public and private legal entities and real persons to the extent permitted and required by the provisions of the Labor Law, Occupational Health and Safety Law, Social Insurance and General Health Insurance Law, Turkish Commercial Code, Personal Data Protection Law, Identity Notification Law, Turkish Criminal Code, Criminal Procedure Law and other legislation provisions including but not limited to this.

 

Accordingly, sensitive personal data shall be transferred:

 

·         To occupational health and safety experts/companies, hospitals and health institutions, workplace physicians for emergency medical interventions and to fulfill occupational health and safety obligations,

·         To business partners, forensic informatics experts and consultants, lawyers who provide services in this field in order to ensure information security and fulfill legal and technical obligations,

·         To relevant service providers, hospitals, health institutions, workplace physicians for the purposes of preparing incapacity reports and conducting periodic health screenings,

·         To suppliers for the purpose of carrying out occupational health/safety activities and accordingly providing workwear,

·         To the Courts, Execution Offices and lawyers in order to fulfill the obligations and legal responsibilities arising from the legislation,

·         To the workplace physician, occupational health and safety specialist in order to fulfill the obligations arising from the legislation and to carry out occupational health and safety activities,

·         To the customer and/or its auditors, third party real/legal persons who carry out regulation and/or audit, and their employees who perform audit duties for the purposes of fulfilling contractual obligations, conducting/auditing business activities in accordance with the legitimate interests of the data controller,

·         To authorized and relevant public legal entities such as, but not limited to, the Personal Data Protection Authority, the Ministry of Finance, the Ministry of Family, Labor and Social Services, the Turkish Employment Agency (İş-Kur), the Social Security Institution (SGK), the Directorate General of Public Security (EGM), if stipulated by the provisions of the legislation.

 

6.4    Transfer of Sensitive Personal Data to Third Parties Abroad

 

Sensitive personal data of employees processed by AKKANAT HOLDING are not transferred to third parties abroad. Within the scope of the purposes specified in the Law and this Policy, in accordance with the applicable legislation and in line with the purposes of personal data processing, such data may be transferred to third parties abroad provided that there is adequate protection in the country where the data is transferred or, in the absence of adequate protection in that country, provided that the data controller in the relevant foreign country undertakes adequate protection in writing and obtains the permission of the Personal Data Protection Board. In case your personal data is transferred abroad, the data owner will be informed and his/her explicit consent will be sought.

7.       RIGHTS ON PERSONAL DATA

 

As a personal data owner, in accordance with Article 11 of the KVKK, you have the right to inquire whether your personal data has been processed, to request information if it has been processed, to learn the purpose of processing your personal data and whether it is used in accordance with its purpose, whether it is transferred domestically or abroad, to request correction if it is incomplete or incorrectly processed, to request compensation for your damage if you suffer damage due to unlawful processing of your personal data, and to request the deletion, destruction or anonymization of your personal data in accordance with Article 7 of the KVKK. In this respect, you have the right to request an examination of the data inventory processed by AKKANAT HOLDING.

 

 

 

 

In order to exercise these rights, you may apply in writing to AKKANAT HOLDING in accordance with Article 13 of the KVKK, adding the information and documents necessary to establish your identity, in the ways set out below. In accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller”, the data owner may contact kvkk@arikbey.com.tr to apply to AKKANAT HOLDING, or may make the application by obtaining the application form from https://www.arikbey.com.tr/ or from our company. Your application will be evaluated by AKKANAT HOLDING and finalized free of charge within thirty days.

 

In this context, applications can be made in the following ways:

 

Application Method: The applicant may come to AKKANAT HOLDING in person and apply in writing with the information and documents necessary to establish his/her identity.
Application Address: Akçaburgaz Mah.Uğur Mumcu Cad.No:47 A Blok Esenyurt/İstanbul

Application Method: The applicant may apply to AKKANAT HOLDING in person or by a proxy authorized to represent him/her through a notary public or by registered mail with return receipt requested.
Application Address: Akçaburgaz Mah.Uğur Mumcu Cad.No:47 A Blok Esenyurt/İstanbul

Application Method: The applicant can apply via secure electronic signature and registered electronic mail.
Application Address: örnek@hs02.kep.tr

 

7.1    Exceptions to the Right of Application

 

Pursuant to Article 28 of the KVKK, personal data owners will not be able to assert their rights in the following cases; the processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics; the processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime; the processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, economic security; the processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.

 

Pursuant to Article 28/2 of the KVKK, except for claiming compensation for damages, personal data owners will not be able to assert their rights in the following cases: the processing of personal data is necessary for the prevention of crime or criminal investigation; the processing of personal data made public by the personal data owner himself/herself; the processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigations and prosecutions by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law; the processing of personal data is necessary for the protection of the economic and financial interests of the state in relation to budgetary, tax and fiscal matters.

 

8.       PROCESSING MEDIA OF PERSONAL DATA

 

AKKANAT HOLDING processes personal data in electronic and/or non-electronic media. Accordingly;

 

8.1    Electronic Media Where Personal Data is Processed: Servers (domain, backup, e-mail, database, web, file sharing, etc.), software (office software, portal, etc.), information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.), personal computers (desktop, laptop), mobile devices (phone, tablet, etc.), optical disks (CD, DVD, etc.), removable memories (USB, memory card, etc.).

 

8.2    Non-Electronic Media Where Personal Data is Processed: Paper, manual data recording systems (file archives), written, printed, visual media.

9.       TECHNICAL AND ADMINISTRATIVE MEASURES

 

Technical and administrative measures are taken by AKKANAT HOLDING in accordance with Article 12 of the Law and in line with all measures to be taken within the scope of the Policy in order to protect and store personal data processed by AKKANAT HOLDING, to prevent unlawful processing, access and sharing, and to destroy personal data in accordance with the law.

 

9.1    Technical Measures

 

The technical measures taken by AKKANAT HOLDING regarding the protection of personal data processed by AKKANAT HOLDING are listed below:

 

·         Network security and application security are ensured.

·         A closed system network is used for personal data transfers via the network.

·         Destruction processes are defined and implemented in accordance with Akkanat Holding Personal Data Protection, Processing and Destruction Policy.

·         Information systems are kept up-to-date.

·         Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

·         An up-to-date anti-virus system is used on computers.

·         Necessary measures are taken for the physical security of information systems equipment, software and data.

·         Security of personal data stored in the cloud is ensured.

·         An authorization matrix has been established for employees.

·         Employees and visitors are allocated separate internet networks.

·         Access logs are kept regularly.

·         The authorizations of employees who change their duties or leave their jobs are removed.

·         Security vulnerabilities are monitored and appropriate security patches are installed.

·         Firewalls are used.

·         Personal data security issues are reported quickly.

·         Personal data security is monitored.

·         Necessary security measures are taken for entry and exit to physical environments containing personal data.

·         Physical environments containing personal data are secured against external risks (fire, flood, etc.).

·         Security of environments containing personal data is ensured.

·         Personal data is backed up and the security of backed up personal data is also ensured.

·         Backup programs that ensure the secure storage of personal data are used.

·         Strong passwords are used in electronic media where personal data is processed and secure logging systems are used.

·         Log records are kept without user intervention.

·         Existing risks and threats have been identified.

·         Intrusion detection and prevention systems are used.

·         Penetration testing is applied.

·         Cyber security measures have been taken and their implementation is constantly monitored.

·         Encryption is performed.

·         Network security and application security are provided within the data controller.

9.2    Administrative Measures

 

The administrative measures taken by AKKANAT HOLDING regarding the protection of personal data processed by AKKANAT HOLDING are listed below:

·         Akkanat Holding Personal Data Protection, Processing and Destruction Policy has been established.

·         Training and awareness raising activities on data security are carried out for employees at regular intervals.

·         “Confidentiality Agreements” are signed by employees.

·         Employment Contracts of Definite/Indefinite Duration contain provisions regarding the protection of personal data, data privacy and security.

·         Trainings are provided on improving the qualifications and technical knowledge and skills of employees, preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the protection of personal data, communication techniques and relevant legislation.

·         Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.

·         Confidentiality undertakings are made.

·         The authorizations of employees who change their duties or leave their jobs in this area are removed.

·         The obligation to inform the relevant persons is fulfilled.

·         Signed contracts contain provisions on personal data legislation.

·         Signed contracts contain data security provisions.

·         Extra security measures are taken for personal data transferred via paper.

·         Personal data security policies and procedures have been determined.

·         Personal data security issues are reported quickly.

·         Physical environments containing personal data are secured and personal data is minimized as much as possible.

·         Personal data is minimized as much as possible.

·         User account management and authorization control system is implemented and monitored.

·         Internal periodic and/or random audits are carried out.

·         Akkanat Holding disciplinary procedure is applied for employees who do not comply with the KVKK and the Policy.

·         In case of data transfer, a “Confidentiality Agreement” is signed with third parties.

·         Data processing service providers are periodically audited on data security.

·         Awareness of data processing service providers on data security is ensured.

10.   DESTRUCTION OF PERSONAL DATA

 

Personal data are stored by AKKANAT HOLDING for the retention period required for the purpose for which they are processed and in accordance with the minimum retention periods stipulated by the relevant legislation. In this direction, AKKANAT HOLDING first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, personal data are destroyed by AKKANAT HOLDING ex officio or upon the application of the relevant person by the techniques specified in this Policy in accordance with the provisions of the relevant legislation.

 

10.1    Reasons for Destruction

 

Personal data shall be deleted, destroyed or anonymized by AKKANAT HOLDING ex officio or upon the request of the relevant person in the following cases: where the provisions of the relevant legislation that constitute the basis for processing are amended or abolished; where the purpose requiring its processing or storage disappears; where the processing of personal data takes place only on the basis of explicit consent and the data owner withdraws his/her explicit consent; where the application made by the data owner for the deletion and destruction of his/her personal data within the framework of his/her rights pursuant to Article 11 of the Law is accepted by the Authority; where AKKANAT HOLDING rejects the application made by the person concerned requesting deletion, destruction or anonymization of his/her personal data, or the person concerned finds the answer insufficient, or AKKANAT HOLDING does not respond within the period stipulated in the law, and the person concerned makes a complaint to the Board and this request is approved by the Board; where the maximum period for which the personal data is required to be retained has elapsed and there are no circumstances that would justify retaining the personal data for a longer period of time.

 

10.2    Deletion of Personal Data

 

Personal data is deleted by the methods specified in the table below.

 

 

Personal Data on Servers: For personal data on servers whose retention period has expired, deletion is carried out by the system administrator by removing the access authorization of the relevant users.

Personal Data in Electronic Media: Personal data stored in electronic media whose retention period has expired is rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.

Personal Data in Physical Media: Personal data kept in physical media whose retention period has expired is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, blacking out is applied by scratching/painting/erasing in such a way that the data cannot be read.

Personal Data on Portable Media: Personal data kept in USB-based storage media whose retention period has expired is encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization given only to the system administrator.

 

 

10.3    Destruction of Personal Data

 

For personal data in physical media, AKKANAT HOLDING irreversibly destroys personal data on paper in paper shredding machines; for personal data in optical and/or magnetic media, physical destruction processes such as melting, incineration or pulverization are applied.

 

10.4    Anonymization of Personal Data

 

Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In this context, personal data is rendered unassociable with an identified or identifiable natural person even where techniques appropriate to the environment in which it is processed and the relevant field of activity are used, such as the data controller or third parties reversing the process and/or matching the data with other data.

11.   STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA

 

Personal data are stored by AKKANAT HOLDING for the retention period required for the purpose for which they are processed and in accordance with the minimum retention periods stipulated by the relevant legislation. In this direction, AKKANAT HOLDING first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period of time is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. At the end of the period stipulated in the relevant legislation or at the end of the storage period required for the purpose for which they are processed, personal data are destroyed by AKKANAT HOLDING ex officio, in accordance with the periodic destruction periods or upon the application of the person concerned, in accordance with the provisions of the relevant legislation, by the techniques specified in this Policy.

 

For the personal data processed by AKKANAT HOLDING within the scope of its activities, process-based retention periods for each item of personal data are included in the Personal Data Processing Inventory, and retention periods on the basis of data categories are included in the VERBIS records.

 

11.1    Periodic Destruction Period

 

Pursuant to Article 11 of the Regulation, AKKANAT HOLDING has determined the periodic destruction period as 6 months. Accordingly, AKKANAT HOLDING carries out periodic destruction in June and December every year.

12.   PUBLICATION AND STORAGE OF THE POLICY ON THE PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

 

The Policy is prepared in two different media, printed paper and electronic media, and published publicly on the website. The printed paper copy is kept in its file by AKKANAT HOLDING Human Resources.

13.   UPDATING THE POLICY ON PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

 

The Policy is updated by AKKANAT HOLDING when necessary and published on its website.

 

14.   EFFECTIVE DATE AND ABROGATION OF THE POLICY ON PROCESSING, PROTECTION AND DESTRUCTION OF PERSONAL DATA

 

The Policy shall be deemed to have entered into force upon its publication on the website of AKKANAT HOLDING. In case it is decided to abolish the Policy, the old copies of the Policy with wet signatures shall be canceled and signed by AKKANAT HOLDING (by stamping or writing cancellation) and kept by AKKANAT HOLDING Human Resources for at least 5 years.