KVKK info • Borataş

PERSONAL DATA PROCESSING INFORMATION TEXT

“Information Text”

As BORATAŞ TUR.MAK.İNŞ.TAAH.SAN VE TİC LTD.ŞTİ ("Employer/COMPANY"), Bağyurdu Organize Sanayi Bölgesi Anadolu Cad. No:8 Kemalpaşa-İZMİR, as the data controller,

-we hereby declare that your personal data, which we obtain in the following ways,

-as the case may be, within the scope of our commercial/service relations or within our business relationship with you;

-within the framework of the purpose requiring their processing and in a limited and proportionate manner in connection with this purpose,

-by preserving the accuracy and most up-to-date form of the personal data as notified or notified to us,

-will be recorded, stored, preserved, rearranged, shared with institutions legally authorized to request such personal data, and transferred, assigned, classified to domestic or foreign third parties under the conditions stipulated by the KVKK, and processed in other ways listed in the KVKK.

PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA

Establishment of business/service/commercial relationship, performance and fulfillment of contract provisions, use in services we can offer you; recording identity, address, tax number and other necessary information including personal health data to identify the person performing/having the transaction performed; preparing all records and documents that will form the basis of the transaction in electronic (internet/mobile etc.) or paper format; complying with information storage, reporting and information obligations stipulated by legislation, authorized institutions and other authorities; being able to increase service quality through marketing and statistical activities, and being able to offer requested/other products/services. Sensitive personal data is processed due to communication, providing information and similar processes within the contractual relationship.

The scopes in which your personal data may be processed are as follows: HR operations, Intra-company operations, Activities with legal, technical and administrative consequences, Strategy, planning and business partner/supplier, customer management, Planning and execution of corporate communication activities and events, Planning and execution of in-company training programs, Company Workplace Safety, Protection of Worker and Occupational Health and Safety, Performance of after-sales services, Performance of Technical Service Services, Fulfillment of the requirements of dealership agreements, Performance of collection transactions, To customers; product-service promotion, information, personalized advertising, campaigns and other benefits, sending commercial electronic messages, survey and tele-sales applications, providing various advantages through statistical analyses, carrying out studies to improve service quality and providing better service, issuing invoices in return for our services, purchasing services from external sources, offering customers the benefits of expert organizations in order to receive services on issues that are not within its field of expertise and to receive technology services, utilizing them due to the requirements of company activities, confirming identity, responding to questions and complaints, taking necessary technical and administrative measures within the scope of data security, ensuring financial agreement with relevant business partners and other third parties regarding the products and services offered, providing the necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, preserving information regarding data that must be kept in accordance with the relevant legislation, ensuring auditing regarding the consistency of information, measuring customer satisfaction, in terms of employees; Creating a personnel file, determining whether the person is capable of fulfilling the requirements of the job continuously, making private health insurance, creating a health file, taking work safety measures, making travel plans. In terms of employee candidates: Managing and planning the process of evaluating the suitability for open positions. Publishing the visual and audio data of the Company and its employees and stands obtained in competitions, organizations, fairs, studies and other activities within the scope of the field of activity for the purpose of developing and sharing the business, Harmonizing the dealer operations and policies in the dealer chain, Fulfilling legal obligations, Execution/follow-up of the company financial reporting and risk management transactions, Execution/follow-up of legal affairs, Creation and follow-up of visitor records. Planning and execution of the use of machinery and equipment by employees. Planning and execution of sales transactions. Planning and execution of supply transactions. Planning and execution of collection transactions. Planning and execution of the use of the company's internet, shared network and computers in accordance with the laws. planning and execution of fairs, activities, social projects, products and corporate promotions,

The above mentioned purposes are for informational purposes, and any additional additions that may be made by us so that the Company can carry out its future business activities will be announced with the updates to be made.

Article 5/2 of the KVKK regulates exceptions that enable the lawful processing of personal data. In this context, the Company may process personal data in the presence of one of the other conditions (exceptions) listed below, in addition to explicit consent. The basis for the personal data processing activity may be only one of the conditions listed below, or more than one of these conditions may be the basis for the same personal data processing activity.

These are: It is explicitly provided for in the law, It is mandatory to process personal data in order to protect the life or physical integrity of the person who is unable to give his/her consent due to a de facto impossibility or whose consent cannot be recognized as valid, or of another person, It is directly related to the establishment or performance of a contract, The clinic fulfills its legal obligation, The personal data owner makes his/her personal data public, Data processing is mandatory for the establishment or protection of a right, Data processing is mandatory for the legitimate interests of the clinic, provided that it does not harm the fundamental rights and freedoms of the data owner.

In order to carry out our activities within the scope of business/commercial service relationship: Identity Information (Name, surname, marital status, place of registration, gender, SSI number, T.C. Identity number, tax number & registered tax office, identity card serial number, mother's name, father's name, date of birth), Contact Information (Address, Telephone number, E-mail Address), Physical Location Security (camera recording), Other data required for the provision of the Service (signature etc.) are processed in relation to the following matters:

Updating the information provided to us and verifying its accuracy, ✓ Ensuring that the obligations within the scope of the contractual relationship are duly fulfilled, ✓ Conducting the Activities in Accordance with the Legislation, ✓ Conducting and Supervising Business Activities, ✓ Conducting Business Continuity Activities, ✓ Conducting Service Procurement Processes, ✓ Conducting the Supply Chain, ✓ Conducting Communication Activities, ✓ Following up and Conducting Legal Affairs, ✓ Conducting Contract Processes, ✓ Conducting Finance and Accounting Affairs, ✓ Conducting Loyalty Processes to Companies and Services, ✓ Planning and executing corporate sustainability, corporate governance, strategic planning and information security processes, ✓ Controlling power of attorney and signature circulars.

PERSONS/ORGANISATIONS TO WHICH PERSONAL DATA MAY BE TRANSFERRED:

Persons, public institutions and organizations, suppliers, related services, real persons and private law legal entities and institutions and organizations permitted by the provisions of the legislation. Sensitive personal data may be transferred to companies, suppliers, related services, real persons and private law legal entities and institutions located in Turkey and abroad from whom we receive services in order to carry out activities subject to the purposes specified in the legislation we are subject to and secured by confidentiality agreements. Personal and special personal data are stored in a secure environment that is not open to general use and are never shared with third parties unless there is an unauthorized or legal obligation.

STORAGE OF PERSONAL DATA

The method of collecting personal data; your personal data can be collected verbally, in writing or electronically through all digital channels such as questions sent to our website, messages, phone calls.

The personal data we obtain is stored securely in a physical or electronic environment for an appropriate period of time in order for the Company to carry out its activities. Within the scope of these activities, the Company complies with the obligations stipulated in all relevant legislation, especially the KVKK, regarding the protection of personal data.

In accordance with the relevant legislation, except for cases where the storage of personal data for a longer period is permitted or required, in the event that the purposes for which personal data is processed are terminated, the data will be deleted, destroyed or anonymized by the Company ex officio or upon the request of the data owner and upon the request of the data owners using different techniques that can be used. In the event that personal data is deleted through these methods, these data will be destroyed in a way that they cannot be used again and cannot be retrieved.

In cases where the data controller has a legitimate interest, personal data may be stored, provided that the purpose of processing and the periods specified in the relevant laws have expired, provided that this is permitted by law, and provided that the fundamental rights and freedoms of the data owners are not violated. After the expiration of the aforementioned limitation period, personal data will be deleted, destroyed or anonymized in accordance with the procedure specified above.

MEASURES TAKEN FOR DATA SECURITY

The Company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures stipulated in Article 12(1) of the KVKK are as follows: To prevent the unlawful processing of personal data, To prevent unlawful access to personal data, To ensure the preservation of personal data.

PROCESSING OF IMAGE RECORDINGS

In order to ensure the general and commercial security of its facilities and businesses, the Company records images of visitors, employees and other relevant persons in accordance with the basic principles stipulated in the KVKK and these records are stored securely in a physical or electronic environment for a period appropriate to the purposes of processing.

A notice stating that image recording is being taken is visibly placed at the entrances to the place where image recording is being taken in order to inform data owners. Images are absolutely not taken in areas where privacy is required. Within the scope of these activities, the Company complies with all obligations stipulated in the relevant legislation, especially the KVKK, regarding the protection of personal data.

STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED BY THE COMPANY TO VISITORS

Our company can provide internet access to visitors who request it during their stay in our workplaces. In this case, log records regarding your internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation regulated under this Law; these records are processed only if requested by authorized public institutions and organizations or in order to fulfill our legal obligations in the audit processes to be carried out within the Company.

In this context, only a limited number of Company employees have access to the obtained log records. Company employees who have access to the aforementioned records access these records only to use them in the requests or audit processes from authorized public institutions and organizations and share them with a limited number of legally authorized persons who undertake to protect the confidentiality of the data they access.

MONITORING OF GUEST ENTRANCES AND EXITS CONDUCTED AT AND WITHIN THE COMPANY ENTRANCES

Our Company carries out personal data processing activities to monitor guest entries and exits in the Company buildings and facilities for the purposes specified and to ensure security.

While obtaining the names and surnames of the guests or through texts hung at the Company or made accessible to the guests in other ways, the personal data owners in question are informed within this scope. The data obtained for the purpose of monitoring guest entries and exits is processed only for this purpose, and the relevant personal data is recorded in the data recording system in physical and/or electronic environment.

PROCESSING OF PERSONAL DATA OF BUSINESS PARTNERS

Within the scope of carrying out the activities it has established with business partners such as dealers and distributors, the Company may process personal data of the employees of the business partners in order to fulfill the work or to ensure the operation of the service activity with the purposes specified in the law, to fulfill the human resources objectives and policies, and to fulfill the legal and commercial security of mutual work.

APPLICATION PROCEDURE AND RIGHTS

Your rights pursuant to Article 11 of the KVKK; We hereby inform you that you have the right to apply to us and; a) learn whether your personal data has been processed, b) request information about it if processed, c) learn the purpose of processing and whether it is used in accordance with its purpose, ç) know the third parties to whom it has been transferred domestically/abroad, d) request correction if it has been processed incompletely/incorrectly, e) request deletion/destruction within the framework of the conditions stipulated in Article 7 of the KVKK, f) request notification of the transactions made pursuant to clauses (d) and (e) above to the third parties to whom it has been transferred, g) object to the emergence of a result to your detriment due to analysis by exclusively automated systems, ğ) request compensation for the damages in case you suffer damages due to processing in violation of the law.

The requests included in your application will be finalized free of charge within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost for the Company, the fee specified in the tariff specified in the Communiqué on the Procedures and Principles of Application to the Data Controller by the Personal Data Protection Board may be collected. In accordance with Article 13, paragraph 1 of the KVKK, Personal Data Rights Owners may make their requests to exercise their specified rights using the methods and information specified in the "Communiqué on the Procedures and Principles of Application to the Data Controller" published in the Official Gazette dated March 10, 2018 and numbered 30356.

Exceptions to the Right to Apply: According to Article 28 of the Personal Data Protection Law, it will not be possible for personal data owners to assert their rights on the following issues.

• Processing of personal data for purposes such as research, planning and statistics by making it anonymous with official statistics

• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime

• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order and economic security

• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings

According to Article 28/2 of the Personal Data Protection Law; Article 10, which regulates the data controller's obligation to inform, provided that it is in accordance with and proportionate to the purpose and basic principles of the Law, Article 11, which regulates the rights of the relevant person, excluding the right to demand compensation for damages, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not apply in the following cases:

• Personal data processing is necessary for the prevention of a crime or for a criminal investigation

• Processing of personal data made public by the personal data owner

• Personal data processing is necessary for the performance of supervisory or regulatory duties by authorized public institutions and organizations and professional organizations with the status of public institution, based on the authority granted by the law, and for disciplinary investigation and prosecution

• Personal data processing is necessary for the protection of the economic and financial interests of the state in relation to budget, tax and financial matters

We would like to inform you that we continue our activities with the awareness that personal data security is at the forefront in all the products and services we offer to you.