Furisan Gıda San. ve Tic. Ltd. Şti.

Personal Data Protection and Processing Policy

Approval of Publication

Decision by the Board of Directors

Version No 1

---

1. Introduction:

1.1. Purpose of the Policy:

Furisan Gıda Sanayi ve Ticaret Limited Şirketi (hereinafter referred to as "FURİSAN"); commits to comply with the principles and rules brought by the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (“KVKK/Law”), and other related legislation, and to protect the rights of relevant individuals in line with the “Personal Data Protection and Processing Policy.” To achieve this, a written personal data protection policy and system have been adopted to be implemented and developed.

The purpose of the Personal Data Protection and Processing Policy is to ensure that FURİSAN creates and implements its standards in managing personal data; defines and supports organizational goals and obligations; establishes control mechanisms in line with FURİSAN's acceptable risk level; complies with the obligations it is subject to under international treaties, the Constitution, laws, contracts, and professional rules in the field of personal data protection; and best protects individuals' interests.

1.2. Scope of the Policy:

This policy has been prepared for FURİSAN and covers the services provided within the institution. The provisions of the policy include all information systems and sub-information, contracts, environments, physical areas, and all systems and arrangements produced for the processing of personal data in FURİSAN's fields of activity. This policy covers the board of directors of FURİSAN, all departments, directorates, employees of firms providing any service, interns, and contracted personnel. Any action violating KVKK or this policy is evaluated within the scope of relevant legislation and sanctions are applied accordingly.

Solution partners, public institutions, insurance companies, and all third parties working with FURİSAN who have access to or might access personal data are invited to read and comply with this policy. Third parties must ensure the protection of personal data with a system at least as robust and adequate as that of FURİSAN. A written confidentiality agreement covering the obligations related to the protection of personal data and the right to audit these obligations will be signed between third parties and FURİSAN. Third parties cannot access the personal data processed by FURİSAN without signing the confidentiality agreement. The Personal Data Protection and Processing Policy will ensure the sustainability of FURİSAN's data security principles.

1.3. Objective of the Policy:

The objective of this Policy is to establish the necessary systems to create awareness within the company regarding the lawful processing and protection of personal data and to ensure compliance with the legislation. Within this scope, the aim is to implement the regulations introduced by KVKK and related legislation.

1.4. Definitions and Abbreviations:

Company: Furisan Gıda Sanayi ve Ticaret Limited Şirketi (FURİSAN)

Explicit Consent: Consent given regarding a specific issue, based on information and free will, without any doubt, limited to the specified transaction.

Anonymization: Rendering personal data in such a way that it can no longer be associated with an identified or identifiable person, even when matched with other data.

Employee: Company personnel.

Data Subject: The real person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable real person.

Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, taking over, making available, classification, or preventing its use, fully or partially by automated means or by non-automated means provided that it is part of a data recording system.

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

KVK Board: The Personal Data Protection Board.

KVK Compliance Process: The program implemented by FURİSAN to ensure compliance with the personal data protection legislation.

KVK Authority: The Personal Data Protection Authority.

KVKK: The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.

Policy: Furisan Gıda Sanayi ve Ticaret Limited Şirketi Personal Data Protection and Processing Policy.

Personal Data Retention and Destruction Policy: The "Furisan Personal Data Retention and Destruction Policy" is the basis for determining the maximum period required for the purposes of processing personal data and for deletion, destruction, and anonymization in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

Periodic Destruction: The deletion, destruction, or anonymization of personal data at recurring intervals if all the conditions for processing personal data in the law are eliminated.

Registered Electronic Mail (KEP): A system that protects commercial and legal correspondence and document sharing in the form sent, ensures the identity of the recipient, prevents content alteration, and makes the content legally valid and secure.

Data Controllers Registry Information System: The information system created and managed by the Presidency, which data controllers use for registry applications and other relevant processes.

VERBIS: Data Controllers Registry Information System.

1.5. Distribution of Duties Related to Personal Data:

Title: Distribution of Duties Related to the Protection of Personal Data

Position: Unit

Task:

Board of Directors: Members of the Furisan Board of Directors

• Ensuring that business and operations are conducted in accordance with the company policy.

KVK Committee: Committee consisting of individuals designated by the company for the compliance process related to personal data protection

• Responsible for preparing, developing, implementing, publishing, and updating the policy in relevant environments.

Department Heads: Human Resources, Accounting-Finance, Purchasing, Sales, Sales Support, Information Technology, Quality Assurance, Warehouse Unit

• Responsible for implementing the policy in accordance with their duties and confidentiality agreements.

Contact Person: Person appointed by the data controller

• Responsible for arranging and notifying the matters specified in the policy in compliance with the VERBIS system.

2. Matters Concerning the Protection of Personal Data:

2.1. Ensuring the Security of Personal Data:

All personnel and employees are obliged to ensure that the data processed by FURİSAN and under their responsibility are securely kept and not disclosed to third parties without signing a confidentiality agreement.

Only those who need access to personal data can access them. Information about individual access rights cannot be shared with third parties. Any incident related to information security of personal data is reported to the KVK Committee within the shortest time and no later than 72 hours after its determination. Additionally, the measures stated under the title "Actions to Be Taken in Case of Violation" in Article 12 of this policy are taken.

2.2. Environments Where Personal Data is Stored:

Electronic Environments:

• Servers (Domain, backup, email, database, web, file sharing, etc.)
• Software
• Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
• Personal computers (desktop, laptop)
• Mobile devices (phone, tablet, etc.)
• Optical disks (CD, DVD, etc.)
• Removable memory (USB, memory card, etc.)
• Printer, scanner, photocopier

Non-Electronic Environments:

• Paper
• Manual data recording systems (survey forms, visitor entry log)
• Written, printed, visual media
• Unit cabinets

2.3. Observing the Rights of the Data Subject:

Data subjects have the rights explicitly stated in Article 11 of the Law on the Protection of Personal Data and Article 1 of Section 11 of this policy concerning the data processing activities and records at FURİSAN. FURİSAN conducts its activities by observing all the rights of data subjects during the processing of personal data.

2.4. Increasing Awareness and Supervision of Departments on Personal Data Protection and Processing:

FURİSAN organizes necessary awareness training for its employees to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure the protection of data. Awareness posters are displayed within the premises to increase awareness in line with KVKK.

2.5. Increasing Awareness and Supervision of Business Partners and/or Suppliers on Personal Data Protection and Processing:

FURİSAN ensures that necessary documents are prepared to increase the awareness of business partners and/or suppliers to prevent unlawful processing of personal data, prevent unlawful access to data, and ensure the protection of data. Additionally, confidentiality agreements are signed to ensure mutual awareness.

3. Principles and Rules to be Followed in Processing Personal Data:

3.1. Processing Personal Data in Compliance with the Principles Set Out in the Legislation:

Processing in Compliance with the Law and Rules of Honesty:

Personal data of data subjects are processed in compliance with the principles of lawfulness, transparency, and the obligation to inform within FURİSAN.

Ensuring Personal Data is Accurate and Up-to-Date When Necessary:

Necessary measures are taken in the data processing procedures to ensure that processed data is accurate and up-to-date. The data subject is provided with the opportunity to update their data and correct any errors in the processed data.

Processing for Specific, Explicit, and Legitimate Purposes:

Personal data are processed within the scope of clearly defined purposes by FURİSAN, based on legitimate purposes determined in line with the legislation and the normal course of commercial life.

Being Relevant, Limited, and Proportionate to the Purposes for which they are Processed:

Personal data are processed in a manner that is relevant, limited, and proportionate to the explicitly stated purposes. The processing of unrelated or unnecessary personal data is avoided. Therefore, unless required by law, special category personal data are not processed or, if necessary, explicit consent is obtained with related disclosures.

Retention for the Necessary Period for the Purpose for which they are Processed or as Prescribed by the Relevant Legislation:

The legislation requires the retention of personal data for a certain period. Therefore, personal data processed by FURİSAN are retained for the period prescribed by the relevant legislation or necessary for the purpose of processing. When the retention period prescribed by the legislation ends or the processing purpose ceases to exist, personal data are deleted, destroyed, or anonymized. The principles and processes related to retention periods are detailed in Article 4.3 of this policy.

3.2. Processing Personal Data Limited to the Conditions Set Out in Article 5 of KVKK:

Personal data are processed under the conditions set out in Article 5 of KVKK, such as:

• Explicitly provided for by laws.
• Necessary for the protection of life or physical integrity of the person or another person who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
• Necessary for the performance of a contract to which the data subject is a party.
• Necessary for the data controller to fulfill its legal obligation.
• Data made public by the data subject.
• Necessary for the establishment, exercise, or protection of a right.
• Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Informing and Notifying the Data Subject:

When personal data are collected by FURİSAN, the data subjects are explicitly informed and notified in compliance with Article 10 of KVKK and the Communiqué on the Procedures and Principles to Be Followed in Fulfilling the Obligation to Inform. The information notices include:

• The title, full address, and contact details of the company,
• Personal data categories,
• The purpose of processing personal data,
• To whom and for what purposes processed personal data may be transferred,
• The method and legal basis of collecting personal data,
• The rights of the data subject as listed in Article 11 of KVKK.

The information notices are also available in the "KVKK" section of the https://furisan.com website.

3.4. Processing Special Categories of Personal Data:

Special categories of personal data are limited by law. These data are protected by taking the necessary administrative and technical measures required by the law and the KVK Board. Processing special categories of personal data without explicit consent is prohibited by law. Special categories of personal data, excluding those related to health and sexual life, may be processed without explicit consent in cases provided for by law. Personal data related to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

4. Classification, Processing Purposes, and Retention Periods of Personal Data Processed by FURİSAN:

4.1. Classification of Personal Data:

4.1.1. Personal Data:

Personal data are any information relating to an identified or identifiable real person. The protection of personal data only concerns real persons, and information related to legal entities without personal data is excluded from personal data protection. Therefore, this Policy does not apply to data related to legal entities.

Categories of Personal Data

Subcategories and Descriptions:

Identity:

Information such as name, surname, T.C. identification number, nationality information, mother's name, father's name, place of birth, date of birth, gender included in documents such as license, identity card, and passport, as well as tax number, SGK number, signature information, vehicle plate number, etc.

Contact:

Contact information such as phone number, address, email address, etc.

Personnel:

Payroll information, disciplinary investigation, employment entry-exit document records, resume information, performance evaluation reports, etc.

Legal Process:

Correspondence information with judicial authorities, information in case files.

Customer Transaction:

Invoice, promissory note, check information, request information, order information, etc., related to customers.

Physical Space Security:

Entry and exit records of employees and visitors, camera records.

Transaction Security:

Password and access information.

Finance:

Balance sheet information, asset information.

Professional Experience:

Diploma information, attended courses, in-service training information, transcript information, certificates.

Visual and Auditory Records:

Visual and auditory records.

Special Categories of Personal Data:

Data specified in Article 6 of KVKK (e.g., blood type, health data, including disability status, criminal record).

4.2. Purposes of Processing Personal Data:

As a company, we process personal data for the following purposes:

• Emergency Management Processes
• Information Security Processes
• Employee Candidate / Intern / Student Application Processes
• Employee Satisfaction and Loyalty Processes
• Compliance with Obligations from Employment Contract and Legislation for Employees
• Employee Benefits and Compensation Processes
• Audit / Ethical Activities
• Warehouse Management
• Training Activities
• Electronic Sales Processes
• Access Authorization Processes
• Conducting Activities in Compliance with the Legislation
• Finance and Accounting Affairs
• Conducting Loyalty Processes for Company / Product / Services
• Ensuring Physical Space Security
• Follow-up and Execution of Legal Affairs
• Fulfillment of Legal Obligations
• Conducting Internal Audit / Investigation / Intelligence Activities
• Conducting Communication Activities
• Planning Human Resources Processes
• Conducting Business Activities / Supervision
• Conducting Occupational Health / Safety Activities
• Receiving and Evaluating Suggestions for Improvement of Business Processes
• Conducting Business Continuity Activities
• Conducting Logistics Activities
• Ensuring Quality Standards
• Controlling Entrances and Exits to the Institution Building and Preventing Unauthorized Entries
• Conducting Goods / Services Procurement Processes
• Conducting Goods / Services Sales Processes
• Conducting Goods / Services Production and Operation Processes
• Conducting Customer Relationship Management Processes
• Ensuring the Security of Property Resources
• Increasing Reliability with Customers
• Conducting Marketing Analysis Studies
• Conducting Performance Evaluation Processes
• Conducting Risk Management Processes
• Conducting Retention and Archiving Activities
• Conducting Purchasing Processes
• Conducting Strategic Planning Activities
• Conducting Contract Processes
• Follow-up of Requests / Complaints
• Ensuring the Security of Movable Property and Resources
• Conducting Supply Chain and Relationship Management Processes
• Conducting Wage Policy and Issuing Product Invoices
• Conducting Marketing Processes of Products / Services
• Providing Information to Authorized Persons, Institutions, and Organizations
• Conducting Management Activities
• Creating and Tracking Visitor Records

4.3. Retention Periods for Personal Data:

Personal data are retained for the period required for the purposes for which they are processed or as prescribed by the relevant legislation. The details of the retention and destruction periods are provided in the "Furisan Gıda Sanayi ve Ticaret Şirketi Retention and Destruction Policy," published on the official website.

If personal data are processed for multiple purposes, they will be deleted, destroyed, or anonymized when the purposes for processing no longer exist, or if the data subject requests deletion and there is no legal obstacle. The legal provisions and decisions of the KVK Board are followed in matters of deletion, destruction, or anonymization.

4.3.1. Measures Taken for the Retention of Personal Data:

4.3.1.1. Technical Measures:

The technical measures taken for the protection of personal data are listed below.

• Network security and application security are ensured.
• Closed system network is used for personal data transfers via the network.
• Security measures within the scope of information technology systems procurement, development, and maintenance are taken.
• An authority matrix is created for employees.
• Corporate policies on access, information security, usage, retention, and destruction have been prepared and implemented.
• Data masking is applied when necessary.
• The access rights of employees who have changed positions or left the company are removed.
• Up-to-date antivirus systems are used.
• Firewalls are used.
• Personal data are backed up and the security of backed-up personal data is also ensured.
• User account management and authorization control system are implemented and monitored.
• Periodic and/or random internal audits are conducted and outsourced.
• Log records are kept in a way that cannot be altered by users.
• Attack detection and prevention systems are used.
• Cybersecurity measures are taken and their implementation is monitored.
• Encryption is applied.
• Data processors are periodically audited for data security.
• Data processors are made aware of data security.

4.3.1.2. Administrative Measures:

The administrative measures taken for the protection of personal data are listed below.

• Information Notices (Employee, Employee Candidate/Intern, Camera Systems) and Explicit Consent Notices have been prepared.
• There are disciplinary regulations containing data security provisions for employees.
• Periodic training and awareness activities are conducted for employees on data security.
• Departmental Access Rights have been arranged.
• Training was provided to protect certain personal data.
• Confidentiality commitments are made.
• Signed contracts contain data security provisions.
• Camera Information Notices are posted in areas with cameras.
• Employees are informed about the technical and administrative risks related to the retention of personal data, and a personal data processing inventory is prepared.
• Personal Data Protection Committee was established.
• Personal data security policies and procedures have been determined.
• Personal data security issues are promptly reported.
• Personal data security is monitored.
• Necessary security measures are taken for entry and exit to physical environments containing personal data.
• Security against external risks (fire, flood, etc.) is ensured for environments containing personal data.
• Security of environments containing personal data is ensured.
• Personal data are minimized as much as possible.
• Protocols and procedures for the security of special categories of personal data have been determined and implemented.
• Contracts are aligned with KVKK.

5. Ensuring the Security of Personal Data:

5.1. Responsibilities Regarding the Security of Personal Data:

Technological capabilities and application costs are taken into account by FURİSAN in ensuring the following aspects for personal data:

• Prevention of unlawful processing of personal data,
• Prevention of unlawful access to personal data,
• Ensuring the lawful retention of personal data.

5.2. Measures Taken to Prevent Unlawful Processing of Personal Data:

• Random and/or periodic internal audits are conducted.
• Periodic awareness training is provided to employees on the protection of personal data.
• The activities carried out by the company are evaluated in detail for all departments, and personal data is processed specifically for the activities of the relevant units based on the evaluations.
• When collaborating with third parties for personal data processing, the contracts include provisions requiring the third parties to take necessary administrative and technical measures for data security.
• If personal data are unlawfully disclosed or a data breach occurs, the situation is reported to the KVK Board within 72 hours, and necessary examinations and measures are taken.

5.2.1. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data:

To prevent unlawful access to personal data:

• Technical measures are periodically updated and renewed.
• Access authorization procedures are established within the company.
• Procedures for reporting technical measures and audit processes are determined.
• Data recording systems used within the company are created in compliance with the legislation and periodically audited.
• Employees receive training and information on access and authorization to personal data.
• Confidentiality agreements are made when collaborating with third parties for personal data processing.
• Technological advancements are utilized to establish security systems to prevent unlawful access to personal data.

5.2.2. Measures Taken in Case of Unlawful Disclosure of Personal Data:

Administrative and technical measures are taken, and related procedures are updated to prevent unlawful disclosure of personal data. If it is determined that personal data have been disclosed without authorization, systems and infrastructure are established to notify the data subject and the KVK Board of the situation.

In the event of an unlawful disclosure, the KVK Board may, if deemed necessary, announce the situation on its website or notify the data subject directly.

6. Groups of Persons Whose Personal Data Are Processed by FURİSAN:

Personal data processed by FURİSAN belong to the following groups of persons:

• Employees
• Employee Candidates / Interns
• Private Law Persons Receiving Services
• Potential Product or Service Recipients
• Suppliers / Supplier Employees
• Customers and Their Authorized Representatives
• Members of the Board of Directors
• Visitors

7. Processing of Personal Data and Special Categories of Personal Data:

7.1. Processing of Personal Data:

According to the Law on the Protection of Personal Data No. 6698, "Personal Data Cannot Be Processed Without the Explicit Consent of the Data Subject." However, personal data can be processed without the data subject's consent under the following conditions:

• It is explicitly provided for by law.
• It is necessary to protect the life or physical integrity of the data subject or another person who cannot express consent due to actual impossibility or whose consent is not legally valid.
• It is necessary for the establishment or performance of a contract to which the data subject is a party.
• It is necessary for the data controller to fulfill its legal obligations.
• The data subject has made the data public.
• It is necessary for the establishment, exercise, or protection of a right.
• It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

7.2. Processing of Special Categories of Personal Data:

Special categories of personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data) cannot be processed without the explicit consent of the data subject. Special categories of personal data, excluding those related to health and sexual life, may be processed without explicit consent in cases provided for by law. Personal data related to health and sexual life may be processed without explicit consent only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

8. Third Parties to Whom Personal Data Processed by FURİSAN are Transferred and the Purposes of Transfer:

Purposes of Transferring Personal Data are as follows:

• Conducting activities,
• Providing support services to customers within the scope of the contract and service standards,
• Determining the preferences and needs of customers and shaping and updating the provided service accordingly,
• Fulfilling legal obligations as required or mandated by legal regulations,
• Conducting market research and statistical studies,
• Evaluating job applications,
• Maintaining contact with individuals with whom the company has business relationships,
• Managing marketing processes,
• Managing seller/supplier relationships,
• Completing legal reporting and invoicing processes.

8.1. Transfer of Personal Data:

8.1.1. Conditions for Transferring Personal Data Domestically:

FURİSAN acts in compliance with the provisions of KVKK and the decisions and regulations of the KVK Board regarding the transfer of personal data.

Unless provided by law, personal data and special categories of personal data are not transferred to other real or legal persons by FURİSAN without the explicit consent of the data subject.

In exceptional cases specified by the legislation, personal data may be transferred without the explicit consent of the data subject to administrative/judicial institutions or organizations authorized by the legislation within the limits specified by the legislation.

8.1.2. Conditions for Transferring Personal Data Abroad:

As a rule, personal data are not transferred abroad without the explicit consent of the data subject.

However, in exceptional cases, if one of the following conditions is met:

• If the foreign country to which personal data will be transferred has adequate protection as declared by the KVK Board,
• If there is no adequate protection in the foreign country where the personal data will be transferred, but both the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and the KVK Board grants permission, personal data may be transferred abroad without explicit consent.

8.1.2.1. Institutions and Organizations to Which Personal Data are Transferred:

Personal data may be transferred to the following institutions and organizations in accordance with the principles and conditions mentioned above:

• Mediation Department,
• Real persons or private law legal entities,
• Shareholders,
• Private law persons receiving services,
• Public institutions and organizations authorized by law,
• Business partners,
• Social Security Institution,
• Suppliers.

8.2. Transfer of Special Categories of Personal Data:

8.2.1. Conditions for Transferring Special Categories of Personal Data Domestically:

FURİSAN may transfer special categories of personal data obtained lawfully to third parties for processing purposes, provided that necessary administrative and technical measures are taken. In this regard, special categories of personal data can be transferred to third parties under the conditions specified in the above section and the conditions specified below.

Additionally, in exceptional cases specified by the legislation and the measures prescribed by the KVK Board, special categories of personal data related to health and sexual life can be transferred without explicit consent to persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

8.2.2. Conditions for Transferring Special Categories of Personal Data Abroad:

FURİSAN may transfer special categories of personal data to foreign countries with adequate protection or countries where the data controller in the foreign country guarantees adequate protection by taking necessary care and administrative and technical measures and the necessary measures prescribed by the Board.

Special categories of personal data can be transferred abroad under the following conditions:

• If the data subject's explicit consent is obtained,
• If the data subject's explicit consent is not obtained:
  • Special categories of personal data excluding those related to health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, criminal convictions, and security measures, as well as biometric and genetic data) can be processed in cases provided for by law,
  • Special categories of personal data related to health and sexual life can be processed without explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

9. Data Processing Activities for Workplace and Website Visitors:

9.1. Camera Surveillance Activities Conducted in the Workplace:

Camera surveillance activities are conducted in compliance with the principles of personal data protection to ensure the security of the workplace, employees, visitors, and customers.

Information notices about camera surveillance activities, the security of the data obtained, the retention period of the data obtained from the camera surveillance activities, and who can access this information and to whom it can be transferred are added to the layered information notices as determined by the KVK Board and displayed in all areas with camera systems.

9.2. Tracking Visitor Entry and Exit Records at the Workplace:

The company provides internet access to visitors upon request during their stay within the workplace to ensure security and for other purposes stated in this Policy. In this case, log records related to internet access are kept in compliance with the provisions of Law No. 5651 and the relevant legislation. These records are processed only if requested by authorized public institutions and organizations or during internal audits of the company to fulfill the legal obligations.

10. Conditions for Deleting, Destroying, and Anonymizing Personal Data:

According to Article 138 of the Turkish Penal Code, Article 7 of the KVK Law, and the "Regulation on the Deletion, Destruction, and Anonymization of Personal Data," personal data that have been processed in compliance with the law but whose processing purposes have ceased are deleted, destroyed, or anonymized by FURİSAN upon its decision or upon the request of the data subject. FURİSAN has established a policy on this matter and performs deletion, destruction, or anonymization processes based on the nature of the data in accordance with this policy. FURİSAN has determined periodic destruction dates according to the Regulation, and a schedule has been established to perform periodic destruction at various intervals starting from the commencement of the obligation.

10.1. Obligation to Delete, Destroy, or Anonymize Personal Data:

According to Articles 5 and 6 of the KVKK, if all conditions for processing personal data no longer exist, personal data must be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject. In deleting, destroying, or anonymizing personal data, the general principles specified in Article 4 of the Law, the technical and administrative measures required by Article 12, relevant legal provisions, the decisions of the Board, and the personal data retention and destruction policy must be followed. The data controller is obliged to explain the methods applied for the deletion, destruction, or anonymization of personal data in its policies and procedures. In accordance with Article 7 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, FURİSAN has also created a Furisan Retention and Destruction Policy.

10.2. Techniques for Deleting, Destroying, and Anonymizing Personal Data:

10.2.1. Techniques for Deleting and Destroying Personal Data:

• Physical Destruction
• Secure Deletion Software
• Secure Deletion by a Specialist

10.2.2. Techniques for Anonymizing Personal Data:

• Masking
• Aggregation
• Data Derivation
• Data Shuffling

11. Rights of the Data Subject; Exercise and Evaluation of These Rights:

11.1. Rights of the Data Subject and Exercise of These Rights:

Rights of the Data Subject:

Under the obligation to inform, FURİSAN informs the data subject and establishes systems and infrastructure for this purpose. The data subject is provided with necessary technical and administrative arrangements to exercise their rights over their personal data.

The data subject has the following rights over their personal data:

• Learning whether personal data are processed,
• Requesting information if personal data are processed,
• Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
• Knowing the third parties to whom personal data are transferred in the country or abroad,
• Requesting the correction of incomplete or inaccurate personal data,
• Requesting the deletion or destruction of personal data in case the reasons requiring their processing disappear,
• Requesting notification of the actions taken under subparagraphs (d) and (e) to third parties to whom personal data are transferred,
• Objecting to a result that is detrimental to the data subject arising from the analysis of processed data exclusively by automated systems,
• Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.

Procedure for Submitting a Request by the Data Subject:

The data subject can submit their requests regarding the above-mentioned rights to FURİSAN in accordance with the procedure specified in the "Communiqué on the Procedures and Principles of Application to the Data Controller."

Requests within the scope of the rights specified in Article 11 of the Personal Data Protection Law No. 6698 can be made by filling out the form available in the "KVKK" section at https://furisan.com/ and using one of the following methods:

Requests submitted to the company will be answered within 30 days from the date of receipt by the company, as stipulated in Article 13/2 of KVKK. Responses to the application will be delivered to the applicant in written or electronic form in accordance with Article 13 of KVKK.

APPLICATION METHOD

ADDRESS FOR APPLICATION

INFORMATION TO BE PROVIDED FOR APPLICATION

Personal Application (Applicant's visit with a document proving their identity)

Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA

Envelope must be labeled "Request for Information under the Personal Data Protection Law."

Notification via Notary

Kale Mah. Kılıçlar Cad. No:4/6 Kestel / BURSA

Envelope must be labeled "Request for Information under the Personal Data Protection Law."

Using a secure electronic signature

furisan@hs01.kep.tr

Email subject line must state "Request for Information under the Personal Data Protection Law."

Right of the Data Subject to Lodge a Complaint with the Personal Data Protection Board:

In case of rejection of the application, finding the response insufficient, or failure to respond within the specified time, the data subject has the right to lodge a complaint with the KVK Board within 30 days from the date of learning the response and within 60 days from the date of application.

11.2. Cases Where the Data Subject Cannot Exercise Their Rights:

Under Article 28/2 of KVKK, the data subjects cannot exercise their rights specified in Article 11 of the Law, except for the right to claim compensation, in the following cases:

• Processing of personal data is necessary for the prevention of crime or for criminal investigation.
• Processing of personal data is necessary for the protection of the life or physical integrity of the data subject or another person who is unable to give consent due to actual impossibility or whose consent is not legally valid.

12. Actions to Be Taken in Case of Violation:

If a violation occurs despite all technical and administrative measures taken by FURİSAN, the situation will be reported to the KVK Authority through the contact person as soon as possible and no later than 72 hours after learning of the violation. The same sensitivity will be shown to the data subjects who may be affected by the violation. The notification will be made to the data subject in a clear and plain language. This notification will include:

• The date of the occurrence of the violation,
• The categories of personal data affected by the violation (personal data / special category personal data distinction),
• The possible consequences of the personal data breach,
• Measures taken or suggested to mitigate the negative effects of the data breach,
• Names and contact details of contact persons from whom data subjects can get information about the data breach.

13. FURİSAN Personal Data Protection and Processing Policy Management Structure:

A KVK Committee has been established by the decision of the Board of Directors to manage this policy and other related policies within FURİSAN.

The duties of this Committee related to the protection of personal data are listed below:

• Preparing, developing, implementing, publishing, and updating the fundamental policies related to the protection and processing of personal data and submitting them to the Board of Directors for approval,
• Deciding how to implement and supervise the policies related to the protection and processing of personal data and submitting these matters to the Board of Directors for approval and ensuring coordination within the company,
• Identifying the necessary actions for compliance with the KVK Law and related legislation and submitting them to the Board of Directors for approval, overseeing and coordinating their implementation,
• Increasing awareness within the company and among institutions collaborating with the company regarding the protection and processing of personal data,
• Identifying the risks that may arise in FURİSAN's personal data processing activities and ensuring that necessary measures are taken, and submitting improvement suggestions to the Board of Directors for approval,
• Ensuring that training is organized to inform the relevant persons about their rights and personal data processing activities,
• Deciding on the applications of data subjects,
• Following developments and regulations related to personal data protection and taking necessary measures within the company accordingly,
• Managing relations with the KVK Board and Authority,
• Executing other duties assigned by the Board of Directors related to the protection of personal data.