POLICY FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA

Contents

• Definitions
• Purpose
• Scope and Amendments
• Principles applicable to the process of personal data
  • Compliance with the law and rules of good faith
  • Purpose-specific restriction
  • Transparency and disclosure
  • Personal Data minimization and data economy
  • Deletion of personal data
  • Veracity and data currency
  • Confidentiality and data security
• Purposes of personal data processing
  • Principles applicable to the process of customer and business partner data
    • Data processing for contractual relations
    • Data processing for advertising purposes
    • Data operations under our statutory obligations or subject to express statutory requirements
    • Principle of legitimate interest in processing Personal Data
    • Process of Sensitive Data
    • Data processed via solely automated systems
    • User details and Internet
  • Principles applicable to the process of personal data of employees
    • Data operations under our statutory obligations or subject to express statutory requirements
    • Process of personal data in line with legitimate interest
    • Process of sensitive personal data
    • Data processed via solely automated systems
    • Telecommunication and Internet
• Principles of Personal Data Transfer
• Data subject’s rights
• Confidentiality
• Security
• Controls and audits
• Management of data breaches
• Obligation to be registered with Data Controllers Registry

i. Definitions

Explicit Consent

means an informed consent to a specific matter and which is given at one’s free will.

Anonymization

means a process in which personal data is altered in such a way that it can no longer be related back to an identified or identifiable person even if it is matched with other data.

Personal Data

means any type of information of an identified or identifiable individual.

Sensitive personal data

Imeans data about race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures as well as biometric and genetic data.

Process of personal data

means any process on personal data whereby it is obtained, recorded, stored, kept, modified, edited, disclosed, transferred, taken over, physically structured, categorized or prevented from usage through or by way of fully or partially automated, or provided to be a part of any data recording system, non-automatic means.

Committee

Means Personal Data Protection Committee.

Policy

means the Policy of This Is A Company Teknoloji Gelişim ve Yatırım A.Ş. for the Protection and Processing of Personal Data,

Data Processor

means an individual or entity which processes personal data of the data controller upon the latter’s authorization.

Data Controller

means a person that determines the purpose and means of personal data processing and that administers the site (data recorder system) where data is systematically kept.

ii. Purpose

The purpose of this policy is to define and govern basic principles and implementation rules to be adopted to ensure that This is A Company Teknoloji Gelişim ve Yatırım A.Ş. (“TIAC”) complies with the obligations of data controllers imposed on them Published in the Official Gazette dated April 7, 2016 and entered into force under the Personal Data Protection Law no. 6698 (“PDPL”),

iii. Scope and Changes

This Policy, drafted in line with the PDPL, shall be applicable to all personal data of our existing and potential customers and employees, and the employees, shareholders, authorized officers of our business partners as well as third parties where such personal data are processed by automated means, or provided to be a part of any data recording system, by non-automated means. TIAC reserves its right to amend the Protocol in line with the amendments to the PDPL and the applicable regulation.

iv. Principles applicable to the Process of Personal Data

TIAC adopts the principles below in collecting, processing and analyzing personal data.

a. Acts in compliance with the law and rules of good faith

TIAC shall fairly and lawfully collect personal data to protect the rights of data subjects. It shall give due consideration to the principles of proportionality and on-a-need-to-know basis in conducting these operations.

b. Purpose-specific restriction

Personal data may be only processed for purposes defined prior to the collection of data. Changes that would mean an enhancement of the purpose may be only permitted to a limited extent and based on a just cause.

c. Transparency and disclosure

Data subjects must be informed in detail before the collection and process of their personal data. They must be informed about the following before their data are collected:

• Identity of data controller, and if any, its representative,
• Purpose of processing personal data,
• To whom and for which purposes processed personal data are transferred,
• Method and legal grounds for personal data collection,
• Rights of a data subject pursuant to Article 11 of the PDPL

d. Data economy

Before personal data are processed, it should be determined whether or not this process is required to achieve the purpose, and if the answer is yes, to what extent. Anonymous or statistical data may be used in circumstances where the purpose is acceptable and proportional.

e. Deletion of Personal Data

Personal data are deleted or destroyed or anonymized in case they are no longer needed upon the expiry of such time periods set to keep them for registration purposes for evidence and in line with data retention obligations defined in the applicable laws.

f. Veracity and data currency

Personal data must be accurate, complete and, and if known, up-to-date. It must be ensured that any inaccurate or incomplete data must be deleted, corrected, completed or updated.

g. Confidentiality and data security

Personal data should be kept confidential and safely. Unauthorized access to Personal Data must not be allowed by taking required administrative and technical measures in order to avoid unlawful operations, sharing, data loss, modification or destruction by mistake, and data should be kept confidential at personal level.

v. Purposes for processing personal data

Personal data shall be collected and processed in line with the Privacy Notice and purposes defined below.

a. Customer and Business Partners

• Data processing for contractual relations: Personal data belonging to existing or potential customers and business partners (or, where the business partner is a legal entity, its authorized officers) may be processed without the need to get a further approval in the case that this processing may be necessary to execute, perform and terminate a contract. During pre-contract times leading up to the commencement of the contract, personal data may be processed to draft quotations, purchase order forms or to meet requests of data subject for the performance of the contract. Data subjects may be contacted in light of data provided by them in the course of contract drafting.
• Data processing for advertisement purposes: Personal data may be processed for advertising or marketing purposes only if the purpose for collecting them is in line with the said objectives. A data subject is duly informed about the use of his data for advertisement purposes. A data subject may refuse to disclose disclosing his personal data which is to be used for advertising purposes or to give his consent to their processing. Data subject’s explicit consent is required to process data for advertising purposes. The data controller may obtain a data subject’s explicit consent in this respect by way of electronic approval, mail, electronic mail or telephone. Use of personal data for advertising purposes is not allowed without the explicit consent of the data subject.
• Data operations under our statutory obligations or subject to express statutory requirements: Personal data may be processed without the need to get further approval in case the process is expressly required under the applicable legislation or a legal obligation defined therein is to be performed. The type and scope of data operations must be relevant to legally permitted data process operations and must be in line with the applicable law.
• Principle of legitimate interest in processing personal data: Personal data may be also processed without further approval in case it is required for a legitimate interest of TIAC. Legitimate interests are usually lawful ones.
• Processing sensitive data: Sensitive personal data are processed in line with the provisions of the PDPL and on the condition that adequate measures dictated by the Committee shall be adopted. Sensitive data of a data subject other than data related to his health and sexual life are processed subject to his explicit consent, or where there is no such consent, under the exceptions defined in the PDPL. Sensitive data related to the healthcare and sexual lives of persons may only be processed by competent authorities or those persons who are bound by confidentiality obligations for the purpose of protecting public health and undertaking preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their funding.
• Data processed via solely automated systems: Where personal data collected via automatic systems are processed, this shall not justify or make lawful the use of such data in acts and operations that may adversely affect the data subject. A personal data subject has the right to object to a consequence that is detrimental to him in case his processed data is analysed by means of solely automated systems. TIAC shall show utmost care to take necessary measures in line with the requests of the personal data owner.
• User data and Internet: Users of a web site or application must be informed about the use of their personal data provided by them during the registration as well as about the privacy notice and cookies in the case that their personal data are collected, processed and used. Privacy notice and cookie info shall be integrated so that a data subject may conveniently define and have direct access to such data, which should be available at all times.

b. Principles applicable to the process of employee personal data

It is mandatory to collect and process employee personal data in the course of execution, performance and termination of an employment contract. There may be no need to get a further explicit consent of the employee for such actions. Personal data of potential employees (candidates) are processed at the time of their applications. In the case that an application by a candidate is rejected, his personal data shall be stored for such applicable data retention period for the purpose of the next recruitment stage, and are deleted, destroyed or anonymized upon the expiry of such term. Following principles are given due consideration in processing personal data of employees:

• Data operations under statutory obligations or subject to express statutory requirements: Personal data of an employee may be processed without the need to get further approval in case that the process is expressly required under the applicable legislation or a legal obligation defined therein is to be performed.
• Principle of legitimate interest in processing personal data: Personal data may be also processed without a further approval in case it is required for a legitimate interest of TIAC. Legitimate interests are usually lawful ones. In circumstances where employee interests are to be protected, personal data are not processed for the purpose of legitimate interests. Before the data are processed, it should be determine if there are interests that need to be protected. In the case that employee data is processed on the basis of legitimate interests of TIAC, it should be checked if this process is proportional and prudent, and it should be checked if its legitimate interest violates an employee right that should be protected.
• Processing sensitive data: Sensitive personal data are only processed under specific conditions. Sensitive data are defined as data about race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures as well as biometric and genetic data. Sensitive data may only be processed upon the employee’s explicit consent and on the condition that required administrative and technical measures are to be taken. Following circumstances are exceptions to this provision, and sensitive personal data may be processed even without the employee’s explicit consent.
  • Sensitive personal data of the employee other than his health and sexual life, and in such circumstances defined in the applicable law.
  • Sensitive data related to the employee’s healthcare and sexual life may only be processed by competent authorities or those persons who are bound by confidentiality obligations for the purpose of protecting public health and undertaking preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their funding.
• Data processed via solely automated systems: If personal data of an employee is processed via solely automated systems as a part of the employment relation, the employee shall have the right to object to a position that may arise by using his personal data and that works to his detriment, or to the consequences that may arise therefrom.
• Telecommunication and Internet: Phone devices, e-mail addresses, Intranet and Internet, including in-house networking are all provided by TIAC with a first and foremost focus on business duties. These are work tools and devices and constitute TIAC resources. They are to be used in line with statutory regulations and internal by-laws of TIAC. Telephone or e-mail communication or Intranet or Internet use is not subject to general audit. In order to prevent any attack against the IT infrastructure or individual users, preventive measures are taken at gateways to TIAC which would block technically harmful contents or analyse attack modelling. The use of phone devices, e-mails, Intranet/ Internet and/ or in-house social networks is stored for a limited time for security purposes. Such data with respect to their user is evaluated only in case of a substantial suspicion. These controls are applied by relevant departments only subject to the maintenance of proportionality principle.
• Access ban: TIAC tries its utmost care and effort to process, safeguard and protect the personal data collected by it pursuant to its statutory obligations, legitimate interests and upon the explicit consents of its employees in line with the purpose underlying their collection, and it discloses such data to its relevant employees only. Every employee shall be personally liable for any act and action taken by him in connection with personal data which he has no authority to have access to or which is not relevant or related to his job description without the explicit written authorization of TIAC, and shall duly take all legal measures in this respect. Therefore, regular training courses must be provided to employees to make sure that they shall not disclose or share personal data unlawfully, and a disciplinary mechanism shall be set up that would be triggered in case employees fail to comply with security policies and procedures.

vi. Transfer of Personal Data

Personal data may be transferred to third parties other than TIAC for the purposes described in the Privacy Notice and set out below. Accordingly, TIAC may transfer personal data to the following individuals and organizations for specific purposes:

• To TIAC business partners in a limited way to achieve the purpose of the business partnership in the first place;
• To suppliers of outsourced products and services that are needed by TIAC to perform its business operations;
• To TIAC affiliates in a limited way to ensure the ongoing business operations that require the involvement of TIAC affiliates;
• To TIAC shareholders limited to the design and audit of strategies for TIAC’s business operations in line with the provisions of the PDPL;
• To legally competent public bodies and agencies in a way limited to the purpose that such bodies and agencies may require under their legal authority;
• To legally competent private persons in a manner limited to the purpose that such persons may require under their legal authority.

Your personal data processed by TIAC shall be transferred to such countries that shall be publicized by the Committee as having adequate protection for such data. Personal data may be transferred to such jurisdictions and territories which are said to be lacking the adequate protection only after the data subject gives his approval or both data controllers in Turkey and foreign country deliver a written letter of undertaking for protection and the Committee permits such transfer. TIAC may also use cloud storage services while processing your personal data.

vii. Rights of a Data Subject

A Data Subject shall be entitled to the following:

• To inquire into whether his personal data are processed;
• To ask for information in case his personal data are processed;
• To inquire into the purpose underlying the process of his personal data, and whether or not such data are used in line with that purpose;
• To know about third parties to in Turkey or abroad to whom his personal data are transferred;
• Where his personal data are processed incompletely or wrongly, then to ask for its correction and to ask further that such corrective action shall be notified to third parties to whom his personal data are transferred;
• Even if his personal data are processed in accordance with the PDPL and other applicable laws, in the case that reasons for processing it are no longer applicable, to ask for the deletion or destruction of his personal data, and to ask further that such action shall be notified to third parties to whom his personal data are transferred;
• To object to any consequence that is detrimental to it and that arises from the analysis of processed data by means of solely automated systems;
• To claim a damages in case he sustains a loss due to the unlawful process of his personal data.

Upon the receipt of such a request, TIAC shall be under the obligation to give a timely respond to it. Therefore, TIAC shall duly inform the data subjects about how the rights above may be exercised and how requests received by it shall be handled. Below are exceptions to the above-listed rights that personal data subjects may enjoy under the PDPL, and in these circumstances, TIAC shall not be under the obligation to respond to the requests received from data subjects:

• Process of personal data by anonymizing them by means of official statistics for the purpose of researches, planning and statistics;
• Process of personal data in light of freedom of expression or for artistic, historical, literary or scientific purposes provided that they shall not constitute a crime or infringe national defence, national security, public security, public order, economic security, privacy of personal life or personal rights;
• Process of personal data in connection with preventive, protective or intelligence operations run by public bodies or agencies appointed or authorized under the applicable law to ensure national defence, national security, public order, public security or economic security;
• Process of personal data by judicial or enforcement authorities in connection with investigations, prosecutions, trials or enforcement purposes

Pursuant to the PDPL, data subjects may not assert their rights in the following circumstances other than the right to seek and claim damages for their losses:

• Where personal data processing is required to prevent the commitment of a crime or for criminal investigations;
• Process of personal data publicised by the data subjects himself;
• Where process of personal data is required to ensure that, based on the statutory powers, competent and authorized public bodies or public body like professional societies shall carry out their audit or regulatory tasks or undertake disciplinary investigations or prosecutions;
• If process of personal data are required to defend the government’s economic and financial interests in connection with budgetary, tax-related or financial matters;

Data subjects may send their requests to exercise the above-mentioned rights after they complete and sign the Personal Data Application Form posted at our web site at www.thisiscompany.com and deliver the original copy of the form to the following address in person or by means of a registered mail with return receipt to TIAC, provided that a photocopy of their ID card should also accompany the form: Ömer Avni Mah. Meclis-i Mebusan Cad., İnebolu Sok. No:1 Ekeman Han, Kat:4 Kabataş, Beyoğlu, Istanbul. In case of applications that the data subject may file on behalf of someone else other than himself, he should be granted a power of attorney that shall be duly issued and given by the right owner. TIAC may ask additional data from the applicant to verify if the applicant is the data subject, and may ask certain questions to him in connection with the application in order to clarify things. TIAC shall finalize the application free of charge and as soon as possible depending on its nature but at the latest within thirty (30) days.

viii. Confidentiality

Personal data are subject to confidentiality. Employees may not collect, process or use data without permission. Unauthorized use means an unauthorized process by the employees for any purpose other than their legitimate tasks. The principle of need-to-know basis is applicable: Employees may have access to personal data only to the extent of their said task and in line with its nature. Employees are banned to use personal data for personal or commercial purposes, to disclose them to unauthorized parties or to make them available for access otherwise. Managers need to inform their employees about the data protection obligations at the time when the employment relation commences. This obligation shall survive the termination of the employment contract.

ix. Security

Necessary measures and controls are undertaken and required audits and inspections are carried out by or on behalf of TIAC in order to establish and maintain such appropriate security level to prevent the unlawful process of personal data processed by it, to prevent unlawful access to them and to ensure the safekeeping of data. This shall be valid independent of whether or not data process takes place by way of electronic means or in writing. In particular, in case of transitions to new IT systems, before new methods to process data are commissioned, technical and organizational measures are defined and implemented to protect personal data. These measures are based on the latest developments, risks of transactions and the need for protection relative to the information categorization. Technical and organizational measures for the protection of personal data are a part of the Company’s information security method and are constantly adapted relative to technical advances and organizational changes.

x. Controls and audits

Compliance with the Personal Data Protection and Process Policy as well as the PDPL is maintained by means of regular data protection audits and other controls.

xi. Management of data breaches

TIAC shall urgently take and implement such security measures to protect personal data that may be intercepted or captured in breach of this Policy and the PDPL provisions, and shall report it to the data subject and the Committee as soon as possible. For this purpose, TIAC is under the responsibility to set up such systems and application methods that would allow the receipt of demands and complaints from data subjects in connection with their personal data by the most effective means and as soon as possible, If the Committee deems it necessary, this may be published at the Committee’s web site or by some other methods.

xii. Obligation to register with Data Controllers’ Registry

Where TIAC becomes obliged to be registered with the data controllers’ registration, TIAC shall submit such application information and documents listed in the PDPL and be registered with the Data Controllers Registration within thirty days following the date on which it becomes obliged to do so.