Policy of Protection and Processing of Sensitive Personal Data


I. SCOPE

This Policy covers all departments, employees and third parties involved in any process that processes personal data within KRK Holding, its group companies, affiliated companies and other companies within its partnerships.

This Policy defines the provisions for the security of the Company's Sensitive Personal Data, covers all activities that ensure management in this area and is applied at every step in order to maintain it.

This Policy does not apply to data that are not Sensitive Personal Data.

II. DEFINITIONS

Law: Personal Data Protection Law No. 6698
By-Laws: Regulation on Erasure, Destruction or Anonymization of Personal Data
Board: Personal Data Protection Board
Personal Data: All kinds of information regarding an identified or identifiable natural person
Policy: This Policy of Protection and Processing of Sensitive Personal Data
Personal Data Processing Inventory: The inventory of the personal data processing activities carried out by data controllers depending on their business processes, created by associating the purposes and legal basis of the personal data processing, the data category, the recipient groups and the group of data subjects, and detailing the maximum storage period required for the personal data processing, the personal data envisaged to be transferred abroad and the measures taken regarding data security
Sensitive Personal Data: Within the scope of the Law, data about a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data
Company: KRK Holding, its group companies, affiliates and other companies within its partnerships
Data subject: The natural person whose personal data are processed
Data Controllers' Registry Information System (VERBIS): The Data Controllers' Registry held by the Presidency

III. PURPOSE

This Policy has been created in order to determine the procedures and principles for the protection and processing of Sensitive Personal Data collected by the Company in its capacity as data controller pursuant to the Law.

The Company, as a data controller obliged to register with VERBIS, holds Sensitive Personal Data; it is obliged to keep that data in accordance with the Personal Data Processing Inventory, to define the rules for the security of that data, to prepare a Policy covering all the activities it will manage and implement in order to maintain this, and to act in accordance with that Policy.

The conditions and principles set out in the Law and related legislation apply to the storage and destruction of Personal Data.

IV. SENSITIVE PERSONAL DATA

1) General Principles Regarding the Processing of Sensitive Personal Data

The Company takes all necessary technical and administrative measures to store Personal Data securely and to prevent it from being processed or accessed unlawfully.

The Company undertakes that it will not process Personal Data in a manner contrary to the Law.

Except for the exceptions to the conditions for processing Sensitive Personal Data specified in paragraph 3 of Article 6 of the Law, the Company is prohibited from storing Sensitive Personal Data without the explicit consent of the data subject. Where the Company stores Sensitive Personal Data, it processes the data in accordance with the relevant legislation after obtaining explicit consent.

2) Sensitive Personal Data Processed by the Company

Sensitive Personal Data other than data concerning health and sexual life, namely data about a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, criminal conviction and security measures, and biometric and genetic data, may be processed without seeking the explicit consent of the data subject in the cases provided for by law. Personal data concerning health and sexual life may only be processed without the explicit consent of the data subject by persons subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services. Sensitive Personal Data are processed within the Company with the explicit consent of the data subjects, and only within the framework of the controls specified in the 'General Principles Regarding the Processing of Sensitive Personal Data' section of this Policy. The Sensitive Personal Data processed varies depending on the type and nature of the relationship between the Company and the data subject, the communication channels used and the stated purpose.

3) Purposes of Processing Sensitive Personal Data

Personal Data may be processed within the scope of the purposes specified in the Personal Data Processing Inventory and may be stored for as long as those purposes and the relevant legal periods require.

4) Transfer of Sensitive Personal Data

Within the scope of the purposes exemplified in the 'Purposes of Processing Sensitive Personal Data' section of this Policy and in accordance with Articles 8 and 9 of the Law, the Company may transfer data domestically and abroad, and Personal Data may be processed and stored in the servers and electronic media used in this context. The recipients to whom the personal data is transferred and the purposes of the transfer are detailed in the Personal Data Processing Inventory prepared by the Company. The nature of these transfers and the recipients vary depending on the type and nature of the relationship between the data subject and the Company, the purpose of the transfer and the relevant legal basis; the measures taken within this scope, the basic procedures of practice and the transactions to be carried out within this framework apply accordingly. Where the Company transfers Sensitive Personal Data, it carries out the transfer by taking the necessary measures in accordance with the terms and conditions specified in the Law and the relevant legislation.

5) Cessation of the Data Processing Conditions

The Company is responsible for keeping the conditions for processing Sensitive Personal Data current and shares this responsibility with all its employees. Employees may not continue data processing where the data processing conditions no longer exist. Where the reasons for processing no longer exist, Personal Data shall be destroyed in accordance with the provisions of this Policy by the Company ex officio or upon the request of the data subject. The Company accepts that the conditions for processing Sensitive Personal Data no longer exist in the cases listed below by way of example and specified in the By-Laws:
- where the purpose of processing the Personal Data no longer exists,
- where the processing of the Personal Data is contrary to the law or the principle of good faith,
- where the processing of the Personal Data is based solely on explicit consent and that consent is withdrawn.

6) Protection of Sensitive Personal Data

The Company takes the following measures as data controller:

i) Administrative Measures

- Training and awareness activities for employees are carried out periodically on improving their quality and technical knowledge and skills, preventing unlawful processing of Personal Data, preventing unlawful access to Personal Data, ensuring the preservation of Personal Data, communication techniques and the relevant legislation.
- Disciplinary regulations that include data security provisions have been established for employees.
- A Personal Data Processing Inventory has been prepared.
- Corporate policies on storage and destruction have been prepared.
- Before Personal Data is processed, the obligations to inform the data subjects and to obtain their explicit consent are fulfilled.
- Personal Data is minimized as far as possible.
- Periodic and random audits are carried out.
- VERBIS registration has been made.
- In addition to the administrative measures taken for Personal Data, a separate systematic, clear, manageable and sustainable policy and procedure for the security of Sensitive Personal Data has been determined.
- Regular training is given on the Law, the related regulations and the security of Sensitive Personal Data.
- The scope and duration of users' data access authorizations are clearly determined.
- Authorization controls are carried out periodically.

ii) Technical Measures

- Personal Data security policies and procedures have been determined.
- Personal Data security issues are reported directly.
- Personal Data security is monitored.
- Erasure, destruction or anonymization processes are applied periodically in accordance with the Personal Data storage and destruction policy.
- When an employee changes position or leaves the Company, his/her access authorizations in this area are revoked.
- Necessary security measures are taken for entry to and exit from physical environments containing Personal Data.
- The security of environments containing Personal Data is ensured.
- Risks of unlawful processing are identified, and technical measures are taken against these risks.
- Procedures for assigning access authorizations and roles are established and implemented.
- Network and application security is ensured.
- An authorization matrix is maintained.
- Access logs are kept regularly.
- Data masking measures are applied where necessary.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- A user account management and authorization control system is applied and monitored.
- Personal Data is backed up, and the security of the backed-up Personal Data is also ensured.
- In addition to the technical measures taken for Personal Data, Sensitive Personal Data are stored using cryptographic methods.
- Records of all actions performed on the data are logged securely.
- Where remote access to data is required, at least two-step authentication is applied.
- Where data need to be transferred via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail account is used.
- In addition to the technical measures taken for Personal Data, adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken for the environments where Sensitive Personal Data is kept.
- Unauthorized entry to and exit from the environments where Sensitive Personal Data is kept are prevented.
- When Sensitive Personal Data is transferred in paper documents, necessary measures are taken against risks such as theft, loss or viewing by unauthorized persons, and the document is sent in the "classified documents" format.

7) Transfer of Sensitive Personal Data

The Company may transfer Sensitive Personal Data obtained in accordance with the Law to third parties, taking all security precautions, in line with the data processing purposes. Accordingly, the Company may transfer Sensitive Personal Data to third parties where one of the processing conditions specified in the section above and one of the following conditions are met:

- with the explicit consent of the data subject,
- if there is an explicit provision in the laws regarding the transfer of Sensitive Personal Data,
- if it is necessary for the protection of the life or bodily integrity of the data subject, where his/her explicit consent cannot be obtained due to factual impossibility or his/her consent is not legally valid,
- if it is necessary to transfer Personal Data belonging to the parties of a contract, provided that it is directly related to the conclusion or performance of that contract,
- if the personal data processing activity is necessary for the Company to fulfil a legal obligation,
- if the data subject has himself/herself made the Sensitive Personal Data public,
- if the transfer of Sensitive Personal Data is mandatory for the establishment, exercise or protection of a right,
- if the transfer of Personal Data is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

8) International Transfer of Sensitive Personal Data

The Company, taking the necessary security measures and the adequate precautions stipulated by the Board, and in line with its legitimate and lawful Personal Data processing purposes, may transfer Sensitive Personal Data to a data controller abroad that has an adequate level of protection or that undertakes to protect the Sensitive Personal Data of the data subject, in the following cases:

- with the explicit consent of the data subject, or
- without the explicit consent of the data subject, where Sensitive Personal Data other than data concerning health and sexual life (data about a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, criminal conviction and security measures, and biometric and genetic data) may be processed without explicit consent in the cases provided for by law, and where Personal Data concerning health and sexual life may be processed without explicit consent only by persons subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services.

V. UPDATE

In the event that new legislation on the subject is enacted or the relevant legislation is updated, the Company will update this Policy in line with the relevant legislation and comply with its requirements.