INFORMATION TEXT

ÖZTÜRE HOLDİNG A.Ş. (Company), we exhibit maximum sensitivity to the security of your personal data. With this awareness, we attach great importance to the processing and preservation of all personal data pertaining to all persons related to the Company, including those who benefit from our services as the Company, in accordance with the Personal Data Protection Law (“Personal Data Protection Law”) no. 6698. We process your personal data in the capacity of “Data Controller” as defined in the Personal Data Protection Law with full comprehension of this responsibility as set forth below and within the limits required by the legislation.

a. Data Controller and its Representative

Pursuant to the Personal Data Protection Law no. 6698 (“Law no. 6698″), your personal data may be processed within the scope described below by Vişne Madencilik A.Ş. residing at “Şehit Nevres Bulvarı No: 3/7 Alsancak İZMİR” as data controller.

b. Purpose of Processing Your Personal Data

Your personal data collected will be processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698 within the framework of carrying out our commercial activities for the purpose of carrying out the necessary works by our business units to benefit you from the services provided by our Company; recommending the services provided by our Company to you by customizing them according to your like, usage habits and needs; ensuring the execution of our company’s human resources policies; ensuring the legal and commercial security of our company and the persons in business relations with our Company.

Detailed information about the purposes of processing your personal data by our Company is shared with the public at www.visnemadencilik.com.

c. To whom and for what purpose the Processed Personal Data may be Transferred

Your personal data collected may be transferred limited to the purposes specified at www.visnemadencil.com within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law no. 6698; for the purposes of determining and implementing the commercial and business strategies of our company; for the purposes of performing the necessary works by our business units in order to benefit you from the services provided by our company; for the services provided by our company to be customized and recommended to you according to your likes; for the provision of the human resources policies of our company; for the purposes of performing our business activities to our business partners, shareholders, affiliates, legally competent public institutions and private individuals.

d. Method and Legal Reason for Collecting Your Personal Data

Your personal data are collected in writing or electronically by means of technical and procedural methods, automatic or non-automatic means performed in different channels such as web site, mobile applications and physical channels; within the framework of legal reasons arising therefrom and executed based on the relevant legislation, contract, demand, commercial practice and integrity principles that have the opportunity to implement our commercial services to you using these channels and to conduct our commercial activities in this framework. Your personal data collected for this legal reason may be processed and transferred for the purposes specified in Articles (b) and (c) of this Disclosure Text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698.

e) The Rights of Personal Data Subject set out in Article 11 of the Law No. 6698.

As personal data subjects, our Company will conclude the request as soon as possible and within thirty days at the latest according to the nature of the request. However, if the transaction also requires a cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by our Company. Within this context, personal data subjects are entitled to

  • Be aware of whether or not personal data are processed,
  • Request information if their personal data has been processed,
  • Be aware of the purpose of the processing of personal data and whether they are used in accordance with their purpose, • Be aware of the third parties to whom personal data are transferred at home or abroad,
  • To request correction of the personal data in case they are incomplete or wrong processed and the transaction performed under this scope to be informed to the third parties to whom the personal data are transferred,
  • Request the erasure or destruction of personal data in the event that the reasons requiring processing are eliminated despite being processed in accordance with the provisions of the Law No. 6698 and other relevant laws, and request the notification of the transaction made within this scope to the third parties to whom the personal data are transferred,
  • Object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
  • Request compensation in case of loss due to unlawful processing of

personal data.

Pursuant to paragraph 1 of Article 13 of the Personal Data Protection Procedure no. 6698, you may submit your request for exercising your rights mentioned above to our company in writing. In this context, the channels and procedures for submitting your application in writing to our company within the scope of Article 11 of the Personal Data Protection Law No. 6698 are described below:

In order to exercise your above-mentioned rights, you can forward your request containing the necessary information identifying yourself and your explanations regarding your right to exercise from the rights specified in Article 11 of the Personal Data Protection Law No. 6698 to “Şehit Nevres Bulvarı No: 3/7 Alsancak İZMİR” by hand by using the application form at www.visnemadencilik.com, via notary public or other methods specified in the Law No. 6698.

In addition, you may forward it to “kvk@visnemadencilik.com” by using the e-mail (KEP) address, secure electronic signature, mobile signature or e-mail address previously notified to our Company and registered in our systems in accordance with Article 5 of the “Communiqué on Application Procedures and Principles to the Data Controller”.

  1. DATA PRIVACY COMMITMENT

1.1. This Personal Data Protection Policy (“Policy”) sets forth the principles to be followed by ÖZTÜRE HOLDİNGand/or ÖZTÜRE HOLDİNGwhen performing its obligations by ÖZTÜRE HOLDİNGÜRETİM SANAYİ And TİCARET A.Ş. to protect the Personal Data and processing the Personal Data in accordance with the provisions of the relevant legislation, in particular the Personal Data Protection Law 6698.

1.2. ÖZTÜRE HOLDİNGundertakes to comply with the procedures to be applied in accordance with this Policy and Policy in terms of Personal Data within its own body.

  1. PURPOSE OF POLICY

The main purpose of this Policy is to set forth the principles regarding the methods and processes for the protection of Personal Data by ÖZTÜRE HOLDİNG.

III. SCOPE OF POLICY

3.1. This Policy covers all activities related to the Personal Data processed by ÖZTÜRE HOLDİNGand applies to such activities.

3.2. 3.2. This Policy will not apply to data that do not have the nature of Personal Data.

3.3. This Policy may be amended from time to time with the approval of the Board of Directors if the provisions of the Foreign Trade and Customs legislation or the legislation to be supervised by the Banking Law are required by the Data Controller Representative of ÖZTÜRE HOLDİNG.

  1. DEFINITIONS

Definitions contained in this Policy have the following meanings;

“Explicit Consent” refers to the consent of the Data Subject to the processing of Personal Data based on information and disclosed with free will.

“Anonymization” refers to rendering personal data unlikely to be associated with any identified or identifiable real person in any way even when personal data is mapped with other data.

“Anonymous Data” refers to data that may not be associated with the natural person in any way.

“Personal Data” refers to any information related to an identified or identifiable natural person (for the purposes of this Policy, “Personal Data” will include, to the extent applicable, “Sensitive Personal Data” as defined below).

“Personal Data Processing” refers to all kinds of processes performed on Personal Data, including obtaining, recording, storing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system.

“Board” refers to Personal Data Protection Board.

“Authority” refers to Personal Data Protection Authority.

“Personal Data Protection Law” refers to Personal Data Protection Law no. 6698 and other relevant legislation for the protection of Personal Data, binding decisions, policy decisions, provisions, instructions and applicable international agreements and any other legislation issued by regulatory and supervisory authorities, courts and other official authorities for the protection of data.

“Personal Data Protection Procedures” refers to the procedures that are approved and entered into force by the Board of Directors and specify the obligations of ÖZTÜRE HOLDİNG, employees, Data Controller Representative under this Policy.

“Sensitive Personal Data” refers to the biometric and genetic and security data and security measures of individuals with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, health, sexual life, criminal conviction and security measures.

“Erasure or Deletion” refers to making personal data inaccessible and unavailable to the users involved in any way.

“Data Inventory” refers to the inventory of Personal Data Processing activities of ÖZTÜRE HOLDİNGwhich includes information such as the processes and methods of Personal Data Processing, the purposes of the Personal Data Processing, the category of data, the third parties to whom the Personal Data is transferred, etc.

“Data Processor” refers to real or legal person who processes Personal Data on behalf of Data Controller by obtaining authorization from Data Controller.

“Data Subject” refers to all natural persons whose Personal Data are processed by or on behalf of ÖZTÜRE HOLDİNG.

“Data Controller” refers to real or legal person responsible for personal data processing purposes and means of processing and installing and managing data registry system.

“Data Controller Representative” refers to the employee selected from among employees of ÖZTÜRE HOLDİNGand conducting his/her relations with the Personal Data Protection Authority and appointed by the decision of the Board of Directors.

“Destruction” The process of destruction of personal data is the process of making personal data inaccessible, recoverable and unavailable to anyone.

  1. PRINCIPLES OF PERSONAL DATA PROCESSING

5.1. Processing Personal Data in Compliance with Law and Integrity Guidelines

Personal Data are processed by ÖZTÜRE HOLDİNGin accordance with the law and the guidelines of integrity and on the basis of moderation.

5.2. Taking Required Measures for Accurate and Up-to-date Personal Data When Required

ÖZTÜRE HOLDİNGwill take all necessary measures to ensure that the Personal Data is complete, accurate and up-to-date and will update the relevant Personal Data if the Data Subject requests changes to the Personal Data.

5.3. Processing of Personal Data for Specific, Legitimate and Clear Purposes

Before the Processing of the Personal Data, the purpose for which the personal data is to be processed is determined by ÖZTÜRE HOLDİNG. In this context, the Data Subject is clarified within the scope of the Personal Data Protection Regulations and their explicit consent is obtained when necessary.

5.4. Personal Data being Related, Limited and Measured for the Purpose they are Processed

ÖZTÜRE HOLDİNGprocesses the Personal Data only in exceptional cases within the scope of the Personal Data Protection Law Regulations (Articles 5.2 and 6.3 of Personal Data Protection Law) or for the purpose of the explicit consent received from the Data Subject (Articles 5.1 and 6.2 of Personal Data Protection Law) and in accordance with the principle of moderation.

5.5. Maintaining Personal Data as Needed and Deleting Them Thereafter

5.5.1. ÖZTÜRE HOLDİNGwill keep Personal Data for as long as is necessary for the purpose herein. If ÖZTÜRE HOLDİNGwishes to retain the Personal Data for a period longer than the period stipulated in the Personal Data Protection Law Regulations or required for the purpose of the Personal Data Processing, ÖZTÜRE HOLDİNGwill comply with the obligations set out in the Personal Data Protection Law Regulations.

5.5.2. After the expiry of the period required for the purpose of Personal Data Processing, Personal Data is Erased, Destroyed or Anonymized. In this case, third parties to whom ÖZTÜRE HOLDİNGtransfers the Personal Data are also ensured to Erase, Destroy or Anonymize the Personal Data.

5.5.3. The Data Controller is responsible for the operation of Erasing, Destroying and Anonymizing Procedures. In this context, the necessary procedures are established by the Data Controller.

  1. PROCESSING PERSONAL DATA

Personal Data may only be processed by ÖZTÜRE HOLDİNGwithin the scope of the following procedures and principles.

6.1. Explicit Consent
6.1.1. Personal Data are processed after the notification to be made within the framework of fulfilling the obligation to disclose to Data Subjects and if the Data Subjects give explicit consent.

6.1.2. Data Subjects are informed of their rights before obtaining explicit consent within the framework of the Disclosure Obligation.

6.1.3. The explicit consent of the Data Subject is obtained by appropriate methods in accordance with the Personal Data Protection Law Regulations. Explicit Consents will be maintained by ÖZTÜRE HOLDİNGfor the time required under the Personal Data Protection Law Regulations in a provable manner.

6.1.4. The Data Controller is responsible for ensuring the fulfilment of the Disclosure Obligation in respect of all Personal Data Processing processes and, if necessary, obtaining and maintaining the explicit consent. All department employees who process Personal Data are liable for complying with the Data Controller instructions, this Policy and the Personal Data Protection Procedures attached to this Policy.

6.2. Processing Personal Data Without Explicit Consent
6.2.1 Where the Processing of Personal Data is foreseen under the Personal Data Protection Law Regulations without explicit consent (Articles 5.2 and 6.3 of the Personal Data Protection Law), ÖZTÜRE HOLDİNGmay process the Personal Data without obtaining the explicit consent of the Data Subject. In the event that Personal Data is processed in this way, ÖZTÜRE HOLDİNGProcesses Personal Data within the limits set by the Personal Data Protection Regulations. Within this scope:

6.2.1.1. Personal Data may be processed by ÖZTÜRE HOLDİNGwithout explicit consent for the protection of the life or body integrity of a person other than the Data Subject and/or the Data Subject for which legal validity has not been recognized for its consent and which is in a position to explain its consent due to the actual impossibility.

6.2.1.2. Personal Data pertaining to the parties of the contract may be processed by ÖZTÜRE HOLDİNGwithout the explicit consent of the Data Subjects, if the conditions are met that it is directly related to establishment, implementation, performance or termination of a contract.

6.2.1.3. If the Processing of Personal Data is compulsory for ÖZTÜRE HOLDİNGto fulfil its legal obligation, Personal Data may be processed by ÖZTÜRE HOLDİNGwithout the explicit consent of the Data Subjects.

6.2.1.4. Personal Data publicized by the Data Subject may be processed by ÖZTÜRE HOLDİNGwithout explicit consent.

6.2.1.5. Personal Data processing without explicit consent is the only possible way for the establishment, use or protection of a right, and Personal Data may be processed by ÖZTÜRE HOLDİNGwithout explicit consent of the Data Controller Representative.

6.2.1.6. It is mandatory to process data for the legitimate interests of ÖZTÜRE HOLDİNG, provided that it does not prejudice the fundamental rights and freedoms of the Data Subject, personal data may be processed by ÖZTÜRE HOLDİNGwithout explicit consent.

VII. PROCESSING SENSITIVE PERSONAL DATA
7.1. Sensitive Personal Data may only be processed if explicit consent of the Data Subject is obtained or if explicit processing is required by law in respect of Sensitive Personal Data other than sexual life and personal health data.

7.2. Personal Data relating to health and sexual life can only be processed without explicit consent for planning and managing the financing and health services and executing protective medicine, medical diagnosis, treatment and care services and protecting public health. Therefore, personal health data and sexual life data can only be processed by the physician of ÖZTÜRE HOLDİNGwho is under the obligation of keeping secrets or within the scope of explicit consent until otherwise stipulated in the Personal Data Protection Law Regulations.

7.3. When Processing Sensitive Personal Data, measures determined by the Board are taken.

7.4. In any case requiring Processing Sensitive Personal Data, the Data Controller Representative is informed by the relevant employee.

7.5. If it is not understandable whether a data is Sensitive Personal Data, an opinion is obtained from the Data Controller Representative by the relevant department.

VIII. ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
8.1. When the legitimate purpose for the Processing of Personal Data vanishes, the relevant Personal Data is Erased, Destroyed or Anonymized. Any cases where Personal Data must be Erased, Destroyed of or Anonymized are monitored by the Data Controller.

8.2. The Data Controller is responsible for the operation of Erasing, Disposing and Anonymizing Procedures. In this context, the necessary procedure is created by the Data Controller.

8.3. ÖZTÜRE HOLDİNGwill not store the Personal Data after the expiry date of the legal periods considering the possibility of future use and will destroy it as specified in the Destruction Procedure.

  1. TRANSFERRING PERSONAL DATA AND PROCESSING PERSONAL DATA BY THIRD PARTIES
    ÖZTÜRE HOLDİNGmay transfer Personal Data to a third natural or legal person (the “Contractor”) in accordance with the Personal Data Protection Law Regulations. In this case, ÖZTÜRE HOLDİNGwill ensure that third parties to whom the Personal Data is transferred comply with this Policy. In this context, necessary protective arrangements are added to the contracts concluded with third parties. The article to be added to the contracts concluded with third parties to which all kinds of Personal Data are transferred will be obtained from the Data Controller Representative. Each employee is obligated to progress the process set forth in this Policy in the event of Personal Data transfer. If the third party to whom personal data is transferred requests a change in the article communicated by the Data Controller Representative, the employee will immediately notify the Data Controller Representative.

9.1. Personal Data Transfer to Third Parties in Turkey
9.1.1. Personal Data may be transferred by ÖZTÜRE HOLDİNGto third parties in Turkey without explicit consent in exceptional cases specified in Article 5.2 and Article 6.3 of Personal Data Protection Law or provided that explicit consent of the Data Subject is obtained in other cases (Article 5.1 and Article 6.2 of Personal Data Protection Law).

9.1.2. Employees of ÖZTÜRE HOLDİNGand Data Controller’s Representative will be severally responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the Personal Data Protection Regulations.

9.2. Transfer to Third Parties within Foreign Borders

9.2.1. Personal Data may be transferred by ÖZTÜRE HOLDİNGto third parties abroad without explicit consent in the exceptional cases set out in Articles 5.2 and 6.3 of the Personal Data Protection Law or provided that explicit consent of the Data Subject is obtained in other cases (Articles 5.1 and 6.2 of the Personal Data Protection Law).

9.2.2. In the event that the Personal Data is transferred without explicit consent in accordance with the Personal Data Protection Law Regulations, the presence of one of the following conditions is required in terms of the foreign country to be transferred separately:

9.2.3. The foreign country in which the personal data is transferred has the status of countries with adequate protection by the Board (please follow the current list of the Board for the list),

9.2.4. If the foreign country to which the transfer will take place is not included in the Council’s list of safe countries, ÖZTÜRE HOLDİNGand the Data Controllers in the relevant country will obtain permission from the Board by making a written commitment to ensure adequate protection.

9.2.5. Employees of ÖZTÜRE HOLDİNGand Data Controller’s Representative will be severally responsible for ensuring that the transfer of Personal Data abroad to third parties complies with the Personal Data Protection Regulations.

X DISCLOSURE OBLIGATION OF THE COMPANY
10.1. ÖZTÜRE HOLDİNGwill make a disclosure to Data Subjects before processing Personal Data in compliance with Article 10 Personal Data Protection Law. In this context, ÖZTÜRE HOLDİNGfulfils the Disclosure Obligation during acquiring the personal data. The notification to be made to Data Subjects under the Disclosure Obligation will include the following elements, respectively:

10.1.1. Identification of Data Controller or its representative, if any,

10.1.2. For what purpose the personal data is to be processed,

10.1.3. To whom and what purpose the processed personal data will be transferred,

10.1.4. Method and legal reason for personal data collection,

10.1.5. Rights of Data Subjects.

10.2. ÖZTÜRE HOLDİNGwill make the required disclosure in cases where Data Subject requests information in compliance with Article 11 of Personal Data Protection Law.

10.3. If requested by Data Subjects, ÖZTÜRE HOLDİNGwill notify the Data Subject of the Personal Data processed by the Data Subject.

10.4. The employee and the Data Controller Representative following the relevant process are severally responsible for ensuring that the necessary Disclosure Obligation is fulfilled before the Processing of Personal Data. In this context, the Personal Data Protection Procedure is established by the Data Controller Representative and the Committee to report each new processing process to the Data Controller Representative.

10.5. In case the Data Processor is a third party other than ÖZTÜRE HOLDİNG, it must be committed by the third party before the start of the Personal Data Processing by a written contract in which the third party will comply with the obligations set out above. In cases where third parties transfer Personal Data to ÖZTÜRE HOLDİNG, the article to be added to the contracts is supplied from the Data Controller Representative. Each employee is obliged to proceed with the process contained in this Policy in case of transfer of Personal Data to ÖZTÜRE HOLDİNGby a third party. If the third party transferring the Personal Data requests changes in the article communicated by the Data Controller Representative, the employee will immediately notify the Data Controller Representative.

  1. RIGHTS OF DATA SUBJECTS
    11.1.ÖZTÜRE HOLDİNGwill respond to the following requests of the Data Subjects to whom it holds Personal Data in accordance with the Personal Data Protection Law Regulations:

11.1.1. Acquiring the information whether or not personal data are processed by ÖZTÜRE HOLDİNG,

11.1.2. Requesting information if their personal data is processed,

11.1.3. Being aware of the purpose of the processing of personal data and whether they are used in accordance with their purpose,

11.1.4. Being aware of the third parties to whom personal data are transferred at home or abroad,

11.1.5. Requesting correction of Personal Data in case of incomplete or incorrect processing by ÖZTÜRE HOLDİNG,

11.1.6. Requesting the deletion, destruction or anonymization of the personal data by ÖZTÜRE HOLDİNGin the event that the reasons requiring processing of the personal data are eliminated for evaluation within the purpose, duration and legitimacy principles,

11.1.7. Requesting notification of the transactions made within the scope of Articles 11.1.5 and 11.1.6 to the third parties to whom the personal data are transferred,

11.1.8. Objecting to this result in the event of a result to the detriment of the Data Subject if the Processed Personal Data is analyzed exclusively through automated systems,

11.1.9. Requesting compensation in case of unlawful processing of Personal Data and consequent loss of Data Subject.
In cases where the Data Subjects wish to exercise their rights and/or ÖZTÜRE HOLDİNGconsiders that they are not acting within the scope of this Policy when processing the Personal Data, they may deliver their requests by hand to the e-mail address of the Data Controller given below and which may change from time to time, either by secure electronic signature or by a wet signed petition identifying them to the postal address below and which may change from time to time, or by notary public.
Data Controller: ÖZTÜRE HOLDİNGÜretim San. Ve Tic. A.Ş.
E-mail: kvk@visnemadencilik.com
Address : Mınak Boğazı Mevkii Çelemli Belgesi Yüreğir Adana Türkiye

11.2. ÖZTÜRE HOLDİNGwill conclude the request free of charge within at the latest thirty days according to the nature of the request if the Data Subjects submit their requests regarding the rights listed above to ÖZTÜRE HOLDİNGin writing. In case of a separate cost related to the finalization of the claims by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller. The Data Controller accepts or rejects the request by explaining the reason and notifies in writing or electronically to the relevant person. If the request included in the application is accepted, it will be duly fulfilled by the Data Controller. In case the application is caused by the error of the Data Controller, the fee collected will be returned to the data subject.

XII. DATA MANAGEMENT AND SECURITY
12.1. ÖZTÜRE HOLDİNG appoints a Data Controller Representative to fulfil its obligations under the Personal Data Protection Law Regulations, to ensure and supervise the implementation of the Personal Data Protection Law Procedures required for the implementation of this Policy, and to make suggestions for their functioning and to form a Committee.

12.2. All employees involved in the process of protecting Personal Data in accordance with this Policy and Personal Data Protection Procedures are severally responsible.

12.3. Personal Data Processing activities are audited by ÖZTÜRE HOLDİNGwith technical systems according to technological facilities and application cost.

12.4. Knowledgeable personnel are employed in technical matters related to Personal Data Processing activities.

12.5. ÖZTÜRE HOLDİNGis informed and trained for the protection and lawful processing of Personal Data.

12.6. In order to ensure that the employees who need to access the Personal Data in ÖZTÜRE HOLDİNGhave access to the said Personal Data, the necessary Personal Data Protection Procedure is established and the Data Controller Representative and the Committee are jointly and severally responsible for its creation and implementation.

12.7. Employees of ÖZTÜRE HOLDİNGmay access Personal Data only within the scope of the authority defined for them and in accordance with the relevant Personal Data Protection Law Procedure. Any access and processing performed by the employee in excess of his/her authority is against the law and is a valid reason for termination of the employment contract.

12.8. If ÖZTÜRE HOLDİNGsuspects that the security of the Personal Data is not adequately ensured or detects such a vulnerability, he/she will immediately notify the Data Controller Representative.

12.9. Detailed Personal Data Protection Procedure for the security of Personal Data is established by the Data Controller Representative and the Committee.

12.10. Each person assigned ÖZTÜRE HOLDİNGdevice is responsible for the safety of the devices allocated for his/her own use.

12.11. Each employee or person working within ÖZTÜRE HOLDİNGis responsible for the security of the physical files in his/her area of responsibility.

12.12. In case of security measures requested or to be requested additionally for the security of Personal Data within the scope of the Personal Data Protection Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.

12.13. Software and hardware containing virus protection systems and firewalls are installed in compliance with technological improvements for storing Personal Data in secure environments in ÖZTÜRE HOLDİNG.

12.14. Backup programs are used in order to prevent the loss or damage of Personal Data in ÖZTÜRE HOLDİNGand adequate safety measures are taken.

12.15. Documents containing Personal Data in ÖZTÜRE HOLDİNGare protected by encrypted (encrypted) systems in the server environment on the site where ÖZTÜRE HOLDİNGA.Ş. factory is located. Within this scope, Personal Data is not stored in common areas and on desktop. Documents such as files and folders containing Personal Data etc. will not be moved to desktop or common folder, information on computers of ÖZTÜRE HOLDİNGmay not be transferred to another device such as USB etc. without the prior written consent of the Data Controller Representative, and may not be taken out of ÖZTÜRE HOLDİNG.

12.16. The Committee, together with the Board of Directors, is obliged to take technical and administrative measures for the protection of all Personal Data in ÖZTÜRE HOLDİNG, to continuously follow the developments and administrative activities and to prepare the necessary Personal Data Protection Procedures and submit them to the approval of the Board of Directors, to announce them within ÖZTÜRE HOLDİNGafter approval and to ensure that they are complied with and to supervise them. Within this scope, the Committee and Data Controller Representative organize the necessary trainings to increase the awareness of the employees.

12.17. If a department within ÖZTÜRE HOLDİNGProcesses Sensitive Personal Data, that department will be informed by the Committee of the importance, security and confidentiality of the Personal Data they process and the relevant department will act in accordance with the instructions of the Committee. Access to Sensitive Personal Data is granted only to limited employees and is listed and monitored by the Committee.

12.18. All Personal Data processed within ÖZTÜRE HOLDİNGwill be accepted as “Confidential Information” by ÖZTÜRE HOLDİNG.

12.19. Employees of ÖZTÜRE HOLDİNGhave been informed that their obligations regarding the security and confidentiality of Personal Data would continue even after the termination of the business relationship and ÖZTÜRE HOLDİNGemployees have been obliged to comply with these guidelines.

XIII. TRAINING
13.1. ÖZTÜRE HOLDİNGwill provide its employees with the necessary training sessions within the scope of the Policy on the Protection of Personal Data and the Personal Data Protection Procedures and the Personal Data Protection Law Regulations contained in its annex.

13.2. Applications for the definition and protection of Sensitive Personal Data in Training Sessions are specifically mentioned.

13.3. If employee of ÖZTÜRE HOLDİNGaccesses Personal Data physically or in a computer environment, ÖZTÜRE HOLDİNGprovides training to the relevant employee on these accesses (e.g. the accessed computer program).

XIV. AUDIT
ÖZTÜRE HOLDİNGwill have the right to inspect the compliance of all employees, departments and contractors of ÖZTÜRE HOLDİNGwith this Policy and Personal Data Protection Regulations at all times and without any prior notice on a regular basis and will carry out the necessary routine inspections within this context. The Committee and the Data Controller’s Representative will establish the Personal Data Protection Procedure for these audits, submit it to the approval of the Board of Directors and ensure the implementation of the said procedure.

  1. BREACHES
    15.1.Each employee of ÖZTÜRE HOLDİNGreports to the Committee any work, transaction or action that he/she considers contrary to the principles and procedures specified in the Personal Data Protection Regulations and this Policy. In this context, the Committee will establish an action plan in accordance with this Policy and Personal Data Protection Procedures for the relevant violation.

15.2. As a result of the notifications made, the Committee prepares the notification to be made to the Data Subject or Institution regarding the violation taking into account the provisions of the legislation in force on the subject, especially the Personal Data Protection Regulations. The Data Controller Representative conducts correspondence and communication with the Institution.

XVI. RESPONSIBILITIES
Responsibilities within ÖZTÜRE HOLDİNGare respectively employee, department, Data Controller Representative. In this context,

16.1. The Representative of the Committee and Data Controller responsible for the implementation of the policy will be appointed by the Board of Directors of ÖZTÜRE HOLDİNGwith the decision of the Board of Directors and the amendments in this context will be made in the same way.

XVII. AMENDMENTS IN THE POLICY

17.1. This Policy may be amended by ÖZTÜRE HOLDİNGwith the approval of the Board of Directors from time to time.
17.2. ÖZTÜRE HOLDİNGshares the updated Policy text with its employees via e-mail so that the changes made to the Policy can be exchanged or makes it available to the employees and Data Subjects via the following web address.
Related website: www.ozture.com

XVIII. EFFECTIVE DATE OF THE POLICY
This version of this Policy has been approved and entered into force by the General Directorate of ÖZTÜRE HOLDİNGon 30.09.2019