AIM

As HİBSAN; We aim to define, implement and maintain the personal data processing processes for the reduction of personal data we obtain while performing our activities and the protection of the data we have to process.

We undertake to maintain the confidentiality of non-public personal/private personal data obtained while carrying out our activities, and to comply with the legislation in force when processing this data. We fulfill this commitment by establishing the necessary management system, performing / having audits, process management and risk analysis studies.

The Law on the Protection of Personal Data (KVK Law) was adopted by the Turkish Grand National Assembly on 24.03.2016 and entered into force after being published in the Official Gazette dated 07.04.2016 and numbered 29677. The purpose of this law; to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.

SCOPE

This Procedure; automatically or by non-automatic means, provided that they are part of any data recording system; It has been prepared for other third parties whose personal data are processed by our organization, especially employees, employee candidates, customers, suppliers, visitors and will be implemented within the scope of these specified persons. This procedure will in no way apply to legal entities and legal entity data.

DEFINITIONS AND ABBREVIATIONS

General Principles in the Processing of Personal Data

Personal data is only processed in accordance with the procedures and principles stipulated in the law and other laws. The following principles are followed in the processing of personal data:

• Compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Processing for specific, explicit and legitimate purposes,
• Being connected, limited and restrained with the purpose for which they are processed,
• To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

These data are defined on VERBIS through the HR-FR-18 Personal Data Inventory.

Personal Data Processing Conditions

Processing of Personal Data

As a rule, our organization does not process personal data without the explicit consent of the person concerned, pursuant to article 5/1 of the KVK Law. Exceptions to the processing of personal data without the explicit consent of the person concerned are detailed in article 5/2 of the KVK Law. Our organization collects and processes personal data in accordance with the conditions of the relevant law.

Personal data is processed after being informed in accordance with the legislation and policy for the collection and/or processing of the Data of the Relevant Person and after giving express consent in written or electronic environment with free will. In case of processing personal health data, express consent must be obtained in writing. Explicit consent statements received are documented and stored in physical or electronic media. Two different explicit consent statements (İK-FR-06 Employee Explicit Consent Statement – Female, İK-FR-07 Employee Explicit Consent Statement – Male, İK-FR-11 Employee Candidate Explicit Consent Statement) are defined in the system as employee and employee candidate.

Personal data may be processed without the consent of the person concerned in the presence of the following conditions listed in the KVK Law:

• clearly stipulated in the law,
• It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity,
• Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation.
• The person concerned has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Employees are signed by using the document “İK-FR-08 KVK Law Personnel Undertaking” within the scope of KVV Law.

Processing of Private Personal Data

Special categories of personal data can only be processed if the data subject has the explicit consent of the data subject or in cases expressly stipulated by the law, excluding data related to health and sexual life (for example, in cases listed in article 5.2.1 above). Personal data related to health and sexual life can only be processed without the explicit consent of the person concerned, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. In the processing of special quality personal data, the decisions of the “Personal Data Protection Board” are followed.

It is prohibited to process sensitive personal data without the explicit consent of the person concerned. Exceptions to the processing of personal data without the explicit consent of the person concerned are detailed in article 6/3 of the KVK Law. Persons who process sensitive data are informed in this context and “İK-FR-09 Confidentiality Personnel Commitment for Private Data” is signed. For example; Human resources process workers, project managers, HSE-Q process workers, workplace physician, occupational safety specialist, etc.

Transfer of Personal Data

Personal data can only be transferred to third parties in Turkey if the data subject has explicit consent to data transfer or if there is one of the situations where the explicit consent specified in the KVK Law is not sought. In addition to these conditions;

• The foreign country to which the personal data is transferred provides an adequate level of protection; or
• In case of lack of adequate protection in the relevant foreign country, HİBSAN and the data controllers in the relevant foreign country undertake in writing that adequate protection is provided and the Board has permission,

conditions must exist.

Collection of Personal Data

Personal Data automatically or non-automatically, provided that it is part of a recording system; If you show a reference person through your internet access within our organization, through your identity document, through your license plate information, through the cameras in our buildings, by obtaining information from these people for the legitimate interest of our organization, your corporate e-mail address or the e-mail you send to the e-mails of our employees. It is collected by mail and other technical and other methods, in various ways such as our website, electronically, in writing or verbally, in order to fulfill the responsibilities arising from the law in a complete and correct manner within the framework of legal reasons based on legislation, contract, request and request for the realization of the defined purposes. Personal data is processed by our organization or data processors appointed by our organization.

Disposal and Anonymization of Personal Data

Personal data is stored for the maximum retention period in accordance with the purposes of processing; this period may be kept longer in order to comply with the obligations set forth in the legislation or to protect legitimate business interests.

Personal data that is not needed after the legal, administrative or commercial periods expire will be deleted, anonymized or destroyed in accordance with the legislation and the relevant procedure. With the deletion of personal data, this data is destroyed in a way that it cannot be used again in any way and cannot be restored. By anonymizing data, it is meant that personal data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.

Our organization is responsible for the destruction of all data in accordance with the legislation, in the event that the purpose of collection of this data ceases and the legal retention periods expire regarding the personal data contained in the physical and electronic data recording systems. Documents found as paper will be shredded so that they cannot be read when destroyed.

All transactions regarding the deletion, destruction and anonymization of personal data will be recorded and these records will be kept for at least three (3) years, excluding other legal obligations.

Taking Measures for the Protection of Personal Data

Our organization takes technical and administrative measures to ensure that personal data is processed in accordance with the law. These measures are defined in the İK-TL-01 Personal Data Security Instruction. The control of compliance with these measures is carried out according to the criteria defined in the İK-FR-17 KVK Internal Audit Report. These reports are submitted to senior management evaluation.

Access method for access to Personal Data is defined and access is granted with appropriate approvals. Accesses are reviewed at least once a year and more frequently according to the criticality of the data, and authorizations are regulated. In case of a change of duty or dismissal of authorized personnel, access is immediately removed. In this context, HR-FR-18 Authorization Matrix has been prepared and updated when necessary.

Our organization is subject to the 12th article of the KVK Law. In the event that the personal data processed in accordance with the article is obtained by others illegally, it will notify the Related Person and the Personal Data Protection Board as soon as possible. If deemed necessary by the Personal Data Protection Board, this may be announced on the website of the Personal Data Protection Authority or by any other method.

Rights and Obligations of Related Parties

Rights of the Relevant Person

Natural persons whose personal data are collected or processed by HİBSAN have the right to apply to the data controller in accordance with the KVK Law.

The rights of the Relevant Person whose personal data are processed in accordance with Article 11 of the Law are defined below;

• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
• Knowing the third parties to whom personal data is transferred at home or abroad,
• Requesting correction of personal data if it is incomplete or incorrectly processed,
• 7 of the Law. Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in the article,
• 11 of the Law. of the item (d) and (e) Requesting the notification of the transactions made in accordance with the subparagraphs to the third parties to whom the personal data has been transferred,
• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• To request the compensation of the damage in case of loss due to unlawful processing of Personal Data.

The person concerned may use the right to apply and direct the requests listed below to HİBSAN or its representatives in writing or via e-mail, in line with the contact information given in the last part of this procedure.

In the İK-FR-19 Data Subject Application Form, the subjects of application, situations outside the scope of the right to apply, application procedure, processing of personal data related to the application, response to the application and filing a complaint with the Board are defined.

Obligations of the Data Controller

Lighting Obligation

Our organization will make an informative, clear and understandable notification to the relevant persons about the process of processing personal data and the purposes of data processing during the acquisition of personal data; will ensure that these persons are informed of their rights regarding their personal data and that they have reasonable access to their personal data processed by us. The notification to be made to the relevant persons includes at least the following elements:

• Identity of the data controller or its representative, if any,
• Purpose, method and legal reason for data processing,
• To whom and for what purpose personal data can be transferred,
• Legal rights of the persons concerned

In this context; Five different lighting texts were prepared: employee, employee candidate, supplier, customer and visitor.

• İK-FR-05 Employee Illumination Text
• İK-FR-10 Employee Candidate Disclosure Text
• İK-FR-13 Visitor Illumination Text
• İK-FR-14 Supplier Clarification Text
• İK-FR-15 Customer Disclosure Text

When the applications of the employee candidates are received negatively, a text is prepared for the return to the parties and recorded as the Employee Candidate Return Text in accordance with the HR-FR-12 Personal Data Protection Legislation.

Obligations Regarding Data Security

Our organization within the scope determined in the relevant legislation;

• Unlawful processing of personal data
• To prevent unlawful access to personal data
• It takes the necessary technical and administrative measures to ensure the appropriate level of security in order to protect personal data against misuse, disclosure, alteration and destruction.

Our organization takes the necessary measures to ensure personal data security. These measures are defined in the İK-TL-01 Personal Data Security Instruction. Detailed administrative and technical measures are defined in the HR-FR-17 Protection of Personal Data Internal Audit Report.

Personal data collected and/or processed by our organization within the framework of its activities;

• Keeps it confidential in accordance with the provisions of the KVK Law and the policy,
• It cannot be used for purposes other than processing,
• Prohibits all kinds of data processing activities of its employees who are not involved in the processing of personal data due to their duties,
• It allows its employees to access personal data to the extent appropriate to the limits of their duties.

In case the processed personal data is obtained by others illegally, our organization will notify the relevant person and the Board as soon as possible.

Information Studies

The relevant parties of our organization within the scope of the KVK Law; procedure, instruction, lighting texts, undertaking etc. information with documents. Employees are also informed by periodically organized training activities. These information activities are recorded with the method defined in the Human Resources Management Procedure.

Relevant notifications include e-mail signature, call center records, contract attachments, etc. ways as well. The notifications to be made in this context are defined by the İK-TL-02 Instruction on the Protection of Personal Data on the Issues to be Added to the System.

Registration in the Data Controllers Registry

According to the Regulation on the HİBSAN Data Controllers Registry, it fulfills the relevant obligation to be fulfilled in accordance with the regulation by registering with the data controllers registry to be established by the Presidency of the Personal Data Protection Authority. In this context, the following information will be made available to the public:

• Name, address and KEP address of Data Controller, if any, Data Controller representative and contact person,
• For what purposes personal data can be processed,
• The personal data subject group and groups and the data categories of these persons,
• Recipient and recipient groups to whom personal data can be transferred,
• Personal data intended to be transferred to foreign countries,
• The date of registration in the registry and the date of the end of the registration,
• Measures taken regarding personal data security,
• The maximum period required for the purpose for which personal data is processed.

Duplication and Distribution of Personal Data

Encryption will be made in the folder (electronic media) where the personal data is located or the files used in the transfer of personal data. Personal data transferred in portable memory, CD, DVD media will be encrypted and transferred.

Rooms and cabinets with personal information will be kept locked. Only authorized employees can access this information.

Audit

The studies and practices carried out within the scope of the Personal Data Protection Law are carried out at least once every six months and as often as requested by the senior management. Audits are carried out by the parties assigned by the top management The results are recorded with the İK-FR-17 Protection of Personal Data Internal Audit Report.