
Personal Data Processing and Protection Policy

ARTICLE – INTRODUCTION

Introduction

The Personal Data Protection Law No. 6698 (the “Law”) imposes significant obligations on data processors to protect individuals’ fundamental rights and freedoms, particularly the right to privacy, in the context of personal data processing. Ekmob Mobil İş Sistemleri ve Teknolojileri Anonim Şirketi (the “Company”), headquartered at Çifte Havuzlar Mahallesi Eski Londra Asfaltı Caddesi Kuluçka Merkezi B1 Blok Apartment No.151/1d/106 Esenler, Istanbul, has adopted a meticulous and sensitive approach to fulfill these obligations and ensure that its personal data processing practices comply with the Law and related regulations. This Personal Data Processing and Protection Policy (the “Policy”) establishes the Company’s data processing procedures based on the provisions of the Law and relevant legislation.

Purpose and Scope

Purpose

This Policy has been prepared to:

  • Inform individuals, including employees, whose personal data is processed within the Company’s activities,
  • Provide a detailed guide on the adopted processes, principles, and practices, and
  • Share the applications developed and implemented by the Company to fulfill its obligations under the Law and related regulations.

Scope

The groups of individuals whose data is subject to this Policy are detailed below. The personal data of these groups, such as employees, employee candidates, family members of employees, supplier representatives, customers, and visitors, is processed and protected in accordance with the provisions of this Policy, either automatically or through non-automatic methods as part of a data recording system.

Data Subject Group | Description
Employee | Refers to individuals engaged in an employment relationship with the Company.
Employee Candidate | Refers to individuals being evaluated by the Company for potential employment.
Employee Family Member | Refers to family members of employees, such as spouses and children.
Customer | Refers to individuals who are considered customers of the Company through verbal or written agreements or those evaluated as prospective customers by Company departments.
Customer Representative | Refers to individuals employed by legal entities considered customers of the Company.
Supplier Representative | Refers to individuals or representatives of legal entities from whom the Company procures products or services.
Visitors | Refers to individuals visiting Company premises or its corporate website.
Third Parties | Refers to individuals whose personal data is processed but not categorized separately under this Policy.

Policy and Applicable Legislation

This Policy aims to systematically fulfill the obligations related to personal data processing under the Law and relevant legislation. The Company prioritizes compliance with the Law to protect the right to personal data protection as enshrined in the Turkish Constitution. In the event of a conflict between the provisions of this Policy and applicable legislation, the Company will comply with the latter.

Effectiveness and Amendments

This Policy has been prepared with the diligent efforts and leadership of the Company’s Personal Data Protection Committee and was approved by the authorized body on {■} before coming into force.

The Policy will be reviewed every six months by the Personal Data Protection Committee, and necessary updates will be made to align with current regulations. These updates will be published on the Company’s website upon approval by the authorized body. Upon request, relevant individuals may access the updated Policy through various channels within the limits of legislation and at the Company’s discretion.


ARTICLE – DEFINITIONS

Term | Definition
Recipient Group | Categories of individuals or entities to whom personal data is transferred by the data controller.
Data Subject | Refers to the individual whose personal data is being processed.
Personal Data | Any information relating to an identified or identifiable natural person.
Processing of Personal Data | Any operation performed on personal data, such as collection, recording, storage, alteration, or transfer.
Special Categories of Personal Data | Sensitive information such as race, ethnicity, political opinion, religious beliefs, health, or biometric data.
Data Category | A classification of personal data based on shared characteristics.
Data Subject Group | Categories of individuals whose personal data is processed by the data controller.
Board | Refers to the Personal Data Protection Board.
Request Management Procedure | A procedural guide detailing how the data subject can exercise their rights and how the Company responds to such requests.
Data Controller | The entity responsible for determining the purposes and means of personal data processing and managing the data recording system.
Website | The Company’s corporate and e-commerce website used for its online activities.

ARTICLE – PERSONAL DATA PROCESSING

The Company designs its personal data processing activities from the moment of initial contact with personal data to its destruction in compliance with the provisions of the Law. One of the primary objectives of this Policy is to provide transparency regarding the Company’s personal data processing and protection principles.

The methodology adopted by the Policy is based on allowing the data subject to “track the journey of their personal data within the Company from start to finish.” Accordingly, this article answers the following questions:

  • What categories of personal data does the Company process?
  • What special categories of personal data does the Company process?
  • How does the Company structure its processes for informing data subjects and obtaining their explicit consent?
  • What are the conditions under which the Company processes personal data without explicit consent?
  • What principles does the Company adhere to when processing personal data?
  • What are the purposes of personal data processing?
  • Where does the Company store personal data?
  • To which recipient groups does the Company transfer personal data domestically and internationally?
  • What is the Company’s retention and destruction policy for personal data?

Security of Physical Space

Personal data such as information gathered through the use of cameras, guest entry logs, and records of access to company premises, processed automatically or via non-automated methods as part of a data recording system, belonging to identifiable individuals, fall under this category.

Financial
Data such as salary, bank account details, payment information, and income tax declarations of individuals, processed automatically or via non-automated methods as part of a data recording system.

Visual and Audio Records
Photographs, video recordings, and voice recordings of identifiable individuals, processed automatically or via non-automated methods as part of a data recording system.

Sensitive Personal Data
Special categories of personal data, as defined by the Law, including data related to race, ethnicity, political opinions, philosophical beliefs, religion, sect, union membership, health, sexual life, criminal convictions, security measures, and biometric and genetic data.

Other
Personal data falling outside the aforementioned categories that are processed automatically or via non-automated methods as part of a data recording system and pertain to identifiable individuals.

PRINCIPLES FOR PROCESSING PERSONAL DATA

While processing personal data, the Company adheres to the following principles established by the Law:

  1. Lawfulness and Fairness: Personal data is processed in a lawful and fair manner.
  2. Accuracy and Up-to-Dateness: Necessary measures are taken to ensure that personal data is accurate and up-to-date.
  3. Purpose Limitation: Data is processed for specific, explicit, and legitimate purposes.
  4. Data Minimization: Data processing is limited to what is necessary for the purposes.
  5. Retention Period: Data is stored for the duration required by law or for the purposes of processing.

PURPOSES FOR PROCESSING PERSONAL DATA

The Company processes personal data for the following purposes, in compliance with the Law and related regulations:

  • To fulfill legal and contractual obligations.
  • To manage employee relationships and human resources.
  • To ensure the security of company premises and systems.
  • To provide customer service and support.
  • To carry out financial transactions and accounting processes.
  • To conduct marketing and communication activities.

DISCLOSURE AND CONSENT PROCEDURES

Informing the Data Subject: The Company informs individuals about the purposes, methods, legal grounds, and rights concerning their data processing activities before or during the collection of personal data.

Obtaining Explicit Consent: Where necessary, the Company obtains explicit consent from the individual before processing their data. In cases where consent is not required by law, the data is processed under the conditions outlined in the Law.

DATA STORAGE AND TRANSFER

Storage Locations: Personal data is securely stored in both physical and digital environments. Appropriate measures are taken to protect the data against unauthorized access, loss, or damage.

Data Transfers: The Company may transfer personal data to authorized entities within Turkey or abroad, subject to the principles and conditions stated in the Law.

RETENTION AND DESTRUCTION POLICY

The Company retains personal data only for the period necessary to fulfill the purposes of processing, as required by law. After this period, personal data is securely destroyed through methods such as deletion, shredding, or anonymization.

FINAL PROVISIONS

Compliance Monitoring and Updates: The Personal Data Protection Commission conducts regular reviews of this Policy every six months. Necessary updates are made to ensure alignment with current legal requirements and business needs.

Effective Date and Publication: This Policy was approved by the Company’s authorized body and came into effect on {■}. Updates and changes will be announced on the Company’s Website or other appropriate channels.

For further inquiries or to request access to personal data processed by the Company, please contact the Personal Data Protection Commission.

The Purposes of Personal Data Processing by the Company

In line with the principles outlined in Article 4 of the Law and the conditions stipulated in Articles 5 and 6, the Company processes personal data for the following purposes:

  • Ensuring compliance with legal regulations or fulfilling mandatory legal obligations,
  • Processing personal data directly related to the establishment and performance of contracts,
  • Retaining personal data for establishing, exercising, or protecting legal rights,
  • Conducting necessary statistical studies and legal reporting on matters such as sales performance evaluations,
  • Retaining personal data for the Company’s legitimate interests without harming individuals’ fundamental rights and freedoms,
  • Managing human resources processes and ensuring communication with individuals or entities with business relationships,
  • Retaining personal data to fulfill any legal obligations of the Company or when explicitly stipulated by legislation,
  • Ensuring the security of the Company,
  • Obtaining explicit consent from data subjects for data retention activities that require it,
  • Acting as evidence in future legal disputes due to the obligation of proof,
  • Managing emergency response processes,
  • Managing information security processes,
  • Conducting recruitment, internship, and student placement processes,
  • Managing job application processes for candidates,
  • Ensuring employee satisfaction and engagement,
  • Fulfilling employment contracts and obligations arising from legislation for employees,
  • Managing employee benefits and side benefits,
  • Conducting audit and ethical activities,
  • Organizing training activities,
  • Managing access permissions,
  • Ensuring compliance with regulations in operations,
  • Managing financial and accounting tasks,
  • Managing loyalty processes related to products and services,
  • Ensuring physical space security,
  • Managing task assignment processes,
  • Managing legal affairs,
  • Conducting internal audits, investigations, and intelligence activities,
  • Conducting communication activities,
  • Planning human resources processes,
  • Managing and monitoring business activities,
  • Managing occupational health and safety activities,
  • Receiving and evaluating suggestions to improve business processes,
  • Ensuring business continuity,
  • Managing logistics processes,
  • Managing procurement processes,
  • Providing after-sales support for goods and services,
  • Managing sales processes for goods and services,
  • Managing production and operational processes for goods and services,
  • Managing customer relationship processes,
  • Conducting customer satisfaction activities,
  • Organizing events and activities,
  • Conducting marketing analysis studies,
  • Managing performance evaluation processes,
  • Managing advertising, campaign, and promotional activities,
  • Managing risk management processes,
  • Managing data storage and archiving activities,
  • Managing contract processes,
  • Managing sponsorship activities,
  • Conducting strategic planning activities,
  • Monitoring and managing requests and complaints,
  • Ensuring the security of movable property and resources,
  • Managing supply chain processes,
  • Managing compensation policies,
  • Conducting marketing processes for products and services,
  • Ensuring the security of data controller operations,
  • Managing work and residency permits for foreign personnel,
  • Managing investment processes,
  • Conducting talent/career development activities,
  • Providing information to authorized individuals, institutions, and organizations,
  • Managing administrative activities,
  • Creating and tracking visitor records.

Environments Where Personal Data is Recorded and Stored

Personal data processed wholly or partially by automated means or as part of a data recording system through non-automated methods are stored in various environments based on the data’s nature, processing purposes, and frequency of use. The Company securely retains personal data in compliance with relevant legislation and international data security principles in both electronic and physical environments.

Electronic environments include:

  • Software, cloud systems, centralized servers, portable media, and databases.

Physical environments include:

  • Locked or unlocked cabinets, archives, paper files, network devices, flash-based media, magnetic tapes, disks, mobile phones, optical disks, printers, and access/security systems.

The Company processes and stores personal data securely in accordance with legal retention periods and the principles set forth in this Policy and the Law.


Transfer of Personal Data

The Company may transfer personal data domestically and internationally to specific recipient groups for purposes defined under the Law and within the boundaries of the adopted principles.

Domestic Transfer of Personal Data

The Company complies with the following conditions when transferring personal data within the country:

  1. If the data subject provides explicit consent, the transfer is permitted.
  2. Without explicit consent, if legal regulations explicitly require the transfer, it is permissible.
  3. In cases where the data subject cannot give consent due to physical or legal incapacity, personal data may be transferred to third parties to protect the data subject’s or another person’s life or physical integrity.
  4. If the transfer is necessary for the establishment or performance of a contract directly concerning the parties, personal data can be shared with third parties.
  5. Personal data may be transferred to third parties if necessary to fulfill the Company’s legal obligations.
  6. If the personal data has been made public by the data subject, it may be transferred to third parties within the scope of its publication purpose.
  7. If the transfer is necessary for establishing, exercising, or protecting a legal right, personal data can be shared.
  8. Personal data may be transferred to third parties to protect the Company’s legitimate interests, provided it does not harm the data subject’s fundamental rights and freedoms.

International Transfer of Personal Data

The Company transfers personal data abroad under the following conditions:

  1. With explicit consent: If the data subject gives explicit consent, the transfer is permitted.
  2. Without explicit consent: Personal data may be transferred abroad if:
    • The destination country is declared to provide adequate protection by the Personal Data Protection Board (the “Board”), or
    • Where the destination country does not provide adequate protection, a written commitment ensuring protection is obtained from the foreign data controllers, and permission is granted by the Board.

Transfers without explicit consent must meet one or more of the following conditions:

  • The transfer is explicitly required by law,
  • The transfer is necessary to protect the life or physical integrity of the data subject or another person where the data subject cannot provide consent,
  • The transfer is necessary for establishing or performing a contract directly related to the data subject,
  • The transfer is necessary to fulfill the Company’s legal obligations,
  • The personal data has been made public by the data subject,
  • The transfer is necessary for establishing, exercising, or protecting a legal right,
  • The transfer is necessary to protect the legitimate interests of the Company without infringing the data subject’s fundamental rights and freedoms.

Sensitive Personal Data:
The Company may transfer sensitive personal data abroad with explicit consent from the data subject and by implementing administrative and technical measures under the principles in this Policy and the special precautions determined by the Board. Transfers without explicit consent require compliance with the following conditions:

  • For sensitive personal data excluding health and sexual life, processing is permitted if explicitly required by law.
  • For data concerning health and sexual life, processing is permitted for protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and for the management and financing of health services.

within that scope, where it is processed by persons under a confidentiality obligation or by authorized institutions and organizations, sensitive personal data concerning health and sexual life may be transferred abroad without the data subject’s explicit consent.

Conditions for the Company to Transfer Data Abroad Without Explicit Consent:

  1. Explicit Provision in Legislation: If the relevant legislation permits the transfer of personal data abroad, the transfer may be made.
  2. Vital Circumstances: The transfer may be made where it is necessary to protect the life or physical integrity of the data subject or another person and the data subject is unable to express consent.
  3. Necessity for a Contract: Personal data belonging to the parties to a contract may be transferred abroad, provided that the transfer is directly related to the establishment or performance of the contract.
  4. Fulfillment of Legal Obligations: The transfer may be made where it is necessary for the Company to fulfill a legal obligation.
  5. Data Made Public: Personal data made public by the data subject may be transferred, limited to the purpose of its publication.
  6. Establishment or Protection of a Right: Personal data may be transferred abroad where it is necessary for establishing, exercising, or protecting a right.
  7. Legitimate Interests: Personal data may be transferred abroad to protect the Company’s legitimate interests, provided that this does not harm the data subject’s fundamental rights and freedoms.

Processing and Transfer of Sensitive Personal Data

The Company is obliged to take the security measures specified in the relevant laws and regulations for the processing and transfer of sensitive personal data. The Company may process sensitive personal data or transfer it abroad without the explicit consent of the data subjects only in the following cases:

  • Data Other Than Health and Sexual Life: Where explicitly provided for by law, it may be processed or transferred without the data subject’s explicit consent.
  • Data Concerning Health and Sexual Life: It may be processed and transferred by persons under a confidentiality obligation or by authorized institutions for purposes such as protecting public health, carrying out medical diagnosis, treatment, and care services, and planning and managing the financing of health services.

Protection and Security of Personal Data

The Company implements the necessary administrative and technical measures, within the framework of international standards, in processing and protecting personal data. Personal data is kept accessible only to authorized persons and is regularly audited against data security breaches. The Company carries out its data processing activities in line with the principle of transparency and fulfills its obligation to inform data subjects.
