DATA POLICY

1- Purpose

This data processing and protection policy (“Policy”) regulates the principles that our company operating in the field of [brokering services] has determined to ensure compliance with the applicable legislation on the processing of personal data and the protection and destruction of this data.

2- Definitions

Capitalized terms used in this Policy that are not defined in the Policy will have the meanings ascribed to them below.

3- Scope

The Company undertakes to comply with the confidentiality and security requirements for Personal Data existing under the Law; therefore, the Company has adopted this Policy in order to establish the principles, policies and procedures regarding the protection and processing of Personal Data.

This Policy applies to Personal Data collected and processed by the Company and to all full-time and part-time employees, subcontractors and employees of the Company's Affiliates who have access to, provide information to or receive Personal Data from the Company. It also applies to joint venture employees and to all suppliers and vendors. In addition, all provisions contained in this Policy are subject to the Law and Secondary Legislation. In cases where the provisions of this Policy conflict with the provisions of the Law, the provisions of the Law shall be taken as basis and applied.

4- Fundamentals

4.1 Principles to be Followed in the Processing of Personal Data

4.1.1 Personal Data is Processed Only in accordance with the Law and Integrity Rules.

The Company acts in accordance with the law and the rule of honesty in the processing of Personal Data. In this context, the Company processes Personal Data in accordance with the rules introduced by the Law. In addition, the Company follows the Secondary Legislation to be published by the Board from time to time and the regulations to be introduced on data processing activities and, if necessary, reorganizes and improves its practices within the framework of these legal regulations.

4.2.2 Personal Data Must Be Accurate and Up-to-Date When Necessary.

The Company takes the necessary measures to ensure that the Personal Data it processes are accurate and up-to-date when necessary.

4.2.3 Personal Data Must Be Processed for Specific, Explicit and Legitimate Purposes.

The company clearly and precisely determines the purpose of data processing and processes Personal Data only for legitimate purposes. What is meant by this is that the data processed by the Company is related to and necessary for the work it has done or the service it has provided.

The Company clearly announces these purposes to the Data Owners before their Personal Data is obtained.

In the event that the Company's Personal Data processing purposes change, this Policy will be updated to the extent necessary. In addition, efforts will be made to announce changes in data processing purposes to Data Owners through different channels as much as possible.

4.2.5 Personal Data Should Be Retained For The Period Envisaged In The Relevant Legislation Or Required For The Purpose For Which They Are Processed.

The Company retains Personal Data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, if a period is stipulated in the relevant legislation for the storage of Personal Data, the Company keeps the Personal Data limited to these periods.

However, the Company takes as a basis the maximum retention periods determined by the Company for the protection of data in a way that will not cause loss of rights of its employees and customers, especially taking into account the statute of limitations, where Personal Data may need to be protected subject to different legislation. If a period is not determined in the legislation or there is no legal reason to keep the data for a longer period, the Company keeps the Personal Data as determined by it for the maximum period necessary for the purpose for which it was processed.

In addition to these, the Company complies with the rules and procedures stipulated in the Company's Disposal Policy regarding data protection.

4.3 Processing Conditions

4.3.1 Processing of Personal Data

Personal Data is processed by the Company based on one or more of the legal processing conditions of Personal Data specified in the Law. Our company processes Personal Data in accordance with the regulations introduced in the Law.

In this context:

4.3.1.1 Personal Data can be processed with the Explicit Consent of the Data Owner.

4.3.1.2 In the presence of one of the following conditions, it is possible to process the Personal Data without seeking the Explicit Consent of the Data Owner.

Expressly provided for in laws;

  1. It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to de facto impossibility, or whose consent is not given legal validity;
  2. It is necessary to process the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract;
  3. It is mandatory for the Data Controller to fulfill his legal obligation;
  4. It has been made public by the Data Owner himself;
  5. Data processing is mandatory for the establishment, exercise or protection of a right;
  6. Data processing is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Owner.

4.3.2. Data Protection Commission

Within the framework of the Company's compliance program, it has been decided that the personal data processing activities will be carried out and supervised by the Data Protection Commission composed of [Evrim Özkoç and Baran Utku Akarsu].

It is administered by the Data Protection Commission [Evrim Özkoç and Baran Utku Akarsu]. The duties of the Data Protection Commission are as follows:

  1. To determine the procedures and standard contractual provisions necessary for vendors, suppliers and third parties to whom Personal Data is transferred from the Company, those who have access to Personal Data obtained and processed by the Company, and those who provide data to the Company, to comply with this Policy,
  2. To determine the regular audit mechanisms, applied procedures and applicable rules in order to comply with this Policy,
  3. To determine, maintain and carry out the system that will ensure a fast and appropriate response to the requests of the Data Owner to the Company while exercising their rights arising from the Law,
  4. Ensuring the Company's compliance program is up-to-date,
  5. To inform the Company's senior executives, executives and managers about potential corporate and individual, administrative or criminal liabilities that may be brought against the Company and/or its employees due to the violation of the applicable legislation, and to carry out the necessary actions,
  6. To manage and carry out the relations of the Company with the Institution, Board and Registry,
  7. To ensure that all necessary records are made in the Registry in accordance with the relevant legislation and Board decisions, and to supervise the registry entries,
  8. To manage and implement activities to implement the Board's decisions.

4.3.3. Processing of Sensitive Personal Data

Personal Data is processed by the Company in accordance with the conditions specified in the Law. In addition, special measures may be introduced by the Board for the processing of Sensitive Personal Data. If measures are taken by the Board at any time after the publication of this Policy, the Company will make the necessary arrangements to comply with these measures.

In this context:

4.3.3.1 Sensitive Personal Data can be processed with the Explicit Consent of the Data Owner.

4.3.3.2 Sensitive Personal Data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, criminal conviction and data related to security measures and biometric and genetic data) can be processed without seeking the explicit consent of the person in cases stipulated by the laws.

4.3.3.3 Personal Data related to health and sexual life can be processed without seeking the explicit consent of the person concerned only by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.

4.3.3.4 Personal Data related to health of employees can be processed directly or indirectly, especially in order to carry out processes within the scope of employer-employee relationship (permit, advance, insurance process, creation of personal file, etc.). In such cases, explicit consent is obtained from the employees and personal data related to health can only be processed and accessed by the persons or departments that are required to process this data. These personal data may be processed without explicit consent, if determined within the framework of the current legislation and the decision of the Institution/Board, which do not require consent.

4.3.3.5 Where it is not necessary to process sensitive personal data, but that data is strictly attached to personal data that needs to be processed (such as the sensitive personal data on the identity card), the sensitive personal data is separated from the personal data that needs to be processed by link-breaking methods such as masking.

4.3.3.5 As soon as it is understood during the recorded phone calls of the Company that the other party to whom the call is made has shared sensitive personal data, that person is immediately asked whether the personal data they share is sensitive personal data and whether they consent to the recording of the personal data they share. If the person does not consent, the conversation is not recorded; if it has been recorded, it is deleted or masked.

4.4 Consent

4.4.1 To be valid, consent must be informed, explicit, and freely expressed.

4.4.2.1 The Data Owner must be informed in a clear and understandable manner on all matters related to the processing. This information should be understandable and easily accessible in a language that the average individual can understand.

4.4.2.2 Explicit Consent should be understood as a statement of consent that is clear without hesitation and is limited to that transaction only. An open-ended consent cannot be considered an Explicit Consent. As a rule, it is sufficient to obtain the Explicit Consent of the Data Owner once for different transactions to be performed by the Data Controller. However, if the data in question is requested to be processed for purposes other than its original purpose, a separate consent will be required.

4.4.2.3 Explicit Consent must be given freely, without any pressure, and is valid only if the Data Subject is able to demonstrate a genuine choice.

4.4.2.4 As long as these conditions are met, the way of obtaining consent can be freely determined. These can be in the form of clauses in employment contracts, checkboxes on application or purchase forms, and boxes in online forms where Personal Data is entered.

4.4.3 Where consent is obtained through other written representations, the request for consent must be made prominently.

4.4.4. Consent can be withdrawn by the Data Owner at any time.

4.4.5. The Data Protection Commission, together with the relevant departments, will establish systems for obtaining and documenting the Data Owner's Explicit Consent for Personal Data processing.

4.5 Transfer of Personal Data

4.5.1 Transfer of Personal Data to Third Parties

4.5.1.1 Personal Data should not be transferred to another institution, country or region without taking reasonable and appropriate measures for the required level of data protection.

4.5.1.2 Personal Data may be transferred to third parties only for reasons consistent with the purposes for which they were obtained or for other purposes permitted by the Law.

4.5.1.3 Necessary security measures should be taken for all Sensitive Personal Data transferred by the Company or should be protected against unauthorized access by using encryption to the extent possible.

4.5.1.4 Transfer of Personal Data to third parties for subsequent data processing activities will be subject to written agreements. The company will develop standard terms and conditions that can be used for this purpose together with the Data Protection Commission.

4.5.1.5 Personal Data may be transferred where any of the following applies:

  1. Explicit Consent of the Data Owner to the said transfer,
  2. The transfer is clearly stipulated in the laws,
  3. The transfer is compulsory for the protection of the life or physical integrity of the person or another person who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
  4. Provided that the transfer is directly related to the establishment or performance of a contract, the Processing of Personal Data belonging to the parties to the contract is necessary,
  5. The transfer is mandatory for the Data Controller to fulfill its legal obligation,
  6. Transfer of data made public by the Data Owner himself,
  7. The transfer is mandatory for the establishment, use or protection of a right,
  8. The transfer is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Owner.
  9. Provided that adequate precautions are taken, personal data other than health and sexual life can be transferred without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal Data related to health and sexual life can be processed without seeking the explicit consent of the person concerned only by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and financing.

4.5.2 Transfer of Personal Data Abroad

Our company may transfer the Personal Data it processes [by taking adequate precautions] to third parties residing abroad, subject to the conditions set forth in 4.4.1 above. However, except in cases where the Data Owner has given Explicit Consent to the transfer, Personal Data is transferred, in accordance with the Law, only to foreign countries that will be declared by the Board to have sufficient protection (“Foreign Country with Sufficient Protection”) or, in case of lack of sufficient protection, to foreign countries where the Data Controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and where the Board has given permission (“Foreign Country Where the Data Controller Undertaking Adequate Protection Is Located”).

International transfers include the cases where the servers of programs and applications (Emarsys, Google Adwords, Google Analytics, Facebook, Insider, etc.) that provide CRM, mass e-mail sending, e-mail, backup and other services that the Company may need to carry out its activities, or the servers to which the data obtained by them are sent, are abroad.

4.6. Monitoring Visitor and Customer Activities

4.6.1. Taking Closed Circuit Camera Recording

In order to ensure security and fulfill its obligations arising from the R&D legislation, the Company carries out personal data processing activities for monitoring, with closed circuit cameras, the entrance and exit of persons, such as visitors, at the workplace of the Company.

Personal data is processed in accordance with the Law and other relevant legislation by using cameras and recording employee and visitor entries and exits and their activities.

It is possible to monitor with closed circuit cameras, especially to ensure the safety of the Company, visitors and other persons and to fulfill the Company's obligations arising from the R&D legislation. The Company duly discloses the objectives it has determined in this context to the relevant persons. In addition to the information it provides regarding general matters, the Company also gives notice of the surveillance activity with closed circuit cameras by a different method it deems appropriate.

Personal data processed within the scope of surveillance with closed circuit camera are retained for a maximum of [30 days].

In addition, for security purposes, identity checks are made by the Anel building management at the entrance to the company's headquarters and a guest book is kept. In this context, necessary measures are taken regarding the processing and security of personal data.

Personal Data Owners who come to the Company workplace as guests are informed in this context through texts posted at the Company or made available to guests in other ways. Personal data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

The Data Owner is informed by the Company in accordance with Article 10 of the Law.

In addition to the information it provides regarding general issues, the Company can give notice of the camera monitoring activity by more than one method. The Company aims to prevent harm to the fundamental rights and freedoms of the personal data owner and to ensure transparency and that the personal data owner is informed.

For the camera monitoring activity carried out by the Company, a notification letter stating that monitoring will be made is posted at the entrances of the areas where monitoring is done. It is essential that only a limited number of Company employees have access to the footage. Access authorization is done by the Data Protection Commission. Those who have access to the records are also made to sign a confidentiality agreement.

4.6.2. Internet Access Provided to Visitors and Customers

Internet access can be provided by the Company to the visitors who request it during their stay in the Company workplaces. In this case, log records regarding internet access are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated according to this Law. These records can only be processed when requested by authorized public institutions and organizations or to fulfill the relevant legal obligations in the audit processes to be carried out within the Company.

Only a limited number of Company employees have access to the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations, and share them with legally authorized persons. Access authorization is done by the Data Protection Commission. Those who have access to the records are also made to sign a confidentiality agreement.

4.6.3. Website Visitors

On the Company's website, visitors' movements within the site can be recorded by technical means (e.g. cookies) in order to ensure that visitors to the site perform their visits in accordance with the purposes of their visit, to show them customized content and to engage in online advertising activities.

If the company carries out such a processing activity, detailed explanations on the protection and processing of personal data are included in the text of the "Cookie Policy" on the company's website.

4.7. Clarification During Obtaining Personal Data

4.7.1 When consent is requested from the Data Owner to process Personal Data, or in any case where Personal Data is obtained (whether consent is requested or not), it is essential that the Data Owner be properly informed. In this context, information including but not limited to the following will be disclosed to the Data Owner:

  1. Name/title and address of the Data Controller and, if applicable, the name and address of the Data Controller's representative
  2. Purpose(s) of data processing
  3. Purpose of data transfer and to whom data will be transferred,
  4. Data collection method and legal reason,
  5. Data Owner's rights enumerated in the Law, such as the right to access data, get a copy of data, delete and rectify data, and the methods of exercising these rights
  6. Type of data processed

4.7.2 The disclosure obligations above will not be applied in cases where the applicable laws make exceptions to the obligations stipulated for disclosure.

  1. The processing of Personal Data is necessary for the prevention of crime or for criminal investigation.
  2. Processing of Personal Data made public by the Data Owner himself.
  3. Personal Data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the Law.
  4. The processing of Personal Data is necessary for the protection of the economic and financial interests of the state with regard to budgetary, tax and financial matters.

4.7.3 Clarification should be done as soon as possible and preferably at the first contact with the Data Owner. In the case of employees, clarification should be done separately. In addition, appropriate disclosures should be made in job application forms or in employee handbooks and workplace regulations. Explanations should be constructed and made in such a way as to attract the attention of those concerned.

4.7.4 Clarification can be made verbally, electronically, orally or in writing. Where disclosure is made orally, the person making the disclosures must use an appropriate written text or form approved in advance by the Company or the Data Protection Commission. The acknowledgment or form should be kept with a simultaneous record specifying the method, content, date and event of the disclosure.

4.7.5 If the initial explanation is insufficient, annotations can be made later and the event, date, content and method of these annotations are recorded.

4.8. Avoiding New Unlawful Activities

As a rule, new or expanded Personal and/or Sensitive Personal Data acquisition or processing activities will not be carried out by the Company without the approval of the Data Protection Commission. They will try to work in harmony with all relevant departments and managers, the Data Protection Commission and other departments, and will avoid new activities that are not in compliance with the Law.

4.9 Rights of the Data Owner

4.9.1 The Company, through the Data Protection Commission, will establish a system in line with its own policies and practices in order to enable the Data Owner to exercise their rights listed in Article 11 of the Law, to facilitate this and to inform those concerned about the inappropriate disclosure of Personal Data.

4.9.2 With a request made in accordance with the policies and procedures set by the Company and the Data Protection Commission, the Data Owner has the following rights regarding their Personal Data:

4.9.2.1 To learn whether the Company processes Personal Data about the Data Owner and, if so, to request information about it,

4.9.2.2 To learn the purpose of processing Personal Data and whether they are used in accordance with its purpose,

4.9.2.3 To learn whether the Personal Data is transferred domestically or abroad and to whom.

4.9.3 The Data Owner also has the right to request the Company to correct his/her inaccurate and incomplete Personal Data and to inform the recipients whose data has been or may have been transferred.

4.9.4 In accordance with Article 7 of the Law, the Data Owner may request the deletion and destruction of his data from the Company, in case the reasons requiring the processing of his Personal Data disappear.

4.9.5 The Data Owner may object to the results of Personal Data analyzes created exclusively using an automated system if these results are contrary to their interests.

4.9.6 All requests to be made by the Data Owner to the Company for the exercise of the above rights must be made in writing by filling out the request form presented at [email protected].

Applications can be submitted in person or through a notary public or by e-mail with a secure electronic signature.

In order for the requests of those acting to represent the Data Owner to be processed, they must submit to the Company a power of attorney (notarized) issued by the Data Owner, containing a special provision regarding the requests or actions regarding their Personal Data. Identity card and guardianship decision are requested from those who apply on behalf of their children or guardians.

4.9.7. All business units that receive a request from the Data Owner for access to Personal Data will notify these requests to the Data Protection Commission.

4.9.8 The Company shall establish a system to record the requests mentioned herein when they are received and to determine the response dates.

Unless otherwise required by applicable laws and regulations, the Company will respond to a request for information made as stated above within 30 days from the date of receipt of a written request from the Data Owner and appropriate confirmation that the requester is the Data Owner or an authorized legal representative proving his identity. Incomplete, incomprehensible or illegible requests will not be considered by the Company. In such a case, the Company will inform the applicant within 30 days of the application not being processed.

4.9.9 Even if the Company fails to respond fully to the request within the specified time, the Data Protection Department must in any case provide the following information to the Data Subject within the said 30-day period:

  1. A confirmation that the data subject's request has been received,
  2. Description of all information collected until then in response to the request,
  3. An explanation of the information or change requested by the Data Owner that cannot be provided or performed by the Company, the reason(s) for refusal of the Data Owner's request, and, if any, an explanation of the decision objection procedures within the Company
  4. Notification of the price to be paid by the Data Owner, if any, or an estimate of the price, unless the applicable laws and regulations prevent the Data Owner's liability in this regard.

4.9.10 If the provision of information to the relevant Data Owner making the request would cause the disclosure of another person's Personal Data or risk violating their fundamental rights and freedoms, the business unit executing the request should review the data and, as necessary or appropriate to protect the rights of that person, make corrections to the data or not disclose the data.

4.9.11 The Company will not charge any fee from employees for providing the above-mentioned information. In cases where the information request imposes additional costs on the Company, the Company may charge a fee in the tariff to be determined by the Board in order to respond to requests from Data Owners who are not employees. In such a case, the fees to be determined cannot be higher than the fees to be announced by the Board from time to time.

4.9.12 The Company and the Data Protection Commission may establish procedures to monitor and reject repetitive or annoyingly burdensome requests by or on behalf of the Data Subject.

4.10 Storage, Deletion, Destruction and Anonymization of Personal Data (“Storage and Disposal of Personal Data”)

The procedures and principles regarding the storage and destruction of Personal Data, along with the retention periods of personal data, are included in the Company's Retention and Destruction Policy.

The Company keeps the Personal Data that it processes in accordance with the principles in the Law for the period stipulated in the legislation. If the legislation does not provide for a certain period of time for the storage of the relevant Personal Data categories, the Personal Data is retained until the end of the purpose for which they are processed.

In cases where the legislation does not stipulate a certain period for the storage of the relevant Personal Data categories, the storage periods are determined for each data processing purpose. In this context, retention periods are determined by taking into account the practices of the Company and the practices of its commercial life.

Apart from the processing purpose, Personal Data can be stored in order to constitute evidence in possible legal disputes, to assert a right that can be proven with Personal Data, to establish defense and to respond to information requests from authorized public institutions. In the establishment of the periods herein, the statute of limitations for asserting the aforementioned right and the retention obligations arising from the legislation applied to the activities of the Company, the contracts to which it is a party and the international regulations to which it is subject are taken into account.

The Company takes the necessary actions to destroy the relevant Personal Data as reasonably possible and appropriately when the specified periods expire. In addition, the Company may delete, destroy or anonymize Personal Data, ex officio or as the case may be, upon the request of the Data Owner. The Company, through the Data Protection Commission, decides which of these methods is reasonable and applies that method. The Data Owner may request information about why the Company has chosen this method, by exercising its rights described in article 4.9.

In accordance with Article 28 of the Law, anonymized Personal Data may be processed for purposes such as research, planning and statistics.

4.11 Proportionality

In terms of the implementation of this Policy, the Company will pay attention to the principle of proportionality. Care will be taken to ensure that the expense and effort spent in terms of the Company's data processing activities and the protection of the relevant Personal Data are proportionate to the purpose of protecting the data.

5- Registration of the Company in the Registry for Processing Activities

The company will fulfill its registration obligation in accordance with the Regulation on the Registry of Data Controllers, if necessary.

6- Use of Third Party Data Processors

6.1. Obligations of the Third Party Data Processor

In cases where the Company receives services or other support from others to assist its processing activities, a Data Processor will be selected who provides adequate security measures and takes reasonable steps to comply with these measures, in accordance with the Law, Secondary Legislation and Company policies.

6.2 Written Agreements for Third Party Data Processors

The Company will enter into a written contract with each Data Processor that requires the Company to comply with the data privacy and security requirements that it is obliged to fulfill in accordance with the Law and Secondary Legislation.

6.3 Control of Third Party Data Processor

As part of the Company's internal data audit processes, the Company will conduct audits from time to time on data processing activities and, in particular, data security and measures by a third-party Data Processor, and will establish the necessary legal infrastructure to carry out these audits.

7- Data Security

7.1 Physical, Technical and Organizational Security Measures

7.1.1 In order to ensure the security of Personal Data, the Company takes physical, technical or organizational measures against risks including changes, loss, damage, and unauthorized processing or access, taking into account the level of technological development, the nature of the data and the risk they are exposed to by human, physical or natural environmental effects.

7.1.2 Security measures to be taken will be determined and implemented in accordance with the company's information security policies.

7.1.3 Precautions are taken to ensure that the software produced by the Company does not violate the processing conditions of personal data detailed in 4.3.1 and that the personal data it contains is kept safely.

7.1.4 The Company takes additional security measures for the protection of sensitive personal data and the processing of personal data in accordance with the processing conditions detailed in 4.3.1.

7.2 Employee Confidentiality Agreements

Everyone involved in any stage of the processing of Personal Data must clearly make a confidentiality commitment and sign a confidentiality agreement, which must continue after the end of the business relationship.

8- Resolution of Disputes

8.1 Employees

8.1.1 Employees who have complaints and questions regarding the processing of their Personal Data should first discuss this matter with the Data Protection Commission. In cases where the Data Owner does not want to submit a question or complaint to the Data Protection Commission, or in cases where the Data Protection Commission cannot find a satisfactory solution to the Data Owner's questions or requests within 30 days from the date of the request, the employee should, at the end of that period, direct the matter in writing to the Department of Conservation.

8.1.2 In cases where the problem cannot be resolved through the Data Protection Commission, disputes should be resolved in accordance with the internal rules and regulations of the Company and the provisions of the employment contract.

9- Compliance Check

9.1 Current Compliance Assessment

The Company must set a schedule and conduct a data protection compliance audit for all business units through the Data Protection Commission. The Company, in coordination with the business units, should produce a plan and program to rectify the identified deficiencies within a reasonable period of time.

9.2 Annual Data Protection Audit

Each business unit should evaluate data acquisition, processing and security practices. This annual assessment should cover at least the following:

9.2.1 Departments will determine which Personal Data is collected or planned to be collected by the department, the purpose of data collection and processing, any additional purposes allowed, the actual use of the data, the existence and scope of the data subject's consent to these transactions, any legal obligations regarding data collection and processing, and the scope, adequacy and implementation status of security measures.

9.2.2 Departments will determine whether there is Personal Data processed by non-automatic means, provided that it is part of a data recording system.

9.2.3 Departments must identify the persons to whom Personal Data under their control is transferred. The department should determine the location of the transferees, the purposes of the transfer, and at least what physical and technical systems and processes are in place to maintain the current level of data security.

9.2.4 Information obtained as a result of this annual evaluation should be reported to the Data Protection Commission for appropriate action to be taken, updating company policies and procedures, and ensuring appropriate processes.

10- Application

10.1. Publishing

This policy will be presented to employees by the Human Resources Department.

10.2. Effective date

This Policy is effective as soon as it is posted. All departments will jointly develop a timeline and process for the implementation of this policy. This implementation process will include resolution of conflicts between this Policy and other existing policies.

10.3. Changes

Changes can be made to this Policy at any time. Notification of material changes will be communicated to employees by the Company's Human Resources Department and others through an appropriate mechanism selected by the Data Protection Commission.

11- Protector

The Data Protection Commission is responsible for protecting this Policy. Each department manager is responsible for the implementation of this Policy. Questions regarding the implementation of this Policy should be directed to the Data Protection Commission.

12- Severability

Each section of this Policy will be construed so that the section remains in accordance with applicable law; however, if any provision is prohibited or deemed invalid, only that provision will be subject to invalidity, without affecting the remainder of the provision or the remaining provisions of this Policy.