This Policy named Personal Data Protection and Confidentiality Policy covers all departments and employees within the organization of Eroglu Holding A.S. This Policy was prepared for the purpose of providing the necessary information by clarifying all of the rules for the processing of the personal data and came into force on 15.06.2020 by being approved by the management of Eroglu Holding A.S.

The amendments to be made in this Policy upon the enforcement of the additional legislations under the PDPL or at various times can be followed up at the corporate website of the Company and the current version of this Policy is also available at this corporate website.

The Company processes the personal data of its suppliers, employees, customers, visitors and other natural persons who establish relationship with the Company by making job applications or for any other purpose or by any other means in order to be able to perform its operations such as import, export, customs clearance, logistics, organization, marketing, retailing and wholesaling in compliance with the law.

The purpose of this policy is to inform the relevant persons by making clarifications about the processing activities that the Company carries out and the systems related to the personal data and to ensure transparency about the personal data in this way.

In this regard, the Company details and clarifies the processing of the personal data under the PDPL, the data owners subjecting to such processing and the rights of these persons as well as the use of the cookies and similar technologies in this Policy.

2.1 – General Principles for the Processing of the Personal Data

The Company processes the personal data in compliance with the following principles within the scope of the purposes instantiated in the second paragraph of the article 4 of the PDPL and in the section titled “Purposes of Processing the Personal Data” of this Policy:

• Compliance with the law and the principle of honesty
• Accuracy and up-to-dateness when necessary
• Being processed for specific, explicit and legitimate purposes
• Being related, limited and restrained with the purpose of processing
• Retention for the duration stipulated in the relevant legislation or for the period necessary for the purpose of processing

2.2 – Personal Data Processed by the Company

The personal data is processed within the organization of the Company by the explicit consent obtained from the data owners or except for the exceptional cases specified in the articles 5 and 6 without subjecting to explicit consent pursuant to the articles 5 and 6 of the PDPL and this data shall be processed exclusively within the framework of the purposes instantiated in the section titled “Purposes of Processing the Personal Data” of this Policy. The types of this personal data which varies and differs depending on the type and nature of the relationship between the Company and the data owner, the communication channels used and the mentioned purpose information and which is processed in compliance with the principles set forth in this Policy are as follows:

• Information introducing the data owner such as name, surname, occupation, title, job details, educational status, gender, marital status, spouse/children details, citizenship status, military service details, criminal record details, tax liability status,
• Data such as date of birth, place of birth, identity number, blood type, religion and photograph available in the authentication documents such as photocopy of the birth certificate, photocopy of the vital record, passport and driving licence,
• Contact details such as address, electronic mail, phone and fax numbers, communication records within the scope of the phone calls and electronic mail correspondences and other audio data,
• Natural person information on the documents for the legal entities such as tax plate, trade gazette, authorization certificate, qualification certificates, circular of signature and certificate of activity,
• Detailed financial data regarding pricing, agreement, collection and payment procedures.

2.3 – Purposes of Processing the Personal Data

The personal data can be processed by the Company within the scope of the following purposes and can be retained as long as it is stipulated by these purposes and the relevant legal periods:

• Ensuring the performance of the necessary works by the business departments in order to allow the customers to take advantage from the products and services provided by the Company,
• Planning and executing the sustainability activities,
• Providing support for the performance of the companies and partnership law procedures of the group companies,
• Ensuring the legal and commercial security of the Company and the persons who are in business relationship with the Company,
• Carrying out the commercial activities for the purpose of establishing and implementing the Company’s commercial and business strategies,

2.4 – Transfer of the Personal Data

The Company transfers the personal data in the country and in abroad within the framework of the purposes instantiated in the section titled “Purposes of Processing the Personal Data” of this Policy and pursuant to the articles 8 and 9 of the PDPL and the personal data can be processed and stored in the servers and electronic medias used within this scope. The nature of these transfers made and the parties with whom or which the personal data is shared vary depending on the type and nature of the relationship between the data owner and the Company, the purpose of the transfer and the relevant legal basis and such parties generally are as follows:

• Third persons in the country and in abroad, from whom the Company purchases service,
• Direct and indirect shareholders, affiliates and subsidiaries,
• Persons and organizations from whom and which the Company purchases service and/or consultancy service,
• Business partners with whom the Company executes contracts

2.5 – Collection of the Personal Data

The Company can obtain personal data directly from the employees and customers, suppliers, business partners, group companies, call center, public institutions and other physical environments and can collect personal data also via websites, mobile applications, social media and other public media or by means of the trainings, organizations and similar events held within the framework of the requirements stipulated in the articles 5 and 6 of the PDPL in order to achieve the purposes instantiated in the section titled “Purposes of Processing the Personal Data” of this Policy.

2.6 – Retention Period of the Personal Data

The personal data is retained during the relevant legal retention periods within the organization of the Company and kept for the period necessary for the performance of the activities related to this data and the purposes specified in this Policy. The personal data the intended purpose of which has ended and the legal retention period of which has expired, on the other hand, is deleted, destructed or anonymized by the Company pursuant to the article 7 of the PDPL.

2.7 – Rights of the Data Owner under the PDPL

Under the article 11 of the PDPL, the rights of the natural persons whose personal data is processed are regulated and the data owners have the following rights on the Company pursuant to this article:

• Learning whether the personal data has been processed or not,
• Requesting the relevant information if the personal data has been processed,
• Learning the purpose of processing the personal data and whether the personal data is used as suitable for the purpose,
• Knowing the third persons to whom the personal data has been transferred in the country or in abroad,
• Requesting the correction of the personal data if it has been processed deficiently or incorrectly,
• Requesting the deletion or destruction of the personal data if the reasons requiring the processing of the personal data are eliminated,
• Requesting the notification of the correction and deletion procedures to the third persons to whom the personal data has been transferred,
• Objecting to the occurrence of a result against the person himself by analyzing the personal data exclusively via automatic systems,
• Requesting the elimination of the damage if the person incurs damage due to the processing of the personal data in contrary to the Law.

The requests to be received from the data owners for the purpose of exercising any of the rights stated above shall be met by the Company within 30 days at latest. These requests can be forwarded by delivering to the address of Eroglu Holding A.S. Huzur Mah. Cendere CAD. No: 114 34396 Sariyer / Istanbul / Turkey by hand together with the authenticating documents, by sending to this address via the notary public or can be forwarded to the address of erogluholding@hs03.kep.tr with secure electronic signature. In the event that the requests require a separate cost, the Company may claim fees at the amounts determined under the relevant legislation.

2.8 – Data Transfer to Abroad

The personal data can be transferred to abroad in compliance with the legislation in order to achieve the purposes instantiated in the section titled “Purposes of Processing the Personal Data” of this Policy in order to be used for processing, storage, administration or any other purpose specified in this Policy. For these transfers, the necessary measures are taken for the protection of the personal data as required.

2.9 – Security of the Personal Data

The Company attaches importance to maintain the confidentiality and security of the personal data. Accordingly, the necessary technical and administrative security measures are taken in order to protect the personal data against unauthorized access, damage, loss or disclosure. Accordingly, the necessary system access controls, data access controls, secure transfer controls, business continuity controls and other necessary corporate controls are applied.

3.1 – General

The small data files sent to the devices of the users by the internet network server via the internet browser used are called as cookies and the websites recognize the users by means of such cookies and the useful life of the cookies differs depending on the browser settings.

These cookies are created via the systems managed by the Company and also certain service providers authorized by the Company can obtain the IP address, unique identifier and device identifier details by placing similar technologies to the devices of the users. Furthermore, the links belonging to the third parties available in the Company’s systems are subject to the confidentiality policies of such third parties and the responsibility for the confidentiality applications does not belong to the Company and in this regard, it is recommended to read the confidentiality policy of the website when the website within the scope of the relevant link is visited.

3.2 – Types of Cookies

The cookies the main intended purpose of which is to provide the users with convenience are basically gathered in 4 main groups

3.2.1 – Advertising and Third Party Cookies:

These are the cookies that belong to the third party suppliers and allow for the use of certain functions at the Company’s website and the follow-up of the advertisements.

3.3 – Intended Purposes of Cookies

The intended purposes of the cookies that are used by the Company are as follows:

3.3.1 – Usages for Performance:

The Company can use such cookies that evaluate and analyze the interaction with the messages sent and the user behaviours for the purpose of increasing and measuring the performance of its systems.

3.3.2 – Usages for Advertising:

The Company can use such cookies that measure the effectiveness of the advertisements or analyze the click status for the purpose of forwarding the advertisements and similar contents within the scope of the areas of interest of the users via the systems belonging to the Company itself or the third parties.

3.4 – Disabling the Cookies

The cookie usage option is selected as pre-defined in many browsers and the users can change the status of this selection by using the browser settings and accordingly they can delete the existing cookies and reject the further cookie usages. However, if the cookie usage option is cancelled, certain features in the Company’s systems may not be used.

The method for changing the cookie usage option varies depending on the type of the browser and can be learned from the relevant service provider at any time.

This Policy shall come into force on the date when it is approved by the Board of Directors of the Company. The amendments to be made in the Policy shall come into force after the approval of the General Manager of the Company is obtained. The Policy is usually reviewed and updated once a year. However, the Company reserves its right to review this Policy in line with the amendments in the legislation, the amendment in any technical standard referred to, the procedures of and/or the decisions to be taken by the Personal Data Protection Board and the court decisions and to update, amend or abolish the policy and to establish a new policy in the necessary circumstances. The authorization to take decision regarding the abolishment of the Policy belongs to the Board of Directors of the Company.

EROGLU HOLDING A.S. takes the necessary measures in order to ensure the confidentiality and security of the customer information within the framework of the relevant legal legislations at the highest level and accordingly the issues set forth at the website of our Company at the address of www.erogluholding.com are applied.

• EROGLU HOLDING A.S., in the capacity of Data Collector, processes the personal data that it can obtain via the verbal, written or electronic environment from the channels such as group companies, customs, factories and dealers in order to be able to perform its operations such as import, export, customs clearance, logistics, organization, marketing, retailing and wholesaling and to ensure that its services can progress without disruption in compliance with the law.
• The personal data is processed by our Company in order to completely carry out its operations such as import, export, customs clearance, logistics, organization, marketing, retailing and wholesaling, to perform the activities which the Company is liable to conduct within the scope of the legal and administrative obligations, to clarify the data owner about the amendments in the legislation and in the rules and policies recognized within the organization of the Company, to protect the legitimate interests, to carry out the promotion and marketing operations, to obtain the opinion of the data owners by means of surveys and voting and to ensure the customer satisfaction, to ensure the security of the electronic systems and physical environments owned or used by the Company and to take the necessary measures by making the relevant evaluations and for the performance of the necessary works by the business departments in order to allow the customers to take advantage from the products and services provided by the Company.
• Our Company attaches importance to maintain the confidentiality and security of the personal data. Accordingly, the necessary technical and administrative security measures are taken in order to protect the personal data against unauthorized access, damage, loss or disclosure. The Company is not liable for the security and confidentiality of the links provided for the access to the other websites via the Company’s website. The Company shall not accept any liability in case of pecuniary or non-pecuniary losses that might occur as a result of login to these websites.
• The access of the third persons to the information entered by our customers on the website is prevented. In order to maintain the confidentiality of the personal data of our customers, the necessary measures have been taken by keeping our Company’s system and internet infrastructure at reliable level.
• The personal data the intended purpose of which has ended and the legal retention period of which has expired is deleted, destructed or anonymized by the Company pursuant to the article 7 of the PDPL.
• Our Company receives support services from diverse organizations in the cases that it considers necessary and ensures that the relevant organizations act in compliance with the confidentiality standards and requirements of the Company. Our Company makes sure and contractually ensures that the data processors with whom it executed contracts attach importance to the information security at least as much as the Company itself and act with the awareness of joint liability. The data processors process the personal data exclusively in line with the instructions of EROGLU HOLDING A.S. in parallel to the definition set forth in the legislation, by remaining within the framework of the contract signed with EROGLU HOLDING A.S. and in compliance with the legislation.
• The security and confidentiality of the links provided for the access to the other websites via our Company’s website are not under the responsibility of our Company. Our Company may not assume any responsibility for the pecuniary/non-pecuniary losses that might occur at these websites.
• The copyrights regarding the information and materials available at our Company’s website and their regulation belong to EROGLU HOLDING A.S. Except for the materials belonging to the third persons, all copyrights, registered trademarks, patents, intellectual and other property rights for the information and materials available at our Company’s website are reserved by our Company.
• Under the article 11 of the PDPL, the rights of the natural persons whose personal data is processed are regulated and the data owners have the following rights on the Company pursuant to this article:

1. Learning whether the personal data has been processed or not,
2. Requesting the relevant information if the personal data has been processed,
3. Learning the purpose of processing the personal data and whether the personal data is used as suitable for the purpose,
4. Knowing the third persons to whom the personal data has been transferred in the country or in abroad,
5. Requesting the correction of the personal data if it has been processed deficiently or incorrectly,
6. Requesting the deletion or destruction of the personal data if the reasons requiring the processing of the personal data are eliminated,
7. Requesting the notification of the correction and deletion procedures to the third persons to whom the personal data has been transferred,
8. Objecting to the occurrence of a result against the person himself by analyzing the personal data exclusively via automatic systems,
9. Requesting the elimination of the damage if the person incurs damage due to the processing of the personal data in contrary to the Law.

The requests to be received from the data owners for the purpose of exercising any of the rights stated above shall be met by the Company within 30 days at latest. These requests can be forwarded by making application in person to EROGLU HOLDING A.S. together with the documents ensuring the authentication (birth certificate, driving licence etc.) by filling in and signing the PDPL Data Owner Request Form during the application, by delivering to the address of Huzur Mah. Cendere CAD. No: 114 34396 Sariyer / Istanbul / Turkey by hand together with the authenticating documents, by sending to this address via the notary public or can be forwarded to the address of erogluholding@hs03.kep.tr with secure electronic signature.

In the event that the requests require a separate cost, the Company may claim fees at the amounts determined under the relevant legislation.

The login of our customers/visitors to the website of our Company means that they have accepted the aforementioned conditions and our Company is entitled to amend and update the conditions and provisions set forth in this legal warning without prior notice.