PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

Law No. 6698 on Protection of Personal Data

Prepared by / Approved by: SAZCILAR AUTOMOTIVE INC.

Release date: 01/06/2019

This document may not be reproduced or distributed without the written permission of SAZCILAR OTOMOTİV A.Ş.

Introduction
This Protection of Personal Data Policy (“Policy”) concerns the compliance of SAZCILAR OTOMOTİV A.Ş. (“SAZCILAR”) with the Law No. 6698 on the Protection of Personal Data (“KVKK”), which was published in the Official Gazette dated 7 April 2016 and entered into force, and with the related Regulations and Communiqués, and the technical and administrative infrastructure, processes and procedures.

Many provisions set out in this Policy are currently implemented by our company and data security is given utmost importance. With the policy, the principles and terms and conditions adopted by the SAZCILAR family have been determined in order to protect all data processed by our company and to ensure compliance with the obligations specified in KVKK and its related Regulations and Communiqués.

Our Company, which periodically audits that the terms and conditions stated in the Policy are followed, publishes and updates these terms and conditions in line with legal obligations and needs and keeps the Policy up to date. Changes to the terms and conditions of our Policy will be announced on our official website and will take effect as of the date of announcement. By following our Policy on our website, you can see the current version of the terms and conditions to which your personal data are subject at our Company.

Definitions
Explicit Consent: Informed consent that is related to a certain subject and based on free will.

Anonymization: Rendering personal data such that it can under no circumstances be associated with a certain or identifiable real person, even by pairing with other data.

Personal Data: Any information that belongs to a specific or identifiable natural person.

Personal Data of Private Nature: Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Processing of Personal Data: Any processing of personal data, whether fully or partially automated or as part of any data recording system, such as the acquisition, storage, modification, reorganization, disclosure and classification of the data.

Board: Personal Data Protection Board.

Policy: SAZCILAR OTOMOTİV A.Ş. Personal Data Protection and Processing Policy.

Data Processor: The natural or legal person who processes personal data on behalf of the data officer based on the authorization given by the data officer.

Data Officer: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system).

Goal
This Policy was established in order to determine the basic principles and implementation principles to be adopted in ensuring compliance with the obligations placed on SAZCILAR OTOMOTİV A.Ş. (hereinafter referred to as “SAZCILAR”) as data officer within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK”), which was published in the Official Gazette dated 7 April 2016. Compliance with the Policy is audited by our internal audit units and the Company takes all technical and administrative measures for the security of personal data.

III. Scope and Changes
This Policy, which was prepared in accordance with KVKK, concerns all personal data of our current and potential customers and employees, of the employees, shareholders and officials of the institutions we cooperate with, and of third parties, whether processed by automated means or by non-automated means, provided that they are part of any data recording system. SAZCILAR reserves the right to make changes in the Policy in line with the amendments to be made in KVKK and the related regulation.

Principles of Personal Data Processing
SAZCILAR has adopted the following principles in the collection, processing and analysis of personal data.

Acting in Accordance with Law and Integrity Rules
SAZCILAR will collect and process personal data in a lawful and fair manner in order to protect the rights of data owners. The principles of proportionality and necessity will be taken into account in the conduct of these activities.

Purpose-Specific Restriction
Personal data may only be processed for the purposes that were defined prior to data collection. Subsequent changes to the purpose are possible only to a limited extent and with justification.

Retention for the time required by the relevant legislation or for the purpose for which it was processed

SAZCILAR retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, SAZCILAR first determines whether a period is stipulated in the relevant legislation for the storage of personal data; if a period is stipulated, it acts in accordance with this period, and if not, it stores the personal data for the period specified in the SAZCILAR Personal Data Policy. SAZCILAR relies on the storage periods in the personal data inventory, and at the end of the periods specified there, personal data is deleted, destroyed or anonymized according to the nature and purpose of the data in accordance with the obligations under the Law.

Transparency and Lighting
Data owners should be informed in detail prior to the collection and processing of their personal data. Prior to data collection, data owners should be informed of the following:

The identity of the data officer and the representative, if any,

Purpose of processing personal data,

To whom and for what purpose the personal data processed are transmitted,

The method and legal reason of personal data collection,

The rights of the person whose personal data is processed in accordance with Article 11 of the KVKK.

Data Economy
Prior to the processing of personal data, it is necessary to determine whether and to what extent the processing is necessary to achieve the objective. Where the objective is acceptable and proportionate, anonymous or statistical data may be used.

Deleting Personal Data
After the expiry of the periods stipulated in the relevant laws for record keeping obligations and proof-keeping procedures, personal data that is no longer required are deleted or destroyed or made anonymous.

Accuracy and Data Update
Personal data must be accurate, complete and up-to-date if known. Inaccurate or missing data should be deleted, corrected, completed or updated.

Privacy and Data Security
Personal data should be stored and kept as confidential information. Personal Data is protected and kept confidential on a personal level by taking the necessary administrative and technical measures to prevent unauthorized access, unlawful transactions, sharing, accidental loss, alteration or destruction.

Personal Data Processing Objectives
Collection and processing of personal data will be carried out for the purposes of the Lighting Text and the purposes set out below.

Customer and business partners data
Data processing for contractual relationship: Personal data of existing and potential customers and business partners (in case the business partner is a legal entity) can be processed for the establishment, implementation and termination of a contract without further approval. During the contracting phase prior to the contract, personal data may be processed in order to prepare a proposal, to prepare a purchase form or to meet the data owner’s requests regarding the implementation of the contract. In the process of contract preparation, data owners can be contacted in the light of the information they provide.

Data processing for advertising purposes: Personal data is processed for advertising or market and public surveys only if the purpose of collecting this information is appropriate for the purposes in question. The data owner is informed that their information will be used for advertising purposes. Data owners may refrain from providing or consenting to the processing of data that is reported to be used for advertising purposes. For data processed for advertising purposes, the explicit consent of the data owner is required. The data officer shall obtain the express consent of the data owner in this respect by electronic approval, mail, e-mail or telephone. Use of personal data for advertising purposes is prohibited without the express consent of the data owner.

Data processing due to our legal obligations or expressly stipulated by law: Personal data may be processed without further approval where the processing is explicitly specified in the relevant legislation or in order to fulfill a legal obligation specified by the legislation. The type and scope of data processing must be necessary for the legally permitted data processing and must comply with the applicable legal provisions.

Principle of legitimate interest in the processing of personal data: Personal data may be processed without further consent when necessary for the legitimate benefit of SAZCILAR. Legitimate interests are usually legal interests.

Processing of private data: Private personal data are processed in accordance with the provisions of KVKK, provided that adequate measures are taken by the Board. Private personal data other than data on the health and sexual life of the personal data owner are processed with express consent and, in the absence of explicit consent, within the scope of the exceptions provided for in the KVKK. Personal data relating to the health and sexual life of individuals is processed by persons or authorized institutions and organizations that are under the obligation of confidentiality, for the purpose of protection of public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.

Data processed exclusively through automated systems: The processing of personal data obtained through automated systems shall not justify or legitimize the use of such data in business or transactions that adversely affect the owner of the personal data. The personal data owner has the right to object to a disadvantage that arises from analysis of the processed data exclusively through automated systems. At the request of the personal data owner, SAZCILAR will endeavor to take the necessary measures.

User information and the Internet: In the event that personal data are collected, processed and used on the website or applications, the users concerned should be informed about the use of the information they have stored on the site, the privacy statement and the cookies. The privacy statement and cookie information are integrated so that they are easily identifiable, directly accessible, and consistently appropriate for the person concerned.

Principles regarding the processing of personal data of employees
It is compulsory to collect and process personal data of employees during the establishment, implementation and termination of the employment contract. The express consent of employees might not be obtained for this. Personal data of potential employee candidates are also processed in job applications. In case of rejection of the job application, the personal data obtained during the application are kept for the appropriate data storage period for use in the next selection period; at the end of this period they are deleted, destroyed or made anonymous. The following principles should be considered in the processing of personal data concerning employees.

Data transactions that are expressly required by law and carried out due to legal obligations: Personal data of the employee may be processed without further approval where the processing is clearly stated in the relevant legislation or in order to fulfill a legal obligation determined by the legislation.

Processing of data in accordance with legitimate interest: Personal data of employees may be processed without consent if SAZCILAR has a legitimate interest. Legitimate interests are usually legal or economic interests. In individual situations where the interests of the employees need to be protected, personal data is not processed for legitimate interest purposes. Before the data is processed, it is determined whether there are interests that require protection. If the data of the employees are processed on the basis of SAZCILAR’s legitimate interest, it should be examined whether this processing is proportionate and that the legitimate interest does not violate a right of the employee that is to be protected.

Processing of private data: Private personal data are processed only under certain circumstances. Private personal data are defined as data on race and ethnic origin, political thought, religion, philosophical belief, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Private personal data can only be processed if the employee has given explicit consent and by taking the necessary administrative and technical measures. The following cases constitute the exception to this provision, and in such cases personal data may be processed even if the employee has not given explicit consent.

Personal data other than data on the health and sexual life of the employee, in cases foreseen by law,
Personal data regarding the health and sexual life of the employee, processed only by persons or authorized institutions and organizations under the obligation of keeping secrets, for the purpose of protection of public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing.

Data processed exclusively through automated systems: If personal data belonging to employees are processed exclusively through automated systems as part of the business relationship, the employee has the right to object to a result arising against them.

Telecommunication and Internet: Telephone equipment, e-mail addresses, intranet and internet as well as in-house networks are primarily provided by SAZCILAR for business-related tasks. These are working tools and company resources. These tools must be used in accordance with legal regulations and the internal regulations of SAZCILAR. There is no general control over telephone and e-mail communication or intranet and internet use. In order to prevent attacks against the IT infrastructure or individual users, preventive measures are taken at the points of transition into the SAZCILAR network by blocking technically harmful content or analyzing attack patterns. Data on the use of telephone equipment, e-mail addresses, intranet / internet and / or in-house social networks is kept for a limited period of time for security reasons. These data are evaluated only if there is a concrete suspicion. These controls are carried out by the relevant departments only if the principle of proportionality is maintained.

Security cameras and Voice Recording: There is a recording and monitoring system with cameras in order to provide security in the workplaces and annexes of our company. In addition, voice recordings can be taken in order to ensure job quality and interview standards in certain units and to control the proper performance of the job. The records are kept, monitored and audited by the Company. It is possible that these records will be used for identification and proof of non-compliance within the scope of a disciplinary investigation.

Prohibition of Access: SAZCILAR makes maximum efforts to process, protect and maintain personal data collected on the basis of legal obligations, legitimate interests and the express consent of its employees in accordance with their purpose of collection, and only shares personal data with relevant employees. Where an employee accesses data or personal data that is not required for the work performed within the scope of their job description, and does not have the explicit written authorization of SAZCILAR, the employee is personally responsible for any work and transactions carried out in connection with that data. Therefore, employees should be provided with regular training on the unlawful disclosure and sharing of personal data, and a disciplinary process should be established in case the employees do not comply with the security policies and procedures.

Transferring Personal Data
The transfer of personal data to a third party other than SAZCILAR will be carried out for the purposes set out in the Lighting Text and for the purposes set out below. Accordingly, SAZCILAR may transfer personal data to the following persons and institutions for certain purposes;

To SAZCILAR business partners, limited to ensuring the fulfillment of the objectives of establishing the business partnership,

To SAZCILAR’s suppliers, limited to providing the products and services that SAZCILAR outsources from the supplier and that are necessary for carrying out its commercial activities,

To SAZCILAR affiliates, limited to ensuring the execution of commercial activities that require the participation of SAZCILAR subsidiaries,

To SAZCILAR shareholders, limited to the purpose of designing and auditing the commercial activities of SAZCILAR in accordance with the provisions of KVKK,

To the legally authorized public institutions and organizations, limited to the purpose requested by the relevant public institutions and organizations within their legal authority,

To legally competent private law persons, limited to the purpose requested by the relevant private law persons within their jurisdiction.

Personal data processed by SAZCILAR will be transferred to foreign countries where the foreign country has adequate protection. For countries and regions that have not been declared to have adequate protection, personal data can be transferred where the data officers in Turkey and in the relevant foreign country undertake adequate protection in writing and the permission of the Board has been obtained. SAZCILAR may also use a cloud storage service to process your personal data.

VII. Data Owner Rights

Personal data owners have the right:

To learn whether personal data is processed or not,

To request information if personal data is processed,

To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

To know the third parties to whom personal data is transferred at home or abroad,

To request correction if the personal data is incomplete or incorrectly processed, and to request the notification of this transaction to the third parties to whom the personal data has been transferred,

To request the deletion or destruction of personal data in the event that the reasons that require processing are eliminated, although it has been processed in accordance with the provisions of KVKK and other related laws, and to request the notification of this transaction to the third parties to whom the personal data has been transferred,

To object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems,

To request compensation for the damage in the event that damage is suffered due to unlawful processing of personal data.

If a request in this direction reaches SAZCILAR, SAZCILAR shall respond to the request within the period. For this reason, SAZCILAR will provide the data owners with the necessary information about the use of the rights mentioned above and the manner in which the requests are evaluated.

The exceptions to the above rights granted to personal data owners in the KVKK are listed below, in which case SAZCILAR has no obligation to respond to requests from data owners:

Processing of personal data for purposes such as research, planning and statistics by anonymizing it through official statistics,

Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defense, national security, public security, public order or economic security.

The processing of personal data by judicial authorities or enforcement authorities with respect to investigations, prosecutions, proceedings or executions.

Pursuant to the KVKK, the persons concerned cannot claim their other rights, except for the right to claim the damages, in the following cases:

That personal data processing is necessary to prevent crime or to investigate crime.

Processing of personal data publicized by the personal data owner.

That personal data processing is required for the conduct of supervisory or regulatory duties, and for disciplinary investigation or prosecution, by assigned and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by law.

That personal data processing is necessary to protect the economic and financial interests of the State in relation to budget, tax and financial matters.

Personal data holders can exercise the above-mentioned rights by completing and signing the Personal Data Application Form on our website www.sazcilar.com.tr and delivering the original copy by hand or with photocopies to Nilüfer Organize Sanayi Bölgesi Mine Caddesi 205. Sokak Number: 5 16140 Nilüfer / Bursa, or returning it to SAZCILAR by registered letter. For applications made on behalf of a person other than the applicant, the applicant must have a power of attorney duly issued by the right holder. SAZCILAR may request additional information from the person concerned in order to determine whether the applicant is the personal data holder, and may ask questions about the application to clarify the issues mentioned in it.

According to the nature of the request, SAZCILAR will finalize the request as soon as possible and within thirty (30) days at the latest.

VIII. Privacy

Personal data is subject to confidentiality. Employees are not permitted to collect, process or use data without permission. Unauthorized use is any data processing by employees that is outside their legitimate duties. The need-to-know principle applies: Employees may access personal data only as is appropriate to the scope and nature of the task in question.

Employees are prohibited from using personal data for private or commercial purposes, distributing it to unauthorized persons, or otherwise making it accessible. Managers should inform their employees about data protection obligations at the start of the employment relationship. This obligation continues even after termination of the employment relationship.

Security
SAZCILAR takes the necessary measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the protection of the data, and carries out the necessary audits or controls. This applies regardless of whether the data processing is performed electronically or in writing. Technical and organizational measures for the protection of personal data are defined and implemented before new methods of data processing are introduced, especially in the transition to new IT systems. These measures are based on the latest developments, the risks of the processing and the need for data protection, as determined by the information classification process. Technical and organizational measures to protect personal data are part of company information security management and are constantly adapted to technical developments and organizational changes.

Controls and Inspections
Compliance with the Personal Data Protection and Processing Policy and KVKK is ensured through regular data protection audits and other controls.

Data Violation Management
Where personal data is obtained by others in violation of the provisions of this Policy and KVKK, SAZCILAR shall immediately implement the security measures necessary for the protection of that personal data and shall notify the person concerned and the Board as soon as possible. For this purpose, it is the responsibility of SAZCILAR to establish systems and application methods that enable personal data holders to submit their requests and complaints regarding their personal data to it in the most effective way and in the shortest time. If deemed necessary by the Board, this may be announced on the Board’s website or by any other means.

XII. Obligation to Enroll in the Data Officers Register
SAZCILAR is obliged to register with the Data Officers Registry specified in Article 16 of the KVKK and shall register with the Data Officers Registry by presenting the application information and documents listed in the KVKK within the period to be determined and announced by the Board. Accordingly, the information and documents to be submitted to the Board for registration are as follows:

The identity and address information of SAZCILAR and its representative, if any,
The purpose for which personal data will be processed,
Information about the group or groups of data subjects and the data categories of these persons,
The recipient or recipient groups to which personal data can be transferred,
Personal data intended to be transferred to foreign countries,
Personal data security measures,
The maximum time required for the purpose for which personal data is processed.

XIII. Classification of Personal Data and Data Inventory

Under this Policy, SAZCILAR has categorized the data of personal data owners (customers, dealers, authorized persons, employees, visitors, third parties, employee candidates, employees of the institutions we cooperate with) as follows, in line with the personal data processing conditions specified in Article 5 of KVKK and the principles set out in Article 4, and by fulfilling the obligation to inform.

SAZCILAR has created a personal data inventory in accordance with the Data Officers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which data is transferred, and retention times. In this context, the following types of data categories are included in the SAZCILAR personal data inventory.

In addition to the following personal data categories, the Personal Data Inventory contains a variety of information, including protection methods, access rights, the persons to whom the data is transmitted, and the methods of transfer.

Personal Data Categorization: Description

Contact Data: This is the group of data that can be used to reach the person (phone, address, e-mail, fax number, IP address).

Identity Data: This is the group of data that contains information about the identity of the person (name, surname, TCKN, mother name, father name, place of birth, date of birth, gender, wallet serial number, identity copy, tax number, SGK number, nationality data, marriage certificate photocopy / scan, employee card).

Health Data: This is the group of data containing the person’s health information (blood type, medical history, check-up result, consultation report, diet form).

Vehicle Data: This is the group of data that contains the vehicle information of the person (license plate number, chassis number, engine number, license information).

Location Data: This is the group of data that contains the location data of the person (GPS location).

Audio / Visual Data: This is the group of data that contains the visual and audio data of the person (photo, audio recording, camera recording, license copy / scan, ID copy / scan, passport copy / scan).

Digital Trace Data: This is the data group that contains the digital traces that are formed as a result of processing the personal information (log).

Financial Data: This is the group of data that contains the financial information of the person (bank account number, IBAN number, card information, bank name, financial profile, mail order form, credit note).

Biometric / Genetic Data: This is the group of data that contains the biometric / genetic data of the individual (fingerprint, genetic information, vascular).

Professional Data: This is the group of data that contains information related to the occupation of the person (institution information, professional chamber registry).

Training Data: This is the data group containing the personal training data (diploma grade, photocopy / scan of diploma).

Asset Data: This is the data group containing the assets of the person (copy / scan of title deed, copy / scan of vehicle license).

Travel Data: This is the data group that contains information about the person’s travel (flight information, flight card, tour route, mileage card number, accommodation data).

Company Data: Personal company data (company address).

Race / Religion Information: This is the group of data that contains data on the origin and belief of a person (race / religion information).

Association Membership Information: This is the data group that contains the member’s and related association information (all association memberships).

Signature Data: This is the data group that contains the signature information of the person (wet signature, e-signature, photocopy / scan of signature).

Visa / Passport Data: This is the data group that contains the person’s visa / passport information (visa information, photocopy / scan of the passport).

Costume Data: This is a group of data that distinguishes a person’s clothing (the history of costume purchase, the distinctive clothing he wears).

Sanction Data: This is the data group related to the sanctions the person has received (criminal proceedings, criminal record, disciplinary record).

Submitted for your information.

SAZCILAR AUTOMOTIVE INC.
Law No. 6698 on Protection of Personal Data
http://www.mevzuat.gov.tr/mevzuatmetin/1.5.6698.pdf