1. INTRODUCTION

1.1. In General

The confidentiality and security of personal data and compliance with relevant legal regulations are among the top priorities of Polivin Kimya Sanayi ve Ticaret A.Ş. (‘‘Company”), and utmost care is taken in this regard. In this context, the process and the intended purpose, which are governed by this Personal Data Protection and Processing Policy (the “Policy”) and other written policies within the Company, and the processes and objectives targeted by them, is to inform our employees, job applicants, visitors, guests, and other third parties (“Relevant Persons”) about the lawful processing, storage, and protection of their personal data and to reflect our corporate culture.

In preparing this Policy, we consider the provisions of the Constitution of the Republic of Turkey and Law No. 6698 on the Protection of Personal Data (“KVKK”), as well as the relevant legal norms regarding the protection and processing of personal data and the provisions of the Personal Data Protection Board’s decisions, as guidelines for our Company.

This Policy will explain the fundamental principles adopted by our Company for the processing of personal data, as outlined below:

• Processing of personal data in accordance with the law and principles of fairness,
• Ensuring that personal data is accurate and kept up to date when necessary,
• Processing of personal data for specific, explicit, and legitimate purposes,
• Personal data must be processed in a manner that is relevant, limited, and proportionate to the purpose for which it is processed.
• Personal data shall be retained for the period required by the relevant legislation or necessary for the purpose for which it is processed.
• Informing the relevant persons,
• Establishing the necessary processes for relevant individuals to exercise their rights,
• Taking the necessary measures in the processing and storage of personal data,
• Transfer to third parties in accordance with the requirements of the purpose of processing personal data,
• Demonstrating the necessary sensitivity in the processing and protection of special categories of personal data,
• Deletion, destruction, or anonymization of personal data when the purpose of processing no longer exists.

1.2. The Purpose of the Policy

The primary purpose of this Policy is to provide explanations regarding the personal data processing activities conducted by our Company in compliance with the law and the procedures adopted for the protection of personal data, and to ensure transparency by informing the Relevant Persons in this regard. In addition, this prepared KVK Policy and other written policies aim to sustain our principle of compliance with the KVKK and other relevant legal regulations regarding personal data security.

1.3. Scope of the Policy

The scope of this policy covers natural persons whose personal data is processed by our Company through automated means or non-automated means as part of any data recording system, and an Internal Directive on the Protection of Personal Data has been established within the scope of this Policy.

1.4. Implementation of the Policy and Relevant Legislation

This Policy has been formulated and organized in accordance with the principles established by the relevant legislation. Our company undertakes and accepts that, in the event of any inconsistency between the legislation in force and this Policy, the legislation in force shall prevail.

1.5. Enforcement of the Policy

This policy shall enter into force upon approval by our Company‘s board of directors, shall be published on the website (……………..), and shall be made available to Data Subjects in this manner.

2. DEFINITIONS AND ABBREVIATIONS

3. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with the Principles Set Forth in Legislation

3.1.1. Processing in Compliance with Legal and Integrity Rules

Our company has adopted as a fundamental principle that all processing of personal data must comply with the law and the rules of good faith. In this context, by embracing the principle of transparency, we inform Data Subjects about the purpose of use of the personal data collected through this Policy and other documents.

3.1.2. Ensuring Personal Data is Accurate and Updated When Necessary

Our company has systems and processes in place to ensure the accuracy and currency of the personal data it processes while carrying out its personal data processing activities. In this context, Data Subjects can enable their personal data to be kept accurate and up-to-date by submitting a request to our company.

3.1.3. Processing for Specific, Clear, and Legitimate Purposes

Our company clearly defines the purpose of personal data processing within legitimate and legally compliant limits and informs the Data Subjects of this purpose through this Policy and other documents before the personal data processing activity begins.

3.1.4. Limited and proportionate to the purposes for which they are processed

Our company processes personal data in a manner that is relevant and proportionate to the subject matter of its activities and within the scope of purposes necessary for the conduct of its activities. In this context, while carrying out data processing activities, it carefully avoids processing personal data that is not related to the achievement of the purpose and is not needed now or in the future.

3.1.5. Retention for the Period Required by the Relevant Legislation or Necessary for the Purpose for Which They Are Processed

Our company retains personal data only for the period specified in the relevant legislation or for the period necessary for the purpose for which it is processed. In this context, it is first determined whether a period has been specified in the relevant legislation for the storage of personal data. If a period has been specified, the data is processed in accordance with that period. If no specific period has been specified, the period necessary for the purpose for which each piece of personal data is processed is determined, and the data is retained for that period.

In this context, our Company prepares and implements policies and guidelines regarding the deletion, destruction, or anonymization of personal data.

3.2. Processing of Personal Data in Compliance with and Limited to the Conditions for Processing Personal Data Specified in Article 5 of the KVKK

Our company processes personal data only with the explicit consent of the Data Subject or, in cases specified in the KVKK where explicit consent is not required, without explicit consent and only under these circumstances and conditions.

3.2.1. Explicit Consent

Explicit consent is a statement made by the Data Subject freely and based on information regarding a specific matter. In accordance with Article 5/1 of the KVKK, our Company respects and complies with the explicit consent of the Data Subject when necessary for personal data processing activities.

3.2.2. Cases Where Explicit Consent Is Not Required

Article 5/2 of the KVKK regulates the processing of personal data in certain situations without the explicit consent of the Data Subject. If any of the specified conditions are met, obtaining explicit consent from the Data Subject would be considered misleading the Data Subject. Therefore, our Company does not seek explicit consent in situations where the conditions for data processing are met.

3.3. Processing of Special Category Personal Data

Our company exercises the utmost care in the processing and protection of personal data classified as “special category” by the KVKK due to the risk of causing greater harm or discrimination to individuals when processed. The principles accepted regarding special category personal data are also addressed in this Policy.

Our company may process special category personal data in the following circumstances, provided that sufficient safeguards determined by the Board are implemented, even if the data subject has not given explicit consent.

1. Personal data of a special nature, other than the health and sex life of the person concerned, in the cases provided for by law,
2. Personal data of a special nature concerning the health and sexual life of the person concerned may only be processed without the explicit consent of the person concerned by persons or authorized institutions and organizations subject to confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning and management of health services and their financing.

Our Company has established additional measures and processes regarding the processing of special category personal data and access to such data. In this context, the environments where special category personal data are stored are protected with secondary locks and secondary passwords, and are processed only by authorized persons within the framework of the authorization matrix.

3.4. Transfer of Personal Data

Personal data may be shared with supervisory authorities within the scope of audit activities for the purposes specified in this Policy, with our shareholders for reasons arising from audit and partnership rights as required by relevant legal regulations, with legally authorized public institutions and organizations, to our suppliers and business partners located domestically and/or abroad, to real persons to whom services are provided, or to third parties to whom services are provided, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK.

4. PRINCIPLES RELATED TO THE PROTECTION OF PERSONAL DATA

4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data

4.1.1. Technical Measures

The main technical measures taken by our company to ensure that personal data is processed in accordance with the law and to prevent unlawful access to personal data are as follows:

Network security and application security are provided.

• Key management is implemented.
• The security of personal data stored in the cloud is ensured.
• Disciplinary regulations containing data security provisions for employees are in place.
• Employees receive regular training and awareness programs on data security.
• An authorization matrix has been created for employees.
• Access logs are kept regularly.
• Corporate policies have been developed and implemented regarding access, information security, use, storage, and disposal.
• Data masking measures are applied when necessary.
• Confidentiality agreements are being made.
• The permissions of employees who have changed roles or left the company are revoked in this area.
• Up-to-date anti-virus systems are used.
• Firewalls are used.
• The signed contracts contain data security provisions.
• Extra security measures are taken for personal data transmitted via paper, and the relevant documents are sent in a confidential document format.
• A personal data inventory has been prepared.
• Personal data security policies and procedures have been established.
• Personal data security issues are being reported quickly.
• Personal data security is being monitored.
• The necessary security measures are taken regarding access to physical environments containing personal data.
• The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
• The security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Protocols and procedures for the security of special category personal data have been established and are being implemented.
• If special category personal data is to be sent via email, it must be encrypted and sent using KEP or a corporate email account.

In this context, our Company continuously carries out sustainable work on the technical measures determined by the Board and listed below:

• Authority Matrix
• Authorization Control
• User Account Management
• Network Security
• Application Security
• Encryption
• Firewalls
• Up-to-date Anti-Virus Systems
• Deletion, Destruction, or Anonymization

4.1.2. Administrative Measures

The main administrative measures taken by our company to ensure that personal data is processed in accordance with the law and to prevent unlawful access to personal data are as follows:

• Our staff are informed and trained on data protection law and the lawful processing of personal data.
• The personal data processing activities carried out by our company’s business units; the requirements to be fulfilled to ensure that these activities comply with the data processing conditions specified in the KVKK are examined for each employee and activity carried out.
• Records are kept that impose an obligation not to process, disclose, or use personal data, except as directed by the Company and as permitted by law, through contracts and documents governing the legal relationship between our Company and its employees. Employee awareness is being increased in this regard.
• Awareness is being raised and implemented within the relevant business units to ensure compliance with legal requirements determined based on our business units. The necessary administrative measures are being implemented through internal company policies and training to ensure the monitoring of these matters and the continuity of implementation.
• In accordance with activity-based legal compliance requirements, access to and authorization processes for personal data are implemented within our Company.
• The Personal Data Protection Committee, established to facilitate and ensure compliance with the KVKK and other relevant regulations, monitors related tasks and processes.
• Our company adds provisions to contracts established with third parties to whom personal data is transferred in accordance with the law, stipulating that necessary security measures will be taken to protect the transferred personal data and that compliance with these measures will be ensured within their own organizations.

In this context, our Company continuously and sustainably works on the administrative measures determined by the Board and listed below:

• Preparation of a Personal Data Processing Inventory
• Corporate Policies (Access, Information Security, Use, Storage, and Disposal, etc.)
• Contracts (Data Controller-Data Controller, Data Controller-Data Processor)
• Privacy Commitments
• Internal Periodic and/or Random Audits
• Employment Contract (Addition of Provisions in Compliance with the Law)
• Corporate Communications (Crisis Management, Board and Stakeholder Notification Processes, Reputation Management, etc.)
• Education and Awareness Activities (Information Security and Law)
• Data Controllers Registry Information System (VERBİS) Notification

4.2. Increasing Awareness and Monitoring of Our Employees in the Field of Personal Data Protection

Our company ensures that the necessary training and meetings are held to raise awareness about preventing the unlawful processing of personal data, unlawful access to data, and ensuring the secure storage of data.

Our company works with professionals when necessary to raise awareness among existing employees regarding the protection of personal data.

4.3. Protection of Special Category Personal Data

Our company carefully protects personal data that is classified as special category data under the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our company to protect personal data are determined based on the relevant legal regulations and the decision published by the Personal Data Protection Authority titled “Sufficient Measures to be Taken by Data Controllers in the Processing of Special Category Personal Data” and are carefully implemented in terms of protecting special category personal data.

4.4. Process to Follow in the Event of Unauthorized Disclosure of Personal Data

Our company will notify the relevant person and the Board within 72 hours if personal data it processes is obtained by others through unlawful means.

If deemed necessary by the Board, this situation may be announced on the Board’s website or by other means.

4.5. Personal Data Inventory

Each unit of our company creates an up-to-date personal data processing inventory. The unit manager is responsible for the accuracy and currency of this inventory and for presenting it to the contact person when necessary. Maintaining accurate inventories, implementing the company’s current policy on personal data protection, and keeping abreast of the latest developments in personal data protection are always followed.

5. Data Subjects’ Requests to the Data Controller, Our Communication Channels, and Request Evaluation Processes

5.1. Subject of the Application

Our company attaches great importance and value to the rights of Data Subjects and provides them with the means and opportunity to exercise these rights. A “Data Controller Application Form” has been prepared by our company and published on our website to enable Data Subjects to easily submit their requests. However, Data Subjects are not required to use this form. Every application made in accordance with the Circular on Procedures and Principles for Applications to the Data Controller will be evaluated.

Everyone may apply to our Company regarding themselves;

1. a) To learn whether their personal data is being processed,
2. b) Request information regarding the processing of personal data,
3. c) To learn the purpose of processing their personal data and whether it is being used for its intended purpose,

ç) To know the third parties to whom their personal data has been transferred within or outside the country,

1. d) Requesting the correction of personal data if it has been processed incompletely or incorrectly,
2. e) Requesting the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the KVKK,
3. f) Request notification to third parties to whom personal data has been transferred regarding the processing carried out in accordance with paragraphs (d) and (e),
4. g) Objecting to the analysis of processed data exclusively through automated systems resulting in a decision adverse to the individual,

ğ) To request compensation for damages incurred as a result of the unlawful processing of personal data,

has the right to.

5.2. Application Method and Address

5.3. Post-Application Process

Requests submitted to us are responded to within a maximum of 30 (thirty) days from the date the request is received by our Company, depending on the nature of the request. Our responses are sent based on the notification method specified by the applicant in the Data Controller Application Form.

Relevant Persons; Pursuant to Article 14 of the KVKK, in cases where the application is rejected, the response provided is deemed insufficient, or no response is provided to the application within the specified time frame; the relevant person may file a complaint with the Board within thirty days from the date they learn of our Company’s response and, in any case, within sixty days from the date of the application.

5.4. Application Fee

Applications are generally free of charge. However, if the requested service incurs additional costs, the Company will charge the fee specified in the tariff determined by the Board.

6. INFORMING AND NOTIFYING RELEVANT PERSONS

Our company informs relevant individuals about the process of obtaining personal data in accordance with the provisions of Article 10 of the KVKK, through this Policy and the Information Text and other texts that are easily accessible on our website. In this context, our Company informs data subjects about the identity of the data controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the other rights of the data subject.

A Data Controller Application Form has been created and published on our Company’s website to enable the Data Subject to more easily exercise their rights as specified in the KVKK. The relevant section is explained in detail under heading number 5.

7. PURPOSES OF PROCESSING PERSONAL DATA AND RETENTION PERIODS

7.1. Purposes of Processing Personal Data

Our company processes personal data strictly within the purposes and conditions specified in Articles 5 and 6 of the Personal Data Protection Law (KVKK). These purposes and conditions are as follows:

• The processing of personal data is explicitly provided for by law in relation to our Company’s relevant activities,

• The processing of personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
• The processing of personal data is necessary for our Company to fulfill its legal obligations,
• Provided that the personal data has been made public by the relevant person; processing by the Company for the limited purpose of making it public,
• The processing of personal data by the Company is necessary for the establishment, exercise, or defense of a legal claim,
• Provided that it does not harm the fundamental rights and freedoms of the persons concerned, it is necessary to process personal data for the legitimate interests of the Company.
• The processing of personal data by our company is necessary to protect the life or physical integrity of the data subject or another person, and in such cases, the data subject is unable to give consent due to actual impossibility or legal invalidity.
• Personal data of a special nature, other than those related to the health and sex life of the individuals concerned, shall be processed only in the cases provided for by law.
• Personal data of a special nature concerning the health and sexual life of the individuals concerned are processed by persons or authorized institutions and organizations bound by confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning and management of health services and their financing.

7.2. Retention Periods for Personal Data

As a company, we store personal data for the period specified in the relevant legislation, if required by such legislation. In addition, when determining storage periods, we also take into account our obligations arising from relevant contracts and our administrative and legal responsibilities/obligations.

When the purpose for processing personal data has ended and the retention period specified by the relevant legislation and the company has expired, such personal data is deleted and only backed up for the purpose of serving as evidence in potential legal disputes or asserting rights related to the personal data. In this case, access to personal data is not provided for any other purpose. Personal data is destroyed or anonymized after the periods specified in our company’s Personal Data Retention and Destruction Policy have expired.

Processed personal data and personal data inventories are reviewed every six months, and personal data that must be deleted/destroyed is deleted/destroyed within these six-month periodic destruction periods and recorded in the transaction log.

8. PERSONAL DATA PROCESSING ACTIVITIES WITHIN THE WORKING AREAS

8.1. Camera Surveillance Activities Conducted at Entrances and Inside Work Areas

By our company; In order to ensure the safety of the Relevant Persons and our Company, we provide services and conduct security camera monitoring activities at the entrance and inside the work areas where we perform these services to track entries/exits and personal data processing activities related to work time tracking. In this context, as a Company, we act in accordance with the KVKK and other relevant legislation.

8.1.1. Providing Information Regarding Surveillance Activities Using Cameras

Our company informs relevant individuals in accordance with Article 10 of the KVKK; thereby aiming to prevent harm to the fundamental rights and freedoms of relevant individuals and to ensure transparency. Regarding camera surveillance activities, the Company provides information both on its website through this Policy (online Policy) and at the entrances to the areas under surveillance through notices stating that surveillance is being conducted (on-site information/layered information).

8.1.2. Purpose of Surveillance Activities and Limitations on Purpose

As a company, we process personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed, in compliance with the KVKK. The purpose of the company’s video camera recording and monitoring activities is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, number, and timing of security cameras are implemented in a manner that is sufficient to achieve the security objective and limited to that purpose.

8.1.3. Ensuring the Security of Data Obtained Through Camera Surveillance Activities

The company takes all necessary technical and administrative measures to ensure the security of personal data obtained through camera recordings. Detailed information is provided in the section on data security measures.

8.1.4. Who Has Access to the Information Obtained as a Result of Monitoring and to Whom This Information Is Transferred

Only authorized personnel may access the information obtained as a result of monitoring and the storage environment. Live camera footage may be viewed by Company employees or external security personnel. A limited number of individuals with access to the recordings have signed confidentiality agreements, pledging to protect the confidentiality of the data they access.

8.2. Visitor Entry/Exit Tracking at Work Area Entrances and Inside

The Company and the external service provider process personal data for the purposes of ensuring security and for the purposes specified in this Policy, in order to monitor visitor entry and exit in the Company’s work areas.

The names and surnames of individuals visiting our work areas are collected, and the relevant individuals are informed through texts posted in the relevant areas or made available to visitors in other ways. Data collected for the purpose of tracking visitor entry and exit is processed solely for this purpose, and the relevant personal data is recorded in a data recording system in physical and/or electronic form.

8.3. Recording Information on Electronic Devices at Work Area Entrances

As a company, in line with our commitment to information security and the protection of personal data, we record the MAC addresses of guests’ personal computers or similar electronic devices when they use them. The reason for this is to ensure the security of our company and the personal data of individuals within our company.

9. REVIEW

This policy shall enter into force upon approval by the Company’s board of directors. Any changes to the policy shall require the approval of the person(s) authorized by the board of directors. Matters related to the implementation of this policy within the Company have been systematized through internal policies, procedures, and internal guidelines. The policy is reviewed every six months, and revisions are made with the approval of the authorized person if necessary.

10. PERSONAL DATA PROTECTION COMMITTEE

The company has appointed a contact person within the framework of personal data protection law. A Committee consisting of ………. members has been formed from among the employees of the company units. The company contact person chairs the Personal Data Protection Committee (“Committee”).

The contact person acts in accordance with the Committee’s opinions and recommendations regarding administrative and technical measures. The principles determined by the Committee regarding administrative and technical measures are taken into consideration. The Committee makes every effort to ensure the Company’s compliance with personal data protection legislation. The contact person monitors the Company units for which they are responsible under personal data protection law. As a result of these audits, they alert the relevant units where necessary and inform senior management of the situation.

The contact person coordinates the response to data subject requests made to the Company within the legal time frames and in accordance with the procedure. The contact person manages the Company’s relations with the Personal Data Protection Authority.

11. ENFORCEMENT

This Policy shall enter into force on the date it is approved and announced by the company’s board of directors/authorized bodies.