1. Data Controller

This information text has been prepared by TEZCANLAR YATIRIM A.Ş. HACI SABANCI OSB. İSTİKLAL STREET. NO: 29 SARIÇAM ADANA TURKEY Tel: (90) (322) 3944875, e-mail: info@tzy.com.tr (Company) in its capacity as the data controller within the scope of Article 10 of the Personal Data Protection Law No. 6698 and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Information Obligation.

All personal data shared with our company will be processed in a lawful manner, in connection with our activities and service objectives, and in a proportionate manner. Details included in the information notice can be accessed via our Personal Data Processing and Protection Policy on our website.

2. Definitions

Personal Data: Refers to any information relating to an identified or identifiable natural person.

Processing of Personal Data: Refers to any operation performed on data, such as the collection, recording, storage, preservation, alteration, reorganisation, disclosure, transfer, acquisition, making available, classification, or restriction of use of personal data, whether fully or partially automated or non-automated provided it forms part of a data recording system.

Recipient Group: Refers to the category of natural or legal persons to whom personal data is transferred by the data controller.

Data Subject: Refers to the natural person whose personal data is processed.

Data Recording System: Refers to any environment containing personal data processed by fully or partially automated means or by non-automated means provided that it forms part of a data recording system.

Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

3. Personal Data and the Purpose of Processing Personal Data

Which of Your Personal Data Will Be Processed by Our Company for the Purposes Mentioned Above:

Our company processes your personal data for the purposes listed below:

Personal Data Belonging to Our Employees; Implementation of Emergency Management Processes (in the event of disasters such as fire, earthquake, etc., to be able to accurately identify employees present at the workplace and provide emergency medical intervention, to contact the person specified by the employee in the event of an emergency, etc.), Execution of Information Security Processes (monitoring and auditing actions taken on electronic devices such as PCs, notebooks, computers, printers, etc., monitoring and auditing email traffic and correspondence, ensuring the control and security of information flow, ensuring compliance with company policies regarding the use of electronic devices and internet), Implementation of Employee Satisfaction and Loyalty Processes (organising birthday celebrations or similar events for employees or their relatives, or providing assistance, etc.), Fulfilment of Obligations for Employees Arising from Employment Contracts and Legislation (fulfilling obligations under the Labour Law No. 4857, Occupational Health and Safety Law No. 6331, Turkish Code of Obligations No. 6098 and other labour and social security legislation, Social Insurance Law No. 5510 and related legislation, tax legislation and other relevant legal regulations), Implementation of Processes Related to Employee Benefits and Privileges (providing transportation/meals, etc. to our employees), Conducting Audit/Ethics Activities (tracking items or vehicles assigned to employees, computers, PCs, notebooks, email accounts, printers, etc.), Monitoring, controlling, and auditing illegal activities related to the use of electronic devices and the internet, Conducting Training Activities (orientation, occupational health and safety, organising in-house training, monitoring participation in training, determining suitable employees to participate in training, etc.), Execution of Access Authorisations, Execution of Activities in Compliance with Legislation (execution of disciplinary procedures relating to employees, ensuring that work is carried out effectively and in compliance with legislation, protecting employees from criminal and legal liability based on their actions, etc.), Execution of Finance and Accounting Tasks (determining and paying employee monthly salaries, social security contributions, tax deductions, determining expenses, controlling expenses, making necessary payments to employees, tracking expenses and payments, etc.), Ensuring Physical Premises Security (recording images via security cameras located at the entrance doors, exterior of the building, and service areas within our company), Execution of Assignment Processes (distribution of tasks within the company, determination of job descriptions, notification of job changes, execution of assignment procedures, retrieval of assigned devices when assignment ends, etc.), Monitoring and execution of legal affairs (resolving disputes between the Company and employees; responding to wage garnishment letters, following up on them, etc.), Execution of internal audit/investigation/intelligence activities (tracking documents and records related to company activities, keeping records of who obtained, borrowed, archived, destroyed them, and similar activities), Conducting Communication Activities, Planning Human Resources Processes, Conducting/Monitoring Business Activities, Conducting Occupational Health & Safety Activities (fulfilling obligations within occupational health and safety legislation, monitoring compliance with health conditions required for positions, conducting periodic health checks and examinations), Receiving and Evaluating Recommendations for Improving Business Processes (obtaining employee opinions through surveys and polls), Implementing Business Continuity Activities, Organisational and Event Management (organising events, inviting employees, monitoring participation, making reservations), Conducting Marketing Analysis Studies, Conducting Performance Evaluation Processes, Execution of Storage and Archiving Activities, Ensuring the Security of Movable Property and Resources, Execution of the Remuneration Policy, Ensuring the Security of Data Controller Operations, Execution of Talent/Career Development Activities, Provision of Information to Authorised Persons, Institutions and Organisations (e.g., Social Security Institution), Carrying out Management Activities (managing employees and ensuring work order, handling corporate changes such as merger/division/restructuring), Carrying out Goods/Services procurement processes, Execution of goods/services sales processes, Execution of contract processes, Execution of product/service marketing processes, Execution of risk management processes. Personal data will be processed in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the KVKK (Personal Data Protection Act).

4. Transfer of Personal Data

Our company acts in accordance with the regulations stipulated in the Personal Data Protection Law regarding the transfer of personal data.

Your personal data may be transferred to institutions and organisations permitted under the law (e.g., The Labour Law, Occupational Health and Safety Law, Social Security and General Health Insurance Law, Law on the Regulation of Publications on the Internet and the Fight Against Crimes Committed Through These Publications, Turkish Commercial Code, Tax Procedure Law, Law No. 6698 on the Protection of Personal Data), public legal entities such as the Personal Data Protection Authority, the Ministry of Finance, the Ministry of Customs and Trade, the Ministry of Labour and Social Security, and the Information and Communication Technologies Authority; real or private legal entities with whom we contractually cooperate to carry out our activities and who are jointly responsible with us for data security measures; banks, pension companies and institutions engaged contractually to perform our activities; our shareholders; our affiliated companies and/or direct/indirect subsidiaries, group companies; and, with the explicit consent of the employee concerned, to parties for advertising/promotional activities, in accordance with Articles 8 and 9 of the Personal Data Protection Law.

Personal data may be transferred if necessary for the performance of the employment contract and in other cases stipulated by law, provided that adequate protection exists in the recipient country or international organisation; if adequate protection is not available, one of the conditions specified in Articles 5 and 6 must be met and appropriate safeguards must be provided so that the data subject can exercise their rights and seek effective legal remedies in the country to which the data is transferred.

5. Method of Collection and Legal Basis for Personal Data

Your personal data may be obtained through non-automated methods that form part of a data recording system, such as documents, forms, reports, etc., submitted by the employee during the establishment and execution of a business relationship with our Company; through written evaluations from authorized persons such as the employee's manager or supervisor; and through minutes prepared regarding disciplinary procedures. Your personal data may also be obtained or collected through automated or partially automated systems, such as recording work hours, security camera footage, and, when necessary, monitoring communication and transportation devices such as computers, telephones, vehicles, corporate email addresses, etc., provided to the employee solely for business purposes by the Company. Employees must use company-provided electronic devices and internet access only for business purposes and must not permit third parties to use them for personal purposes.

6. Legal Reasons for Processing Your Personal Data by the Company

Where explicitly provided for by law (including, but not limited to, the Labour Code No. 4857, the Occupational Health and Safety Code No. 6331, the Turkish Code of Obligations No. 6098, and the Social Insurance and General Health Insurance Code No. 5510, as well as any other applicable legislation in force), the necessity of processing personal data belonging to the parties to the contract provided that it is directly related to the establishment or performance of the contract, the necessity for our Company to fulfil its legal obligations, the necessity of data processing for the establishment, exercise or protection of a right, the necessity for the fulfilment of legal obligations in areas of employment, occupational health and safety, social security, social services and social assistance, and the processing of data for the legitimate interests of our Company provided that such processing does not harm your fundamental rights and freedoms. In cases not covered by the above legal grounds, your explicit consent is required. Based on legal grounds, data is collected and processed by our Company for the purposes specified in this information text.

7. Storage Period of Personal Data

Your processed personal data will continue to be processed for as long as your employment contract with our Company remains in force. Should your employment contract with our Company terminate, your personal data will continue to be stored for 10 years from the date of termination (15 years for health data) and will be destroyed during the first periodic destruction period corresponding to the end of the storage period.

8. Rights of the Relevant Person

As the Data Subject, we hereby inform you that you have the following rights under Article 11 of the Law:

• To learn whether your personal data has been processed;
• To request information if your personal data has been processed;
• To learn the purpose of processing your personal data and whether it is being used in accordance with that purpose;
• To know the third parties to whom your personal data has been transferred within or outside the country;
• To request the correction of your personal data if it has been processed incompletely or incorrectly;
• To request the deletion or destruction of your personal data within the framework of the conditions stipulated in the relevant legislation;
• To request that the third parties with whom your personal data has been shared be notified of the correction, deletion and destruction operations carried out;
• To object to the analysis of your processed personal data exclusively through automated systems resulting in a negative outcome for you;
• To request compensation for any damage you may have suffered due to the unlawful processing of your personal data.

You may submit your requests regarding the above-listed rights to our Company by filling out the Data Subject Request Form available on our website. Requests must be submitted in writing to our company's address at Hacı Sabancı Organised Industrial Zone, İstiklal Cad. No:29 Sarıçam / Adana, or, if available, via the email address previously provided to our company and registered in our system to info@tzy.com.tr. Such requests will be evaluated and finalised within 30 (thirty) days. Requests submitted by the relevant person must include the relevant person's name, surname, signature if the application is in writing, Turkish Republic identity number or, if foreign, nationality, passport number or foreign identity number if available, place of residence or business address for notification purposes, e-mail address for notification purposes if available, telephone and fax number, and the subject of the request.

If a written response is to be provided to the request, the Company reserves the right to charge a fee in accordance with the fee schedule stipulated by the legislation. If the response to the application is provided on a recording medium such as a CD or flash drive, the Company may charge the data subject requesting the information a fee equivalent to the cost of the recording medium.

Changes to the Text

Our Company may change the provisions contained in this Text at any time. The provisions changed by our Company shall enter into force on the date of publication.