PERSONAL DATA PROTECTION AND PROCESSING POLICY OF SERAPOOL PORSELEN SANAYI VE TICARET A.S.

The protection of personal data is one of the most important priorities of Serapool Porselen San ve Tic. A.S. ("Company"). The most important part of this matter is the protection and processing of the personal data of our employees, employee candidates, customers, company shareholders, company officials, visitors and employees, shareholders, and officials of the establishments we cooperate and third parties under this Policy.


Concerning the protection of data being a right guaranteed by the Constitutional Law, the Company exercises due diligence to protect the personal data of our employees, employee candidates, customers, company shareholders, company officials, visitors and employees, shareholders, and officials of the establishments we cooperate and third parties under this Policy and thereby, adopts this as a Corporate Policy.


In this context, the Company takes necessary administrative and technical measures to protect the personal data processed within the framework of the legislative regulation.


The basic principles adopted by the company in the processing of personal data in this Policy are as follows;


• Processing personal data lawfully and in good faith,


• Keeping personal data accurate and up-to-date when necessary,


• Processing the personal data for specific, express, and legitimate purposes,


• Processing the personal data relevant with, limited to, and proportional to the purpose of their processing,


• Retaining the personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,


• Enlightening and informing the personal data subjects,


• Building up the necessary system for personal data subjects to exercise their rights,


• Taking necessary measures in the retention of personal data,


• Complying with the relevant legislation and the regulations of the Personal Data Protection Board in transferring the personal data to third parties in line with the requirements of the processing purpose,


• Displaying necessary sensitivity to the processing and protection of personal data of special nature.


ARTICLE 1: PURPOSE OF THE POLICY

The main purpose of the policy is to inform the persons, particularly our customers, employees, employee candidates, company shareholders, company officials, visitors and employees, shareholders, and officials of the establishments we cooperate with and third parties whose personal data are processed by our Company, concerning the personal data processing activity conducted by the company lawfully and thereby, to ensure transparency and confidence.


ARTICLE 2: CONTENT AND DEFINITIONS

This Policy covers all personal data of our employees, employee candidates, customers, company shareholders, company officials, visitors and employees, shareholders, and officials of the establishments we cooperate with and third parties, which are processed through automatic or non-automatic means provided that they are part of any data registry system.


The application scope of this Policy concerning the groups of personal data subjects in the aforesaid categories may be the entire of this Policy as well as only one part of the policy.


The definitions of the concepts in this policy text are as follows:


Recipient group: It refers to a category of natural persons or legal entities to whom personal data are transferred by the data controller,


Express consent: It refers to consent on a specific subject, based on informed and expressed with free will,


Anonymizing: It refers to rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data,


Employee: It refers to the Company staff,


Electronic medium: It refers to media where personal data can be created, read, changed, and written through electronic devices,


Non-electronic medium: It refers to all written, printed, visual and other media,


Service provider: It refers to a natural person or legal entity who/that renders services under a specific contract with the institution,


Concerned person: It refers to a natural person whose personal data is processed,


Concerned user: It refers to persons who process personal data within the organization of the data controller or by the authority and instruction granted/given by the data controller, except for the person or department responsible for the technical storage, protection, and backup of the data,


Destruction: It refers to erasure, destruction, or anonymization of the personal data,


Law: It refers to Law on the Protection of Personal Data No. 6698,


Recording medium: It refers to all kinds of media where the personal data processed through fully or partially automatic or non-automatic means provided to be a part of any data registry system is kept,


Personal data: It refers to all kinds of information concerning an identified or identifiable natural person,


Personal data processing inventory: It refers to an inventory created by data controllers for their personal data processing activities depending on their business processes by associating these activities with the purposes and legal grounds of personal data processing, data category, recipient group to which they are transferred, and groups of the personal data subjects and explaining and detailing maximum retention period necessary for purposes of personal data processing, personal data foreseen to be transferred to foreign counties and measures taken regarding data security.


Processing of personal data: It refers to any operation performed on the personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means,


Board: It refers to the Personal Data Protection Board,


Personal data of special nature: It refers to any data concerning race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,


Periodic destruction: It refers to the process of erasure, destruction or anonymization to be carried out ex officio at regular intervals as specified in the personal data retention and destruction policy in case all the conditions for processing personal data in the law are no longer available,


Policy: It refers to Personal Data Retention and Destruction Policy,


Company: It refers to Serapool Porselen San ve Tic. A.S.,


Data processor: It refers to a natural person or legal entity who/that processes personal data on behalf of the data controller, under the authority granted by the data controller,


Data registry system: It refers to a registry system where personal data are structured and processed according to certain criteria,


Data controller: It refers to a natural person or legal entity who/that establishes the purposes and means of processing personal data and is responsible for the installation and management of the data recording system.


Registry information system for data controllers: It refers to information system to be used by data controllers in application to the Registry and other transactions related to the Registry, accessible over the internet, created and managed by the Presidency,


VERBIS: It refers to Data Controllers Registry Information System


Regulation: It refers to Regulation on the Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017,


ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION

The applicable legislative regulations in force concerning the processing and protection of personal data will be applied primarily. Our Company hereby accepts that the applicable legislation will be applied in case of any inconsistency between the applicable legislation and the Policy.


The policy has been issued by concretizing and regulating the rules stipulated by the applicable legislation within the scope of Company practices.


ARTICLE 4: ENFORCEMENT OF THE POLICY

This Policy issued by our company enters into force on the day when it is published on our website. If there is any amendment or change in the policy, the enforcement date will be updated.


The policy is released on the website of our company and made accessible for the concerned persons upon the request of personal data subjects.


ARTICLE: 5 PROVISIONS OF THE PROTECTION OF PERSONAL DATA

Under the Article 12 of the KVKK (‘’Law on the Protection of Personal Data’’), our company takes all necessary administrative, technical, and legal measures to prevent illegitimate processing of personal data, to prevent illegal access to data, and to achieve convenient security to retain the data and conducts all necessary audits within this scope.


The main administrative, technical, and legal measures taken by our company to ensure the legitimate processing of personal data are as follows:


The personal data processing activities carried out within our company are audited by technical systems installed.


The technical measures taken are periodically reported to the concerned person under the internal audit mechanism.


The personnel knowledgeable in technical issues are employed.


The employees are informed and trained on the protection of personal data and the processing of personal data per the law.


All activities carried out by our company are analyzed specific to all business units in detail and as a result of this analysis, personal data processing activities specific to the commercial activities carried out by the relevant business units are revealed.


It takes technical and administrative measures depending on the nature of the data to be protected, technological opportunities and application costs to prevent the incautious or unauthorized disclosure, access and transfer of the personal data or all other unauthorized accesses,


The technical measures are taken in pursuance of developments in the technology and thereby, the measures taken are periodically updated and renewed.


The technical solutions for access and authorization are put into use under legal compliance requirements determined on a business unit basis.


The software and hardware including the virus protection systems and firewalls are installed.


The personnel knowledgeable in technical issues are employed.


The employees are trained on technical measures to be taken to prevent illegitimate access to personal data.


The employees are informed concerning that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law on Personal Data Protection (‘’KVKK’’) and cannot use them for any purpose other than the purpose of processing, and this obligation will survive even after they quit the work and in this regard, necessary commitments are taken from them.


The provisions stipulating that the persons to whom the personal data are transferred, shall take the necessary security measures to protect the personal data and ensuring that these measures are followed in their organizations, are added to the contracts concluded by our company with persons to whom personal data are legally transferred, or a separate contract is concluded.


Our company takes necessary technical and administrative measures according to the technological opportunities and application costs to retain personal data in secure environments and to prevent them from being destroyed, lost, or changed for illegal purposes.


The systems convenient to technological developments are used to retain personal data in secure environments.


The personnel knowledgeable in technical matters are employed.


The backup programs are employed in compliance law to ensure the secure retention of personal data.


The employees are trained to ensure that personal data is retained securely.


If the company is obliged to outsource due to technical requirements regarding the storage of personal data, the provisions stipulating that the persons to whom the personal data are transferred, shall take the necessary security measures to protect the personal data and ensuring that these measures are followed in their organizations, are added to the contracts concluded by our company with persons to whom personal data are legally transferred, or a separate contract is concluded.


Audit of the Measures Taken for the Protection of Personal Data


Under Article 12 of the Law on the Protection of Personal Data, our company conducts the necessary audit or gets these audits done. The results of these audits are reported to the relevant department within the scope of the internal operation of the company and thereby, necessary actions are taken to improve the measures taken.


Measures to be Taken in Case of Unauthorized Disclosure of Personal Data


If the personal data processed under Article 12 of the Law on the Protection of Personal Data (‘’KVKK’’) are obtained by others illegally, our Company will ensure that this will be reported to the relevant personal data subject and the Personal Data Protection Board as soon as possible.


If the Personal Data Protection Board deems necessary, this may be announced on the website of the Personal Data Protection Board or by any other method.


ARTICLE: 6 PROTECTING THE RIGHTS OF THE DATA SUBJECT; THE CREATION OF CHANNELS TO CONVEY THESE RIGHTS TO OUR COMPANY AND THE EVALUATION OF REQUESTS OF THE DATA SUBJECTS

Our company provides necessary channels and conducts internal operation, administrative and technical regulations under the Law on Protection of Personal Data (‘’KVKK’’) to evaluate the rights of personal data subjects and to provide the necessary information to personal data subjects.


If personal data subjects submit their requests regarding their rights listed below to our Company in writing, our Company will conclude the request complimentarily as soon as possible and within thirty days at the latest depending on the nature of the request. However, if the procedure requires an additional cost, you may be charged according to the tariff determined by the Personal Data Protection Board. The personal data subjects have the following rights:


to learn whether his/her personal data are processed or not,


to request information if his/her personal data are processed,


to learn the purpose of processing his/her personal data and whether this data is used for intended purposes,


to know the third parties to whom his/her personal data is transferred at home or abroad,


to request the correction of the incomplete or inaccurate data if they are processing missing or inaccurately and the notification of this procedure to third parties to whom the personal data have been transferred,


to request the erasure or destruction of personal data if the reasons for processing are no longer available even if they have been processed per the provisions of the Law on the Protection of Personal Data and other applicable laws and the notification of such procedures to third parties to whom the personal data have been transferred,


to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for the data subject,


to request compensation for the damage arising from the unlawful processing of his/her personal data.


ARTICLE: 7 PROTECTION OF THE PERSONAL DATA OF SPECIAL NATURE

Under the Law on the Protection of Personal Data (‘’KVKK’’), special importance has been attributed to some personal data of special nature due to the risk of leading to unjust treatment or discrimination of the persons in case of illegitimate processing.


These data are biometric and genetic data concerning race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or union membership, health, sexual life, criminal conviction, and security measures.


Our company acts responsibly in the protection of personal data of special nature, which are determined as "special nature" by the Law on the Protection of Personal Data (‘’KVKK’’) and thereby, processed per the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully taken in terms of the personal data of special nature and the necessary inspections are conducted within the company.


ARTICLE 8: PROCESSING OF THE PERSONAL DATA OF SPECIAL NATURE

Our Company acts responsibly in processing the personal data of special nature determined as the Law on the Protection of Personal Data (‘’KVKK’’) as ‘’special nature’’ in compliance with the provisions of the KVKK.


Under Article 6 of the KVK Law, some personal data that have the risk of to the risk of leading to unjust treatment or discrimination of the persons in case of illegitimate processing are determined as "special nature". These data are biometric and genetic data regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and security measures.


Under the Law on the Protection of Personal Data, our Company processes the personal data of special nature in the following cases provided that sufficient measures to be determined by the Law on the Protection of Personal Data are taken:


If the personal data subject has granted express consent, or


If there is no express consent of the personal data subject;


The personal data of special nature other than the health and sexual life of the personal data subject are processed in cases stipulated by the law,


The personal data of special nature concerning the health and sexual life of the personal data subject are processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation of confidentiality.


ARTICLE 9: TRANSFER OF THE PERSONAL DATA

Our company can transfer the personal data and personal data of the special nature of the personal data subject to third parties (third-party companies, business associates, third-party natural persons) by taking necessary security measures in compliance with the legitimate purposes of personal data processing. In this regard, our company acts in compliance with the regulations stipulated in Article 8 of the Law on the Protection of Personal Data.


9.1 Transfer of the Personal Data

In line with legitimate and lawful purposes of processing the personal data, our company can transfer personal data to third parties based on one or several of the personal data processing requirements stipulated by Article 5 of the Law listed below:


If the personal data subject has granted express consent;


If there is a clear regulation in the laws concerning that personal data will be transferred,


If it is mandatory for the protection of the life or body integrity of the personal data subject or someone else and if the personal data subject is unable to grant his/her consent due to the actual impossibility or his/her consent is not legally valid;


If it is necessary to transfer personal data of the parties of the contract if it is directly related to concluding or enforcing a contract,


If the transfer of personal data is mandatory for our company to fulfill its legal obligation,


If the personal data has been made public by the personal data subject,


If the transfer of personal data is mandatory for establishing, exercising, and protecting a right,


If the transfer of personal data is mandatory for the legitimate interests of our Company provided that the fundamental rights and freedoms of the personal data subject are not damaged.


9.2 Transfer of the Personal Data of Special Nature

Our Company can transfer the personal data of special nature of the personal data subjects by exercising due diligence, taking necessary security measures, and taking adequate precautions stipulated by the Law on the Protection of Personal Data in line with legitimate and legal personal data processing purposes in the following cases.


If the personal data subject has granted express consent, or


If there is no express consent of the personal data subject;


The personal data of special nature other than the health and sexual life of the personal data subject are processed in cases stipulated by the law,


The personal data of special nature concerning the health and sexual life of the personal data subject are processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation of confidentiality.


ARTICLE 10: TRANSFER OF THE PERSONAL DATA ABROAD

Our company can transfer the personal data and personal data of the special nature of the personal data subject to third parties by taking necessary security measures in line with the legitimate purposes of personal data processing. Our Company transfers the personal data to foreign countries declared by the Personal Data Protection Board as having adequate protection (‘’Countries Having Adequate Protection’’) or if there is no adequate protection, to foreign countries where the data controllers in Turkey and relevant foreign countries have undertaken to provide adequate protection and the Personal Data Protection Board has granted authorization (‘’Foreign Country Where Data Controller Undertaking Sufficient Protection"), is transferred. In this direction, our company acts in compliance with the regulations stipulated in Article 9 of the Law on the Protection of Personal Data.


10.1 Transfer of the Personal Data Abroad

In line with legitimate and lawful purposes of personal data processing, our Company can transfer the personal data if the data subject has granted express consent or to Foreign Countries Having Adequate Protection or to Foreign Countries Where the Data Controller Has Undertaken to Provide Adequate Protection if the data subject has not granted express consent in any of the following cases:


If there is a clear regulation in the laws concerning that personal data will be transferred,


If it is mandatory for the protection of the life or body integrity of the personal data subject or someone else and if the personal data subject is unable to grant his/her consent due to the actual impossibility or his/her consent is not legally valid;


If it is necessary to transfer personal data of the parties of the contract if it is directly related to concluding or enforcing a contract,


If the transfer of personal data is mandatory for our company to fulfill its legal obligation,


If the personal data has been made public by the personal data subject,


If the transfer of personal data is mandatory for establishing, exercising, and protecting a right,


If the transfer of personal data is mandatory for the legitimate interests of our Company provided that the fundamental rights and freedoms of the personal data subject are not damaged.


10.2 Transfer of the Personal Data of Special Nature Abroad

In line with legitimate and lawful purposes of personal data processing, our Company can transfer the personal data of special nature to Foreign Countries of the Data Controllers Having Adequate Protection or Undertaking to Provide Adequate Protection by exercising due diligence, taking necessary security measures, and taking adequate protection stipulated by Personal Data Protection Board in any of the following cases:


If the personal data subject has express consent, or


If there is no express consent of the personal data subject;


Personal data of special nature other than the health and sexual life of the personal data subject (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data), in cases stipulated by the laws,


The personal data of special nature concerning the health and sexual life of the personal data subject are processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation of confidentiality.


ARTICLE 11: CATEGORIZATION OF THE PERSONAL DATA

The personal data categorized as follows are processed in our Company limited to the periods within the frame of this Policy by fulfilling all liabilities stipulated by the Law on the Protection of Personal Data. The subjects of the personal data processed in these categories under this Policy are also specified in this Policy.


IDENTITY INFORMATION; It refers to all information contained in documents such as Driving License, Identity Card, Residence, Passport, Attorney Identity, Marriage Certificate and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


CONTACT INFORMATION; It refers to all information such as phone number, address, and e-mail and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


CUSTOMER INFORMATION; It refers to all information obtained and generated about the concerned person as a result of our commercial activities and operations carried out by our business departments within this framework and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


PHYSICAL SPACE SECURITY INFORMATION; It refers to personal data clearly belonging to an identified or identifiable natural person and concerning the records and documents taken during the stay in the physical space at the entrance to the physical space.


PROCESS SECURITY INFORMATION; It refers to your personal data processed to ensure our technical, administrative, legal, and commercial security while carrying out our commercial activities, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


RISK MANAGEMENT INFORMATION; It refers to data that can be used and processed per the generally accepted legal, commercial practice, and good faith in these fields to manage our company commercially, technically and administratively, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


FINANCIAL INFORMATION; It refers to personal data processed concerning the information, documents, and records demonstrating all financial results created according to the type of legal relationship that our company has established with the personal data subject., and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


PERSONNEL INFORMATION; It refers to all kinds of personal data processed to obtain information that will form the basis of the personnel rights of our employees or natural persons who have a working relationship with our Company, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


EMPLOYEE CANDIDATE INFORMATION; It refers to personal data processed concerning the individuals who have applied to be an employee of our company or who have been evaluated as employee candidates in line with the human resources needs of our company under the rules of business practice and good faith or who have a working relationship with our Company, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


EMPLOYEE PROCESS INFORMATION; It refers to personal data concerning all kinds of business transactions performed by our employees or natural persons who have a working relationship with our company, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


WORKING PERFORMANCE AND CAREER DEVELOPMENT INFORMATION; It refers to data processed to measure the performance of our employees or natural persons who have a working relationship with our Company and to plan and conduct their career developments within the scope of our company's human resources policy, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


FRINGE RIGHTS AND BENEFITS INFORMATION; It refers to your personal data processed to plan the fringe benefits and benefits we have been offering and will offer to our employees or other natural persons who have a working relationship with our Company, to determine objective criteria for their entitlement and to follow up their progress, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


LEGAL TRANSACTION AND COMPLIANCE INFORMATION; It refers to your personal data processed within the scope of the establishment and follow-up of our legal receivables and rights and the execution of our liabilities and compliance with our legal obligations and our company's policies, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


AUDIT AND INSPECTION INFORMATION; It refers to your personal data processed within the scope of our company's legal obligations and compliance with company policies, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


PERSONAL DATA OF SPECIAL NATURE; It refers to data stipulated by the Article 6 of Law No. 6698 and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


REQUEST/COMPLAINT MANAGEMENT INFORMATION; It refers to personal data concerning receiving and evaluating all kinds of requests or complaints directed to our company, and clearly belonging to an identified or identifiable natural person and processed partially or fully automatically or non-automatically as a part of any data registry system,


ARTICLE 12: PURPOSE OF PROCESSING PERSONAL DATA

Based on the categorization prepared by our company, the primary purposes regarding processing the Personal Data are as follows:


Carrying out necessary works by our relevant business departments for carrying out commercial activities conducted by our company and performing the relevant business processes,


Planning and conducting our company's commercial and/or business strategies,


Conducting necessary works by our business units to make the concerned persons use the products and services offered by our company and carrying out the relevant processes,


Planning and performing our company's human resources policies and processes,


Ensuring the legal, technical, and commercial occupational safety of the persons who are in business relationships with our company.


Data processing purposes within the scope of the abovementioned primary purposes are as follows:


Event Management


Planning and Execution of Research and Development Activities


Planning and Execution of Business Activities


Planning and Execution of Corporate Communication Activities


Planning and Execution of Information Security Processes


Creating and Managing the Information Technology Infrastructure


Planning and Execution of Business Associates and/or Suppliers' Authorities to Access to Information and