POLICY ON PROCESSING OF PRIVATE PERSONAL DATA

VERSION 02 – 17/07/2025

Document No.: 111.12

Document name: Policy on Processing of Private Personal Data

Revision Date: 7/17/2025

Issuance Date: 1/2/2020

TABLE OF CONTENTS

PURPOSE AND SCOPE OF THE POLICY
DEFINITIONS
PRINCIPLES FOR PROCESSING OF PERSONAL DATA
PROCESSING OF PRIVATE PERSONAL DATA
LOCAL AND ABROAD TRANSFER OF PRIVATE PERSONAL DATA
PRIVATE PERSONAL DATA RETENTION PERIOD AND DISPOSAL
PERIODIC DISPOSAL PERIOD
PERIODS APPLICABLE UPON THE DELETION, DESTRUCTION, OR ANONYMIZATION REQUEST OF THE DATA SUBJECT REGARDING THEIR PRIVATE PERSONAL DATA
SECURITY MEASURES TAKEN BY THE COMPANY
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR STORAGE OF PERSONAL DATA AND TO ENSURE PREVENTION OF UNLAWFUL PROCESSING AND ACCESS
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO DESTROY PERSONAL DATA IN COMPLIANCE WITH THE LAW
RIGHTS OF PRIVATE PERSONAL DATA SUBJECT
TRAINING
AUDIT
AMENDMENTS TO THE POLICY
EFFECTIVE DATE OF THE POLICY

This Policy sets forth the principles and procedures to be observed within and/or by the Company as obligations for protection of personal data are fulfilled and personal data are processed by Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi (“Company”) pursuant to the provisions of applicable legislation, particularly the Law no. 6698 on Protection of Personal Data.

1. PURPOSE AND SCOPE OF THE POLICY

The purpose of the Policy on Processing of Private Personal Data is to indicate how private personal data pertaining to existing and potential customers, business partners, suppliers, employees, prospective employees, and third parties shall be processed and protected with a view to comply with the Law no. 6698 on Protection of Personal Data (“Law”) and “Adequate Measures to be Taken by Data Controllers in Processing of Private Personal Data”, as well as the Resolution no. 2018/10 of 31/01/2018 of the Personal Data Protection Board.

This Policy covers all private personal data processed, transferred, and stored within the Company.

Provisions and principles in this Policy apply to any sensitive information and document related to identified or identifiable real entities, which are physically or digitally accessible.

In case of a discrepancy between regulations of the applicable legislation and this Policy, regulations of the applicable legislation shall prevail.

2. DEFINITIONS

Meanings of the technical terms used in the Policy are given below.

Explicit Consent:

Freely given, specific and informed consent.

Recipient Group:

Category of natural or legal persons to which the personal data are transferred by the data controller.

Data Subject:

Persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and back up of personal data.

Data Subject:

Real entities, whose Personal Data are processed by the Company or entities/organizations authorized on behalf of the Company.

Law:

Personal Data Protection Law no. 6698 of 24/3/2016.

Regulation:

By-Law on Erasure, Destruction or Anonymization of Personal Data.

Recording Medium:

Any type of environment that keeps the personal data processed wholly or partially by automated means or non-automated means, provided that they form part of a data recording system.

Personal Data:

Any information on an identified or identifiable natural person (within the scope of this Policy, the term “Personal Data” shall also include Private Personal Data as defined below, where appropriate).

Private Personal

Data:

Data on race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, manners of clothing, association, foundation or union membership, health, sex life, criminal record and safety measures of individuals, as well as biometric and genetic data.

Personal Data Processing:

All kinds of procedures performed on all or a part of the Personal Data, such as obtaining, recording, storing, retaining, modifying, readjusting, disclosing, transferring, receiving, making available, classifying, or preventing the use of personal data, by automated or partially automated means or non-automated means as part of a Data Recording System.

Data Inventory:

The inventory where the following items are explained and detailed: personal data processing activities performed by data controllers depending on their business processes; maximum period that is required for the purposes relating to the purposes of personal data processing and determined in association with purposes of personal data processing, data category, recipient group to whom the data are transferred, and data subject groups; personal data estimated to be transferred to foreign countries; and measures taken in respect of data security.

Board: :

Personal Data Protection Board.

Office:

Personal Data Protection Authority.

LPPD:

Law no. 6698 on Protection of Personal Data.

Periodic Disposal:

The erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist.

Registry:

Data Controllers’ Registry kept by Personal Data Protection Authority.

Data Recording System:

The filing system where personal data are processed by being structured according to specific criteria.

Data Controller:

(Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi) The natural or legal person who determines the purpose and means of processing personal data and is responsible for the establishment and management of the data filing system.

Anonymization:

Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Anonymized

Data:

Data rendered impossible to link with an identified or identifiable natural person even through matching them with other data.

Deletion:

Rendering personal data inaccessible and nonreusable by relevant users.

Destruction:

Rendering personal data inaccessible, nonrestorable and nonreusable by anyone.

Direct Identifiers:

Standalone identifiers that directly reveal, disclose, and distinguish the person, whom they are associated with.

Indirect Identifiers:

Identifiers that reveal, disclose, and distinguish the person, whom they are associated with, in combination with other identifiers.

Disposal:

Erasure, destruction or anonymization of personal data.

Obfuscation:

Actions such as blacking out, painting over, and blurring all personal data, so that they cannot be associated with an identified or identifiable natural person.

Masking:

Actions such as erasing, blacking out, painting over, and using asterisks to hide certain personal data, so that they cannot be associated with an identified or identifiable natural person.

3. PRINCIPLES FOR PROCESSING OF PERSONAL DATA

Our Company performs personal data processing activities pursuant to the following principles and procedures in accordance with article 4 of the LPPD, which regulates the principles and procedures for processing of personal data.

a. Compliance with the Law and the Rules of Integrity

Our Company processes your personal data in compliance with the LPPD and other laws and regulations that must be observed due to the conducted business.

b. Accuracy and Currency

Our Company carries out necessary procedures and takes necessary technical and administrative measures to prevent personal data, provided by data subjects, from being modified without authorization and contrary to facts, and to update personal data upon request by data subjects in case of a change regarding processed data.

c. Processing for Certain, Clear and Legitimate Purposes

Your personal data, which are processed by our Company, are processed in line with the purpose of processing notified to you and within the notified framework.

d. Being Linked to the Purpose of Processing, Limited, and Prudent

Our Company does not process personal data that are not compatible with its operations, not required within the scope of the Company’s operations, and which will go beyond the purpose of processing.

e. Retention As Long As Stipulated in the Relevant Legislation or Required for the Purpose of Processing

Your data, processed within the scope of the LPPD and other applicable laws and regulations, are stored as long as the periods stipulated in the applicable legislation or that require retaining due to the nature of the processed data.

Personal data are deleted or anonymized upon expiration of the period required by the purpose of personal data processing. In this case, it shall be ensured that the third parties, to which the Company transferred the personal data, also delete, destroy, or anonymize the personal data.

4. PROCESSING OF PRIVATE PERSONAL DATA

Private personal data comprises data on race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, manners of clothing, association, foundation or union membership, health, sex life, criminal record and safety measures of individuals, as well as biometric and genetic data. It is prohibited to process private personal data without explicit consent of the relevant party.

However, such private personal data can be processed without obtaining explicit consent of the relevant entity in the presence of the following circumstances;

Express stipulation in the legislation,
The need for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
Pertinence to personal data made public by the Data Subject and conformity with the public disclosure will,
Requirement for establishment, exercise, or protection of a right,
Requirement by entities under confidentiality obligation or authorized institutions and organizations for the purposes of protection of public health, preventive medicine, performance of medical diagnosis, treatment and care services, and planning, management, and financing of health services,
The need for fulfillment of legal obligations in employment, occupational health and safety, social security, social services, and social welfare,
Being aimed at current or former members and affiliates of foundations, associations, and other non-profit organizations or entities established with political, philosophical, religious, or union purposes, or other individuals in regular contact with these organizations and entities, provided that processing is in line with the legislation governing them and fit for their purposes, limited to their areas of activity, and not disclosed to third parties,

provided that adequate measures are taken as determined by the Board.

Measures determined by the Board and necessary administrative and technical measures are taken when private personal data are processed.

Provisions of the Policy on Processing of Personal Data shall be applicable to the matters that are not included in this policy.

5. LOCAL AND ABROAD TRANSFER OF PRIVATE PERSONAL DATA

The Company may transfer lawfully obtained private personal data of data subjects to third parties in line with the purposes of data processing by taking necessary security measures.

Local Transfer

The Company transfers the private personal data of the data subject locally to our Group Companies, Tetra Pazarlama ve Dış Ticaret A.Ş. & Multipak Ambalaj San. ve Tic. A.Ş. & Lotus Teknik Tekstil San. ve Tic. A.Ş. & CM Holding A.Ş. in the presence of one of the conditions specified in paragraph 3 of article 6 of the LPPD in line with legitimate and lawful personal data processing purposes, by exercising due diligence and taking necessary security measures and adequate actions stipulated by the Board.

Under circumstances where such processing conditions are not available, the Company transfers personal data locally upon obtaining explicit consent of the Data Subject. The Company observes the provisions in other laws concerning local transfer of personal data.

Abroad Transfer

Your personal data shall not be transferred abroad under any circumstances.

6. PRIVATE PERSONAL DATA RETENTION PERIOD AND DISPOSAL

Your personal data, processed for purposes set forth in this Policy, shall be deleted, destroyed, and anonymized by us upon cessation of purposes that require processing pursuant to article 7/1 of the LPPD and expiration of periods stipulated by laws.

The Company shall by no means retain personal data in consideration of the possibility of future use.

All deletion, destruction, and anonymization activities, to be performed by the Company on personal data, shall be carried out pursuant to the principles set forth in the Personal Data Storage, Disposal and Anonymization Policy.

During the first periodic disposal procedure following emergence of the obligation to delete, destroy, or anonymize personal data, your personal data shall be deleted, destroyed, or anonymized. Such period cannot exceed six (6) months in any event.

The Board may shorten the period set forth in this article if losses, which are difficult or impossible to recover from, arise or in the case of explicit illegality.

a. Erasure of Private Personal Data

Erasure of personal data that is completely or partially processed by automated means; rendering such personal data inaccessible and nonreausable by any means by the relevant users. The data controller describes in its relevant policies and procedures how the conditions specified in the third paragraph are fulfilled in order for personal data to be considered as deleted.

Non-essential personal data on paper, transferred to electronic media by scanning or without digitization, shall be anonymized. Upon erasure of personal data, the Company shall render data inaccessible or nonreusable by any means. During the performance of this procedure, the Company guarantees that data becomes inaccessible or nonreusable by any user. This guarantee is under the responsibility of the data controller.

b. Destruction of Private Personal Data

Destruction procedure shall be carried out in case the Company processes data on physical recording media and the Company is obliged to render such data unrecoverable.

During these procedures, Company employees and relevant departments are liable to notify the relevant data, to be destroyed, to the controller; upon which the Company shall take all kinds of necessary technical and administrative measures.

c. Anonymization of Private Personal Data

Anonymization procedure is rendering data impossible to be associated with an identified or identifiable real person even through matching with other data, in case the Company processes personal data by physical or automated means.

7. PERIODIC DISPOSAL PERIOD

Private personal data in possession of the Company shall be checked in certain periodic intervals and the data, processing circumstances of which no longer exist, shall be deleted, destroyed, or anonymized.

Periodic disposal is carried out in semi-annual intervals for all personal data. The mentioned period does not exceed the maximum periodic disposal period, specified in article 11 of the Regulation, under any circumstances. The Company pledges to comply with new periods if the Board shortens the periods within the scope of the LPPD and the applicable legislation.

These periodic inspection and disposal procedures, to be carried out for private personal data, are included in the Personal Data Processing Inventory generated and implemented by the Company.

All operations performed within the scope of disposal are recorded by the Company and such records are retained for at least 3 (three) years, except for other legal obligations. The Company reserves the right to retain personal data due to its other legal obligations.

8. PERIODS APPLICABLE UPON THE DELETION, DESTRUCTION, OR ANONYMIZATION REQUEST OF THE DATA SUBJECT REGARDING THEIR PRIVATE PERSONAL DATA

The Data Subject shall submit their requests regarding implementation of the Law to the Company in writing or by other methods to be determined by the Board. The Company approves the request or justifies its rejection and sends the response to the relevant person in writing or online at the latest within thirty (30) days. If the request in the application is approved, necessary action shall be taken.

The private personal data subject to the request are deleted, destroyed, or anonymized in the event that all of the circumstances for processing the private personal data, which are subject to the request, no longer exist. The requests specified in the application are finalized at no charge, as soon as possible, and at the latest within thirty (30) days according to the nature of request. However, if the procedure requires an additional cost, relevant fee in the tariff determined by the Board may be charged. If it is caused by the mistake of the data controller, charged fee is refunded to the data subject.

Unless the Board makes a resolution to the contrary, the Company shall select the suitable method among ex officio deletion, destruction, or anonymization of personal data. The Company shall select the suitable method and provides justification upon request of the data subject.

If the personal data subject to the request were transferred to third parties, the matter shall be notified to the third party and it shall be ensured that the third party takes necessary action pursuant to the Regulation on Deletion, Destruction, or Anonymization of Personal Data.

You can file an application regarding matters in respect of processing of your personal data by completing the form on the Company’s website or in writing* to the following address.

Lotus Teknik Tekstil San. ve Tic. A.Ş. Contact Details

Head Office Address: Ortaköy Mah. İlter Bulvarı No: 27 34592 Silivri, İstanbul / Türkiye

Contact E-Mail: kvkk@lotustekstil.com.tr

Website address: http://www.lotustekstil.com.tr/

*Please specify the matter on the envelope as “Information Request Pursuant to the Law on Protection of Personal Data” in case of written application.

9. SECURITY MEASURES TAKEN BY THE COMPANY

9.1 Security measures, taken by the Company in terms of Processing of Private Personal Data, are as follows:

9.1.1 The Company established a this systemic, manageable, and sustainable Policy, rules of which are clear, as well as associated PPD Procedures, for security of Private Personal Data.

9.1.2 In respect of employees involved in Private Personal Data Processing operations conducted by the Company or specialist trainers, from whom the Company receives relevant service support:

Regular trainings are provided about LPPD Regulations and Private Personal Data security,
Confidentiality agreements are made,
Authorization scopes and durations for users, authorized to access Private Personal Data, are clearly defined,
Relevant authorizations for employees, who are reassigned or who leave their jobs, are revoked immediately. In this scope, the inventory allocated to them is recovered by the Company.

9.1.3 If Private Personal Data are processed, stored, and/or accessed on electronic media:

Data are stored using cryptographic methods,
Cryptographic keys are kept on secure and different media,
Activity records for all actions performed on data are logged securely,
Security updates for media containing data are constantly followed, the Company performs or has necessary security tests performed regularly, and test results are recorded.
If data are accessed by means of a software, user authorizations are made for such software, the Company performs or has necessary security tests for such software performed regularly, and test results are recorded.
At least two-factor authentication system is provided if it is necessary to access data remotely.

9.1.4 If Private Personal Data are processed, stored, and/or accessed on physical media:

Adequate security measures (against situations such as electrical failure, fire, flood, theft, etc.) are taken according to the nature of the environment where Private Personal Data is stored,
Physical security is provided in these environments and unauthorized entries and exits are prevented.

9.1.5 If Private Personal Data are to be transferred to third parties:

If it is necessary to transfer the data by e-mail, data transfer is made with encryption via corporate e-mail address or Registered Electronic Mail (KEP) account,
If it is necessary to transfer data with media such as flash drive, CD or DVD, the data is encrypted with cryptographic methods and cryptographic key is kept on different media,
In case of transfer between servers in different physical locations, data transfer is made by establishing a VPN between servers or by means of SFTP,
If it is necessary to transfer data on paper, necessary measures are taken against risks such as theft, loss, or unauthorized people viewing the documents, and the documents are sent in “classified document” format.

9.2 In addition to this policy and abovementioned measures, the Company agrees to take any technical and administrative measures to ensure the proper level of security set forth in Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi Personal Data Protection and Processing Policy published on http://www.lotustekstil.com.tr/ website.

10. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR STORAGE OF PRIVATE PERSONAL DATA AND TO ENSURE PREVENTION OF UNLAWFUL PROCESSING AND ACCESS

Qualifications Technical Measures Taken for Lawful Storage of Your Private Personal Data and to Ensure Prevention of Unlawful Processing and Access

Personal data storage, processing, and access activities are inspected by installed technical systems.
Software and hardware, including antivirus systems and firewalls, are used.
Technical measures, which are taken, are reported to the relevant party.
Employees with technical knowledge are employed.
Access authorizations are restricted and authorizations are reviewed regularly.
Backup software are used in a lawful manner to ensure secure backup of personal data.
Accesses to data storage areas containing personal data are logged and unauthorized accesses or access attempts are instantly notified to relevant parties.

Administrative Measures Taken for Lawful Storage of Personal Data and to Ensure Prevention of Unlawful Processing and Access

Employees are informed and trained about personal data protection law and lawful storage and processing of personal data.
The personnel that process, store, and access personal data are identified in the Personal Data Processing inventory.
Specific analyses are conducted for all departments in respect of all of the performed activities and, as a result of such analysis, personal data processing activities are carried out specific to commercial and administrative activities performed by relevant business units.
In order to fulfill legal compliance requirements, established on a department basis, awareness is raised and implementation rules are determined specific to the relevant departments; administrative measures necessary for ensuring inspection of these matters and continuity of implementation are adopted by means of internal policies and trainings.
Employees are informed that they cannot disclose the personal data, which they find out, to another party and they cannot use such data for purposes other than processing in violation of the provisions of the Law no. 6698 on Protection of Personal Data and this obligation shall remain in effect after they leave their offices, and necessary commitments are obtained from them accordingly.
Aside from instructions of Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi and exceptions imposed by the law, stipulations that impose obligations not to process, disclose, and use personal data are included in contracts and documents, which govern the legal relationship between employees; thus, awareness is raised among employees.

11. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO DESTROY PERSONAL DATA IN COMPLIANCE WITH THE LAW

Secure Deletion via Software: Methods for rendering personal data inaccessible and nonreusable by relevant users irrecoverably from the relevant software are used when data processed by completely or partially automated means and stored on digital media are deleted.
Deletion of Relevant Data by Issuing Delete Command on Cloud System: Removing access rights of the relevant user on the file or the directory containing the file in the core server; deletion of relevant lines in databases with database commands; or deletion of data on removable media, i.e. flash drive, using suitable software can be considered in this scope.

However, if deletion of personal data shall render other data inaccessible in the system or result in the inability to use such data, personal data shall be deemed to have been deleted if they are archived in a manner that cannot be associated with the relevant person, provided that the following conditions are fulfilled.

Being inaccessible by another institution, organization, or person,
Taking any and all technical and administrative measures to ensure that only authorized people are able to access personal data.

Secure Deletion by a Specialist: In certain cases, the Company may employ a specialist to delete personal data on its behalf. In this case, personal data shall be securely deleted by the specialist, rendering personal data inaccessible and nonreusable by Relevant Users.
Obfuscation of Personal Data on Paper Media: This is the method of obfuscating data to prevent misuse of personal data or to delete data that are requested to be deleted by physically cutting out and removing relevant personal data from the document or rendering data illegible, covering by using indelible ink so that they cannot be recovered and read by technological solutions.
Demagnetization: Treating magnetic media with special devices, where they will be exposed to highly magnetic fields, to corrupt data on the media, rendering them unreadable.
Physical Destruction: Personal data can also be processed by non-automated means as part of any data recording system. Physical destruction system is implemented, in a manner that would render personal data from being used later, when such data are destroyed. Destruction of data on paper and microfiches are also performed in this manner because it is not possible for them to be destroyed otherwise.
Overwriting: Overwriting method involves writing random data comprising 0 and 1 at least seven times on magnetic media and rewritable optical media using special software.
Anonymization methods that do not provide value irregularity: Generalization of any personal data group, substitution, or removal of a certain data or sub-data group from the group without performing any change or addition/removal in stored personal data by means of anonymization methods that do not provide value irregularity
Variable Removal: It is the anonymization of the available data set by removal of “highly descriptive” ones from the variables in the data set, generated after accumulation of collected data, by removal of descriptive data method.
Record Removal: Retained data are anonymized by removing data rows, involving singularity among the data, from records.
Partial Hiding: If a single data has an identifying characteristic as it creates a combination with very low visibility, anonymization is ensured by hiding such data.
Lower and Upper Limit Coding: It is the anonymization of values in a data set, which contains previously determined categories, by being combined with a certain criteria by lower and upper limit coding method.
Generalization: Multiple data are aggregated with data aggregation method and personal data are transformed so that they cannot be associated with any person.
Global Coding: A more general content is generated from the content of personal data by means of data derivation method, and personal data are transformed so that they cannot be associated with any person.
Anonymization methods that provide value irregularity: Unlike anonymizations that do not provide value irregularity, those that provide value irregularity create corruption by changing certain data in personal data sets.
Adding Noise: In this method, data are anonymized by adding certain positive or negative deviations at a determined rate to data available in a data set with particularly numeric data.
Micro Combination: In micro combination method, all data are initially sorted in a meaningful order, separated into groups, their arithmetic mean is calculated, and obtained value is written in the place of relevant data in the existing group to ensure anonymization.
Data Exchange: In data exchange method, values of variables are exchanged between pairs selected from retained data.

During performance of abovementioned situations, provisions of the LPPD, Regulation, and other applicable legislation are fully observed and all necessary administrative and technical measures are taken.

12. RIGHTS OF PRIVATE PERSONAL DATA SUBJECT

In respect of personal data processed within the scope of our Company’s activities, under their rights specified in article 11 of the LPPD, the data subject is entitled to apply to our Company to;

a) find out whether their personal data was processed,

b) request pertinent information if personal data was processed,

c) find out the purpose of processing and whether personal data was purposefully used,

d) find out local and foreign third parties to whom personal data was transferred,

e) request correction of personal data if they were processed incompletely or incorrectly,

f) request deletion or destruction of personal data pursuant to the terms stipulated in article 7 of the LPPD,

g) request notification of procedures carried out pursuant to clauses (d) and (e) to third parties, to whom personal data was transferred,

h) object to an outcome against the person due to the analysis of processed data exclusively by means of automated systems,

i) request compensation if losses are incurred due to unlawful processing of personal data.

When data subjects want to exercise their rights and/or consider that the Company does not act pursuant to this Policy when it processes personal data, they may submit their requests, along with documents authenticating their identities, by completing the form on the Company’s website; forming their requests so that the conditions determined by the Authority are fulfilled and sending these to the abovementioned e-mail address, which may change from time to time; sending these to the registered e-mail address of the Company, either with an e-mail from the e-mail address that was previously notified to the Company and that is registered in the Company’s system (the e-mail address registered in the system should be checked) or with secure electronic signature or mobile signature; to the abovementioned postal address which may change from time to time; by hand with an application letter bearing an original signature; or by means of notary public; or by other methods determined by the Board, which may be added to these in the future. Current application methods and application contents should be confirmed from the legislation before application.

If data subjects submit their requests, in respect of their rights listed above, to the Company in writing, the Company shall finalize the request at the latest within thirty (30) days depending on the nature of request. If conclusion of requests by the Data Controller involves a separate cost, the Data Controller may charge fees in the tariff determined by the Personal Data Protection Board.

13. TRAINING

The Company provides necessary trainings on protection of private personal data to its employees within the scope of Company Policies and Procedures and the LPPD.

Definitions and practices regarding protection of private personal data are particularly mentioned during trainings.

If the company employee accesses personal data physically or in computer environment, the Company provides training, specific to such access (for example computer software that is used for access), to the relevant employee.

14. AUDIT

The Company is entitled to audit at all times and ex officio whether all of its employees, departments, and contractors act in compliance with this Policy and the LPPD regulations without any prior notice, and performs necessary routine audits in this scope.

15. AMENDMENTS TO THE POLICY

The Company may amend this Policy from time to time upon approval of the Board of Directors.

The Company shares the updated Policy text with its employees by e-mail or makes it available to its employees and other relevant parties on the following website so that modifications to the Policy can be reviewed.

In case of a discrepancy between the Turkish version, which this Policy was issued in, and the translation in another language published by the Company, Turkish version shall prevail.

16. EFFECTIVE DATE OF THE POLICY

Version 02 of this Policy took effect upon approval by the Company’s Board of Directors for implementation regarding all personal data processing activities of the Company as of 17/07/2025.