HAZEINFEAR POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

 

1. PURPOSE OF THE POLICY AND COMMITMENT TO PRIVACY

1.1. Protecting your fundamental rights and freedoms and privacy in the processing of your personal data, especially the privacy of your private life, and ensuring the security of your personal data within this scope are among the Company's top priorities and objectives. In this context, the principles adopted in the execution of personal data processing activities carried out by our Company within the framework of this Hazeinfear (“Hazeinfear”) (“COMPANY”) Personal Data Protection and Processing Policy (“POLICY”), and the data processing activities of our Company, especially the Personal Data Protection Law No. 6698 In this way, our Company provides the necessary transparency by informing you as personal data owners.

1.2. In this context, our Company undertakes to process and protect your personal data in accordance with the relevant legislation and this Policy, with full awareness of its responsibility.

2. SCOPE OF THE POLICY

2.1. This Policy relates to all personal data of all natural persons whose personal data are processed automatically or non-automatically, provided that they are part of any data recording system.

2.2. This Policy covers all data processing activities for the personal data that the Company processes and is applied to such activities.

2.3. This Policy does not apply to data that does not qualify as personal data.

2.4. This Policy may be changed if required by the relevant legislation or when the Company deems it necessary.

2.5. In case of inconsistency between the relevant legislative regulations and this Policy, the relevant legislative regulations are taken as basis.

 

 

3. DEFINITIONS

The definitions in this Policy have the following meanings:

“Explicit Consent”: Consent, which is based on being informed about a particular subject and expressed with free will,

“Clarification Obligation”: The obligation of the Data Controller, or the persons authorized by him/her, to provide information to the relevant persons during the acquisition of personal data, within the scope of Article 10 of the KVKK and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation of Clarification,

“Relevant Person”: Natural persons whose personal data are processed by the Company or authorized persons/institutions on behalf of the Company,

“Destruction”: Deletion, destruction or anonymization of personal data,

“Personal Data”: Any information relating to an identified or identifiable natural person (the term “Personal Data” within the scope of this Policy also includes “Special Quality Personal Data” defined below to the extent appropriate),

“Processing of Personal Data”: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, fully or partially automatically, or by non-automatic means provided that it is a part of any data recording system,

“Board”: Personal Data Protection Board,

“Institution”: Personal Data Protection Authority,

“KVKK”: Law No. 6698 on the Protection of Personal Data,

“KVK Regulations”: The KVKK together with the relevant laws and regulations, the applicable international agreements in force regarding the protection of personal data, Board decisions, Institution guides, the decisions/instructions of other regulatory and supervisory authorities, courts and other official authorities, all regulations in the field of the protection of personal data that may come into force in the future, and any changes to be made therein,

“Policy”: Hazeinfear Policy on Processing and Protection of Personal Data,

“Special Quality Personal Data”: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data,

“Data Processor”: The natural or legal person who processes personal data on behalf of the Data Controller, based on the authority given by him,

“Data Controller”: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.


 

4. BASIC PRINCIPLES OF PROCESSING PERSONAL DATA

4.1. Processing of Personal Data in Compliance with the Law and the Rules of Integrity

The Company processes personal data in accordance with the law and the rules of honesty and on the basis of proportionality. In this context, the Company processes personal data to the extent required by, and limited to, the Company's business activities.

4.2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

The Company takes all necessary measures to ensure that personal data is complete, accurate and up-to-date during the processing period. In this context, the Company establishes the necessary mechanisms to keep personal data accurate and up-to-date, and updates the relevant personal data in accordance with the change requests of the person concerned within the scope of KVK Regulations.

4.3. Processing of Personal Data for Specific, Clear and Legitimate Purposes

Before personal data is processed, the Company determines the purpose for which it will be processed. In this context, the Company clearly sets out the purposes of processing personal data and processes personal data within the scope of purposes related to its business activities. In this respect, the persons concerned are informed in accordance with the KVK Regulations and their explicit consent is obtained when necessary.

4.4. Being Relevant, Limited and Proportionate to the Purpose for Which Personal Data Is Processed

The Company collects personal data only in the quality and extent required by its business activities and processes it limited to the determined purposes. Accordingly, the Company refrains from processing personal data that is not related to the realization of the determined purposes or is not needed.

4.5. Retention of Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing

4.5.1. The Company retains personal data for the minimum period required for the purpose for which they are processed and stipulated in the relevant legislation. In this context, the Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, Personal Data is stored for the period necessary for the purpose for which they are processed.

4.5.2. At the end of the determined storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the relevant person, using the determined destruction methods (deletion and/or destruction and/or anonymization). In this case, the Company also ensures that the third parties to whom it transfers personal data delete, destroy or anonymize that personal data.

5. PROCESSING PERSONAL DATA

Personal data can only be processed by the Company within the scope of the following procedures and principles.

5.1. Explicit Consent

5.1.1. Personal data is only processed with the explicit consent of the person concerned, in the absence of any of the other personal data processing conditions listed below.

5.1.2. In this case, personal data is processed after the relevant persons have been informed in fulfillment of the Clarification Obligation and have given their explicit consent of their own free will.

5.1.3. Explicit consent from the relevant persons is obtained through methods in accordance with the KVK Regulations. Explicit consents are provably maintained by the Company for the required period of time within the scope of KVK Regulations.

5.1.4. The Company is obliged to ensure that the Clarification Obligation is fulfilled in all Personal Data processing activities, that explicit consent is obtained when necessary, and that the explicit consent obtained is retained. All employees who process personal data are obliged to comply with the Company's instructions and this Policy.

 

 

5.2. Explicit Provision in Laws

If the processing of the data subject's personal data is expressly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the personal data is processed within the scope of this data processing condition.

5.3. Inability to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility

In the event that the personal data of a person who is unable to express his or her explicit consent due to actual impossibility, or whose explicit consent is not legally valid, must be processed in order to protect the life or physical integrity of that person or of another person, the personal data of the data subject is processed within the scope of this data processing condition.

5.4. Direct Relation to the Establishment or Performance of the Contract

If the processing of personal data is necessary and directly related to the conclusion or performance of a contract to which the data subject is a party, the personal data of the data subject is processed within the scope of this data processing condition.

5.5. Fulfilling the Company's Legal Obligation

In case Personal Data processing is mandatory for the Company to fulfill its legal obligations, the personal data of the person concerned is processed within the scope of this data processing condition.

5.6. Making Personal Data of the Related Person Public

If the personal data of the data subject is made public, the relevant personal data is processed within the scope of this data processing condition for a limited purpose.

5.7. Mandatory Personal Data Processing for the Establishment or Protection of a Right

In case personal data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data subject is processed within the scope of this data processing condition.

5.8. Mandatory Personal Data Processing for the Legitimate Interest of the Company

Provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data of the data subject is processed within the scope of this data processing condition, if data processing is necessary for the legitimate interests of the Company.

 

6. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

6.1. Special Quality Personal Data is processed by the Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

6.1.1. Special Quality Personal Data excluding health and sexual life are processed without the explicit consent of the person concerned, if it is expressly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject is sought for the processing of Special Quality Personal Data other than health and sexual life.

6.1.2. Special Quality Personal Data related to health and sexual life are processed, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing, by persons under the obligation of confidentiality (e.g. workplace doctor) or by authorized institutions and organizations, without the explicit consent of the person concerned. Otherwise, the explicit consent of the data subject is sought for the processing of Special Quality Personal Data other than health and sexual life.

6.2. For employees who are involved in the processing of Special Quality Personal Data, the Company:

6.2.1. Provides regular training on KVK Regulations and the security of Special Quality Personal Data.

6.2.2. Concludes confidentiality agreements.

6.2.3. Clearly defines the scope and duration of authorization of users who are authorized to access Special Quality Personal Data.

6.2.4. Periodically performs authorization checks.

6.2.5. Immediately removes the authority of employees who have a change of duty or leave their job in this field, and immediately takes back the inventory allocated to the relevant employee.

6.3. In case Special Quality Personal Data is transferred to electronic media, the Company:

6.3.1. Preserves Special Quality Personal Data using cryptographic methods.

6.3.2. Keeps cryptographic keys secure and in different environments.

6.3.3. Securely logs the records of all operations performed on Special Quality Personal Data.

6.3.4. Constantly monitors the security updates of the environments in which Special Quality Personal Data is located, regularly performs the necessary security tests or has them performed, and records the test results.

6.3.5. If Special Quality Personal Data is accessed through software, defines user authorizations for this software, regularly performs security tests of this software or has them performed, and records the test results.

6.3.6. Provides at least a two-stage authentication system for remote access to Special Quality Personal Data.

6.4. In the event that Special Quality Personal Data is processed in a physical environment, the Company:

6.4.1. Takes adequate security measures (against electrical leakage, fire, flood, theft, etc.) according to the nature of the environment where the Special Quality Personal Data is located.

6.4.2. Prevents unauthorized entry and exit by ensuring the physical security of these environments.

6.5. In case of transfer of Special Quality Personal Data, the following applies:

6.5.1. If it is necessary to transfer Special Quality Personal Data via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail (KEP) account is used.

6.5.2. If it is necessary to transfer Special Quality Personal Data via media such as portable memory, CD or DVD, the data is encrypted by cryptographic methods and the cryptographic key is kept in a different environment.

6.5.3. If Special Quality Personal Data needs to be transferred between servers in different physical environments, a VPN is set up between the servers or the transfer is performed using SFTP.

6.5.4. If it is necessary to transfer Special Quality Personal Data via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the documents by unauthorized persons, and the document is sent in "confidential document" format.

6.6. In addition to the regulations above, the Company is responsible for taking measures and establishing mechanisms in accordance with the KVK Regulations, especially the Personal Data Security Guide published by the Board, regarding the security of Special Quality Personal Data.

 

7. PERSONAL DATA PROCESSED BY THE COMPANY AND THE PURPOSE OF PROCESSING

The Company processes personal data by informing the relevant persons in accordance with the KVK Regulations, in line with the Company's personal data processing purposes, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, and in accordance with the general principles specified in the KVKK, in particular the principles on the processing of personal data specified in Article 4 of the KVKK.

 

8. STORAGE AND DISPOSAL OF PERSONAL DATA

8.1. The Company retains personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legislation. In this context, the Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. The Company does not store personal data in any way on the basis of possible future use.

8.2. The Company creates a personal data retention and destruction policy in accordance with the personal data processing inventory and performs all its destruction (deletion and/or destruction and/or anonymization) activities in accordance with the KVK Regulations and the Personal Data Retention and Destruction Policy. At the end of the storage periods determined within the scope of the Personal Data Retention and Destruction Policy, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the relevant person, using the determined destruction methods (deletion and/or destruction and/or anonymization).

 

9. TRANSFERRING PERSONAL DATA

9.1. The Company may transfer the personal data of the persons concerned to third parties and affiliated group companies in the country in accordance with the KVK Regulations, by taking the necessary security measures, in line with its lawful personal data processing purposes. In this case, the necessary protective provisions are added to the contracts concluded with third parties.

9.2. Even without the explicit consent of the person concerned, in case one or more of the following conditions are present, personal data may be transferred by the Company to third parties by taking the necessary administrative and technical measures in accordance with the KVK Regulations:

9.2.1. The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,

9.2.2. The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,

9.2.3. The transfer of personal data is mandatory for the Company to fulfill its legal obligations,

9.2.4. Transfer of personal data by the Company in a limited manner for the purpose of making it public, provided that the personal data has been made public by the person concerned,

9.2.5. The transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company or the relevant person or third parties,

9.2.6. It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the person concerned,

9.2.7. The transfer is compulsory to protect the life or physical integrity of the person who is unable to express his or her consent due to actual impossibility, or whose consent is not legally valid, or of someone else.

 

10. TRANSFER OF SPECIAL QUALITY PERSONAL DATA

Special Quality Personal Data may be transferred by the Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

10.1. Special Quality Personal Data excluding health and sexual life are processed without the explicit consent of the person concerned, if it is expressly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject is sought for the processing of Special Quality Personal Data excluding health and sexual life.

10.2. Special Quality Personal Data related to health and sexual life are processed, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing, by persons under the obligation of confidentiality (e.g. workplace doctor) or by authorized institutions and organizations, without the explicit consent of the person concerned. Otherwise, the explicit consent of the data subject is sought for the processing of Special Quality Personal Data excluding health and sexual life.

 

11. CLARIFICATION OBLIGATION OF THE COMPANY

11.1. The Company informs the persons concerned before the processing of personal data, in accordance with Article 10 of the KVKK and the provisions of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation of Clarification. In this context, the Company informs the persons concerned about by whom, as the Data Controller, and for what purposes their personal data is processed, with whom and for what purposes it is shared, by what methods it is collected, the legal reason, and the rights of the persons concerned within the scope of the processing of their personal data.

11.2. In case the data processor is a third party other than the Company, the third party undertakes by written contract, before the personal data is processed, to act in accordance with the obligations stated above. Each employee is obliged to comply with the provisions of this Policy in case personal data is transferred to the Company by a third party.

 

12. RIGHTS OF RELEVANT PERSONS

12.1. The persons concerned have the following rights:

12.1.1. Learning whether their personal data is processed,

12.1.2. If personal data has been processed, requesting information about it,

12.1.3. Learning the purpose of processing personal data and whether they are used in accordance with their purpose,

12.1.4. Knowing the third parties to whom personal data is transferred in the country or abroad,

12.1.5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom personal data has been transferred,

12.1.6. Even though it has been processed in accordance with the provisions of the law and other relevant laws, in the event that the reasons requiring its processing have disappeared, requesting the deletion or destruction of personal data and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

12.1.7. Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

12.1.8. In case of loss due to unlawful processing of personal data, requesting the compensation of the damage.

12.2. Relevant Persons will be able to convey their requests regarding their rights listed in section 12.1 of this Policy to the Company through the methods determined by the Board. Accordingly, they will be able to use the Data Owner Application Form, which can be accessed at www.hazeinfear.com. However, in any case, the current application methods and application content should be checked in the relevant legislation before the application, and applications should be made in accordance with the aforementioned procedures and principles.

12.3. In case the relevant persons submit their requests regarding their rights listed above to the Company in writing, the Company concludes the request free of charge within 30 (thirty) days at the latest, depending on the nature of the request, in accordance with the KVK Regulations. If a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Board may be requested by the Data Controller.

 

13. PERSONAL DATA MANAGEMENT AND SECURITY

13.1. The Company takes all necessary administrative and technical measures to ensure the security of personal data in accordance with the KVK Regulations. In this context, the processing of personal data by the Company is supervised by technical systems in line with technological possibilities and implementation costs.

13.2. Personnel knowledgeable in technical matters related to the Processing of Personal Data are employed.

13.3. Company employees are informed and trained about the protection of personal data and its legal processing.

13.4. Company employees can access personal data only within the authorization defined for them and in accordance with the relevant KVK Regulations.

13.5. If the company employees suspect that the security of personal data is not adequately provided or if they detect such a security gap, they immediately notify the company.

13.6. Each person assigned a Company device is responsible for the security of the devices assigned to him/her.

13.7. Each Company employee is responsible for the security of the physical files in their area of responsibility.

13.8. In the event that there are security measures requested or to be requested additionally for the security of personal data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.

13.9. All of the personal data processed within the Company is considered as "Confidential Information" by the Company.

13.10. Company employees have been informed that their obligations regarding the security and confidentiality of personal data will continue after the termination of the business relationship, and a commitment has been received from the Company employees to comply with these rules.

 

14. AUDIT

The Company has the right to audit, regularly and ex officio, whether all employees and data processors of the Company act in accordance with the KVK Regulations and this Policy, and performs the necessary routine audits in this context.

15. CHANGES TO THE POLICY

15.1. The Company reserves the right to make changes in the Policy in line with the legal regulations.

15.2. The Company makes the updated version of the Policy available to the relevant persons via the following website address: www.hazeinfear.com