PROCESSING PERSONAL DATA AND PROTECTION POLICY

Karsac Ventilation Heating and Cooling Construction. Industry. and Commerce. Ltd. Company.

we attach utmost importance to the legal processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”), and we act with this care in all our planning and activities. With this awareness, we present this Personal Data Processing and Protection Policy (“Policy”) to your information in order to fulfill the obligation of disclosure within the scope of Article 10 of the Law and to inform you of all the administrative and technical measures we have taken within the scope of processing and protection of personal data.

The main purpose of this Policy is to make explanations about the systems for processing and protecting personal data in accordance with the law and the purpose of the Law, in this context, Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group. To inform the persons whose personal data are processed by our Company, especially Company Customers, Potential Customers and Third Parties. In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.

This Policy; automatically or by non-automatic means provided that it is a part of any data recording system, personal data, especially Company Stakeholders, Company Officials, Company Business Partners, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers and Third Parties It has been prepared for the persons whose data is processed by our Company and will be applied within the scope of these specified persons. This Policy will in no way apply to legal entities and legal entity data.

Our company informs the Personal Data Owners about the Law by publishing this Policy on its website. For the employees of our company, the Personal Data Processing Policy for Employees will be applied. This Policy will not be applied if the data is not included in the scope of "Personal Data" within the scope specified below or if the Personal Data processing activity carried out by our Company is not carried out in the above-mentioned ways.

In this context, the personal data owners within the scope of this Policy are as follows:

The terms used in this Policy have the following meanings:

This Policy, which is issued by the Company and entered into force on the date of its publication, is published on the Company's website (www.karsac.com.tr) and is made available to the relevant persons upon the request of the Personal Data Owners.

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:

Personal Data is processed in accordance with the relevant legal rules and the requirements of the honesty rule.

• It is ensured that Personal Data is accurate and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
• Personal Data; processed for specific, explicit and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it has done or the service it has provided.
• Personal Data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary for the realization of the purpose. Personal Data processed in this context are related, limited and measured for the purpose for which they are processed.
• If there is a period stipulated for the storage of data in the relevant legislation, it complies with these periods; otherwise, it retains the Personal Data only for the period necessary for the purpose for which they are processed. In the event that there is no valid reason for further preservation of Personal Data, the said data is deleted, destroyed or anonymized.

The Company does not process Personal Data without the explicit consent of the data owner. In the presence of one of the following conditions, Personal Data may be processed without seeking the explicit consent of the data owner.

The Company may process Personal Data of Personal Data Owners in cases expressly stipulated by law, even without express consent. For example; In accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought to include the name of the person on the invoice.

• Personal Data may be processed without explicit consent in order to protect the life or bodily integrity of the person or another person who are unable to express their consent due to actual impossibility or whose consent cannot be validated. For example, in a situation where the person's consent is not valid due to unconsciousness or mental illness, the Personal Data of the Personal Data Owner may be processed during medical intervention in order to protect the integrity of life or body. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
• Personal Data of the parties to the contract may be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a contract made, the account number of the creditor can be obtained for the payment of money.
• The Company may process the Personal Data of the Personal Data Owners if it is necessary to fulfill its legal obligations as a data controller.
• Personal Data made public by the Personal Data Owners by the Company, in other words, disclosed to the public in any way, can be processed because the legal benefit that needs to be protected is no longer valid.
• The Company may process the Personal Data of the Personal Data Owners without seeking explicit consent, in cases where data processing is necessary for the exercise or protection of a legally legitimate right.
• The Company may process the Personal Data of the Personal Data Owners in cases where it is necessary to process the Personal Data for their legitimate interests, provided that the fundamental rights and freedoms of the Personal Data Owners are protected under the Law and Policy. The Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of the Personal Data Owners.

The Company does not process Sensitive Personal Data without the explicit consent of the person concerned. However, Personal Data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal Data regarding health and sexual life are only processed by the Company for the purposes of protecting public health, performing preventive medicine, medical diagnosis and treatment and care services, planning and managing health services and financing, without seeking the explicit consent of the person concerned, under the conditions under which we are under a confidentiality obligation. The Company carries out the necessary actions to take adequate measures determined by the Board in the processing of Private Personal Data.

Our company may transfer Personal Data of Personal Data Owners and Private Personal Data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, our Company, based on and limited to one or more of the Personal Data processing conditions listed below, specified in Article 5 of the Law, in line with the legitimate and lawful Personal Data processing purposes.

Personal Data to third parties:

• If the Personal Data owner has express consent;
• If there is a clear regulation in the law regarding the transfer of Personal Data, if it is necessary for the protection of the life or physical integrity of the Personal Data owner or someone else, and
• If the Personal Data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid,
• If it is necessary to transfer the Personal Data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If Personal Data transfer is mandatory for our company to fulfill its legal obligation,
• If the Personal Data has been made public by the Personal Data owner,
• If Personal Data transfer is necessary for the establishment, exercise or protection of a right,
• Provided that the fundamental rights and freedoms of the Personal Data owner are not harmed, Personal Data may be transferred if it is necessary for the legitimate interests of our Company.

Our company may transfer the Personal Data and Special Quality Personal Data of the Personal Data Owners to third parties abroad by taking the necessary security measures in line with the Personal Data processing purposes. Personal Data by our Company; It can be transferred to foreign countries that are declared to have sufficient protection by the KVK Board or, in the absence of sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and where the permission of the KVK Board is available.

The company, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In accordance with the legitimate and lawful Personal Data processing purposes, it can transfer the Personal Data of the Personal Data Owner to third parties in the following cases.

The company, by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In accordance with the legitimate and lawful Personal Data processing purposes, it can transfer the Personal Data of the Personal Data Owner to foreign countries where the data controller has sufficient protection or undertakes to provide adequate protection in the following cases.

(i) In case of explicit consent of the Personal Data Owner, or

(ii) In the presence of the following conditions, without seeking the explicit consent of the Personal Data Owner;

•  Sensitive Personal Data (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, criminal conviction and data related to security measures, biometric and genetic data), in cases stipulated by law,
• Persons who are under the obligation to keep confidential for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, or by authorized institutions and organizations.

Before the company; In line with the Company's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law, the general principles specified in the Law, primarily the principles specified in Article 4 regarding the processing of personal data. Personal data in the categories specified below, limited to the subjects within the scope of this Policy, are processed by informing the relevant persons in accordance with Article 10 of the Law. It is also stated in this section that the personal data processed in these categories are related to which data owners are regulated within the scope of this Policy.

The type of Personal Data of the Personal Data Owners specified in the article (1.3.) of Section 1 of the Policy is specified in the table below:

Personal Data; in accordance with the law and the purpose of the Law,

• Planning and implementing human resources policies in the best way,
• Accurate planning, execution and management of commercial partnerships and strategies,
• Ensuring the legal, commercial and physical security of itself and its business partners,
• Ensuring corporate functioning, planning and execution of management and communication activities,
• Making the best use of the products and services of the Personal Data Owners and recommending them by customizing them according to their demands, needs and wishes,
• Ensuring the highest level of data security,
• Creation of databases,
• Improving the services offered on the website and eliminating the errors that occur on the website,
• Communicating with the Personal Data Owners who forwarded their requests and complaints to him and ensuring the management of requests and complaints,
• event management,
• Management of relations with business partners or suppliers,
• Execution of personnel procurement processes,
• Supporting Group Companies' personnel procurement processes and compliance with the relevant legislation,
• Planning and execution of audit activities in order to ensure that the activities of the Group Companies are carried out in accordance with the relevant legislation,
• Supporting the planning and execution of fringe benefits and benefits to be provided to him and the senior executives of the Group Companies,
• Supporting Group Companies in the realization of company and partnership law transactions,
• Execution/follow-up of financial reporting and risk management transactions,
• Execution/follow-up of company legal affairs,
• Carrying out studies to protect its reputation,
• Managing investor relations,
• Giving information to authorized institutions based on legislation,
• Creating and tracking visitor records.

It is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to its purposes. If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, your express consent is obtained by the Company regarding the relevant processing process.

Your Personal Data; In accordance with the law and the purpose of the Law, it can be transferred to the following categories of persons governed by the Policy for the following purposes:

For the purpose of checking the compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law, Personal Data; in all kinds of verbal, written, electronic media; It is collected through technical and other methods, in various ways such as call center, Company website, mobile application, in order to fulfill the responsibilities arising from the law completely and accurately within the framework of legal reasons based on legislation, contract, demand and request in order to achieve the purposes stated in the Policy, and It is processed by the Company or data processors appointed by the Company.

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, although the Company has processed it in accordance with the provisions of this Law and other laws, in the event that the reasons for its processing disappear, ex officio or the data owner. deletes, destroys or anonymizes at its request. With the deletion of Personal Data, this data is destroyed in such a way that it cannot be used again in any way and cannot be restored. Accordingly, Personal Data is deleted from the tools such as documents, files, CDs, floppy disks, hard disks in which they are registered, in a way that cannot be recycled. Destruction of Personal Data, on the other hand, means the destruction of materials suitable for data storage such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved or used again. By anonymizing the data, it is meant that the Personal Data cannot be associated with an identified or identifiable natural person, even if it is matched with other data.

The Company stores Personal Data for the period specified in this legislation, if it is stipulated in the legislation. If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for a period of time that requires it to be processed in accordance with the Company's practices and commercial life practices, depending on the activity carried out while processing that data, and then deleted, destroyed or anonymized. is brought.

The purpose of processing personal data has ended; if the relevant legislation and the retention periods determined by the Company have also come to an end; Personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. Despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the periods herein, retention periods are determined based on the examples previously submitted to the Company on the same issues. In this case, the stored personal data is not accessed for any other purpose, and only when necessary to use it in the relevant legal dispute, access to the relevant personal data is provided. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

The Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that Personal Data is processed in accordance with the law.

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the reckless or unauthorized disclosure, access, transfer or any other unlawful access to Personal Data.

The Company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost in order to keep the Personal Data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

The Company observes all legal rights of Personal Data Owners with the implementation of the Policy and Law and takes all necessary measures to protect these rights. Detailed information on the rights of Personal Data Owners is given in the sixth section of this Policy.

The law attaches special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. The Company pays maximum attention to the protection of special quality Personal Data, which is determined as "special quality" by the law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are also implemented with the utmost care in terms of Special Quality Personal Data, and the necessary audits are provided within the Company in this regard.

The Company informs the Personal Data Owners during the acquisition of Personal Data in accordance with Article 10 of the Law. In this context, if any, it clarifies the identity of the Company representative, for what purpose the Personal Data will be processed, to whom and for what purpose the processed Personal Data can be transferred, the method of collecting Personal Data and the legal reason, and the rights of the Personal Data Owner.

The Company informs you of your rights in accordance with Article 10 of the Law; It provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. The Company, in accordance with Article 11 of the Law, to the persons whose Personal Data is received;

• Learning whether Personal Data is processed or not,
• If Personal Data has been processed, requesting information about it,
• Learning the purpose of processing Personal Data and whether they are used in accordance with its purpose,
• Knowing the third parties to whom Personal Data is transferred in the country or abroad,
• Requesting correction of Personal Data if it is incomplete or incorrectly processed,
• Requesting the deletion or destruction of Personal Data within the framework of the conditions stipulated in Article 7 of the Law,
• Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• Requesting the compensation of the damage in case of loss due to unlawful processing of Personal Data

 explains that they have rights.

Since the following cases are excluded from the scope of the Law pursuant to Article 28 of the Law, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy in the following cases:

• Processing of Personal Data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
• Processing Personal Data for purposes such as research, planning and statistics by making it anonymous with official statistics.
• Processing of Personal Data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
• Processing of Personal Data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
• Processing of Personal Data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

 Pursuant to article 28/2 of the Law; In the cases listed below, Personal Data Owners cannot claim their rights listed in article (6.2.) of this Policy, except for the right to demand the compensation of the damage:

• The processing of Personal Data is necessary for the prevention of crime or for criminal investigation.
• Processing of personal data made public by the Personal Data Owner.
• Personal Data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.
• The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

Personal Data Owners can submit their requests regarding their rights listed in article (6.2.) of this Policy to the Company free of charge by filling in and signing the Application Form, which you can access from the "Application Form" link, with the information and documents that will identify their identities and with the methods specified below or other methods determined by the KVK Board. They can transmit as:

• After the application form is filled, a wet signed copy can be sent to GEBZE DİLOVASI OSB MAHALLESİ D-3001 SK. NO:3/1 GEBZE / KOCAELİ address.

• It can be signed with a secure electronic signature and sent to the registered e-mail address of the Company via e-mail "This email address is being protected from spambots. You need JavaScript enabled to view it.".

 In order for third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.

The company concludes the requests included in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the said transaction requires an additional cost, the fee in the tariff determined by the KVK Board may be charged. The company may accept the request or reject it by explaining the reason; gives its answer in writing or electronically. In case the request in the application is accepted, the Company fulfills the requirements of the request.

In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time; The data owner has the right to file a complaint with the KVK Board within thirty days from the date of learning the answer and in any case within sixty days from the date of application.

The Company reserves the right to make changes in this Policy and other related and related policies in line with the changes made in the Law, in accordance with the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics.

Changes made in this Policy are immediately processed in the text and explanations regarding the changes are announced at the end of the Policy.