Personal Data Processing Policy

1. INTRODUCTION

DERCE AŞ. attaches great importance to protecting the personal data of its customers, employees and other real persons with whom it has a relationship. The process and purpose targeted by this Policy and the other written Policies within DERCE AŞ. is the lawful processing and protection of the personal data of our Customers, Potential Customers, Employees, Candidates, Visitors, Employees of the Institutions We Collaborate with, DERCE AŞ. employees and Third Parties.

In this context, necessary administrative and technical measures are taken by DERCE AŞ. for the processing and protection of personal data in accordance with the Law No. 6698 and the relevant legislation.

In this Policy, the following basic principles adopted by DERCE AŞ. for the processing of personal data will be explained:

  • Processing personal data within the scope of consent,
  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, limited and measured,
  • Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed,
  • Enlightening and informing personal data owners,
  • Creating the necessary infrastructure for personal data owners to exercise their rights,
  • Taking necessary measures for the protection of personal data,
  • Acting in accordance with the relevant legislation and KVK Board regulations when determining and implementing the purposes of processing personal data and transferring them to third parties,
  • Special regulation of the processing and protection of sensitive personal data

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to explain the personal data processing activity carried out by DERCE AŞ. in accordance with the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing our customers, employees, employee candidates, visitors, customers whose personal data have been obtained through dealers and customers, and the shareholders, employees and third parties of the institutions we cooperate with.

3. SCOPE OF THE POLICY

This Policy relates to all personal data of our customers, employees, employee candidates, visitors, customers whose personal data are obtained through dealers and customers, employees of institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system.

4. ENFORCEMENT OF THE POLICY

This Policy, issued by DERCE AŞ., was put into effect on 01/01/2019. This Policy is published on the website of DERCE AŞ. (www.derce.com.tr) and made available to the relevant persons upon the request of the personal data owners.

5. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, DERCE AŞ. takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and in this context it carries out the necessary inspections or has them carried out.

5.1. Measures Taken to Ensure Legal Processing of Personal Data

DERCE AŞ. takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law.

5.1.1. Technical Measures

The main technical measures taken by DERCE AŞ. to ensure the legal processing of personal data are listed below:

  • Personal data processing activities carried out within the body of DERCE AŞ. are audited by established technical systems.
  • The technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism.
  • Technical departments have been established and knowledgeable personnel are employed.

5.1.2. Administrative Measures

Administrative measures taken by DERCE AŞ. for the legal processing of personal data:

  • DERCE AŞ. employees, dealers and customer employees are informed and trained on the law of protection of personal data and the processing of personal data in accordance with the law.
  • All personal data processing activities carried out by DERCE AŞ. are carried out in accordance with the personal data inventory and its annexes, created by analyzing all business units in detail.
  • The obligations to be fulfilled in order to ensure that the personal data processing activities carried out by the relevant departments of DERCE AŞ. comply with the personal data processing requirements sought by the KVKK are bound to the written Policy, policies and procedures by DERCE AŞ.; each business unit has been informed about this issue, and the points to be considered specific to the activity it carries out have been determined.
  • The control and management of the personal data security of the departments is organized by the Information Security Unit. Awareness is created in order to ensure the legal requirements determined on the basis of the business unit, and the necessary administrative measures are implemented through internal policies, policies and procedures and trainings to ensure the supervision of these issues and the continuity of the implementation.
  • Service agreements and related documents between DERCE AŞ. and its employees include information and data security records regarding personal data, and additional protocols are made. Studies have been carried out to create the necessary awareness for employees in this regard.

5.1.3. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

In order to prevent the disclosure, access or transfer of personal data by reckless or unauthorized persons, data leaks within DERCE AŞ. systems and all other unlawful access, DERCE AŞ. takes technical and administrative measures according to the class and quality of the data to be protected, technological possibilities and implementation cost.

5.1.4. Technical Measures

The main technical measures taken by DERCE AŞ. to prevent unlawful access to personal data are listed below:

  • New technological developments are followed and technical measures are taken on systems, especially in the field of cyber security, and the measures taken are periodically updated and renewed.
  • Access and authorization technical solutions are implemented within the framework of legal compliance requirements determined for each department.
  • Access authorizations are limited and authorizations are reviewed regularly. Access restrictions are applied to ex-employees and accounts are closed.
  • The technical measures taken in accordance with the internal functioning of DERCE AŞ. are reported to the relevant users, and the necessary technological solutions are produced by re-evaluating the risky issues.
  • Software and hardware, including virus protection systems, firewalls and Data Vulnerability security, are installed.
  • Personnel knowledgeable in technical matters are employed.
  • In order to detect security vulnerabilities in applications where personal data is collected, applications are regularly subjected to external impact tests and the gaps found according to the results of this test are closed.

5.1.5. Administrative Measures

  • Employees, dealers and customers, especially relevant users who process personal data, and all personnel are trained on administrative measures to prevent unlawful access to personal data.
  • Considering the personal data processing processes on a departmental basis, legal compliance, access to personal data and authorization processes are implemented within the company.
  • In the contracts signed between DERCE AŞ. and the employees, the scope of the personal data processing activity in accordance with the law is explained and there are commitments to act in accordance with these issues.
  • Provisions are added to the contracts concluded by DERCE AŞ. with the persons to whom personal data are transferred in accordance with the law, stating that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.

5.2 Supervision of the Measures Taken on the Protection of Personal Data

DERCE AŞ. has a Personal Data Privacy Manager. In accordance with the duty arising from Article 12 of the Law, the Personal Data Confidentiality Manager, on behalf of DERCE AŞ., which is the data controller, carries out the necessary audits in its own institution or organization in order to ensure the implementation of the provisions of the Law, and has them carried out with support from competent institutions when needed. According to the results of this audit, the detected violations, negativities and non-compliances are reported to the board of directors, and the board of directors takes the necessary measures regarding these issues. In the case of outsourcing by DERCE AŞ. due to technical requirements regarding the storage of personal data, in the contracts concluded with the relevant companies to which the personal data is transferred in accordance with the law; persons to whom personal data is transferred,

6. RIGHTS AND REQUESTS OF THE PERSONAL DATA OWNER

In accordance with Article 13 of the KVK Law, DERCE AŞ., as the data controller, has established a personal data application and response procedure as an annex to the personal data inventory, together with a written template for applications that do not meet the application conditions specified in the law. Technical preparations have been made in order to carry out the necessary actions in accordance with these procedures. DERCE AŞ. has a systemic infrastructure to ensure the implementation of this procedure.

Where personal data owners submit requests regarding their rights to DERCE AŞ. by personal application with ID presentation, in writing, by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified to DERCE AŞ. by the relevant person and registered in the DERCE AŞ. system, or through a software or application developed for the purpose of application, in a form in which their identities can be verified, DERCE AŞ. will respond to the request free of charge within thirty days at the latest, depending on the nature of the request.

If the response to the application is given in a recording medium such as a CD or flash memory, a fee may be charged equal to the cost of the recording medium.

With the application they make in accordance with this procedure, personal data owners will be able to claim all the rights in the relevant article of the law, including all processing processes, purposes and transfer information of their personal data.

7. PROTECTION OF PRIVATE PERSONAL DATA

With the KVK Law, special importance is attached to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

DERCE AŞ. acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the KVK Law and processed in accordance with the law. In this context, technical and administrative measures taken by DERCE AŞ. for the protection of personal data are carefully implemented in terms of special quality personal data and necessary audits are provided within DERCE AŞ.

In this context, due to the workplace medicine service provided by DERCE AŞ., the health data of the employees are processed and the personnel who can access these special quality personal data are given the necessary training, the scope and duration of the access authorization of these personnel are determined, periodic audits are carried out and confidentiality agreements are signed. If the relevant personnel leaves the job, the access authorization is immediately revoked.

The physical files containing the personal health data of the employees, which are physically stored in the health files, are locked and stored in areas accessible only to the infirmary personnel. No unit other than the infirmary personnel can access the health data of the employees.

8. TRAINING OF DERCE AŞ. EMPLOYEES AND DEALER EMPLOYEES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

DERCE AŞ. provides the necessary trainings to its employees and dealers in order to prevent the illegal processing of personal data, illegal access to the data, and to raise awareness to ensure data protection.

9. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 4 of the KVK Law, DERCE AŞ. engages in personal data processing activities in accordance with the law and the rules of honesty; accurately and up-to-date where necessary; for specific, clear and legitimate purposes; and in a manner connected, limited and measured for those purposes. DERCE AŞ. preserves personal data for as long as required by law or for the purpose of processing personal data. Personal information of DERCE AŞ., its customers, employees, dealer and customer employees, visitors, supplier company employees and third parties; (identification information (name, surname, TR identity number, gender, age, date of birth,) contact information (e-mail address, telephone number, address information, IP address), vehicle characteristics, license information, chassis information,

DERCE AŞ. informs the data owners in accordance with Article 10 of the KVK Law, requests their consent in cases where consent is required, and processes these personal data on the basis of the following criteria.

9.1. Processing in Compliance with Law and Integrity

DERCE AŞ. acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. Pursuant to the principle of honesty, DERCE AŞ. considers the interests and reasonable expectations of the persons concerned while trying to achieve its goals in data processing.

9.2. Ensuring Personal Data Is Accurate and Up-to-Date When Necessary

Keeping personal data accurate and up-to-date is necessary for DERCE AŞ. to protect the fundamental rights and freedoms of the person concerned. DERCE AŞ. has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, DERCE AŞ. keeps all its communication channels open in order to keep the information of the data owner accurate and up-to-date.

9.3. Processing for Specific, Explicit, and Legitimate Purposes

DERCE AŞ. determines the legitimate and lawful purpose of processing personal data clearly and precisely. DERCE AŞ. processes personal data in connection with the commercial activity it carries out and as necessary for these.

9.4. Being Related to the Purpose for which they are Processed, Limited and Measured

DERCE AŞ. operates within the scope of its field of activity and for the purposes necessary for the conduct of its business. For this reason, DERCE AŞ. processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.

9.5. Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation

DERCE AŞ. retains personal data only for as long as specified in the relevant legislation or required for the purpose for which they are processed. In this context, DERCE AŞ. first determines whether a period is foreseen for the storage of personal data in the relevant legislation; if a period is determined, it acts in accordance with this period. DERCE AŞ. relies on the retention periods in the personal data inventory, and at the end of the periods specified there, personal data is deleted, destroyed or anonymized according to the nature of the data and the purpose of use, within the framework of the obligations under the Law.

10. PROCESSING OF DATA COLLECTED BY DERCE AŞ. DEALERS AND CUSTOMERS BY DERCE AŞ.

Within the scope of its activities, DERCE AŞ. enters into contractual relations with DEALERS and CUSTOMERS and carries out sales and after-sales services through these people. In this context, the personal data of a significant portion of DERCE AŞ. customers are obtained from the real persons who are data subjects through the DEALERS and CUSTOMERS, by fulfilling the obligation of disclosure and obtaining their consent, and are transferred to DERCE AŞ. In order to carry out the business, these data can be processed by both DERCE AŞ. and the DEALERS and CUSTOMERS. In the event that the relationship between DERCE AŞ. and the DEALERS and CUSTOMERS regarding personal data sharing takes place in the form of personal data transfer from the data processor to the data controller within the scope of the KVK Law, the relevant DEALER or CUSTOMER shall, at the stage of collecting the personal data of the relevant person, clarify that these personal data can be sent to DERCE AŞ. DERCE AŞ. evaluates the collection of personal data on its own behalf, informs DEALERS and CUSTOMERS on this matter, provides the necessary training and ensures that contracts prepared in line with the KVKK, which regulate the rights and obligations of the parties, are signed.

11. DISCLOSURE AND INFORMATION OF THE PERSONAL DATA OWNER

In accordance with Article 10 of the KVK Law, DERCE AŞ. informs Personal Data Owners during the acquisition of personal data. In this context, taking into account the nature of the data owner and the data processing process, DERCE AŞ. provides clarification regarding the identity of the data controller, the identity of the representative, if any, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the personal data owner. In this context, clarification texts have been placed in the areas of the Dealer that customers can easily see. Along with this policy, the customer clarification text, cookie policy and application form have also been published on the DERCE AŞ. websites.

12. TRANSFER OF PERSONAL DATA

DERCE AŞ. can transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Personal data can be transferred by DERCE AŞ. to foreign countries that are declared to have adequate protection by the KVK Board or, in the absence of sufficient protection, to foreign countries where data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and where the permission of the KVK Board is available. The reasons for the transfer are explained below:

  • If there is a clear regulation in the law regarding the transfer of personal data,
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is necessary for DERCE AŞ. to fulfill its legal obligation,
  • If personal data transfer is necessary for the establishment, exercise or protection of a right,
  • If personal data transfer is necessary for the legitimate interests of DERCE AŞ., provided that it does not harm the fundamental rights and freedoms of the personal data owner.

13. DERCE AŞ. PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

At DERCE AŞ., in line with the legitimate and lawful personal data processing purposes of DERCE AŞ., personal data in the specified categories are processed by informing the relevant persons. This processing is based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law; complies with the general principles set forth in the KVK Law, in particular the principles specified in Article 4 regarding the processing of personal data, and with all obligations regulated in the KVK Law; and is limited to the personal data owners within the scope of this Policy (Dealers, Customers, Employees, Visitors, Third Parties, Employee Candidates, Employees of the Institutions We Collaborate with, DERCE AŞ. affiliated companies).

DERCE AŞ. has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which data is transferred, and retention periods. In this context, the following data categories exist within DERCE AŞ., without being limited to these.

| PERSONAL DATA CATEGORY | PERSONAL DATA CATEGORY DESCRIPTION |
| --- | --- |
| Identity Data | It is the data group that can be used to reach the person (Phone, address, e-mail, fax number, IP address). |
| Communication Data | It is the data group that contains information about the person's identity (Name, surname, TCKN, mother's name, father's name, place of birth, date of birth, gender, wallet serial number, identity photocopy, tax no, social security number, nationality data, marriage certificate photocopy/scan, employee card). |
| Health Data | It is the data group that contains the health information of the person (blood type, medical history, check-up result, consultation report, diet form). |
| Vehicle Data | It is the data group containing the vehicle information of the person (Plate number, chassis number, engine number, license information). |
| Location Data | It is the data group that contains the location data of the person (GPS location). |
| Audio/Visual Data | It is the data group that contains the visual and audio data of the person (Photo, sound recording, camera recording, driver's license photocopy/scan, ID photocopy/scan, passport photocopy/scan). |
| Digital Trace Data | It is a data group (Log) that contains digital traces that are formed as a result of processing personal information. |
| Financial Data | It is the data group containing the financial information of the person (bank account number, IBAN number, card information, bank name, financial profile, mail order form, credit rating). |
| Biometric/Genetic Data | It is the data group that contains the biometric/genetic data of the person (Fingerprint, genetic information, vein print). |
| Professional Data | It is the data group that contains the information about the profession of the person (information of the institution where he/she works, registry of the professional chamber). |
| Training Data | It is the data group that contains the education data of the individual (Diploma grade, diploma photocopy/scan). |
| Asset Data | It is the data group that contains the assets owned by the person (Deed photocopy/scan, vehicle license photocopy/scan). |
| Travel Data | It is the data group that contains the information of the person's travels (flight information, boarding pass, tour route, mile card number, accommodation data). |
| Company Data | Sole proprietorship data (Company address). |
| Race/Religion | It is the data group that contains the data about the origin and belief of the person (racial/religious knowledge). |
| Association membership information | It is the data group that contains the member and association information of the person (All association memberships). |
| Visa/Passport Data | It is the data group that contains the visa/passport information of the person (Visa information, passport photocopy/scan). |
| Clothing Data | It is the data group that contains the distinctive features of the person's clothing (Clothing purchase history, distinctive clothing worn). |
| Sanctions Data | It is a data group regarding the sanctions received in the past of the person (Criminal Proceedings, Criminal Record, Disciplinary Record). |

14. PURPOSE OF PROCESSING PERSONAL DATA

DERCE AŞ. processes personal data limited to the purposes and conditions specified in the personal data processing conditions specified in the 2nd paragraph of the 5th article of the KVK Law and the 3rd paragraph of the 6th article.

  • Performance of after-sales services,
  • Product sales,
  • Fulfilling the requirements of dealership contracts,
  • Execution of collection transactions including mail order and transfer order,
  • For customers: providing various advantages through product-service promotion, information, personalized advertisements, campaigns and other benefits, sending commercial electronic messages within the framework of loyalty programs, surveys and tele-sales applications, statistical analysis,
  • Performing after-sales services such as damage management, and evaluation with the aim of tracking damages,
  • Carrying out studies to improve service quality and providing better service,
  • Issuing invoices for our services,
  • Outsourcing of services,
  • Presenting the benefits of specialized institutions to customers in order to receive services and technology services on subjects that are not in their area of expertise,
  • Identity verification,
  • Answering questions and complaints,
  • Taking the necessary technical and administrative measures within the scope of data security,
  • Providing financial reconciliation regarding the products and services offered with the relevant business partners and other third parties,
  • Providing the necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities,
  • Preserving the information regarding the data that must be kept in accordance with the relevant legislation,
  • Ensuring the control of the consistency of the information,
  • Measuring customer satisfaction,
  • For employees: creation of a personal file, determination of whether the employee is capable of fulfilling the requirements of the job continuously, making private health insurance, creating a health file, taking occupational safety measures
  • Harmonization of DERCE AŞ. operation and policies with Dealer operations and policies in the dealer chain
  • Using the data received through the website or social media channels for marketing purposes through third party agencies
  • DERCE AŞ. marketing activities
  • Fulfillment of legal obligations
  • Supporting the personnel procurement processes of dealer companies
  • Execution/follow-up of DERCE AŞ. financial reporting and risk management transactions
  • Execution/follow-up of DERCE AŞ. legal affairs
  • Creating and tracking visitor records

15. PERSONAL DATA STORAGE PERIOD

DERCE AŞ. keeps personal data for the period specified in these legislations, if stipulated in the relevant laws and regulations.

If a period of time is not regulated in the legislation regarding how long personal data should be kept, the personal data is stored for the period that the practices of DERCE AŞ. and the practices of the industry require, depending on the activity carried out by DERCE AŞ. while processing that data, and is then deleted, destroyed or anonymized by DERCE AŞ. according to the nature of the data, in accordance with the relevant Policy created.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and DERCE AŞ. have come to an end, personal data can only be stored to provide evidence in possible legal disputes, to assert the right related to personal data or to establish a defense. In establishing the periods herein, retention periods are determined based on the statute of limitations for asserting the right mentioned and on the examples in previous requests made to DERCE AŞ. on the same issues despite the expiry of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access is provided only when it is necessary to use it in the relevant legal dispute.

16. THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY DERCE AŞ. AND THE PURPOSE OF TRANSFERRING

DERCE AŞ. notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the KVK Law.

DERCE AŞ. may transfer the personal data of data subjects managed by this Policy to the following categories of persons in accordance with Articles 8 and 9 of the KVK Law:

  • DERCE AŞ. business partners,
  • Banks and insurance companies,
  • Travel agents,
  • Institutions and organizations that provide health services to employees,
  • Hotels,
  • Education companies,
  • DERCE AŞ. Dealers and Customers,
  • DERCE AŞ. suppliers,
  • DERCE AŞ. company officials,
  • Legally authorized public institutions and organizations.

The transfer scope and data transfer purposes are stated below.

| Persons to whom Data Transfer can be made | Definition | Data Transfer Purpose |
| --- | --- | --- |
| Business partner | It defines the parties such as the Dealer and the Customer, with which DERCE AŞ. has established business partnerships for purposes such as carrying out various projects and receiving services while carrying out its commercial activities. | It is transferred on a limited basis in order to ensure the fulfillment of the purposes for which the business partnership was established. |
| Supplier | It defines the parties that provide services to DERCE AŞ. on a contractual basis, in accordance with DERCE AŞ. orders and instructions, while carrying out the commercial activities of DERCE AŞ. | It is transferred on a limited basis in order to provide DERCE AŞ. with the services that DERCE AŞ. outsourced from the supplier and which are necessary to carry out the commercial activities of DERCE AŞ. |
| Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from DERCE AŞ. in accordance with the provisions of the legislation. | It is transferred for a limited purpose in cases where public institutions and organizations demand and provide a legal basis. |

17. PROCESSING OF PERSONAL DATA

17.1. Processing of Personal Data

The express consent of the personal data owner is only one of the legal bases that makes it possible to process personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of one of the conditions specified in the law. The basis of the personal data processing activity can be only one of the conditions stated below, or more than one of these conditions can be the basis of the same personal data processing activity.

| Processing Conditions | Scope | Sample |
| --- | --- | --- |
| Provision of Law | Tax Legislation, Labor Legislation, Trade Legislation etc. | Personal information of the employee must be kept in accordance with the legislation. |
| Performance of Contract | Employment Contract, Contract of Sale, Contract of Carriage, Contract of Work etc. | Registering the company's address information for delivery. |
| Actual Impossibility | A person who cannot give consent due to actual impossibility, or who does not have the power to discern. | Contact or address information of the unconscious person. Location information of a kidnapped person. |
| Legal Responsibility of Data Controller | Financial Audits, Security Legislation, Compliance with Sector-Oriented Regulations. | Sharing information in audits specific to areas such as Banking, Energy, Capital Markets. |
| Making Public | The person concerned submits his/her information to the public. | Announcement of the contact information of the person to be reached in case of emergency. |
| Establishment, Protection, Use of Right | Filing a lawsuit, registration procedures, all kinds of title deeds, etc. mandatory data to be used in business. | Retention of necessary information about an employee leaving the job for the duration of the lawsuit. |
| Legitimate Interest | Provided that the fundamental rights of the data owner are not harmed, data may be processed if it is necessary for the legitimate interest of the data controller. | Data processing for the purpose of applying rewards and bonuses that increase employee loyalty. |

18. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT AT DERCE AŞ. FACTORY BUILDING ENTRANCES AND INSIDE THE BUILDING

In order to ensure security, DERCE AŞ. carries out personal data processing activities for monitoring the entrance and exit of guests with security cameras in the buildings and facilities of DERCE AŞ.

Personal data processing is carried out by DERCE AŞ. by using security cameras and recording guest entries and exits.

Within the scope of the monitoring activity with security cameras, DERCE AŞ. aims to protect the interests of the company and other persons and to ensure their safety. This monitoring activity is carried out in accordance with the KVK Law, the Law on Private Security Services and the relevant legislation. In this context, the fact that camera monitoring is performed is announced to all employees and visitors, and people are informed. Notifications are posted at the entrances of the monitoring areas. Necessary technical and administrative measures are taken by DERCE AŞ. to ensure the security of personal data obtained as a result of camera monitoring in accordance with Article 12 of the KVK Law.

18.1. TRACKING OF GUEST ENTRIES AND EXITS AT DERCE AŞ. BUILDING AND FACILITY ENTRANCES AND INSIDE

For the purpose of ensuring security and for the other purposes specified in this Policy, DERCE AŞ. carries out personal data processing activities for the tracking of guest entries and exits at DERCE AŞ. buildings and facilities. Personal data owners are informed in this context while the identity data of the people who come to the DERCE AŞ. premises as guests is being obtained, or through the texts posted by DERCE AŞ. or made available to the guests in other ways. The data obtained for the purpose of tracking guest entry and exit is processed only for this purpose, and the relevant personal data is recorded in the data recording system in the physical environment.

18.2. KEEPING RECORDS REGARDING THE INTERNET ACCESS PROVIDED TO OUR VISITORS AT DERCE AŞ. FACILITIES

For the purpose of ensuring security and for the other purposes specified in this Policy, DERCE AŞ. can provide internet access to Visitors who request it during their stay in our buildings and facilities. In this case, log records of this internet access are kept in accordance with Law No. 5651 and the prevailing provisions of the legislation regulated in accordance with this Law. These records are only processed if requested by authorized public institutions and organizations or in order to fulfill our legal obligations in the audit processes to be carried out within DERCE AŞ.

19. TERMS OF DISPOSAL (DELETION, DESTRUCTION AND ANONYMIZATION) OF PERSONAL DATA

In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the “Regulation on the Deletion, Destruction and Anonymization of Personal Data” issued by the Institution, personal data that has been processed in accordance with the provisions of the relevant law is deleted, destroyed or anonymized upon DERCE AŞ.'s own decision or upon the request of the personal data owner, in the event that the reasons requiring its processing are eliminated. DERCE AŞ. has created a Policy on this subject in accordance with the provisions of the regulation, and destruction is carried out under this Policy according to the nature of the data. In accordance with this regulation, periodic destruction dates have been determined by DERCE AŞ., and a calendar has been established according to which periodic destruction will be carried out at various intervals from the commencement of the obligation.

20. RIGHTS OF PERSONAL DATA OWNERS; USE OF THESE RIGHTS

DERCE AŞ. informs personal data owners of their rights in accordance with Article 10 of the KVK Law and guides them on how to use the rights regulated in Article 11. DERCE AŞ. evaluates the rights of personal data owners and, in order to provide them with the necessary information, maintains the necessary channels, internal functioning, and administrative and technical arrangements in accordance with Article 13 of the KVK Law.

20.1. RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

20.1.1. Rights of Personal Data Owner

Personal data owners have the following rights:

  • Learning whether personal data is processed or not,
  • If personal data has been processed, requesting information about it,
  • Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing are eliminated, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
  • Objecting to this result if a result against the person arises by analyzing the processed data exclusively through automated systems,
  • Requesting compensation for the damage in case of loss due to unlawful processing of personal data.

20.1.2. Circumstances in which the Personal Data Owner cannot assert his rights 

Personal data owners cannot claim their rights listed in 20.1.1. in these matters, since the following cases are excluded from the scope of KVK Law in accordance with Article 28 of the KVK Law:

  1. Processing personal data for purposes such as research, planning and statistics by anonymizing them through official statistics.
  2. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  3. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  4. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the KVK Law, in the cases listed below, personal data owners cannot claim their other rights listed in 20.1.1., except for the right to demand the compensation of the damage:

  1. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  2. Processing of personal data made public by the personal data owner himself.
  3. Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.
  4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

20.1.3. Exercise of Personal Data Owner's Rights

Personal Data Owners will be able to submit their requests regarding their rights specified in this POLICY to DERCE AŞ. free of charge, with the information and documents that will identify them, by filling out and signing the Application Form and using the following methods or other methods determined by the Personal Data Protection Board. Comprehensive regulation in this regard is set out in the DERCE AŞ. PERSONAL DATA APPLICATION PROCEDURE (ANNEX-5).

  1. After filling out the form at www.derce.com.tr, submitting it to the address ASO 1. OSB URAL CAD. AYDINOĞULLARI SOK. NO: 10 SİNCAN ANKARA.
  2. After filling out the form at www.derce.com.tr, application to derce@derce.com.tr by using a secure electronic signature, a mobile signature or the electronic mail address previously notified to DERCE AŞ. by the person concerned and registered in the DERCE AŞ. system, or by using a software or application developed for application purposes.
  3. Filling out the form at www.derce.com.tr and making a personal application together with the identity document.

In order for third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.

22. COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES AT DERCE AŞ.

A management structure has been established by DERCE AŞ. in order to comply with the regulations of the KVK Law and to enforce the Personal Data Protection and Processing Standard.

The Personal Data Protection Committee (“Committee”) has been established within the body of DERCE AŞ., pursuant to the decision of the Company's senior management, in order to manage this Policy and other Policies connected and related to this Policy. The duties of this Committee are as follows:

  • To prepare and implement the basic Policies regarding the protection and processing of personal data and, when necessary, to submit them to the Senior Management for approval.
  • To decide how the implementation and control of the policies regarding the protection and processing of personal data will be carried out, and to submit the issues of internal assignment and coordination within this framework to the Senior Management.
  • To determine what needs to be done in order to ensure compliance with the KVK Law and the relevant legislation, to submit it for the approval of the Senior Management, to monitor its implementation and to convey it to the Senior Management for coordination.
  • To raise awareness within DERCE AŞ. and the institutions that DERCE AŞ. cooperates with on the protection and processing of personal data.
  • To determine the risks that may occur in the personal data processing activities of DERCE AŞ. and to ensure that the necessary measures are taken; to forward improvement suggestions to the Senior Management for approval.
  • To deliver trainings to the Senior Management to ensure that personal data owners are informed about personal data processing activities and their legal rights on the protection of personal data and the implementation and dissemination of the Policies.
  • To forward the applications of the personal data owners to the Senior Management in order to make a decision at the highest level.
  • To follow the developments and regulations on the protection of personal data; to convey to the Senior Management its suggestions on what should be done within DERCE AŞ. in accordance with these developments and regulations.
  • To carry out the relations with the KVK Board and the Institution under the coordination of the Senior Management.
  • To perform other duties assigned by the senior management of the company regarding the protection of personal data.

 DERCE AŞ. (Data Controller)

ANNEX-1 DEFINITIONS

Explicit consent: Consent on a particular subject, based on information and expressed with free will.

Making it anonymous: Changing personal data in such a way that it loses its quality as personal data and this situation cannot be undone. E.g. making personal data incapable of being associated with a natural person by means of techniques such as masking, aggregation and data corruption.

Application form: "Application Form for Applications to be Made by the Related Person (Personal Data Owner) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698", which includes the application to be made by the personal data owners to exercise their rights.

Employee Candidate: Real persons who have applied for a job to DERCE AŞ. by any means or have opened their CV and related information to DERCE AŞ. for review.

Employees, Shareholders and Officials of the Institutions We Cooperate With: Natural persons, including shareholders and officials of these institutions, working in institutions (including but not limited to business partners, suppliers, etc.) with which DERCE AŞ. has all kinds of business relations.

Business partner: Parties that DERCE AŞ. has established business partnerships with for purposes such as carrying out various projects and receiving services, either personally or together with Group Companies, while carrying out its commercial activities.

Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking it, in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system.

Personal data owner: The natural person whose personal data is processed. E.g. Customer, Staff, Dealer Employee.

Personal data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information regarding legal persons is not within the scope of the Law. E.g. name-surname, TCKN, e-mail, address, date of birth, credit card number, etc.

Special categories of personal data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Supplier: Parties that provide services to DERCE AŞ. on a contractual basis in accordance with DERCE AŞ. orders and instructions while carrying out the commercial activities of DERCE AŞ.

Third Party: Natural persons whose personal data are processed within the scope of the POLICY (e.g. family members, former employees) who are not defined differently within the scope of the POLICY.

Data processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. For example, DEALERS, CUSTOMERS, an external IT company and the company information systems department, if any, that keeps the data of DERCE AŞ.

Data controller: The person and company information systems department that determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Visitor: Real persons who have entered the physical campuses (factory, office, etc.) owned by DERCE AŞ. for various purposes or visited our websites.
