PERSONAL DATA PROTECTION AND PROCESSING POLICY

RELATING TO GURIS TEKNOLOJİ A.Ş.

1. PREAMBLE

Güriş Teknoloji A.Ş. (hereinafter referred to as “Güriş Teknoloji” or “Company”) has adopted the principle of protecting and respecting your personal information and privacy with full awareness of its responsibility. In this context, Güriş Teknoloji takes the necessary measures in accordance with the provisions of the Personal Data Protection Law No. 6698 (“Law”), the decisions of the Personal Data Protection Board (“Board”) and, to the extent appropriate, the provisions of international legislation, especially the provisions of the European Union General Data Protection Regulation (“GDPR”).

This Personal Data Protection and Processing Policy (“Policy”) has been prepared in order to concretise the rules set forth by the provisions of the relevant legislation before Güriş Teknoloji and to inform the real persons whose data are processed by Güriş Teknoloji in the capacity of data controller about the collection, processing, storage, protection and destruction of their personal data, as well as their purposes and limits. It is possible to update the Policy from time to time due to legal changes or other reasons. Such updates shall be valid as of the date of publication of the Policy on the Website. In case of any conflict between the Turkish version of the Policy and its translation into other languages, the Turkish text should be taken into consideration.

This Policy does not apply to websites other than the websites of Güriş Holding A.Ş. group companies to which a link extension has been provided from the wtip.io website (“Website”).

By using the Website and Services, this Policy is deemed to be accepted.

1. PERSONEL DATA AND ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

“Personal Information” or “Personal Data” is any information that directly or indirectly identifies an identified or identifiable natural person (“Data Owner” or “Data Subject”), including but not limited to name-surname, address, telephone number, Turkish ID number, tax number, e-mail, company, profession, title.

Any operation performed on Personal Data such as obtaining, recording, storing, preserving, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system is accepted as the processing of Personal Data. All kinds of activities carried out in the process until the deletion, destruction or anonymisation of Personal Data after it is collected in the specified manner are considered as processing of personal data within the scope of the Law.

1. 1. 2.1.Processing of Personal Data

Pursuant to Article 5 of the Law, processing of personal data is only possible with the explicit consent of the data subject. However, in the presence of the following conditions, it is possible to process Personal Data without seeking the explicit consent of the data subject:

• Explicitly stipulated in the laws,
• It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
• Processing of personal data is directly related to the conclusion or performance of a contract, it is necessary to comply with the relevant data protection legislation,
• It is mandatory for the data controller to fulfil its legal obligation,
• It has been publicised by the person concerned,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

1. 1. 2.2.Processing of Sensitive Personal Data

Pursuant to Article 6 of the Law, data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are sensitive personal data. Processing of sensitive personal data is prohibited as a rule. However, the processing of these data;

• Explicit consent of the person concerned,
• Explicitly stipulated in the laws,
• It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
• It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
• Being compulsory for the establishment, use or protection of a right,
• It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorised institutions and organisations,
• It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
• It is possible for foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; provided that they are intended for their current or former members and members or persons who are in regular contact with these organisations and formations.

In the processing of sensitive personal data, it is also necessary to take adequate measures determined by the Board.

1. 1. 2.3.Principles of the Processing the Personal Data

Pursuant to Article 4 of the Law, the European Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108  and the European Union Data Protection Directive No. 95/46/EC, the processing of personal data is subject to certain principles:

• Compliance with the law and honesty rules,
• Being accurate and up to date when necessary,
• Processing for specific, explicit and legitimate purposes,
• Being relevant, limited and proportionate to the purpose for which they are processed,
• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Güriş Teknoloji accepts, declares and undertakes to act in accordance with the provisions of the legislation and the principles mentioned during all data processing activities.

1. COLLECTION OF PERSONAL DATA

Güriş Technology may collect Personal Data from Data Subjects in person or without meeting face-to-face, through verbal, written, digital, electronic, visual means, regardless of format, as long as it complies with the regulations of this Policy, the Law, and other relevant legislation. This includes but is not limited to all written documents, documents, notifications from judicial authorities, and/or cookies, media, including digital platforms such as websites, email, mobile applications.

Güriş Technology may collect personal data necessary for the purpose and use of the website, both in terms of Personal Data types and personal information channels and types, such as free trials, demo requests, creating/logging into accounts on the online platform and/or website, contacting Güriş Technology, applying for a job, requesting meetings with Güriş Technology teams, partnership requests, subscribing to Güriş Technology’s blog, requesting reports, purchasing products and services listed on the website, registering, downloading, including but not limited to, first and last name, email, date of birth, phone number, country information, address, postal code, citizenship identification number, tax number, user password, job title, company name, resume, description message, LinkedIn profile, payment information, and related persons or companies’ videos, photographs, and/or all kinds of digital or printed visuals and transaction records related to these visuals, as well as explanatory messages sent by the relevant person to facilitate inquiries.

Additionally, Güriş Technology may automatically collect information each time the website is visited, even if no account is logged in by the Data Subject. In this context, Güriş Technology may collect specific information related to your visit, such as the Internet service provider’s name and Internet Protocol (IP) address accessed on the Internet, device identifier necessary to transmit requested content (e.g., especially content, texts, images, and data files provided for download), timezone setting, operating system and platform, date and time of access to the site, browser type and version, pages accessed while on the website, and the Internet address of the website directly connected to the website, user activities on the website context, relevant terminal type, etc. This information is primarily used to provide access to the website, enhance the webpage view on the devices and browsers of the Data Subject and/or company, and adjust settings and language to your preferences. Güriş Technology may also use this information to analyze trends and improve the website and online services.

Güriş Technology may indirectly collect Personal Information and/or Personal Data from third-party sources such as business partners, advertising networks, payment, shipping, and delivery services, as well as from public records such as social media platforms, professional organizations. In such cases, Güriş Technology does not have any obligation or responsibility regarding the use, storage, and disclosure of your personal information as these sources are subject to their own privacy policies.

In cases where Güriş Technology requests consent to contact the Data Subject for providing a requested service or performing a transaction, such as purchasing, downloading, registering for products and services through the website, or obtaining information about products and services, Güriş Technology will seek the Data Subject’s approval. However, it is understood that the Data Subject entering their Personal Data into the system voluntarily or giving explicit consent in this regard is an indication that the Data Subject agrees to the terms provided in the Policy, subject to the provisions of the Law.

1. PROCESSING, PROCESSING PURPOSES AND USE OF PERSONAL DATA

Güriş Teknoloji processes Personal Data for specific, legitimate and explicit purposes. Güriş Teknoloji may use/process Personal Data for the following purposes without limitation, in accordance with applicable laws and the options that may be available to the relevant persons:

• Management and follow-up of contractual processes and legal claims, including negotiation, conclusion and performance of contracts,
• To fulfil Güriş Teknoloji’s obligations arising from the Contracts and to provide the information, products and services requested by the relevant person / Data Owner,
• Customising the products and services offered in accordance with customer demands and/or updating and improving them due to customer needs, tastes, usage habits, legal and/or technical developments,
• Establishing and executing customer relationship management processes, communicating with customers verbally or in writing within this scope, keeping records and statistics regarding this communication,
• Planning and execution of after sales support services,
• Evaluating and improving customer satisfaction,
• Personalisation of user experiences with our products and services on the Website,
• Making user definitions to the systems specific to the products and services offered;
• Planning and execution of sales and marketing activities, announcement and advertisement of new or existing products, services and campaigns;
• Fulfilment of announcements concerning the Customer, the relevant person and/or the Data Owner, such as innovations and updates in products and services, changes in this Policy or terms of use, and informing the Customer, the relevant person and/or the Data Owner,
• Execution, planning, execution and management of operation, assignment, internal audit – investigation, strategic planning, management, business continuity, investment, accounting-finance, financial risk, production and operational risk, business, custody and archive processes,
• Development of commercial strategies,
• Planning and execution of corporate sustainability and corporate communication activities,
• Receiving, evaluating and responding to the questions, suggestions, complaints, requests, etc. of the customers, data subject, Data Owner, and communicating with the customer, data subject, Data Owner about the requested products or services,
• Providing information to authorised persons, institutions and organisations, including judicial and administrative authorities, carrying out legal affairs and transactions, including judicial activities, and fulfilling legal obligations that have arisen or may arise,
• Carrying out company activities in accordance with company procedures and relevant legislation,
• Ensuring the security of company premises and buildings, creating and monitoring visitor records,
• Carrying out access authorisations and information security processes, ensuring the security of the Website, data controller operations and carrying out risk management processes,
• Management of relations with business partners and suppliers, planning and execution of business partners’ and suppliers’ authorisations to access information,
• Planning and execution of human resources and policies processes, including but not limited to employee candidate, young talent, internship selection and placement, execution of employee satisfaction evaluation processes, fulfilment of obligations arising from the employment contract and labour legislation, career development, establishment of wage policy, execution of occupational health/safety activities,
• Conducting market research for sales and marketing of products and services, generating statistics and analysing product, service and website usage,
• Payment of the prices of the products and services on the Website and the ancillary fees related to the products and services, determination of the collection method for the payments.

1. TRANSFER OF PERSONAL DATA

1. 1. 5.1.Transfer of Personal Data Domestically

Personal data obtained for processing within the framework of general principles specified in the law may be transferred to third parties based on the provision of Article 8 of the Law, provided that explicit consent of the data subject is obtained. However, under certain conditions, personal data may be transferred to third parties without the explicit consent of the data subject.

In this context, the explicit consent of the data subject is not required for the transfer of personal data in the presence of one of the following circumstances:

• Explicitly stipulated in the laws,
• It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
• Processing of personal data is directly related to the conclusion or performance of a contract, it is necessary to comply with the relevant data protection legislation,
• It is mandatory for the data controller to fulfil its legal obligation,
• It has been publicised by the person concerned,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

In order to transfer sensitive personal data domestically, the explicit consent of the data subject is not required in the presence of one of the following cases, provided that adequate measures are taken:

• Explicitly stipulated in the laws,
• It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
• It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
• Being compulsory for the establishment, use or protection of a right,
• It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorised institutions and organisations,
• It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
• Current or former members and members of foundations, associations and other non-profit organisations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organisations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties.

1. 1. 5.2.Transfer of Personal Data Abroad

One of the conditions for processing personal data and sensitive personal data (stated in Articles 2.1. and 2.2. of the Policy), and the existence of an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made, allows personal data to be transferred abroad by data controllers and data processors. Pursuant to Article 9 of the Law, the adequacy decision is made by the Board and published in the Official Gazette. The Board may change, suspend or revoke the qualification decision with future effect as a result of the evaluation or in other cases deemed necessary.

In the absence of an adequacy decision, personal data may be transferred abroad by data controllers and data processors if one of the following appropriate safeguards is provided by the parties, provided that one of the conditions for processing personal data and sensitive personal data (set out in Articles 2.1. and 2.2. of the Policy) exists, the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country where the transfer will be made:

• Existence of an agreement that is not an international contract between public institutions and organisations or international organisations abroad and public institutions and organisations or professional organisations in the nature of public institutions in Turkey and the Board’s permission for the transfer.
• Existence of binding corporate rules, approved by the Board, containing provisions on the protection of personal data, which companies within the group of undertakings engaged in joint economic activities are obliged to comply with.
• Existence of a standard contract, announced by the Board, containing data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data.
• Existence of a written undertaking containing provisions to ensure adequate protection and authorisation of the transfer by the Board.

Data controllers and data processors may transfer personal data abroad only in the presence of one of the following cases, provided that it is incidental, in the absence of an adequacy decision and if any of the above-mentioned appropriate assurances cannot be provided:

• The explicit consent of the data subject to the transfer, provided that the data subject is informed about the possible risks.
• The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
• The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
• The transfer is mandatory for a superior public interest.
• The transfer of personal data is mandatory for the establishment, exercise or protection of a right.
• The transfer of personal data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.
• Transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

Without prejudice to the provisions of international agreements, personal data may only be transferred abroad with the permission of the Board by obtaining the opinion of the relevant public institution or organisation in cases where the interests of Turkey or the person concerned would be seriously damaged.

Güriş Teknoloji may transfer Personal Data to Güriş Holding A.Ş. group companies, business partners, competent judicial authorities and administrations, banks and financial institutions, customers, partners, audit firms in Turkey or abroad, limited to the purposes specified in this Policy and in accordance with the provisions of the Law.

1. STORAGE AND DESTRUCTION OF PERSONAL DATA

Güriş Teknoloji committed protecting the confidentiality and security of personal data and keeps personal data for the minimum period necessary for the purpose, but for a period that does not contradict the provisions of the legislation. If the purpose of collecting and processing personal data ceases to exist, Güriş Teknoloji may continue to store personal data in accordance with its legal obligations or in order to fulfil its legal obligations. However, such storage shall be limited to the period of time prescribed by legislation. Güriş Teknoloji destroys personal data by one of the methods of erasure, anonymisation or destruction if the purpose requiring the processing of personal data and the reasons requiring its storage cease to exist and in any case the period stipulated by the legislation has expired, the data subject withdraws his/her consent in transactions based on explicit consent and/or the data subject requests the destruction of his/her personal data.

Güriş Teknoloji takes all necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure the protection of personal data in accordance with Article 12 of the Law; carries out or has carried out the necessary audits; provides the relevant information security system.

1. RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

1. 1. 7.1.Rights of the Data Subject

In accordance with Article 11 of the Law, the Data Subject may exercise the following rights related to them by applying to Güriş Teknoloji:

• To learn whether personal data is being processed,
• Request information if personal data has been processed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data are transferred domestically or abroad,
• To request correction of personal data in case of incomplete or incorrect processing and notification of this transaction to third parties to whom personal data is transferred,
• Although it has been processed in accordance with the provisions of the Law and other relevant laws, to request the deletion, destruction or anonymisation of personal data in the event that the reasons requiring its processing disappear and to notify third parties to whom personal data is transferred,
• To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
• In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

Pursuant to Paragraph 2 of Article 28 of the Law, in the following cases, the Data Subject cannot exercise their rights under Article 7.1 of the Policy, except for the right to demand compensation for the damage:

• Processing of personal data is necessary for the prevention of crime or criminal investigation.
• Processing of personal data made public by the data subject themselves.
• Processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by the public institutions and organisations and professional organisations in the nature of public institutions, in accordance with the authority granted by law.
• Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.

1. 1. 7.2.EXERCISE OF THE RIGHTS BY THE DATA SUBJECT

The Data Subject may apply to Güriş Teknoloji to exercise one or more of their rights set out in Article 7.1. Data Subject may submit their requests in writing or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified to Güriş Teknoloji by the Data Subject and registered in the Güriş Teknoloji system. The application information of Güriş Teknoloji is below:

Application Address : Ankara Cad. No:222 Gaziosmanpaşa Mah. Gölbaşı/ANKARA

KEP address : guristeknoloji@hs01.kep.tr

E-mail : info@guristeknoloji.com

The application must include name-surname and signature if the application is in writing, Turkish ID number for citizens of the Republic of Turkey, nationality, passport number or ID number, if any, for foreigners, residential or workplace address for notification, e-mail address for notification, telephone and fax number, and the subject of the request. Information and documents related to the subject are attached to the application. The application must comply with the provisions of the Communiqué on the Procedures and Principles of Application to the Data Controller and carry the mandatory elements in the Communiqué. Otherwise, the application will not be processed.

Güriş Teknoloji takes all necessary administrative and technical measures to finalise the applications effectively and in accordance with the law and good faith. Güriş Teknoloji finalises the applications free of charge within 30 days at the latest and notifies the Data Owner of the application result via e-mail or in writing to his/her address. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.