ÇAMYUVA TURİZM YATIRIMLARI A.Ş. 

AND GÜLSAN GROUP OF COMPANIES 

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION AND SCOPE

Çamyuva Turizm Yatırımları A.Ş. and Gülsan Holding Group Companies (hereinafter referred to as the "Company" or "Companies") have the utmost care and sensitivity regarding the protection of personal data and act in accordance with all applicable legislation in this context. This Personal Data Protection and Processing Policy (hereinafter referred to as the "Policy") has been established for this purpose.

With this Policy; The basic principles regarding the personal data processing activities carried out by the Company and the principles adopted in terms of compliance of these activities with the regulations contained in the Personal Data Protection Law No. 6698 (hereinafter referred to as "KVKK" or "Law") are explained.

2. DEFINITIONS

Gülsan/ Gülsan Holding Companies:

• Gülsan Investment Holding Joint Stock Company
• Gülsan Construction Industry Tourism Transportation and Trade Inc.
• Gülsan Electric Energy Wholesale Inc.
• Çamyuva Tourism Investments Inc.
• Çamyuva Hotel Management Inc.
• Değirmenüstü Energy Production Trade and Industry Inc.
• Mar-En Energy Production Trade and Industry Inc.
• Agen Energy Production Trade and Industry Inc.
• Gülce Energy Production Trade and Industry Inc.
• Nur Electric Production Trade and Industry Inc.
• Gülsü Energy Production Trade and Industry Inc.
• Tekpa Concrete Industry Mot. Vehicle Marketing and Industry Inc.
• Petpa Fuel Oil Material. Pet. Industry and Trade Inc. It covers all of the companies. Each company will be referred to as Gülsan and together as Gülsan Companies.

Data: Information stored in digital or physical filing systems.

Personal Data: Any information relating to an identified or identifiable natural person.

Sensitive/Special Categories of Personal Data: Race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, association, foundation or trade union memberships, health, sexual life, criminal convictions and security measures and biometric data. These data can only be processed under the conditions stipulated in the legislation and their processing generally requires the explicit consent of the data subject.

Contact Person: It covers all real persons whose Personal Data is processed, especially employees.

Explicit consent: It is the consent given on a specific subject, based on information and free will, in a clear manner that leaves no room for hesitation, and limited only to that transaction.

Employee: Refers to Gülsan Companies personnel.

Employee candidate: Refers to the person or persons who have applied for a job at Gülsan. Processing of personal data: All kinds of operations performed on personal data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. 

Data processor: Refers to the natural person or legal entity that processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data controller: Refers to the natural person or legal entity responsible for the establishment and management of the data recording system, which determines the purposes and means of processing personal data.

Institution: Personal Data Protection Authority.

Board: Personal Data Protection Board.

KVKK (Law): Law No. 6698 on the Protection of Personal Data published in the Official Gazette dated April 7, 2016 and numbered 29677.

Politics: Çamyuva Turizm Yatırımlar A.Ş. and Gülsan Group of Companies Personal Data Protection and Processing Policy.

3. PROCESSING OF PERSONAL DATA

3.1. Personal Data Processing Principles 

3.1.1. Processing in Compliance with Law and Good Faith; Personal data are processed in accordance with the law and the rule of honesty. Within this framework, personal data are processed in accordance with the disclosure obligation and to the extent and limited to the extent required by the Company's business activities. 

3.1.2. Being accurate and up-to-date when necessary: The Company takes the necessary measures to ensure that personal data is accurate and up-to-date and establishes the necessary mechanisms to ensure the accuracy and currency of personal data.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes; The Company, It clearly sets out the purposes of processing personal data and processes them within the scope of purposes related to business activities.

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed: Our Company collects personal data only to the extent and quality required by its business activities and processes it limited to the specified purposes.

3.1.5. Storage for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed: Our Company retains personal data for the period required for the purpose for which they are processed and in any case for the maximum period stipulated in the relevant legislation. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

3.2. Terms of Processing Personal Data

3.2.1. Processing of Personal Data by Obtaining Explicit Consent: Pursuant to the legislation, one of the necessary grounds for the lawful processing of personal data is to obtain the explicit consent of the data subject. Explicit consent is defined in the Law as "consent regarding a specific subject, based on information and expressed with free will". However, in the presence of one of the following conditions, personal data are processed by the Company without the explicit consent of the data subject.

3.2.2. Explicit Provision in Laws; The personal data of the data subject may be processed in accordance with the law in cases where it is clearly stipulated in the law.

3.2.3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility: Personal data may be processed without explicit consent if it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

3.2.4. Direct Relevance to the Establishment or Performance of a Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data without obtaining explicit consent if it is necessary to process personal data.

3.2.5. Fulfillment of Legal Obligations by the Company: As a data controller, the Company may process personal data that must be processed in order to fulfill a legal obligation without the consent of the data subject.

3.2.6. Publicization of Personal Data by the Personal Data Owner: Personal data made public by the person concerned may be processed without the existence of explicit consent.

3.2.7. Data Processing is Mandatory for the Establishment or Protection of a Right: If data processing is mandatory for the establishment, exercise or protection of a right, personal data may be processed without explicit consent.

3.2.8. Data Processing is Mandatory for the Legitimate Interest of the Company: Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of the Company.

3.3 Processing of Special Categories of Personal Data

In Article 6 of the LPPD, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are referred to as "sensitive" personal data. These "sensitive" personal data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Sensitive personal data may be processed in the following cases, provided that all necessary administrative and technical measures are taken by the Company in accordance with the Law:

- Sensitive personal data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Otherwise, the explicit consent of the data subject shall be obtained.

- Sensitive personal data relating to the health and sexual life of the data subject may only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data subject shall be obtained.

3.4. Purposes of Processing Personal Data

Personal data are processed by Gülsan Companies for the purposes set out below.

1. Planning and execution of the Company's human resources policies and processes,

2. Planning and execution of the company's recruitment / job application and Recruitment needs,

3. Planning and management of commercial services and activities within the Company,

4. Execution of personnel processes related to company employees, personnel, social rights, payroll and wage transactions,

5. Execution of contract processes, legal proceedings and legal affairs,

6. Conducting disciplinary processes,

7. Carrying out internal and external audit, control and inspection processes of the Company,

8. Planning and management of advertising, promotion and other related activities within the Company,

9. Planning and management of the Company's business partnerships, subcontractors, service procurements and other related activities,

10. Execution of customer relations and processes within the scope of the Company's hotel management, tourism and accommodation services,

11. Fulfillment of legal obligations within the framework of Labor Law Legislation, Social Security Law Legislation, Tax Procedure Law No. 213 and other legislation provisions,

12. Planning and execution of national and international events,

13. Execution of information security processes,

14. Conducting relations with suppliers, service providers and all other third parties,

15. Training of employees,

16. Execution of projects and activities within the scope of social responsibility, planning and execution of processes related to employee candidates, interns and scholarship holders, 

17. Registration and management of visitors and guests,18. Ensuring the security of facilities,19. Planning and execution of risk management and quality improvement activities,20. Invoicing and accounting transactions for services,21. Execution of company procurement processes,22. Managing all kinds of requests and complaints regarding the Company's activities,23. Providing information to relevant public institutions and organizations such as Judicial and Administrative authorities, Judicial authorities, Prosecutor's Offices, Social Security Institution, Ministry of Labor and Social Security in accordance with the relevant legislation,24. Providing requested information to private insurance companies,25. Providing the necessary information in line with the audits of regulatory and supervisory bodies and official authorities,26. Processing in accordance with the legitimate interests of the Company, provided that it does not harm fundamental rights and freedoms, in line with the Company's commercial activities, except for the purposes listed above, 

If the processing activity within this scope does not meet any of the reasons for compliance with the law stipulated in accordance with the KVKK, data processing is not carried out. However, if explicit consent is obtained, the personal data in question is processed.

4. TRANSFER OF PERSONAL DATA

The Company may transfer the personal data and sensitive personal data of the data owner to third parties in line with the above-mentioned and lawful personal data processing purposes, provided that the necessary security measures determined by the legislation and the PDP Authority are taken. In this regard, the Company acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law.

The Company may transfer personal data to third parties in Turkey as well as abroad for processing in Turkey or for processing and storage outside Turkey, in accordance with the conditions stipulated in the legislation and by taking all specified security measures.

In the event that the Company transfers personal data to a third natural or legal person, the necessary protective arrangements are added to the contracts concluded with the third party. The Company takes necessary technical and administrative measures to prevent violations of rights during data transfer to third parties.

The Company notifies the personal data owner of the groups of persons to whom personal data are transferred in accordance with Article 10 of the KVKK.

4.1. Transfer of Personal Data to Third Parties in Turkey

In line with the purposes of personal data processing, the Company may transfer personal data and sensitive personal data of the personal data owner to third parties in Turkey by taking the necessary security measures. The Company may also transfer personal data to foreign countries declared by the Board to have adequate protection. In the absence of adequate protection, personal data may be transferred to foreign countries where the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and where the Board's permission is available.

Even without the explicit consent of the personal data owner, personal data may be transferred to third parties by taking all necessary security measures by the Company if one or more of the following conditions exist.

- The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,

- The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,

- The transfer of personal data is mandatory for the Company to fulfill its legal obligation,

- Transfer of personal data by the Company limited to the purpose of publicization, provided that the personal data has been made public by the data owner,

- The transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data subject or third parties,

- It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,

- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

Personal data may be transferred to third parties in Turkey without explicit consent in exceptional cases specified in the legislation or in other cases, provided that the explicit consent of the personal data owner is obtained. The Company may transfer data to third parties in Turkey and other companies within the Gülsan Group of Companies, business partners, subcontractors, public authorities and other third parties in accordance with the above-mentioned direction.

4.2. Transfer of Personal Data to Third Parties Abroad

Personal data may be transferred to third parties abroad without explicit consent in exceptional cases specified in the legislation or in other cases, provided that the explicit consent of the personal data owner is obtained. In case personal data is transferred without explicit consent in accordance with the legislation, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:

- The foreign country to which the personal data is transferred is in the status of countries with adequate protection by the Board.

- If the foreign country to which the transfer will be provided is not included in the Board's list of safe countries, the Company and the data controllers in the relevant country must obtain permission from the Board by making a written commitment that adequate protection will be provided.

4.3. Transfer of Sensitive Personal Data

In accordance with the principles stipulated by the Company pursuant to this Policy and in accordance with the procedures to be determined by the PDP Board and provided that all necessary administrative and technical measures are taken and in the presence of the following conditions, personal data of special nature may be transferred:

- Sensitive personal data other than health and sexual life may be transferred without the explicit consent of the data subject, if explicitly stipulated by law. Otherwise, the explicit consent of the data subject shall be obtained.

- Sensitive personal data related to health and sexual life may be transferred without seeking explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Otherwise, explicit consent of the data subject shall be obtained.

4.4. Measures Regarding the Transfer of Personal Data

4.4.1. Administrative measures

The Company establishes policies and procedures for the protection of personal data, including but not limited to those listed below;

- Establishes policies and procedures for access to personal data, including employees within Gülsan/Gülsan Companies,

- It informs and trains its employees on the protection and processing of personal data in accordance with the law,

- Records the measures to be taken in cases of unlawful processing of personal data by employees in the contracts made with employees and/or in the policies established; and

- Supervises the personal data processing activities of collaborating data processors and/or partners of data processors.

4.4.2. Technical measures

The Company, for the protection of personal data, including but not limited to those listed below;

- It makes the technical organization within the Company for the processing and storage of personal data in accordance with the legislation,

- It creates the necessary technical infrastructure to ensure the security of databases where personal data will be stored,

- It re-examines risky situations and produces the necessary technological solutions,

- It monitors and audits the processes of the technical infrastructure created,

- It sets out the processes for reporting on the technical measures taken and the audit processes,

- Periodically updating and renewing technical measures,

- It uses software or hardware security products such as virus protection systems, firewalls and similar software or hardware security products, establishes security systems in accordance with technological developments and employs employees who are experts in their fields and/or receives services in this regard. 

5. DISCLOSURE OF PERSONAL DATA SUBJECT

In accordance with Article 10 of the Law on the Protection of Personal Data and secondary legislation, the Company informs personal data owners about who is the data controller of their personal data, for what purposes, for what purposes, with whom it is shared, by which methods it is collected, the legal reason and the rights of data owners within the scope of processing their personal data. In this context, the Company fulfills its obligation to inform arising from the legislation in accordance with the procedures and principles determined by the legislation.

6. PROTECTION, STORAGE AND DESTRUCTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary measures according to the nature of the data in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways. In this direction, the Company takes technical and administrative measures to ensure the necessary level of security in accordance with the regulations arising from the legislation and the guidelines published by the Board, and conducts and / or has audits carried out. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided within the Company.

The Company ensures that the necessary trainings are organized for the business units in order to raise awareness regarding the unlawful processing of personal data, prevention of unlawful access to data and ensuring the preservation of data.

The Company establishes the necessary systems to ensure that its employees are aware of the protection of personal data and works with consultants if needed. In this regard, the Company evaluates the participation in relevant trainings, seminars and information sessions and organizes new trainings in parallel with the updating of the relevant legislation.

The Company retains personal data for the period required for the purpose for which they are processed and for the maximum period stipulated in the relevant legislation. In this context, the Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymization). 

7. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As regulated in Article 7 of the KVKK, the Company deletes, destroys or anonymizes personal data upon its own decision or upon the request of the personal data owner if the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law. The Company has established a policy in this regard in accordance with the provisions of the KVKK and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and in accordance with this policy, it destroys according to the nature of the data. In this context, periodic destruction dates have been determined by the Company and a calendar has been created according to which periodic destruction will be carried out at various intervals with the commencement of the obligation.

7.1. Techniques for Deletion, Destruction and Anonymization of Personal Data

7.1.1. The most commonly used deletion or destruction techniques used by the Company are listed below.

7.1.1.1.1 Physical Destruction: Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When such data is deleted/destroyed, the system of physically destroying the personal data in a way that cannot be used later is applied.

7.1.1.1.2. Secure Deletion from Software: When deleting/destroying data processed by fully or partially automated means and stored in digital media, methods are used to delete the data from the relevant software so that it cannot be recovered again.

7.1.1.1.3. Secure Erasure by an Expert: In some cases, the Company may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person specialized in this field in a way that cannot be recovered again.

7.1.2. The anonymization techniques most commonly used by the Company are listed below.

7.1.2.1. With data masking, the basic identifying information of the personal data is removed from the data set and the personal data is anonymized.

7.1.2.2. With the aggregation method, many data are aggregated and personal data are rendered unattributable to any individual.

7.1.2.3. With the data derivation method, a more general content is created from the content of the personal data and the personal data is rendered unassociable with any person.

7.1.2.4. With the data hashing method, it is ensured that the values in the personal data set are mixed and the link between the values and the persons is broken.

In accordance with Article 8 of the LPPD, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the LPPD and the explicit consent of the personal data owner will not be sought.

8. RIGHTS OF PERSONAL DATA SUBJECTS

Personal data owners have the following rights in accordance with the legislation. The Company takes all kinds of measures to protect and exercise these rights.

Personal data owners;

- To learn whether personal data is processed or not,

- Request information if their personal data has been processed,

- To learn the purpose of processing personal data and whether they are used for their intended purpose,

- To know the third parties to whom personal data are transferred domestically or abroad,

- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

- Although it has been processed in accordance with the provisions of the Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

- In case of damage due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

Personal data owners will be able to submit their requests regarding these rights to the Company by the methods determined by the Board. In this direction, they will be able to use the "Data Owner Application Form" available at "www.gulsanholding.com.tr".

Without prejudice to the other methods determined by the Board, the data subject may submit his/her requests for rights regarding his/her personal data by e-mail to the e-mail address "kvkkbilgi@gulsanholding.com.tr" by attaching the documents confirming his/her identity (copy of identity card, etc.) to his/her application or to the e-mail address "Hilal Mah. R. Tagore Cad. No:74 - Çankaya/ANKARA" address by mail.

In the application to exercise the above-mentioned rights, the person concerned should clearly and understandably state the requested matter.

Although the subject matter of the request must be related to the applicant's person, the applicant may also act on behalf of someone else. In the case of acting on behalf of someone else, the applicant must be specifically authorized to do so and this authorization must be documented (special power of attorney). In addition, the application must include identity and address information and documents certifying the identity must be attached to the application. Requests made by unauthorized third parties on behalf of someone else will not be evaluated.

The Company takes the necessary administrative and technical measures to finalize the applications to be made by the personal data owner in accordance with the Law and secondary legislation.

In the event that the personal data owner submits his/her request regarding his/her rights to the Company in accordance with the procedure, the Company will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

 9. TABLE ON PERSONAL DATA SUBJECTS

 11. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

12. POSSIBLE CHANGES AND UPDATES TO THE POLICY

Çamyuva Turizm Yatırımları A.Ş. may make changes or updates to this Policy in line with legal regulations and Company Policy. The relevant persons are informed about the new Policy text reflecting all these changes and updates via the website