FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ PERSONAL DATA PROTECTION COMMITTEE INTERNAL DIRECTIVE
This FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Protection Committee (“Committee”) Internal Directive (“Internal Directive”) has been prepared in accordance with the Personal Data Protection Law No. 6698 ("Law") published in the Official Gazette dated 07/04/2016 and numbered 29677, the Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation") issued by the Personal Data Protection Authority and published in the Official Gazette dated 28/10/2017 and numbered 30224, the FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Protection and Processing Policy (“Policy”) and the FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Storage and Destruction Policy ("Storage and Destruction Policy").
A Personal Data Protection Committee has been established under the data controller FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ in order to carry out personal data storage and destruction processes and to carry out the necessary work and transactions in accordance with the Law and Regulation. In this context, in accordance with the personal data protection regulations and Policies, the necessary internal arrangements are made by FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ for the storage and destruction of personal data and the necessary system is established to raise awareness.
Purpose:
Article 1- This Internal Directive has been prepared to determine the matters related to the Committee's fulfillment of its duties, the principles it must comply with within the framework of personal data protection regulations and Policies, and the procedures it will implement in accordance with the Policies.
Scope:
Article 2- This Internal Directive covers the relevant responsibilities, work and activities of the Committee and its members.
Basis:
Article 3- This Internal Directive has been prepared based on the above-mentioned regulations regarding the Personal Data Protection Law No. 6698.
Personal Data Protection Committee:
Article 4- The Committee is appointed by the board of directors of FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ in order to fulfill its obligations under the Law, to ensure and supervise the implementation of the Policies, and to make suggestions regarding their operation. The Board is responsible for ensuring auditing, compliance and sustainable effectiveness at FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ within the scope of KVK regulations. The distribution of duties among the Committee members and the addition of members to or removal of members from the Committee are carried out by the committee chairman with the authority given by the data controller.
Data Controller Representative:
Article 5- The Data Controller Representative is selected from within the Committee and carries out the relations of FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ with the Institution.
Members:
Article 6- The composition of the Committee and the duties assigned to individuals are set out below.
Status: | Task: |
---|---|
President | Committee Chairman - responsible for governance and communication |
Member | Responsible for law compliance and auditing and business process planning-reporting |
Member | Information Technologies - responsible for data security, risk management, policies and procedures |
Article 7- The Committee is responsible for the protection, storage, processing of personal data and the deletion, destruction and anonymization of personal data.
In this context, the Committee:
Checks the contracts to be made with third parties processing personal data and confirms their compliance within the scope of the regulations. It has third parties audited.
Determines and authorizes real and legal persons who process personal data.
Data Controller Representative:
Article 8- The Board is obliged to take technical and administrative measures for the protection of all personal data, to constantly follow developments and administrative activities, to prepare the necessary procedures, to announce them within FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ, and to ensure and supervise compliance with them. The Board periodically monitors itself within the scope of the protection of personal data or enables external audits to be carried out. It convenes periodically with senior management to discuss both the current situation and the risks regarding the protection of personal data. It records the meeting decisions with wet signatures and files them. It periodically informs the units concerned with the protection of personal data via the portal / e-mail / announcement.
Article 9- The Committee is obliged to ensure that the obligation to inform is fulfilled in terms of all personal data processing processes and to obtain and maintain explicit consent when necessary.
Regarding personal data, the Committee:
- i. It ensures that the identity of the data controller is announced.
- ii. It ensures that the purposes of processing personal data are specific, legitimate and clear, has them audited and ensures that they are announced to both employees and customers.
- iii. It explains to whom the processed data will be transferred and for what purpose.
- iv. Explains the data collection method and legal reason.
- v. The Committee determines, enforces and supervises the means of obtaining the explicit consent of the person for the processing of personal data.
- vi. It absolutely guarantees that explicit consent is obtained in case special personal data is recorded.
- vii. If personal data will be kept in cloud systems or stored abroad, it ensures that the express consent of the personal data owner is obtained. It ensures that the foreign country to which personal data will be transferred is declared by the board.
Article 10- In case of transfer of personal data to third parties, the Committee determines whether or not explicit consent will be obtained from the data owner, according to the status of the place/authority with which the data will be shared. The situations in which explicit consent will not be obtained are set out below. In any case, it records which data has been shared with the following institutions and that the third parties falling under the following statuses comply with the applicable principle:
- i. Inability to obtain explicit consent in case of actual impossibilities.
- ii. When his or another person's life or physical integrity is at stake.
- iii. Being directly related to the establishment or execution of a contract.
- iv. It is necessary to process personal data of the parties to the contract.
- v. Data processing is mandatory for the establishment, exercise or protection of a right.
- vi. It is mandatory for the data controller to fulfill its legal obligation.
- vii. If the person has made his/her own data public.
- viii. It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
- ix. In the event that non-profit organizations or entities such as political parties, foundations, associations or unions process data regarding their members and members, provided that it is in accordance with the legislation they are subject to and their purposes, is limited to their fields of activity and is not disclosed to third parties.
- x. In case of processing by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services.
If personal data is to be transferred abroad without explicit consent having been obtained, the Committee coordinates the sharing of the data where there is adequate protection in the place to which the data will be transferred or, where there is not adequate protection, where the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the permission of the Board is obtained.
The sharer of the data ensures that the place and purpose of sharing this data are written and approved. It is checked whether consent has been obtained for the proposed data and it is documented. It ensures that it is shared after it is received with the approval of the law and the data controller.
Article 11- The Committee evaluates the applications of personal data owners and ensures coordination within FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ to respond to the applications. Provides the necessary coordination and communication in cases where communication with the Board is required.
If the personal data owner applies, the following rights of the person will be fulfilled within 30 calendar days at the latest:
- i. Learning whether his or her personal data is being processed.
- ii. Requesting information about personal data.
- iii. Explaining the purpose of processing.
- iv. Disclosure of third parties to whom personal data is transferred at home or abroad.
- v. Receiving requests for correction of personal data in case of incomplete or incorrect processing and responding when the process is completed.
- vi. Receiving requests to delete or destroy the person's personal information and responding when the transaction is completed.
- vii. Receiving objections from the data owner in case the data owner finds negative results as a result of the analysis of the processed data exclusively through automatic systems, and responding when the process is completed.
- viii. Checking whether personal data is processed unlawfully and following up and finalizing requests from the individual.
Article 12- The Committee takes the necessary measures to eliminate any deficiencies or risks in terms of compliance with the Law and Policies in the processes of protection, storage, processing and destruction of personal data. In this context, the Board audits each new processing process reported to it.
Article 13- Regarding the storage and destruction of personal data, the Committee:
- i. It determines the storage and destruction period stipulated in the relevant legislation or required for the purpose for which they are processed.
- ii. In accordance with Article 11/2 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, it audits the personal data processed in periods not exceeding six months and ensures the deletion, destruction or anonymization of personal data that needs to be deleted, destroyed or anonymized.
- iii. It ensures that all transactions regarding the deletion, destruction and anonymization of personal data are recorded and ensures that such records are kept for at least three years, excluding other legal obligations.
- iv. When any of the following reasons exists, it ensures the deletion, destruction or anonymization of personal data within the framework of the procedures and principles determined in the regulations:
- ✓ In case the reasons requiring processing disappear
- ✓ In case of expiration
- ✓ At the request of the data owner
Article 14- The Committee evaluates the situations reported to it by the employees of FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ and creates an action plan, in accordance with the regulations, regarding violations consisting of work, transactions or actions that are contrary to the procedures and principles stated in the Policies. The Committee prepares the notification to be made to the Personal Data Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, and carries out the correspondence and communication with the Institution.
In applications regarding personal data, in case of inappropriate situations regarding the procedure, the audit is carried out and concluded as stipulated in the Annex-1 Incident Management scheme. Other departments provide the necessary assistance in related studies.
Article 15- The Committee sends the documents and information requested by the Board within 15 calendar days and enables on-site inspection when necessary.
In case of a complaint or for any reason, it follows the Board's notifications and ensures their implementation within 30 calendar days.
Article 16- The Committee ensures that the employees of FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ are informed in order to process and destroy personal data in accordance with the law and to prevent unlawful access. Necessary procedures are established to provide such access to employees who need to access personal data of FERAT ELEKTRİK TAAHHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ, and the Data Controller Representative and the Committee are jointly responsible for the creation and implementation of these procedures. The listing and monitoring of the limited number of employees who are authorized to access special personal data are carried out by the Committee.
Entry into Force of the Internal Directive and Changes
Article 17- The Internal Directive is put into effect by the management of FERAT ELEKTRİK TAAHÜT İNŞAAT SANAYİ VE TİCARET LİMİTED ŞİRKETİ. Amendments to be made to the Internal Directive and the Directive regulation are also subject to the same procedure.