POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1. SECTION 1 - INTRODUCTION

1.1. INTRODUCTION

Protection of personal data is among the top priorities of Zorluteks Tekstil Ticaret ve Sanayi Anonim Şirketi (“Company”). The principles adopted in the processing of personal data carried out by our Company pursuant to the Zorluteks Tekstil Ticaret ve Sanayi Anonim Şirketi Policy on the Protection and Processing of Personal Data ("Policy") and the basic principles adopted with respect to our Company's data processing activities being in compliance with the arrangements in the Law on the Protection and Processing of Personal Data No. 6698 (the "Law") are explained, and thus our Company provides the required transparency by means of  informing the personal data owners. With the full awareness of our responsibility in this context, your personal data will be processed and protected within the scope of this Policy

1.2. SCOPE

This policy relates to all personal data processed by automated means or by non-automated means provided that the data is a part of any data registration system of our customers, potential customers, Company visitors, employee candidates, persons working or authorized in the companies or institutions which our Company conducts all kinds of business relations, the family members or the relatives of our Company employees, excluding our Company employees.

1.3. APPLICATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force for the processing and protection of personal data shall primarily apply. If there is a discrepancy between the legislation in force and the Policy, our Company accepts that the legislation in force shall apply. The Policy regulates the rules laid down by the relevant legislation in the context of our Company's practices by means of materializing the same.

2. SECTION 2 - ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. ENSURING THE SECURITY OF PERSONAL DATA

In accordance with Article 12 of the Law, our Company takes the measures required by the nature of the data to be protected to prevent unlawful disclosure, access, transfer, or security deficiencies that may occur in different forms. In this context, our Company's Personal Data Protection Board (the “Board") takes administrative measures to ensure the required level of security in accordance with the guidelines published by the Company, performs inspections, or has them done accordingly.

2.2. PROTECTION OF SENSITIVE PERSONAL DATA

Sensitive personal data has been attributed special importance under the Law due to the risk to cause victimization of persons or discrimination when processed illicitly. This data of "sensitive nature" is, related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress codes, association, foundation or trade union memberships, health, sexual life, criminal conviction and security measures as well as biometric and genetic data.

In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully applied with regard to special quality personal data and necessary controls are provided within our Company.

Detailed information on the processing of sensitive personal data has been included in Section 3.3 of this Policy.

2.3. INCREASING THE AWARENESS AND SUPERVISION OF THE BUSINESS UNITS ABOUT THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our company ensures that required trainings are organized for the business units in order to increase the awareness for preventing unauthorized and illicit processing of the personal data and unauthorized access to data contrary to the law and providing the safekeeping of data.

Necessary systems are established to raise the awareness of the Company's existing and newly admitted employees, on the protection of personal data, and consultants are engaged related to the subject matter when required. In this regard, our Company evaluates attendance at relevant training courses, seminars, and briefings and provides new training whenever the relevant legislation is updated.

3. SECTION 3 - ISSUES RELATED TO PROCESSING OF PERSONAL DATA

3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN THE LEGISLATION

3.1.1. Processing in compliance with the Rule of Law and Good Faith
Personal data will be processed in accordance with the general trust and integrity rule so that people's fundamental rights and freedoms are not prejudiced. In this context, personal data will be processed to the extent required by our Company's business activities and will be limited to them.

3.1.2. Ensuring that Personal Data is Correct and Up-to-date When Required
While processing personal data, our Company takes the necessary measures to ensure that personal data is accurate and up-to-date, and provides the mechanisms needed to ensure the accuracy and currency of personal data for specific periods of time.

3.1.3. Processing with Specific, Explicit and Legitimate Purposes
Our Company makes clear the purposes for which it processes personal data and with respect to business activities, and it processes them for the purposes relating to these activities.

3.1.4. Personal Data is linked to, limited and measured with the purpose of being processed
Personal data will be processed only to the extent required by our Company's business activities and this will be limited to the stated targets.

3.1.5. Personal data is retained for the time stipulated in the relevant legislation or for the time required regarding the purpose for which they are being processed.
Our Company retains personal data only for the period specified in the relevant legislation or for the purpose for which such data has been processed. In this context, our Company in the first place determines whether a period has been stipulated for the storage of personal data in the relevant legislation and if a period has been stipulated, then it acts in compliance with this period. If there is no legally prescribed period, personal data will be stored for the period required for the purpose for which they are processed. Personal data will be destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or at the data owner's request and by using the prescribed destruction methods (deletion and/or destruction and/or anonymization).

3.2. CONDITIONS FOR PROCESSING PERSONAL DATA

Apart from the explicit consent of the personal data owner, just as the basis for processing personal data can be only one of the following conditions, so multiple conditions can be the basis for processing that same personal data. In the case the processed data is sensitive personal data, the terms contained under title 3.3 of this Policy ("Processing of Sensitive Personal Data") shall apply.

3.3. PROCESSING OF PERSONAL DATA OF SENSITIVE NATURE

Sensitive personal data will be processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, should the following conditions exist:

3.4. PERSONAL DATA PROCESSED BY OUR COMPANY

Identity Information
This is the data concerning the identity of a person: name-surname, Turkish Republic ID number, nationality information, mother's name, father's name, place of birth, date of birth, sex and documents such as driving license, identity card and passport and tax ID number.

Contact Information
Information such as residence, telephone number, address, e-mail, address registration system.

Customer Transaction Information
End users who make use of the products and services offered by our company and customer request information processed regarding the transactions carried out, customer order history information, etc.

Information on Physical Premises Security
Personal data regarding records and documents received upon entry to the physical space during the stay in the physical space; camera recordings, fingerprint records, and security-point records, etc.

Financial Information
Personal data processed in relation to information, documents and records showing any financial results created within the scope of the business relationship established by the Company.

Transaction Security Information
Personal data, IP address information, website entry and exit information, password and passphrase information, etc. processed to ensure the information security of transactions.

Legal Procedures and Compliance Information
Your personal data processed within the scope of detecting and following up our legal receivables and rights, the discharge of our liabilities, and compliance with our legal obligations and our Company's policies.

Visual and Audio Data
Data which explicitly belongs to a real person whose identity is clear or may be determined, photographs and camera recordings, voice recordings and copies of documents containing personal data.

Employee Candidate Information
Personal data processed about the individuals who have applied for a job at our Company to become an employee or who have been evaluated as prospective employees in line with our Company's human resources needs or who desire to have a work relationship with our Company in line with the rules of commercial practice and integrity

Marketing Information
Personal data on usage habits, trends and requirements processed for end-user customers, related to the Company.

Contract Information
Information about our suppliers or business partners who conduct any business relationship with our company and information about the contracts with these companies or company employees

Sensitive Personal Data
Data about the race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction and security measures as well as biometric and genetic data of persons

3.5. PURPOSE OF PROCESSING PERSONAL DATA

Our company processes your personal data pursuant to the following purposes:

A) Planning or execution of our Company's human resources policies and processes

• Conducting the process of employee candidate application processes
• Conducting the employee candidate, trainee, student selection and recruitment process

B) Planning or execution of activities to ensure the legal and technical security of our Company and the persons concerned who conduct business relations with our Company

• Planning and/or execution of the creation, control or follow-up activities of the personal records of subcontractor employees
• Performance of the operational activities required to ensure that the company activities be carried out in accordance with company procedures or the relevant legislation.
• Planning or performance of procedures relating to company and partnership law
• Creating or tracking visitor records
• Conduct and follow-up of legal affairs
• Providing information to official institutions or organizations within the scope of the obligations arising from the legislation, submitting requested information and documents
• Ensuring that data is accurate and up-to-date
• Performance of Storage and Archive Activities
• Performance of required operational activities related to disciplinary and ethical processes
• Ensuring the security of company operations
• Planning, supervision or enforcement of information security processes
• Establishment and management of the information technology infrastructure
• Planning or execution of our company's legal compliance activities
• Planning and/or execution of identity authentication activities
• Planning and execution of our company's audit, inspection or control activities
• Conducting emergency management processes
• Tracking of contract processes or legal requests
• Ensuring the security of company inventory stocks or resources
• Planning and/or execution of emergency or event management procedures
• Ensuring the security of company premises or facilities
• Planning and/or execution of network monitoring and management activities
• Execution of debt collection communications or transactions
• Management of access authorizations

C) Planning and execution of the activities required for the presentation and suggestion of the products and services offered by the Company to the relevant persons by customizing the same based on their tastes, usage habits and needs.

• Design or execution of personalized marketing or promotional activities
• Realization of campaign, promotion and publicity processes
• Determination or evaluation of the persons to be subject to marketing activities in line with consumer behavior criteria
• Planning and execution of data analytics or data enrichment studies for marketing purposes
• Design and execution of activities to be developed for gaining customers and creating value in existing customers in digital or other media
• Planning and execution of the procedures for creating or increasing loyalty to the goods or services offered by the Company
• Planning or execution of marketing processes of products or services
• Planning or execution of activities related to survey studies carried out by our company

D) Having our relevant business units carry out the work needed for subjects to benefit from the goods and services offered by the Company and carrying out the relevant business procedures

• Performance and monitoring of application or sales processes for products or services
• Conducting customer relationship management processes
• Performance of after sales support services
• Conducting activities for customer satisfaction and experience
• Assessment, monitoring and management of requests or complaints

E) Having our relevant business units carry out the work required for the actualization of the commercial activities run by the Company and conducting the associated business processes

• Follow-up of financial or accounting transactions
• Performance of efficacy, efficiency or on-site analyses of business activities
• Planning or execution of corporate governance activities
• Planning or execution of business continuity activities
• Planning or execution of purchasing processes
• Planning or execution of internal or external reporting activities
• Event management
• Foreign Personnel Work and Residence Permit Procedures
• Planning and execution of supply chain management processes
• Receiving and evaluating the suggestions for the improvement of business processes

F) Planning or execution of our company's commercial or business strategies

• Planning or execution of strategic planning activities
• Performance or execution of budget studies
• Planning and execution of the Company's financial risk procedures
• Performance of risk assessment activities for business partners or suppliers

3.6. DISCLOSURE TO THE PERSONAL DATA OWNER

In accordance with Article 10 of the Law and secondary legislation, our Company in its capacity as the data controller, informs personal data subjects of who is processing their personal data, for what purposes, with whom they are being shared and for what purposes, what methods were used to collect the data, the legal basis, and their rights regarding the processing of their personal data.

3.7. TRANSFER OF PERSONAL DATA

Our company may transfer personal data and personal data of special nature of the personal data owner to third parties by taking the required security measures pursuant to the personal data processing objectives in accordance with the law. In this respect, our Company acts in accordance with the regulations stipulated in Article 8 of the Law.

3.7.1. Transfer of Personal Data

Even if the personal data subject has not given his/her explicit consent, if one or more of the following conditions are present, personal data may be transferred to third persons by our Company by taking all due care and all necessary security precautions including those stipulated by the Board:

• Relevant activities related to the transfer of personal data being explicitly stipulated in the law,
• The transfer of personal data by the Company is directly related to and required for the establishment or execution of a contract,
• The transfer of personal data is compulsory for our Company to fulfill its legal obligations,
• The transfer of personal data by our Company in a limited manner for the purpose of making it public, provided that it has been made public by the data owner,
• The transfer of personal data by the Company is mandatory for the establishment, use, or protection of the rights of the Company or the data owner or third parties,
• Personal data transfer activity is mandatory for the legitimate interests of our Company, provided that such transfer does not violate the fundamental rights and freedoms of the data owner,
• The existence of an obligation to protect the life or bodily integrity of the person who cannot explain his/her consent due to actual impossibility or whose consent is not deemed valid in legal terms.

In addition to those listed above, personal data may be transferred to the foreign countries announced to have adequate protection by the Board if any of the conditions in ("Foreign Countries with Adequate Protection") are met. In the absence of adequate protection, personal data can be transferred to foreign countries where data controllers in Turkey and in the relevant foreign country undertake the adequate protection in written form in line with the data transfer conditions stipulated in the legislation and where the Board has given consent for the transfer of personal data ("Foreign Country of the Data Controller Undertaking Adequate Protection”).

3.7.2. Transfer of Personal Data of Sensitive Nature

Sensitive personal data may be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, should the following conditions exist:

(i) Sensitive personal data other than health and sexual lifemay be processed without the explicit consent of the data subject if this is explicitly stipulated by law; in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data owner will be obtained.

(ii) Sensitive personal data relating to health and sexual life can be processed by the authorized institutions and organizations and the persons under the obligation of keeping secret for planning and managing the financing planning and healthcare services and executing protective medicine, medical diagnosis, treatment and care services and protecting public health without seeking any explicit consent. Otherwise, the explicit consent of the data owner will be obtained.

In addition to those listed above, personal data may be transferred if any of the conditions in Foreign Countries With Adequate Protection are met. In the absence of adequate protection, personal data can be transferred to Foreign Country of the Data Controller Undertaking Adequate Protection where data controllers in Turkey and in the relevant foreign country undertake the adequate protection in written form in line with the data transfer conditions stipulated in the legislation.

3.7.3. THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED AND THE PURPOSE OF SUCH TRANSFER

In accordance with Articles 8 and 9 of the Law, our Company may transfer customers' personal data to the following categories of persons:

(i) Shareholders
(ii) Business Partners
(iii) Zorlu Holding Anonim Şirketi
(iv) Legally Authorized Private Entities
(v) Legally Authorized Public Institutions and Organizations

The scope of the abovementioned persons to whom the transfer has been made and the purposes of data transfer are stated below.

Business Partner
Your personal data will be shared with the parties from whom service is received as data controllers and who have their own processing purposes and means in order to carry out the processes of our company.

• Financial institutions for the conduct of financial and accounting transactions,
• Consultancy offices from whom we receive services regarding our legal processes,
• Our business partners from whom we receive services

Supplier
Within the scope of the execution of our Company's commercial activities, your personal data will be shared with the parties providing services to our Company in accordance with the data processing purposes and instructions of our Company.

• Our suppliers from whom we receive services in software, maintenance, security and personal data hosting within the scope of information technologies,

Zorlu Holding Anonim Şirketi
Your personal data will be shared with Zorlu Holding Anonim Şirketi to monitor the compliance of our Company's processes with the legislation and Company's procedures, basic principles and rules and to receive support services regarding the legal disputes.

Legally Authorized Public Institutions and Organizations
Your personal data will be shared with public institutions and organizations authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation.

• Courts, Notary Publics, Law Enforcement Officers,

Legally Authorized Private Entities
Your personal data is shared with institutions or organizations established in accordance with certain conditions determined by law in accordance with the provisions of the relevant legislation and which continue their activities within the framework determined by the law.

• Mediators
• Independent Audit Companies

4. SECTION 4 - STORAGE AND DESTRUCTION OF PERSONAL DATA

Our Company retains personal data only for the period specified in the relevant legislation or for the purpose for which such data has been processed. In this context, our Company in the first place determines whether a period has been stipulated for the storage of personal data in the relevant legislation and if a period has been stipulated, then it acts in compliance with this period. If there is no legally prescribed period, personal data will be stored for the period required for the purpose for which they are processed. Personal data will be destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or at the data owner's request and by using the prescribed destruction methods (deletion and/or destruction and/or anonymization).

5. SECTION 5 - RIGHTS OF PERSONAL DATA OWNERS AND EXERCISING THESE RIGHTS

5.1. RIGHTS HELD BY THE DATA OWNER

Personal data owners shall be entitled to the following:

1. To learn whether personal data has been processed or not,
2. To request information if personal data has been processed,
3. To learn the purpose of processing personal data and whether they are used appropriately in accordance with this purpose,
4. To have information about third parties to which personal data is transferred either in Turkey or abroad,
5. To request the correction of personal data if it is incomplete or improperly processed and to request that the process carried out in this context be notified to third parties to whom personal data is transferred,
6. To request that personal data be deleted or destroyed even if it has been processed in accordance with the provisions of the Law and other relevant laws and in the case that the reasons for such processing are not present any more to request that the process carried out in this context be notified to third parties,
7. To object to the occurrence of a result against the person itself by means of analyzing the processed data exclusively through automated systems,
8. To demand that damages be eliminated in the event of a corruption due to the processing of personal data contrary to the law.

5.2. EXERCISING THE RIGHTS HELD BY THE DATA OWNER

Personal data owners may submit their requests regarding their rights as listed in section 6.1. ("Rights Held by the Data Owner”) to our Company using the methods determined by the Board. Pursuant to this, they will be able to utilize the "Data Owner Application Form" to be accessed at the address or

5.3. OUR COMPANY'S RESPONSE TO APPLICATIONS

Our Company takes the necessary administrative and technical measures in accordance with the Law and the secondary legislation to conclude the applications filed by personal data owners.

In the case the personal data owner duly communicates his/her request regarding the rights listed in section 6.1 ("Right s of the Personal Data Owner") to our Company, we will conclude the requests involved in the applications within the shortest time possible depending on the nature of the request and within thirty days at the latest and free of charge. However, if the procedure requires an additional cost, fees may be charged in accordance with the tariff determined by the Board.