Personal Data Protection and Storage Policy

1. INTRODUCTION

1.1. Introduction

For Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi (“Company“) as the data controller, the protection of personal data of employees and other natural persons with whom the Company has a relationship is among the most important priorities. The most important pillar of this issue is the protection and processing of personal data of our employees, employee candidates, interns, visitors, product or service recipients, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with, and third parties, which is governed by this Personal Data Protection and Storage Policy (“Policy“). Under the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. Regarding the protection of personal data, which is a constitutional right, our Company pays due attention to the protection of the personal data of our employees, employee candidates, interns, visitors, product or service recipients, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with and third parties and makes this a Company policy with this Policy. In this context, all necessary care is taken by our Company for the protection of personal data processed in accordance with the relevant legislation, and administrative and technical measures are taken.

• Scope

This Policy relates to all personal data of our employees, employee candidates, interns, visitors, product or service recipients, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

• Implementation of the Policy and Related Legislation

The relevant legal regulations in force regarding the processing and protection of personal data will be applied primarily, and in case of incompatibility between the legislation in force and the Policy, it is accepted by our Company that the legislation in force will be applied. The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of Company practices.

2. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

Our Company complies with Article 12 of the Law No. 6698 on the Protection of Personal Data (“KVKK“). In accordance with the article; it takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data, and within this scope, it conducts or has the necessary audits carried out.

Our Company retains personal data for the period stipulated by law or required by the purpose of personal data processing. Our Company is subject to Article 10 of the LPPD. In accordance with the article, it informs the relevant persons whose personal data is processed and requests their consent in cases where consent is required and processes this personal data in accordance with their consent based on the criteria specified below.

2.1. Ensuring the Security of Personal Data

Our Company takes the necessary legal, technical and administrative measures regarding data security regarding the following issues and shows the necessary attention and care in this regard. Our Company has been authorized by our Company in accordance with Article 12 of the LPPD. The actions and measures taken to ensure “data security” in accordance with the article are stated below:

• Our Company takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and implementation cost. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are taken from them in this direction.
• Our Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and cost of implementation in order to prevent imprudent or unauthorized disclosure or transfer of personal data or any other unlawful access to personal data.
• Our Company raises awareness among data processing institutions such as business partners and suppliers to whom it has transferred personal data in order to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure that data is kept in accordance with the law.
• The obligations that our Company, as the data controller, has to comply with when processing personal data and the obligation to comply with the legal, administrative and technical measures it has developed in this regard are contractually imposed on the data processing institutions that our Company is in a relationship with in various capacities such as suppliers and business partners, in accordance with the nature of the activity they carry out in data processing.
• Our Company takes the necessary technical and administrative measures according to technological possibilities and cost of implementation in order to store personal data in secure environments and to prevent the destruction, loss or alteration of personal data for unlawful purposes.
• Our Company is subject to Article 12 of the LPPD. In accordance with the article, it conducts or has the necessary audits carried out within its own organization. The results of these audits are reported to the relevant department within the scope of the internal functioning of our Company and necessary actions are taken to improve the measures taken.

• Our Company is subject to Article 12 of the LPPD. In the event that personal data processed in accordance with the article of the Law on the Protection of Personal Data is unlawfully obtained by others, it carries out the system that ensures that this situation is notified to the relevant personal data owner and the Personal Data Protection Board (“Board“) as soon as possible.

2.2. Protection of Sensitive Personal Data

Some personal data are given special importance in the LPPD due to the risk of causing victimization or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Our Company acts sensitively in the protection of special quality personal data, which is determined as “special quality” by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided in this context.

2.3. Enlightening and Informing the Personal Data Owner

Our Company, during the acquisition of personal data, shall comply with the provisions of the LPPD In accordance with Article 10, it enlightens personal data subjects. In this context, our Company informs the personal data owners about the identity of the personal data owner during the acquisition of personal data, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the personal data owner’s personal data in accordance with the KVKK. Under Article 11 of the Turkish Commercial Code, the Company is informed about its rights.

Article 20 of the Constitution article stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, Article 11 of the LPPD article lists the right to “request information” among the rights of the personal data subject. In this context, our Company is subject to Article 20 of the Constitution. Article 11 of the KVKK. In accordance with the article, it provides the necessary information in case the personal data owner requests information.

In addition, our Company informs the relevant persons about its activities, especially when it applies for the explicit consent of the persons, about its personal data processing activities in accordance with the law and the rule of honesty, and other relevant issues in the KVKK through various documents open to the public, especially this Policy document. Thus, it is ensured that the relevant persons are informed within the scope of personal data processing activities and accountability and transparency are ensured within this framework.

• Supervision of Measures Taken for the Protection of Personal Data and Training of Agency Personnel

There is a Personal Data Protection Committee within our Company. The Committee, on behalf of our Company, which is the data controller, is authorized under Article 12 of the LPPD. article of the Law on Audit and Inspection of Legislation, it personally conducts the necessary audits to ensure the implementation of the legislation in its own institution or organization and, if necessary, by obtaining support from competent organizations. Violations, negativities and nonconformities identified as a result of these audits are reported to the responsible persons within the committee and necessary measures are taken in this regard. In the event that personal data is transferred to real or legal persons from whom an external service is received by our Company, additional agreements are made with the relevant companies to which personal data is transferred in accordance with the law, including provisions that the persons to whom personal data is transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations. In addition, our Company enters into agreements with its employees who are subject to Labor Law No. 4857 and Law No. 6356 on Trade Unions and Collective Bargaining Agreements to comply with personal data protection measures. Our Company also acts in accordance with the decision of the Personal Data Protection Board dated 26.12.2019 and numbered 2019/393 if there are employees subject to the Law No. 6356 on Trade Unions and Collective Bargaining Agreements. In this context, employees are provided with an informative text reminding them of the procedures and principles they must comply with within the scope of the right to protection of personal data and their obligations.

Our Company ensures that necessary trainings are organized for its employees in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

Our Company is subject to Article 20 of the Constitution. Article 4 of the KVKK. In accordance with the article, it carries out personal data processing activities in accordance with the law and honesty rules, accurately and, where necessary, up-to-date, for specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner. Our Company retains personal data for the period stipulated by law or required by the purpose of personal data processing.

Our Company is subject to Article 6 of the LPPD. In accordance with the article, it acts in accordance with the regulations stipulated for the processing of special categories of personal data.

Our Company, KVKK’s 8. and In accordance with Article 9, it acts in accordance with the regulations stipulated in the law and set forth by the Board regarding the transfer of personal data.

3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation

3.1.1. Processing in accordance with the Law and Good Faith

Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this framework, personal data are processed to the extent required by and limited to the business activities of our Company.

3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our Company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes

Our Company clearly sets out the purposes of processing personal data and processes the relevant personal data within the scope of the purposes related to these activities in line with its business activities.

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed

Our Company collects personal data only to the extent and quality required by its business activities and processes it limited to the specified purposes.

3.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

Our Company retains personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified retention periods in accordance with the periodic destruction periods or in accordance with the data owner’s application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

• Terms of Processing of Personal Data

Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal data of special nature, 3.3. heading (“Processing of Special Categories of Personal Data”) shall apply.

• Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be based on information on a specific subject and must be freely given.

             5. Item 2. Pursuant to the paragraph below, personal data may be processed without the explicit consent of the data subject in the presence of the following personal data processing conditions.

• Explicitly Stipulated in Laws

In case there is an explicit provision in the relevant laws regarding the processing of the personal data of the data subject, the personal data of the data subject may be processed.

• Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility

       The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.

• Direct Relevance to the Establishment or Performance of the Contract

       Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, if the processing of personal data is necessary, this condition may be deemed to be fulfilled and the personal data of the data subject may be processed.

• Our Company Fulfillment of Legal Obligation

       In the event that personal data processing is mandatory for our Company to fulfill its legal obligations, the personal data of the data subject may be processed.

• Publicization of Personal Data by the Personal Data Owner

If the personal data is made public by the data owner himself/herself, the relevant personal data may be processed limited to the purpose of publicization.

• Data Processing is Mandatory for the Establishment or Protection of a Right

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.

• Our Company Data Processing is Mandatory for Legitimate Interest

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company.

• Conditions for Processing Sensitive Personal Data

Sensitive personal data are processed by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

• Sensitive personal data other than health and sexual life may be processed without seeking the explicit consent of the data subject if it is explicitly stipulated in the law, in other words, if there is an explicit provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data subject shall be obtained for the processing of sensitive personal data.

• Sensitive personal data relating to health and sexual life may be processed without seeking explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data subject shall be obtained for the processing of sensitive personal data.

3.4. Building, Facility Entrances and Personal Data Processing Activities Conducted Inside the Facility

In order to ensure security, our Company carries out personal data processing activities for the monitoring of third party entrances and exits with security cameras in our Company’s buildings and facilities. Personal data processing activity is carried out by our Company through the use of security cameras and recording the entrances and exits of third parties. In this context, our Company acts in accordance with the Constitution, KVKK and other relevant legislation.

Our Company takes video recordings of third parties by means of a camera surveillance system in the building, at the entrances to the facility and inside the facility. Our Company aims to increase the quality of the service provided within the scope of security camera surveillance, to ensure its reliability, to ensure the security of our Company and third parties and to protect the interests of third parties regarding the service they receive.

Our Company acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. Only a limited number of Company employees have access to the records recorded and maintained in digital media. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking. Our Company has been authorized by our Company in accordance with Article 12 of the LPPD. In accordance with the article, necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera surveillance activities.

Apart from the above-mentioned camera recording, personal data processing activities are carried out by our Company to ensure security and to monitor the entrances and exits of third parties in our Company’s buildings and facilities for the purposes specified in this Policy.

Detailed explanations regarding camera surveillance activities can be found on our website or in the Camera Surveillance and Storage Policy by submitting your request to the relevant personnel.

4. TRANSFER OF PERSONAL DATA

Our Company may transfer the personal data of the data subject to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this context;

• If there is a clear regulation in the laws regarding the transfer of personal data,

• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

• If personal data transfer is mandatory for our Company to fulfill its legal obligation,

• If personal data transfer is mandatory for the establishment, exercise or protection of a right,

• If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject,

• In the presence of the conditions stipulated in the laws for personal data of special nature other than health and sexual life,

• If there is a necessity to share personal data related to health and sexual life with authorized persons and institutions within the scope of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing

is being transferred.

5. COMPANY PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

Within our Company, in line with the legitimate and lawful personal data processing purposes of the Company, in accordance with the KVKK Article 5 and Based on one or more of the personal data processing conditions specified in Article 6 and limited to these, personal data in the following categories are processed by informing the relevant persons by complying with the general principles specified in the KVKK and all obligations regulated in the KVKK.

Our Company has created a personal data inventory in accordance with the Regulation on Data Controllers’ Registry put into effect by the Personal Data Protection Authority. This data inventory includes the categories of data, the source of the data, the purposes of data processing, the data processing process, the recipient groups to whom the data is transferred and the retention periods. In this context, our Company’s personal data inventory includes personal data in the following data categories.

PERSONAL DATA CATEGORIZATION	PERSONAL DATA CATEGORIZATION DESCRIPTION
Identity Data	A data group containing information about a person’s identity.
Contact Data	It is the data group that can be used to reach the person.
Audiovisual Recording Data	It is a data group containing visual and auditory data of the person.
Personal Data	This data category refers to types of data such as payroll information, property declaration information, CV information of individuals.
Financial Data	It is the data group containing the person’s financial information.
Professional Experience Data	It is a data group containing information on the person’s occupation, professional experience and education.
Customer Transaction Data	This data category refers to data types such as call center records, receipts, receipts, negotiable instruments and invoice information.
Legal Process Data	This category of data refers to types of data such as information in correspondence with judicial authorities, information in case files, etc.
Process Security Data	It is the data group containing transaction security data such as IP information, log records and cookies.
Risk Management	This category of data refers to types of data such as information processed for the management of technical, administrative risks.
Marketing Data	This data category is the data group containing personal marketing information.
Physical Space Security Data	It is the data group containing physical space security data such as camera records, entrance and exit records of the person.
Health Data	It is a data group related to a person’s health data.
Criminal Convictions and Security Measures Data	Data group containing data on criminal convictions and security measures of the person.
Other	It refers to data such as Military Service Status Information, Vehicle License Plate Information, which are not categorized in the Data Controllers Registry.

 

 

 

6. RETENTION PERIODS OF PERSONAL DATA

 

In cases stipulated in the relevant laws and regulations, our Company retains personal data for the period specified in these regulations. If a period of time is not regulated in the legislation regarding how long personal data should be kept, personal data is kept for the period required to be kept in accordance with our Company’s practices and public customs, depending on the activity carried out by our Company while processing that data.

138 of the Turkish Penal Code. Article 7 of the LPPD. article and pursuant to the “Regulation on Deletion, Destruction and Anonymization of Personal Data” put into effect by the Personal Data Protection Authority, personal data processed in accordance with the provisions of the relevant law are deleted, destroyed or anonymized based on the policies of our Company or upon the request of the relevant person in the event that the reasons requiring their processing disappear. Our Company has established a policy in this regard in accordance with the provisions of the regulations and acts in accordance with this policy.

7. RIGHTS OF THE PERSONS CONCERNED AND EXERCISE OF THESE RIGHTS

Our Company, KVKK’s 10. inform the person concerned of his or her rights in accordance with Article 10; and Article 11 provides guidance to the person whose personal data is processed on how to exercise these rights. In order to evaluate the rights of the relevant persons and to provide the necessary information to the relevant persons, our Company complies with Article 13 of the LPPD. Article 2 of the Law on the Protection of Human Rights and Freedoms, and carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 2 of the Law on the Protection of Human Rights and Freedoms.

7.1. Rights of Data Subjects Whose Personal Data is Processed

Data subjects whose personal data are processed have the following rights:

1. Learn whether personal data is being processed,

1. Request information if their personal data has been processed,

1. To learn the purpose of processing personal data and whether they are used for their intended purpose,

1. To know the third parties to whom personal data are transferred domestically or abroad,

1. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

1. Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,

1. In the event that the processed data is analyzed exclusively through automated systems and a result occurs to the detriment of the person himself/herself, to object to this result,

1. In case of damage due to the processing of personal data in violation of the KVKK, to demand the compensation of the damage.

7.2. Cases where the Data Subject whose Personal Data is Processed cannot assert his/her rights

Data subjects whose personal data are processed are subject to Article 28 of the LPPD. Pursuant to Article 11 of the LPPD, the following cases are excluded from the scope of the LPPD. item 1. cannot assert their rights listed in the paragraph:

1. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,

1. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,

1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,

1. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

Article 28 of the LPPD Item 2. Pursuant to the paragraph  ; In the cases listed below, the persons whose personal data are processed, except for the right to demand the compensation of the damage, are subject to Article 11 of the KVKK. item 1. cannot assert their other rights listed in the paragraph:

1. Processing of personal data is necessary for the prevention of crime or criminal investigation,

1. Processing of personal data made public by the person whose personal data is processed,

1. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by the KVKK,

1. Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

7.3. Exercising the Rights of the Personal Data Subject

Persons whose personal data are processed may submit their requests regarding their rights specified in this Policy to our Company free of charge by filling out and signing the application form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the KVKK. Regulations in this regard are made in Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi  Personal Data Application Form and Clarification Texts.

Contact person

• “Kemalpaşa Organized Industrial Zone İzmir Kemalpaşa Asfaltı No:44 Kemalpaşa / İzmir” after filling in the form available at the address “Ke malpaşaOrganized Industrial Zone İzmir KemalpaşaAsfaltı No:44 Kemalpaşa / İzmir ” by hand or in writing via registered mail with return receipt requested or application in person,

• After filling out the form and signing it with the “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, the form with secure electronic signature By sending by registered e-mail to oranpolyester@hs01.kep.tr address, by using secure electronic signature, mobile signature or the e-mail address previously notified to our Company by the relevant person and registered in our Company’s system, or through a software or application developed for the purpose of application Applying to info@orbond.com

can exercise their rights through ways.

In order for the above-mentioned application to be accepted as a valid application, in accordance with the Communiqué on Application Procedures to the Data Controller, the person concerned in the application;

1. Name, surname and signature if the application is in writing,

1. Turkish Republic ID number for citizens of the Republic of Turkey, nationality, passport number or ID number, if any, for foreigners,

1. Residential or workplace address for notification,

1. Electronic mail address, telephone and fax number for notification, if any,

1. Subject of request

information is mandatory. Otherwise, the application will not be considered as a valid application. For applications to be made without filling out the application form, the matters listed herein must be submitted to our Company in full.

In order for third parties to make an application request on behalf of the persons whose personal data are processed, there must be a special power of attorney issued by the relevant person through a notary public on behalf of the person who will make the application.

IDENTITY OF THE DATA CONTROLLER

Mersis No                  :  0645035252400001
Internet Address       :  www.orbond.com  

Telephone Number :  0 232 502 14 15
E-Mail Address        :  info@orbond.com

KEP Address                 :  oranpolyester@hs01.kep.tr
Address                      :  Kemalpaşa Organized Industrial Zone İzmir Kemalpaşa Asfaltı No:44 Kemalpaşa / İzmir

This Policy, www.orbond.com awas announced at the time. In this context, the right to make changes in the Policy is reserved in accordance with legislative changes and our Company’s policies. Current version of the Policy with the amendments made www.orbond.com is announced at the address.

ANNEX-1 DEFINITIONS

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Anonymization: It is the modification of personal data in such a way that it loses its personal data nature and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. techniques to render personal data unattributable to a natural person.

Application Form: “Application Form Regarding the Applications to be made by the Relevant Person to the Data Controller in accordance with the Law No. 6698 on the Protection of Personal Data”, which includes the application to be made by the relevant persons whose personal data are processed to exercise their rights.

Employee Candidate: Real persons who have applied for a job at Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi by any means or who have opened their resume and related information.

Employees, Shareholders and Authorities of Cooperating Organizations: Real and legal persons, including, but not limited to, employees, shareholders and authorities of the organizations (such as business partners, suppliers) with which the Company has any kind of business relationship.

Business Partner: Parties with whom the Company has established business partnerships for purposes such as carrying out various projects and receiving services, either personally or together with the Company while carrying out its activities.

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Data Subject: The natural person whose personal data is processed. For example; visitor, staff, customer, etc.

Personal Data: Any information relating to an identified or identifiable natural person (e.g. name, surname, TRKN, e-mail, address, date of birth, credit card number, etc.). The processing of information on legal entities is not covered by the LPPD.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Supplier: Parties that provide services to the Company on a contractual basis in accordance with the Company’s orders and instructions while carrying out the Company’s activities.

Third Person: Real persons whose personal data are processed within the scope of the policy, which are not defined differently within the scope of the policy. For example, family members, former employees.

Data Processor: Natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example; companies from which the Company receives services, etc.

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). Within the scope of this policy, Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi is the data controller.

Deletion of Data: It refers to the situation where all relevant users within the company are encrypted in a way that prevents access to personal data and only the data protection officer has this password.

Destruction of Data: It refers to the situation where personal data is completely eliminated physically or by technological methods in an irreversible manner.

Visitor: Real persons who visit the physical premises owned by the Company for various purposes.

ANNEX-2 PERSONAL DATA PROCESSED BY OUR COMPANY AND THEIR PURPOSES

Contact Person	Category of Personal Data Processed	Purposes of Processing Personal Data
Employee	Identity Data Contact Data Professional Experience Data Legal Process Data Finance Data Personal Data Audio and Visual Recordings Military Service Data	In accordance with the Labor Law No. 4857, in particular, and the regulations related to these laws, ü  Execution of Employee Satisfaction and Loyalty Processes, ü  Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, ü  Execution of Benefits and Benefits Processes for Employees, ü  Execution of Activities in Compliance with the Legislation, ü  Execution of Activities in Compliance with the Legislation, ü  Execution of Finance and Accounting Affairs, ü  Execution of Assignment Processes, ü  Follow-up and Execution of Legal Affairs, ü  Execution of Internal Audit / Investigation / Intelligence Activities, ü  Execution of Communication Activities, ü  Execution/Supervision of Business Activities, ü  Execution of Contract Processes, ü  Planning Human Resources Processes, ü  Providing Information to Authorized Persons, Institutions and Organizations, ü  Conducting Training Activities Personal data belonging to employees are processed for the purposes of the Company.
Employee	Criminal Convictions and Security Measures Data	Pursuant to the general provisions of the Labor Law No. 4857, the employer is under a duty of care towards its employees. Criminal records are processed to ensure that workplace security is ensured.
Employee	Health Data	Law No. 6331 on Occupational Health and Safety and Regulation No. 9 of the Regulation on the Duties, Authorities, Responsibilities and Trainings of Workplace Physicians and Other Health Personnel. Pursuant to the article, the workplace physician is obliged to carry out the recruitment and periodic health examinations of the employees, stating that they are suitable for the work they will do. In accordance with the relevant legislation; health information of employees is processed in order to carry out occupational health and safety activities and to monitor the fitness of our Company’s employees for duty.
Visitor	Physical Space Security Data	In order to monitor the entry and exit of visitors to our Company and to ensure the security of the Company building, in line with the legitimate interests of our Company, the images of the visitors are recorded with the camera records within our Company.
Visitor	Identity Data Process Security Data	Pursuant to Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications, the identity information, IP address information, website login and exit information of our website visitors are processed in order to record who and for what purpose the internet service provided is used, to carry out the activities of our corporate website and to confirm user information.
Employee Candidate	Identity Data Contact Data Professional Experience Data Audio and Visual Recordings Process Security Data Health Data Criminal Convictions and Security Measures Data	Our Company processes identity information, contact information, professional experience information, transaction security data, health information and criminal conviction and security measures data of employee candidates in order to carry out preparatory procedures related to employment in order to be the basis for the evaluation of employee candidates for the appropriate position in recruitment processes.
Product or Service Recipient	Identity Data Contact Data Finance Data Customer Transaction Data Legal Process Data Audiovisual Recording Data	Identity, communication, financial, visual and audio recording, customer transaction and legal transaction data of persons who receive products or services are processed, limited to the data groups and duration specified in the relevant legislation for the purposes of our Company’s fulfillment of its commercial activities, execution of goods / services sales processes and execution of goods / services production and operation processes.
Product or Service Recipient	Identity Data Contact Data	Our Company is obliged to evaluate the requests and complaints of people who receive products or services in order to ensure that services are carried out in a planned, programmed, effective, efficient and harmonious manner. In this context, the identity and contact information of the persons receiving products or services who contact our Company through the Call Center are processed.
Supplier Official/Employee	Identity Data Contact Data Finance Data Legal Action Process Security Data Professional Experience Data	In accordance with the contracts we have made with our suppliers for the continuity of our services, to ensure that the purchasing transactions of all products needed by the unit are realized and paid to the relevant supplier based on the nature of the demands in the units, To organize the preparation of the relevant documents and the preparation of the purchase file according to the method determined in the purchase of products and services within the scope of purchasing activities, To coordinate the creation of the list of Suppliers from which the products/services directly used in the final product are purchased and to monitor the currency of this list, Coordinate the performance evaluations of suppliers and the maintenance of relevant quality records, Ensuring the execution of logistics activities, To make discovery calculations for the approved product and service needs of the departments and to ensure that they are made by the relevant department.

ANNEX-3 THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER

Persons to whom data can be transferred	Contact Persons	Data Transfer Purpose
Business Partner	Product or Service Recipient Supplier Employee/Authority	Transfers are made on a limited basis to ensure the preparation and implementation of business strategies and the fulfillment of the purposes for which the joint venture was established.
Suppliers	Product or Service Recipient	Transfers are made on a limited basis in order to ensure that the services outsourced by our Company from the supplier and necessary to fulfill our Company’s activities are provided to our Company.
Authorized Public Institutions and Organizations	Product or Service Recipient Supplier Employee/Authority Employee	In cases where public institutions and organizations request and provide a legal basis, transfers are made limited to the purpose.
Natural Persons or Private Law Legal Entities	Product or Service Recipient Supplier Employee/Authority Employee	It is transferred on a limited basis within the scope of work carried out with individuals and institutions such as lawyers, banks, private insurance and software companies.
Shareholders and Company Officials	Product or Service Recipient Supplier Employee/Authority Employee	Our Company is transferred limited to the purposes for which it was established and to ensure the fulfillment of its administrative and commercial activities.