Personal Data Protection and Privacy Policy

1000 YATIRIMLAR HOLDİNG A.Ş.
PERSONAL DATA PROTECTION AND PRIVACY POLICY


As 1000 Yatırımlar Holding A.Ş. ("1000 Yatırımlar" or the "Company"), we attach great importance to protecting the personal data of all natural persons with whom we come into contact in any way while carrying out our commercial activities, and to fully meeting the requirements set forth in the Personal Data Protection Law No. 6698 ("KVKK" or "Law"). This Personal Data Protection and Privacy Policy ("Policy") has been prepared to inform you about the processes and principles by which the Company collects, uses, shares and stores personal data. This Policy sets out the principles governing the Company's processing of data subjects' personal data, following the order of regulation in the KVKK; these explanations cover our Company employees, active and potential customers, visitors and other real persons in a relationship with the Company.

2. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

A. DEFINITIONS
Explicit consent: Consent on a specific subject, based on information and expressed with free will.
Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Relevant person: The natural person whose personal data is processed.
Personal data: Any information relating to an identified or identifiable natural person.
Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Board: The Personal Data Protection Board.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.


B. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
The Company processes personal data in accordance with the procedures and principles stipulated in KVKK and other relevant laws. Within this framework, the Company complies with the following principles in KVKK when processing personal data.
Compliance with the law and honesty rules: Pursuant to this principle, the Company's data processing activities are carried out within the limits required by the Constitution of the Republic of Turkey and all relevant legislation, especially KVKK, and by good faith.
Being accurate and up-to-date when necessary: Necessary measures are taken to ensure that the personal data processed by the Company are accurate and up to date, and data subjects are informed and given the necessary opportunities to ensure that the data being processed reflect the actual situation.
Processing for specific, clear and legitimate purposes: The Company processes personal data only for clear and precisely determined legitimate purposes and does not engage in data processing activities other than these purposes. In this context, the Company processes personal data only in connection with the relationship established with the data subjects and if necessary.
Being relevant, limited and proportionate to the purpose for which they are processed: Data are processed by the Company in accordance with KVKK and other relevant legislation, in a manner that is suitable for the realization of the purposes determined according to the data categories, and relevant and proportionate to the realization of the purpose; the processing of personal data that is not needed is avoided.
Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: Personal data processed by the Company are retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, if there is a period stipulated in the relevant legislation for the storage of data, the Company complies with this period; if there is no such period, it retains the data only for the period required for the purpose for which they are processed.

C. CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data are processed by the Company in accordance with the following conditions. Except for the exceptions listed in KVKK, the Company processes personal data only by obtaining the explicit consent of the data subjects. Where one of the following cases listed in KVKK applies, personal data can be processed even without the explicit consent of the data owner:
- It is explicitly stipulated in the laws,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid,
- It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- It has been made public by the data subject himself/herself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Explicit consent statements have been prepared for data processing activities and data categories that require the explicit consent of the data subject in order for the Company to carry out its commercial activities. In the explicit consent declarations prepared for data subjects, in parallel with the European Union regulations that constitute the basis of KVKK, data subjects are given the right to choose whether their personal data can be processed by the Company and are informed about the consequences that may occur if explicit consent cannot be obtained.

D. PURPOSES OF PROCESSING PERSONAL DATA
Personal data obtained by the Company may be processed within the scope described below:
- Planning and Execution of Business Activities
- Realization of Company and Corporations Law and Legislation Transactions
- Ensuring that Data is Accurate and Up-to-Date
- Planning and Execution of Corporate Communication Activities
- Management and Supervision of Relations with Subsidiaries
- Management of Relations with Business Partners and Suppliers
- Planning and Execution of Fringe Benefits and Benefits for Employees
- Performance and Employee Satisfaction Management
- Execution of Personnel Recruitment Processes
- Planning Recruitment and Personnel Processes
- Planning and Execution of Occupational Health and Safety Processes
- Planning and Execution of Intern and Student Recruitment, Placement and Operation Processes
- Follow-up of Finance and Accounting Affairs
- Planning and Execution of Corporate Sustainability Activities
- Planning and Execution of Business Continuity Ensuring Activities
- Follow-up of Contract Processes and Legal Requests
- Planning and Execution of Employees' Authorization to Access Information Systems
The categories mentioned above are listed for informational purposes, and personal data may be processed for other purposes in order for the Company to carry out its future commercial and operational activities. In such cases, the categories in this Policy will be updated periodically by the Company. 

E. STORAGE OF PERSONAL DATA
The personal data obtained are stored securely in physical or electronic media for an appropriate period of time in order to fulfill the Company's commercial activities. Within the scope of these activities, the Company acts in accordance with the obligations stipulated in all relevant legislation, especially KVKK, regarding the protection of personal data. Except for the cases where the relevant legislation permits or requires personal data to be stored for a longer period, once the purposes of processing personal data cease to exist, the data will be deleted, destroyed or anonymized, either ex officio within the framework of the Personal Data Retention and Destruction Policy prepared by the Company in accordance with this Policy, or upon the request of the data owners through the attached data owner application form. Where personal data is destroyed through various methods, it will be destroyed in such a way that it cannot be used or recovered again in any way.
However, in cases where the data controller has a legitimate interest, personal data may be stored until the expiration of the general statute of limitations (ten years) regulated in the Turkish Code of Obligations, provided that the fundamental rights and freedoms of the data subjects are not harmed, even though the purpose of processing and the periods specified in the relevant laws have expired. After the expiration of the aforementioned statute of limitations, personal data will be deleted, destroyed or anonymized according to the procedure specified above.

F. TRANSFER OF PERSONAL DATA TO PERSONS ABROAD
The Company carefully complies with the conditions regulated in the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. Within this framework, personal data are not transferred by the Company to third parties without obtaining the explicit consent of the data subject. However, personal data may be transferred without obtaining the explicit consent of the data subject in the presence of one of the following conditions stipulated in KVKK:
- It is explicitly stipulated in the laws,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
- Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- It has been made public by the data subject himself/herself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.  

G. TRANSFER OF PERSONAL DATA ABROAD
Regarding the transfer of personal data abroad, the explicit consent of the data subject is sought in accordance with Article 9 of KVKK. However, in the presence of conditions permitting the processing of personal data, including sensitive personal data, without the explicit consent of the data subject, the Company may transfer personal data abroad without seeking the explicit consent of the data subject, provided that there is adequate protection in the foreign country to which the personal data will be transferred. If the country to which the data will be transferred is not among the countries with adequate protection to be determined by the Board, the Company and the data controller/data processor in the relevant country will undertake adequate protection in writing.
You can access the groups of persons with whom your personal data is/may be shared from the list of groups of persons with whom personal data is shared in Annex 2 of this Policy. The list in question has been prepared for informational purposes and will be updated by the Company in case of any changes.

H. DISCLOSURE OBLIGATION OF THE COMPANY
Pursuant to Article 10 of KVKK, data subjects must be informed before or at the latest during the acquisition of personal data. The information that should be communicated to data subjects within the framework of the said disclosure obligation is as follows:
- Identity of the data controller and its representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data may be transferred,
- The method and legal grounds for collecting personal data,
- Other rights listed in Article 11 of KVKK.
The Company fulfills its obligation to inform in every situation where personal data is processed. For this purpose, it has prepared and implemented disclosure statements on the basis of process and data subject category.
On the other hand, within the framework of Article 28(2) of KVKK, the Company shall not have an obligation to inform in the following cases:
- Processing of personal data is necessary for the prevention of crime or criminal investigation,
- Processing of personal data made public by the data subject himself/herself,
- Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
- Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. 
In cases where personal data is not obtained from the data subject, the Company fulfills its obligation to inform within a reasonable period of time from the acquisition of personal data; if personal data is used for communication with the data subject, at the latest when the first communication with the data subject is established; and if personal data is to be transferred, at the latest when the personal data is transferred.

I. RIGHTS OF THE DATA SUBJECT
Regarding the personal data processed by the Company in accordance with the principles set out in this Policy, necessary measures have been taken to ensure that the rights granted to data subjects in Article 11 of KVKK are exercised. The rights in question are as follows:
a) To learn whether personal data is being processed,
b) To request information if personal data has been processed,
c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d) To know the third parties to whom personal data are transferred domestically or abroad,
e) To request correction of personal data in case of incomplete or incorrect processing,
f) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
g) To request notification of the transactions made pursuant to (e) and (f) above to third parties to whom personal data are transferred,
h) To object to any result to the detriment of the person himself/herself that arises from the analysis of the processed data exclusively through automated systems,
i) In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
Data owners can exercise their rights listed above by sending a wet signed copy of the data owner application form in Annex No. 1 of this Policy to the Company's Head Office address by registered mail with return receipt requested, including a copy of their identity card. Detailed information about filling out the form and sending it to the Company is included in the application form in Annex No. 1. The Company will deliver the response to the relevant applications physically or electronically to the relevant data subject.
Depending on the nature of the request, the Company will finalize the request free of charge as soon as possible and within thirty (30) days at the latest. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be charged by the Company. In addition, the Company may request additional information or documents from the applicants during the process of finalizing the requests of the data subjects.
On the other hand, within the framework of Article 28(2) of KVKK, the above rights listed in Article 11 of KVKK, except for the right to compensation for damages, cannot be exercised in the following cases:
- Processing of personal data is necessary for the prevention of crime or criminal investigation,
- Processing of personal data made public by the data subject himself/herself,
- Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
- Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

J. PRECAUTIONS TAKEN FOR DATA SECURITY
The Company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data within the scope of Article 12(1) of KVKK. The measures taken by the Company in this context are listed below:
Within the scope of administrative measures;
- The Company takes the necessary technical measures to implement the principle of "all transactions related to personal data are prohibited unless necessary" within the Company. It limits in-house access to stored personal data to the personnel who are required to access it by job description. In limiting access, whether the data is of special nature and the degree of importance are also taken into consideration.
- It takes the necessary technical measures to ensure that the processed personal data is not obtained by others through unlawful means, and in case the relevant personal data is obtained, it notifies the relevant person and the Board as soon as possible.
- Regarding the sharing of personal data, it signs a framework agreement on the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with the provisions added to the existing agreement.
- It employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary up-to-date training within the scope of personal data protection legislation and data security.
- It carries out, and commissions, the necessary audits in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the confidentiality and security weaknesses that arise as a result of the audits, and in this regard, it also takes into account whether the personal data is special category data, the degree of confidentiality required by its nature, and the nature and quantity of the damage that may arise for the person concerned in case of security breach.
- It regularly checks that the processed personal data is up to date and safely destroys the personal data that is not needed within the scope of the retention and destruction policy.
Within the scope of technical measures;
- Carries out the necessary internal controls within the scope of the systems established to monitor personal data security and develops data backup strategies to ensure personal data security against malicious software.
- Carries out information technologies risk assessment and business impact analysis processes within the scope of the established systems.
- Ensures the provision of technical infrastructure to prevent or monitor the leakage of data outside the organization and the creation of relevant matrices. Ensures that the necessary software to ensure cyber security (including network security, application security, anti-virus systems) is available and up-to-date.
- Ensures the control of system vulnerabilities by obtaining penetration testing services on a regular basis and when the need arises.
- It ensures that the access authorizations of employees working in information technology units to personal data are kept under control.
- Personal data is destroyed in a way that cannot be reversed and leaves no audit trail.
- Pursuant to Article 12 of KVKK, all kinds of digital media where personal data are stored are protected by encrypted or cryptographic methods to ensure information security requirements. For personal data stored in physical media, necessary physical security measures are taken and entry-exit records are organized.  

K. IN TERMS OF PERSONAL DATA OF SPECIAL NATURE
The Company shows special sensitivity in the processing of special categories of personal data, the protection of which is believed to be more critical for data subjects for various reasons. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data subjects. However, special categories of personal data other than data relating to health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Data relating to health and sexual life, on the other hand, may be processed without the explicit consent of the data subject, provided that adequate measures are taken, for the purposes listed below and by persons under the obligation of confidentiality or authorized institutions and organizations:
- Protection of public health,
- Preventive medicine measures,
- Medical diagnosis,
- Carrying out treatment and care services,
- Planning and management of health services and financing.
It will also be possible to transfer sensitive personal data to third parties within the aforementioned purposes and provided that adequate measures are taken.
In addition to the administrative and technical measures stipulated in this Policy regarding personal data, in electronic media where special categories of personal data are processed, stored and/or accessed;
a) Transaction records of all actions performed on the data are securely logged,
b) Security updates of the environments where the data are located are continuously monitored, necessary security tests are regularly performed, and test results are recorded,
c) In cases where data is accessed through software, user authorizations of this software are made, and test results are recorded,
d) In cases where remote access to data is required, at least two-factor authentication is provided.
In physical environments where sensitive personal data are processed, stored and/or accessed;
a) Adequate security measures are taken according to the nature of the environment where sensitive personal data is located,
b) Unauthorized entry and exit are prevented by ensuring the physical security of these environments.
If sensitive personal data will be transferred to third parties;
a) If the data must be transferred via e-mail, it is sent from an encrypted corporate e-mail address or by using a Registered Electronic Mail (REM) account,
b) If it needs to be transferred via media such as portable memory, CD, DVD, etc., it is encrypted with cryptographic methods and the cryptographic key is kept in a different medium,
c) If data is transferred between servers in different physical environments, data transfer is performed by setting up a VPN between servers or by the SFTP method,
d) If it is necessary to transfer data via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in the format of "confidential documents".
 
2. MISCELLANEOUS
- In case of incompatibility between the provisions of KVKK and other relevant legislation and this Policy, the provisions of KVKK and other relevant legislation shall apply first.
- In the event of changes in this Policy, the effective date of the Policy and the relevant articles will be updated accordingly.