PDP And Processing Policy

1. INTRODUCTION

The protection of personal data of employees, customers, potential customers, company officials, visitors, and the parties and institutions cooperating with ADT Elastomer Çözümleri Sanayii AŞ (“ADT” or the “Company”), as the data controller, is of utmost importance.

The purpose of this Policy and other written policies within ADT that govern the processes of personal data processing and protection is to ensure that the personal data of our customers, potential customers, employees, job applicants, visitors, employees of cooperating institutions, and third parties are processed and protected in a lawful manner.

With this Policy, the Company establishes and implements the fundamental rules regarding the processing of personal data, which is the most critical aspect of this matter.

2. DEFINITIONS

KVK Law: The Personal Data Protection Law No. 6698 dated March 24, 2016, published in the Official Gazette No. 29677 on April 7, 2016.

Constitution: The Constitution of the Republic of Turkey No. 2709 dated November 7, 1982, published in the Official Gazette No. 17863 on November 9, 1982.

KVK Board: Personal Data Protection Board.

Policy: ADT Elastomer Personal Data Protection and Processing Policy.

Company: ADT Elastomer Sanayii AŞ.

Turkish Penal Code: Turkish Penal Code No. 5237 dated September 26, 2004, published in the Official Gazette No. 25611 on October 12, 2004.

Explicit Consent: Consent given freely and explicitly based on information about a specific subject.

Anonymization: The process by which personal data is altered in such a way that it can no longer be associated with an identified or identifiable real person, even by matching with other data, resulting in the permanent loss of personal data characteristics.

Data Subject: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person. Data relating to legal entities are not within the scope of this Law.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, whether fully or partially by automatic means or otherwise as part of any data recording system, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, classification, or prevention of use.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system).

3. PURPOSE AND SCOPE OF THE POLICY

The main purpose of this Policy is to inform our employees, customers, potential customers, job applicants, employees of cooperating institutions, and other individuals whose personal data is processed by the Company about the personal data processing activities conducted lawfully by the Company, the systems adopted for personal data protection, measures taken within this scope, data subjects’ rights, and methods to exercise those rights.

The scope of this Policy covers all personal data processed automatically or otherwise as part of any data recording system concerning our employees, job applicants, customers, potential customers, visitors, company officials, employees of cooperating institutions, and other third parties whose data is processed.

In case of any conflict between the applicable legislation and this Policy, the provisions of the legislation shall prevail. If there are other policies or regulations established on the same subject for more specific purposes, those special provisions shall take precedence. Any provisions in other policies or documents that conflict with this Policy and related legislation shall not be applied.

4. RULES REGARDING THE PROCESSING OF PERSONAL DATA

4.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data shall primarily be applied. In case of any inconsistency between the legislation in force and this Policy, the Company agrees that the applicable legislation will prevail.

The Company processes personal data in accordance with the provisions and rules set forth in the Law No. 6698 on the Protection of Personal Data ("Law") and other relevant legislation. The Law establishes the principles of personal data processing. The Company acts in accordance with these principles in every data processing activity.

4.1.1. Processing in Compliance with Lawfulness and Fairness Principles

The Company acts in accordance with the principles of legality, trust, and fairness in the processing of personal data. Within this scope, the Company processes personal data in compliance with data protection legislation and related regulations and does not process personal data for purposes other than those notified to the data subjects.

4.1.2. Ensuring the Accuracy and Updating of Personal Data When Necessary

The Company takes necessary measures to ensure that the personal data processed, considering the fundamental rights of the data subjects and its own interests, are accurate and up-to-date.

4.1.3. Processing for Specific, Clear, and Legitimate Purposes

The Company processes personal data only for specific, legitimate, and lawful purposes. Before starting data processing activities, the Company determines the purposes of personal data processing clearly and definitively, and explicitly informs the data subjects of these purposes at the time of data collection. If the purposes of personal data processing change, the Policy is updated and efforts are made to notify the data subjects of the change through various possible channels.

4.1.4. Being Related, Limited, and Proportionate to the Purpose for Which They Are Processed

Personal data is processed by the Company only to the extent necessary for achieving the specified purposes, and processing of personal data unrelated to the purpose is avoided. Only data necessary for achieving the determined purposes is collected from the data subjects.

4.1.5. Retention for the Period Required by Legislation or the Purpose for Which They Are Processed

The Company retains personal data only for the period prescribed by the relevant legislation or as long as necessary for the purposes for which they are processed. In this context, the Company primarily retains personal data within the periods prescribed by the relevant legislation for the storage of personal data. If there is no period specified by legislation or no legal reason requiring longer retention, the Company retains personal data only for the period necessary for the purposes for which they are processed. Upon expiry of the period or cessation of reasons requiring processing, personal data is deleted, destroyed, or anonymized by the Company.

4.2. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data is processed by the Company based on one or more of the personal data processing conditions specified in the Law.

CONDITIONS FOR PROCESSING PERSONAL DATA

  • If the data subject has given explicit consent: The explicit consent of the data subject must be specific, informed, and freely given regarding a certain matter.
  • If there is an explicit legal regulation authorizing the processing of personal data: Personal data of the data subject can be processed lawfully if explicitly provided by law.
  • If explicit consent cannot be obtained due to factual impossibility: If the data subject cannot express consent due to factual impossibility or if the data subject whose consent is not legally recognized needs to protect their own or another person's life or bodily integrity, data may be processed.
  • If directly related to the establishment or performance of a contract: If processing personal data related to the parties of a contract is necessary, such processing is permitted.
  • To fulfill the Company’s legal obligations: Processing is mandatory to fulfill the legal obligations of the Company as the data controller.
  • If required for the establishment, use, or protection of a right: If processing is necessary for establishing, using, or protecting a right, personal data can be processed.
  • If necessary for the legitimate interests of the Company: Personal data can be processed provided that it does not harm the fundamental rights and freedoms of the data subject.
  • If the data subject has made their personal data public: Personal data that the data subject has made public may be processed. Example: Publishing contact details of a job applicant on job application websites.

CONDITIONS FOR PROCESSING SPECIAL CATEGORY PERSONAL DATA

The Company strictly complies with the provisions set forth in the Law on the Protection of Personal Data for the processing of "special category" personal data as defined in the Law. Article 6 of the Law defines certain personal data as "special category" because unlawful processing may lead to discrimination or victimization. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, biometric and genetic data. Special category personal data can only be processed with the explicit consent of the data subject.

  • Special category personal data other than health and sexual life can be processed without explicit consent only in cases provided by law.
  • Special category personal data concerning health and sexual life can be processed without explicit consent only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, health services and their financing, by persons under confidentiality obligations or authorized institutions and organizations.

4.3. TRANSFER OF PERSONAL DATA

4.3.1. Transfer of Personal Data to Third Parties

The Company may transfer personal data it processes within the scope of its processing purposes to third parties in the cases stipulated by the Law. The categories of third parties to whom personal data is or may be transferred are listed in Section 7. The Company acts in accordance with the regulations set forth in the Law when sharing personal data.

The Company may transfer personal data to third parties based on one or more of the conditions for processing personal data specified in the Law.

The Company takes the measures and necessary security precautions prescribed by the Board and exercises utmost care to transfer special category personal data to third parties only when the conditions for processing special category personal data are met.

4.3.2. Transfer of Personal Data Abroad

The Company may transfer the personal data it processes to third parties located abroad by taking necessary security measures. The categories of third parties to whom personal data may be transferred are listed categorically in Section 7.

The Company may transfer personal data to foreign countries where the data controller has sufficient protection or undertakes sufficient protection, based on legitimate and lawful personal data processing purposes, the measures prescribed by the Board, and when one of the conditions for processing personal data or special category personal data exists.

4.4. NOTIFICATION AND INFORMATION OF THE PERSONAL DATA OWNER

The Company, in compliance with the notification obligation under the Law, informs personal data owners at the time of collection about how and for what purpose their personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis of personal data collection, and the rights of the personal data owner under Article 11 of the Law. Within this scope, the Company informs data owners at a minimum about the following matters:

  • Identity of the Company and its representative (if any),
  • The purposes of processing personal data,
  • To whom and for what purposes personal data may be transferred,
  • The method and legal reasons for collecting personal data,
  • The rights of the personal data owner.

Furthermore, the Company announces compliance with all matters stipulated in the Law and especially with the principle of lawful and fair processing of personal data through this Policy document and other publicly available documents, ensuring accountability and transparency in personal data processing activities.

4.4.1 Types of Personal Data Processed by the Company

Personal data is processed by the Company

  • after informing the relevant persons pursuant to Article 10 of the Law,
  • based on one or more of the personal data processing conditions specified in Article 5 of the Law and in a limited manner,
  • in line with the Company’s legitimate purposes and in accordance with the principles of lawfulness and fairness.

Below you can find the categories of personal data processed by the Company in compliance with the principles and obligations specified in the Law, along with the related categories of data subjects:

Personal Data Category | Related Data Subject Category

Identity Information

Information in documents such as driver’s license, ID card, residence permit, passport, attorney identity card, marriage certificate, which identifies or can identify a natural person, processed fully or partially automatically or non-automatically as part of a data recording system.

Data subjects: Customer, Potential Customer, Employee, Job Applicant, Consultant, Company Shareholder, Company Official, Visitor, Employees, Shareholders, and Officials of Partner Institutions, Third Parties

Visual and Audio Information

Data identifying or potentially identifying a natural person, including photographs and camera recordings (excluding records within Physical Space Security Information), voice recordings, and copies of documents containing personal data.

Same data subjects as above.

Contact Information

Data such as phone number, address, email identifying or potentially identifying a natural person.

Same data subjects as above.

Location Data

Data identifying or potentially identifying a natural person, automatically or non-automatically processed, concerning the location of the data subject during the use of products and services or during the use of Company vehicles by employees of partner institutions.

Data subjects: Customer, Employee, Employees of Partner Institutions

Customer Information

Data obtained and produced about a person in connection with commercial activities and operations of business units.

Data subject: Customer

Family and Close Relatives Information

Data about family members and close relatives of the data subject, held in the data recording system, related to products and services provided or for protecting the legal interests of the Company and the data subject.

Data subjects: Customer, Visitor, Employee, Job Applicant, Third Party, Employees, Shareholders, and Officials of Partner Institutions

Customer Transaction Information

Records related to the use of products and services and instructions and requests necessary for the customer's use.

Data subject: Customer

Physical Space Security Information

Data related to entry and stay in physical premises recorded in the data recording system.

Data subjects: Employee, Visitor, Company Officials, Employees, Shareholders, and Officials of Partner Institutions

Transaction Security Information

Data processed for ensuring technical, administrative, legal, and commercial security during commercial activities.

Data subjects: Customer, Visitor, Third Party, Company Officials, Employees, Shareholders, and Officials of Partner Institutions

Risk Management Information

Data processed according to generally accepted legal, commercial customs, and fairness rules to manage commercial, technical, and administrative risks.

Data subjects: Customer, Potential Customer, Job Applicant, Company Shareholder, Company Official, Visitor, Employees, Shareholders, and Officials of Partner Institutions, Third Parties

Financial Information

Information, documents, and records showing any financial results generated according to the legal relationship established with the personal data subject.

Data subjects: Customer, Employee, Company Shareholder, Company Official, Employees, Shareholders, and Officials of Partner Institutions

Personnel Information

Data processed for obtaining personnel rights of employees or individuals working with the Company.

Data subjects: Employee, Employees, Shareholders, and Officials of Partner Institutions

Job Applicant Information

Data processed related to persons who have applied to become employees or evaluated as candidates for human resources needs.

Data subjects: Job Applicant, Employees of Partner Institutions

Employee Transaction Information

Data processed regarding all work-related transactions of employees or individuals working with the Company.

Data subjects: Employee, Employees of Partner Institutions

Employee Performance and Career Development Information

Data processed for performance measurement and career development planning of employees or individuals working with the Company within human resources policies.

Data subjects: Employee, Employees of Partner Institutions

Fringe Benefits and Interests Information

Data processed for planning fringe benefits and interests offered to employees or individuals working with the Company.

Data subjects: Employee, Employees of Partner Institutions

Legal Transaction and Compliance Information

Data processed for identification, monitoring, and fulfillment of legal receivables and liabilities, legal obligations, and compliance with Company policies.

Data subjects: Customer, Potential Customer, Employee, Job Applicant, Company Shareholder, Company Official, Visitor, Employees, Shareholders, and Officials of Partner Institutions, Third Parties

Audit and Inspection Information

Data processed in compliance with the Company's legal obligations and policies.

Same data subjects as above.

Special Category Personal Data

Data defined in Article 6 of the Law.

Data subjects: Customer, Employee, Job Applicant, Company Shareholder, Company Official, Employees, Shareholders, and Officials of Partner Institutions

Marketing Information

Data processed to customize marketing of products and services according to usage habits, preferences, and needs of the data subject.

Data subjects: Customer, Potential Customer

Request/Complaint Management Information

Data related to receiving and evaluating any requests or complaints directed to the Company.

Data subjects: Customer, Potential Customer, Job Applicant, Company Shareholder, Company Official, Visitor, Employees, Shareholders, and Officials of Partner Institutions, Third Parties

Other

Health Data: Data related to health history

Vehicle Data: Data related to tracking of vehicle information

Visual and Audio Data: Photos, voice recordings, camera recordings, copies of driver's licenses/ID cards/passports

Digital Trace Data: Logs

Professional Data: Data related to past experiences

Education Data: Diplomas, previous education, training within the company

Signature Data: Wet signature, e-signature, signature scans

Visa/passport data

Clothing and Appearance data

Distinguishing data group for purchasing and departmental identification

Sanction Data

Criminal Record

Data related to past disciplinary penalties/defense within the company

Data subjects: Customer, Potential Customer, Employee, Job Applicant, Company Shareholder, Company Official, Visitor, Employees, Shareholders, and Officials of Partner Institutions, Third Parties

4.4.2. Purposes of Processing Personal Data by the Company

The conditions for processing personal data or special category personal data are listed in Section 3. One of these conditions is obtaining the explicit consent of the data subject. In the presence of other conditions, explicit consent is not sought, and personal data is processed without the explicit consent of the data subject.

The general purposes for which the Company processes personal data of data subjects are listed below. These purposes may change from time to time.

  • Planning and execution of operational activities necessary for carrying out the Company’s procedures or relevant legislation
  • Planning and execution of business activities
  • Planning and execution of corporate governance activities
  • Planning and execution of business continuity activities
  • Planning and execution of human resources processes and needs
  • Planning and execution of product and service sales and marketing activities
  • Planning and execution of product or service sales processes
  • After-sales support services
  • Planning and execution of customer relationship management processes
  • Monitoring of customer requests and/or complaints
  • Planning or monitoring of customer satisfaction processes
  • Monitoring of contract processes and/or legal claims
  • Planning or execution of the Company’s financial risk processes
  • Monitoring of finance and/or accounting operations
  • Realization of risk management
  • Salary management
  • Planning and execution of Company audit activities
  • Providing information to authorized persons and/or institutions as required by legislation
  • Legal affairs monitoring
  • Planning and execution of corporate communication activities
  • Planning and execution of supplier or business partner management processes
  • Planning and execution of operational processes
  • Planning, auditing, and execution of information security processes
  • Establishment and management of information technology infrastructure
  • Execution of personnel recruitment processes
  • Fulfillment of obligations arising from legislation
  • Planning and execution of fringe benefits and interests for employees
  • Planning and monitoring of employee performance evaluation processes
  • Planning and execution of talent and career development activities
  • Planning or execution of corporate communication/responsibility/activity projects for employees
  • Monitoring or auditing of employees' work activities
  • Planning and execution of internal or external training activities
  • Planning and execution of employee satisfaction or engagement processes
  • Creating and tracking visitor records
  • Planning and execution of emergency management processes
  • Conducting company and partnership law transactions
  • Ensuring the security of company premises, assets, and resources
  • Planning and execution of the company’s operational risk processes

Such purposes may require explicit consent depending on the specific circumstances. In such cases, consent is obtained in accordance with the Law. If the data subject does not provide consent, the data may be processed only under the conditions permitted by the Law without explicit consent and for purposes compliant with these conditions.

4.4.3 Third Parties to Whom Personal Data Is Transferred and the Purposes of Transfer

The Company may transfer personal data to third parties in accordance with Articles 8 and 9 of the Law. The scope of third parties and purposes of data transfer are stated below.

  • To ensure fulfillment of purposes for establishing partnership with business partners,
  • To ensure that services necessary for the Company's commercial activities are provided by suppliers,
  • To enable execution of commercial activities involving the Company,
  • For planning and auditing purposes related to the Company's commercial strategies,
  • For planning and auditing purposes related to shareholders in accordance with applicable legislation,
  • For purposes requested by legally authorized public institutions and organizations within their legal authority,
  • For purposes requested by legally authorized private legal entities within their legal authority,
  • In any case, within the purposes listed in Section 4.4.2.

Definition of Persons to Whom Data May Be Transferred and Purpose of Transfer

Person Purpose of Data Transfer
Business Partner Parties with whom the Company directly or jointly with Group Companies conducts projects or receives services to fulfill the purpose of establishing a partnership, limited to that purpose
Supplier Parties providing contractual services to the Company based on the Company's orders and instructions to supply outsourced services necessary for the Company's commercial activities, limited to that purpose
Shareholders Real person shareholders of the Company, limited to purposes related to corporate law, activity management, and corporate communication processes as per relevant legislation
Company Officials Board members and other authorized persons, limited to purposes related to planning, top-level management, and auditing of the Company's commercial activities
Legally Authorized Public Institutions and Organizations Public institutions authorized to request information and documents from the Company, limited to purposes within their legal authority
Legally Authorized Private Legal Entities Private legal entities authorized to request information and documents from the Company, limited to purposes within their legal authority
4.4.4 Retention Periods of Personal Data

The Company retains personal data for the periods prescribed in relevant laws and regulations.

If there is no period regulated by law regarding the duration of personal data retention, the Company processes the data for the period necessary according to its business practices and commercial customs related to the activity during which the data is processed, and then deletes, destroys, or anonymizes the data.

If the purpose of processing personal data has ceased; the legal retention periods and those determined by the Company have expired; personal data may only be retained for potential legal disputes to serve as evidence or to enable the exercise or defense of rights related to the personal data. During this period, access to such data is restricted and only allowed when necessary for the legal dispute. After the expiration of this period, the personal data is deleted, destroyed, or anonymized.

5. ENSURING THE SECURITY OF PERSONAL DATA

The Company, in accordance with Article 12 of the Law, takes the necessary technical and administrative measures to ensure the security of personal data within its organization, to prevent unlawful access to personal data and unlawful processing of such data, and to ensure the preservation of the data by providing an appropriate level of security.

The Company may also conduct audits for the lawful processing of personal data, ensuring the security of personal data, and the enforcement of other provisions of the Law.

The Company exercises maximum care to ensure that, in case the personal data it processes are obtained unlawfully by others, this situation is promptly reported to the relevant personal data owner and the Board.

5.1 TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LAWFUL PROCESSING OF PERSONAL DATA
The Company takes technical and administrative measures according to technological possibilities and implementation costs to ensure the lawful processing of personal data.

5.1.1 Technical Measures Taken to Ensure the Lawful Processing of Personal Data

  • Personal data processing activities carried out within the Company are monitored through established technical systems.
  • The technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism.

Personnel knowledgeable in technical matters are employed.

5.1.2 Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

  • Employees are informed and trained regarding personal data protection law and lawful processing of personal data.
  • All activities conducted by the Company are analyzed in detail per business unit, and personal data processing activities related to the commercial activities of these units are determined based on this analysis.
  • Personal data processing activities carried out by the Company's business units are specified in detail, including the requirements to ensure compliance with the personal data processing conditions stipulated by the PDPL (KVK Kanunu).
  • To ensure compliance with legal requirements determined per business unit, awareness is raised among relevant units and application rules are established; administrative measures necessary to ensure the continuity of supervision and application are implemented through internal policies and trainings.
  • Contractual documents managing the legal relationship between the Company and employees include clauses imposing obligations not to process, disclose, or use personal data except as required by the Company’s instructions or by law, and employees are informed that these obligations continue after termination of employment. Necessary commitments are obtained from employees accordingly, and audits are conducted.

5.2 TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA
The Company takes technical and administrative measures based on the nature of the data to be protected, technological opportunities, and implementation costs, to prevent negligent or unauthorized disclosure, access, transfer, or any other form of unlawful access to personal data.

5.2.1 Technical Measures Taken to Prevent Unlawful Access to Personal Data

  • Technical measures appropriate to technological developments are taken and are periodically updated and renewed.
  • Access and authorization technical solutions are implemented according to legal compliance requirements determined per business unit.
  • Access rights are restricted, and authorizations are regularly reviewed.
  • Technical measures taken are periodically reported to the relevant parties as part of the internal audit mechanism, and risks are reassessed to develop necessary technological solutions.
  • Virus protection systems and firewalls including related software and hardware are installed.
  • Personnel knowledgeable in technical matters are employed.
  • Security scans are regularly conducted to detect security vulnerabilities in applications where personal data is collected, and identified vulnerabilities are resolved.

5.2.2 Administrative Measures Taken to Prevent Unlawful Access to Personal Data

  • Employees are trained on the technical measures to prevent unlawful access to personal data.
  • Within the company, access and authorization processes to personal data are designed and implemented in compliance with legal requirements for personal data processing on a business unit basis.
  • Employees are informed that they cannot disclose personal data unlawfully or use it for purposes other than processing and that this obligation continues after termination, and necessary commitments are obtained accordingly.
  • Contracts with third parties to whom personal data is lawfully transferred include provisions requiring the recipients to implement necessary security measures for personal data protection and to ensure compliance within their organizations. Awareness of all parties is increased; business partners and suppliers are required to take necessary measures to comply with the PDPL regarding personal data processing activities.

5.3 STORING PERSONAL DATA IN SECURE ENVIRONMENTS
The Company takes necessary technical and administrative measures according to technological opportunities and implementation costs to store personal data in secure environments and to prevent unlawful destruction, loss, or alteration.

5.3.1 Technical Measures Taken for Secure Storage of Personal Data

  • Systems appropriate to technological developments are used for secure storage of personal data.
  • Personnel specialized in technical matters are employed.
  • Technical security systems for storage areas are established; technical measures taken are periodically reported to relevant parties as part of internal audits, and risks are reassessed to develop necessary technological solutions.
  • Lawful backup programs are used to ensure secure storage of personal data.
  • Accesses to data storage areas containing personal data are logged, and unauthorized access or access attempts are communicated instantly to relevant parties.

5.3.2 Administrative Measures Taken for Secure Storage of Personal Data

  • Employees are trained to ensure secure storage of personal data.
  • When external services are procured due to technical requirements for storing personal data, contracts with relevant companies include provisions that these companies will take necessary security measures for personal data protection and ensure compliance within their organizations.

5.4 AUDIT OF MEASURES TAKEN TO PROTECT PERSONAL DATA
The Company conducts or commissions necessary audits in accordance with Article 12 of the PDPL.

5.5 MEASURES TO BE TAKEN IN CASE OF UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
The Company operates a system that ensures that, in case personal data processed under Article 12 of the PDPL is unlawfully obtained by others, the situation is reported promptly to the relevant personal data owner and the Personal Data Protection Board.

If deemed necessary by the Board, this situation may be announced on the Board’s website or by other means.

6. PRESERVATION, DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

The Company retains the personal data it processes in accordance with the principles stated in the Law for the duration prescribed in the legislation. If no specific retention period is prescribed for relevant types of personal data, the data are kept until the purpose of processing is fulfilled.

If no retention period is specified in the legislation, retention periods are determined specifically for each data processing purpose, considering the Company’s practices and commercial customs.

Personal data may be retained for purposes outside of the processing purpose, such as serving as evidence in potential legal disputes, asserting a right provable with personal data, establishing a defense, and responding to requests for information from authorized public institutions. In determining these periods, statutory limitation periods related to the assertion of such rights and the Company’s practices on the same matters are considered.

Upon expiry of these periods, the Company deletes or anonymizes the relevant personal data. Additionally, personal data is deleted, destroyed, or anonymized upon the request of the personal data owner.

Pursuant to Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Since anonymized data is not considered “personal data,” it is outside the scope of the Law.

6.1 OBLIGATION TO DELETE, DESTROY, AND ANONYMIZE PERSONAL DATA
Although processed in compliance with relevant legal provisions, if the reasons requiring processing cease, personal data shall be deleted, destroyed, or anonymized upon the Company’s decision or the personal data owner’s request, as stipulated in Article 138 of the Turkish Penal Code and Article 7 of the PDPL.

The Company has developed necessary technical and administrative measures and operational mechanisms to fulfill this obligation; it educates relevant business units and ensures assignments and awareness accordingly.

6.2 TECHNIQUES FOR DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
6.2.1 Techniques for Deletion and Destruction of Personal Data
Although processed in accordance with relevant laws, if reasons requiring processing cease, the Company may delete or destroy personal data upon its own decision or at the request of the personal data owner.

The most commonly used deletion or destruction techniques by the Company are:

  • Physical Destruction: Personal data, even if processed in non-automated ways, as part of any data recording system, are physically destroyed in a way that they cannot be reused.
  • Secure Deletion Software: Data stored in digital environments are deleted in a manner that prevents recovery, using software tools designed for secure deletion.
  • Secure Deletion by Specialist: In some cases, the Company may engage a specialist for secure deletion of personal data, who deletes data irretrievably.

6.2.2 Techniques for Anonymizing Personal Data
Anonymization refers to rendering personal data in a way that the identity of the person cannot be determined or linked, even when combined with other data.

The Company may anonymize personal data once the reasons for processing cease to exist, in compliance with the law.

According to Article 28 of the PDPL, anonymized personal data can be processed for purposes such as research, planning, and statistics without requiring explicit consent and fall outside the scope of the Law. Therefore, the rights regulated in Section 6 of this Policy do not apply to anonymized data.

The anonymization techniques used include:

  • Masking: Removing key identifying information from the data set to anonymize the personal data.
  • Aggregation: Aggregating multiple data points so that personal data cannot be associated with any individual.
  • Data Derivation: Creating more general content from the data to prevent association with any individual.
  • Data Shuffling: Mixing data values within a data set to break the link between values and individuals.

7. RIGHTS OF THE DATA SUBJECT AND RULES REGARDING THE EXERCISE OF THESE RIGHTS

The Company manages necessary channels, internal processes, and administrative and technical arrangements to evaluate data subject rights and provide required information in compliance with the PDPL. Data subjects may submit their requests in writing to the Company regarding the rights listed below, and the Company shall conclude these requests as soon as possible depending on the nature of the request.

7.1 RIGHTS OF THE DATA SUBJECT

  • To learn whether personal data is being processed or not
  • To request information if personal data is processed
  • To learn the purpose of processing and whether data is used accordingly
  • To know third parties at home or abroad to whom personal data is transferred
  • To request correction of incomplete or incorrect data and notification of this correction to third parties
  • To request deletion or destruction of personal data when reasons requiring processing cease and notification of this action to third parties
  • To object to results against themselves arising from exclusively automated data processing
  • To claim compensation for damages resulting from unlawful processing of personal data.

Cases Where Data Subjects Cannot Exercise Their Rights
Data subjects cannot exercise the above rights in the following cases excluded from the scope of the PDPL under Article 28:

  • Processing personal data for official statistics by anonymization
  • Processing personal data for arts, history, literature, scientific purposes or freedom of expression without violating national security, privacy, or rights
  • Processing personal data by public institutions for preventive, protective, and intelligence activities for national security
  • Processing personal data related to judicial processes by judicial authorities.

According to Article 28/2 of the PDPL, provisions on the Company’s obligation to inform, the right to compensation, and registration to the data controller registry do not apply in certain cases such as crime prevention, public authority duties, economic and financial interests of the State, or personal data made public by the data subject.

7.2 EXERCISING THE RIGHTS OF THE DATA SUBJECT
Data subjects may submit their requests in writing to the Company pursuant to Article 13/1 of the PDPL, through the “Personal Data Protection - Application Form” available at www.adtelastomer.com.tr, using one of the methods specified by the Company.

As a rule, the Company processes requests free of charge up to one page. If additional costs arise, fees determined by the Board may be charged.

Incomplete applications are not processed. The Company may request additional information and documents to clarify the nature of the request.

A third party may apply on behalf of the data subject only with a special power of attorney.

7.3 COMPANY’S RESPONSE TO APPLICATIONS
The Company responds to the request as soon as possible based on the nature of the request received through the form described in Section 7.2.

If the request is rejected or the response is insufficient or not given on time, the data subject may complain to the Board within thirty days of learning the Company’s response and in any case within sixty days of the application date.

7.4 COMPANY’S RIGHT TO REJECT APPLICATIONS
The Company may reject applications with reasons if:

  • The request may infringe on the rights and freedoms of others
  • The request requires disproportionate effort
  • The requested information is publicly available
  • Requests not included in Article 11 of the PDPL.

8. PERSONAL DATA PROCESSING ACTIVITIES WITHIN COMPANY FACILITIES AND VIA WEBSITE

8.1 VIDEO SURVEILLANCE WITHIN COMPANY FACILITIES
This section explains the Company's video surveillance system and how personal data privacy and fundamental rights are protected.

The Company operates video surveillance for protecting the safety of the Company and others.

8.1.1 Legal Basis for Video Surveillance
The video surveillance activity is conducted in compliance with the Private Security Services Law and related legislation.

8.1.2 Compliance with PDPL in Video Surveillance
The Company conducts video surveillance within buildings and facilities for security purposes in accordance with the Constitution, Law, Private Security Services Law, and personal data processing conditions under PDPL.

8.1.3 Notification of Video Surveillance
The Company posts notices at entrances of monitored areas and places warning signs near cameras, ensuring transparency and protection of data subject rights.

This Policy is published on ADT Elastomer’s website, and notifications are placed at monitored area entrances.

8.1.4 Purpose and Limitation of Video Surveillance
The Company processes personal data limitedly and proportionally, solely for purposes stated in this Policy such as safety and service quality.

Surveillance does not cover areas where privacy would be infringed (e.g., toilets).

8.1.5 Security of Data Obtained from Video Surveillance
Security, retention, and deletion rules applicable to personal data also apply to video recordings.

8.1.6 Retention Period for Video Surveillance Data
Retention rules of personal data apply to video surveillance data as well.

8.1.7 Access and Disclosure of Video Surveillance Data
Access is limited to IT, senior management, and security personnel bound by confidentiality. Data may be shared with third parties only as permitted by law or for investigations, complaints, or legal disputes.

8.2 TRACKING OF GUESTS ENTERING COMPANY FACILITIES
The Company processes personal data related to guest entry and exit to ensure security and fulfill Policy purposes.

Guest names are obtained, and guests are informed via notices. Data are processed solely for this purpose and deleted after retention periods expire.

8.3 STORAGE OF INTERNET ACCESS LOGS FOR COMPANY GUESTS
Internet access logs of guests within Company facilities may be recorded pursuant to Law No. 5651 and related legislation.

Access to these logs is limited to a few Company employees under confidentiality agreements.

Logs may be shared only with authorized public institutions or for internal audits fulfilling legal obligations.

8.4 WEBSITE VISITORS
The Company’s website may collect data on visitor activities via technical means (e.g., cookies) to monitor visits, customize content, and enable online advertising.

9. ORGANIZATIONAL MEASURES FOR PERSONAL DATA PROTECTION

The Company establishes a management structure to enforce the Personal Data Protection and Processing Policy.

A PDPL Board is established to manage this Policy and related policies, with responsibilities including:

  • Preparing and updating fundamental policies
  • Deciding on policy implementation and audits
  • Ensuring compliance with laws
  • Raising awareness and training
  • Identifying and mitigating risks
  • Resolving data subject requests at the highest level
  • Monitoring developments and regulations.

10. EFFECTIVENESS AND UPDATABILITY

This Policy is dated 15.05.2018 and may be updated in whole or in part.

It is published on the Company website (www.adtelastomer.com.tr) and made accessible to data subjects upon request.

In case of any discrepancy between the Turkish original and translations, the Turkish version prevails.