KVKK
PERSONAL DATA PROTECTION POLICY
CONTENTS
CHAPTER ONE
Purpose and Enforcement of the Policy
CHAPTER TWO
Scope of the Law and Our Company's Rights and Obligations Arising from the Law
General Principles Regarding the Processing of Personal Data
Purposes of Processing and Sharing Personal Data Under the Law
Purposes of Processing Personal Data
Purposes Regarding Sharing of Personal Data
Cases Outside the Scope of the Law
CHAPTER THREE
Processing of Personal Data by Our Company
Classification of Personal Data Processed by Our Company
Purposes of Processing Personal Data by Our Company
Transfer of Personal Data by Our Company and Classification of Parties to Whom Data is Transferred
Procedure for Processing Personal Data by Our Company
Personal Data Security
CHAPTER FOUR
Data Owners' Rights Arising from the Law
Data Owners' Rights
Exercise of Rights
CHAPTER ONE
Purpose and Enforcement of the Policy
The Law on the Protection of Personal Data No. 6698 (“Law”), which entered into force on 07.04.2016, sets out the procedures and principles regarding the processing of personal data by real or legal persons who are classified as “data controllers” and who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.
This document (“Policy”) has been prepared for the purpose of informing the real persons whose personal data our Company processes as the data controller, within the scope of the article mentioned above.
Within the scope of the law, personal data is defined as “any information relating to an identified or identifiable natural person”; and processing is defined as “any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or, provided that it is part of any data recording system, by non-automatic means”.
In addition to its other regulations, the Law imposes an obligation on data controllers to inform/enlighten data subjects whose personal data will be processed during the collection of personal data. According to Article 10 of the Law, data controllers shall inform data subjects about:
- The identity of the data controller and its representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- The method and legal reason for collecting personal data,
- The other rights listed in Article 11 of the Law.
This Policy covers our Company's customers, shareholders, officers and employees of our corporate customers, potential customers, shareholders, officers and employees of our business partners and suppliers, our prospective employees, former employees and interns of our Company, persons who have retired from our Company, our visitors, company officers and shareholders, business partner and supplier candidates and other third parties. Issues regarding the processing of personal data of our employees are regulated within the scope of a separate policy text presented to employees in accordance with the Law.
CHAPTER TWO
Scope of the Law and Our Company's Rights and Obligations Arising from the Law
- General Principles Regarding the Processing of Personal Data
According to Article 4 of the Law, personal data must be processed in accordance with the procedures and principles stipulated in the Law and other relevant legislation. In this context, data controllers are obliged to comply with the following general principles regarding the processing of personal data, in addition to fulfilling the obligation to inform as specified in Section One:
- Being in compliance with the law and the rules of honesty.
- Being accurate and up to date when necessary.
- Processing for specified, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purpose for which they are processed.
- Preservation for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
- Purposes of Processing and Sharing Personal Data Under the Law
- Purposes of Processing Personal Data
Our Company does not process Personal Data without the explicit consent of the data owner. However, our Company may process Personal Data without the explicit consent of the data owner if one of the following conditions is met. Articles 5 and 6 of the Law set out the situations in which personal data and special personal data may be processed without explicit consent.
In accordance with the article, personal data may be processed even without the prior explicit consent of the data owner (provided that the necessary information has been provided) in the following cases:
- Data processing is clearly prescribed by law,
- Processing of the relevant data is mandatory for the protection of the life or physical integrity of the person or another person who is unable to give his/her consent due to a de facto impossibility or whose consent is not legally valid,
- It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
- Data processing is mandatory for the data controller to fulfill its legal obligations,
- Personal data has been made public by the relevant person himself/herself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
On the other hand, the Law defines data related to individuals’ race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data as “special” or “sensitive” personal data and sets forth more stringent conditions for their processing. Accordingly, special personal data may only be processed under the following conditions, except for cases where explicit consent has been obtained from the data owner:
- Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership of associations, foundations or unions, criminal convictions and security measures, as well as biometric and genetic data, may be processed in cases prescribed by law.
- Personal data related to health and sexual life may only be processed by persons or authorized institutions and organizations that are under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
- Purposes Regarding Sharing of Personal Data
As with data processing, sharing personal data with a third party (transfer) is also subject to obtaining explicit consent from the relevant data owner. However, according to Article 8 of the Law, data transfer can also be carried out under the conditions that permit data processing, and in this context, personal data or special personal data can be transferred even if the data owner does not consent, provided that the conditions specified in Section 2.2.a above are met.
The Law places special conditions on the transfer of personal data abroad to third parties. Accordingly, personal data can be transferred abroad:
- If the data owner has given his/her explicit consent, or
- In cases where the data owner does not give explicit consent but one or more of the other conditions mentioned above are met; if there is sufficient protection in the country to which the data is transferred, or, if there is not sufficient protection in that country, provided that the data controller undertakes in writing, together with the data controller in the relevant foreign country, to provide sufficient protection and the permission of the Personal Data Protection Board is obtained.
- Cases Outside the Scope of the Law
According to Article 28 of the Law, the Law will not be applied in the following cases:
- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that obligations regarding data security are complied with.
- Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
CHAPTER THREE
Processing of Personal Data by Our Company
- Classification of Personal Data Processed by Our Company
Data Category: Personal Data Categorization Description
Identity Information: Information included in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate (e.g. TR ID No., passport no., identity card serial no., name-surname, photograph, place of birth, date of birth, age, place of registration, certified identity card copy)
Contact Information: Information used to communicate with the person (e.g. e-mail address, telephone number, mobile phone number, address)
Location Data: Data used to determine the location of the data owner (e.g. location data obtained during vehicle use)
Customer Information: Information about customers who benefit from our products and services (e.g. customer number, occupation information, etc.)
Customer Transaction Information: Information regarding all transactions made by customers who benefit from our products and services (e.g. requests and instructions, order and basket information, etc.)
Physical Space Security Information: Personal data regarding records and documents taken at the entrance to the physical space and during the stay in the physical space (e.g. entry and exit logs, visit information, camera recordings, etc.)
Transaction Security Information: Personal data processed to ensure the technical, administrative, legal and commercial security of our company and related parties (e.g. information such as website password and passcode that match the transaction associated with the personal data owner with that person and that the person is authorized to perform that transaction)
Risk Management Information: Personal data processed to manage our company's commercial, technical and administrative risks (e.g. IP address, Mac ID, etc. records)
Financial Information: Personal data within the scope of information, documents and records showing all kinds of financial results created according to the type of existing legal relationship with the personal data owner (For example: information showing the financial results of the transactions made by the data owner, loan amount, card information, loan payments, interest amount and rate to be paid, debt balance, receivable balance, etc.)
Personal Information: All kinds of personal data processed to obtain information that will form the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner (all kinds of information and documents that are required to be included in the personnel file by law).
Candidate Information: Personal data of data owners who share their information to apply for a job with our company, used in the application evaluation process (e.g. CV, interview notes, personality test results, etc.)
Employee Transaction Information: Personal data regarding all kinds of business-related transactions carried out by the Company's supplier employees (e.g., work entry and exit records, business travel, information on meetings attended, security checks, e-mail traffic monitoring information, vehicle usage information, company card spending information)
Marketing Information: Data to be used by our company in marketing activities (e.g. reports and evaluations showing the person's habits and tastes collected for marketing purposes, targeting information, data enrichment activities)
Legal Transaction and Compliance Information: Personal data processed for the purpose of determining and following up legal receivables and rights and fulfilling debts and legal obligations (e.g. data included in documents such as court and administrative authority decisions)
Audit and Inspection Information: Personal data processed within the scope of our company's legal obligations and compliance with company policies (e.g. audit and inspection reports, relevant interview records and similar records)
Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Request/Complaint Management Information: Personal data regarding the receipt and evaluation of any requests or complaints directed to our Company.
Visual and Audio Data: Visual and audio records associated with the personal data owner (e.g. photographs, camera recordings and sound recordings)
- Purposes of Processing Personal Data by Our Company
Our company processes personal data within the scope specified above for the following purposes:
- Planning, auditing and execution of information security processes
- Creation and management of information technologies infrastructure
- Planning and execution of fringe benefits and benefits for employees
- Planning and/or execution of corporate communication for employees and/or corporate social responsibility and/or non-governmental organization activities in which employees participate.
- Planning and execution of employees' access to information
- Monitoring and/or auditing of employees' work activities
- Monitoring of finance and/or accounting affairs
- Following up on legal affairs
- Planning of human resources processes
- Planning and/or executing activities to perform effectiveness/efficiency and/or appropriateness analyses of business activities.
- Planning and execution of business activities
- Planning and execution of business partners and/or suppliers' access to information
- Management of relationships with business partners and/or suppliers
- Planning and/or execution of occupational health and/or safety processes
- Planning and/or execution of business continuity activities
- Planning and execution of corporate communication and management activities
- Planning and execution of logistics activities
- Planning and execution of customer relationship management processes
- Planning and/or execution of customer satisfaction activities
- Follow-up of customer requests and/or complaints
- Carrying out personnel recruitment processes
- Fulfillment of obligations arising from employment contracts and/or legislation for company employees
- Planning and execution of company audit activities
- Planning and execution of external training activities
- Planning and execution of operational activities required to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation.
- Planning and/or execution of in-company training activities
- Ensuring the security of company operations
- Ensuring the security of company premises and/or facilities
- Planning and/or executing processes to create and/or increase loyalty to the products and/or services offered by the company.
- Planning and/or execution of the company's production and/or operational risk processes
- Carrying out corporate and partnership law transactions
- Monitoring contract processes and/or legal requests
- Execution of strategic planning activities
- Fee management
- Planning and execution of supply chain management processes
- Planning and execution of production and/or operation processes
- Planning and execution of market research activities for sales and marketing of products and services
- Planning and execution of marketing processes of products and/or services
- Planning and execution of sales processes of products and/or services
- Ensuring that data is accurate and up-to-date
- Providing information to authorized institutions based on legislation
- Creation and tracking of visitor records
- Transfer of Personal Data by Our Company and Classification of Parties to Whom Data is Transferred
Our Company may transfer personal data to our Company officials, affiliates, business partners, suppliers, shareholders, legally authorized public institutions and organizations and private institutions for the purposes stated above.
- Procedure for Processing Personal Data by Our Company
Our Company, as the data controller, informs data owners in accordance with Article 10 of the Law before obtaining personal data from them, within the scope of its obligations arising from the Law. If any data processing activity carried out by our Company does not meet the conditions specified in the Law and detailed in Section 2.2.a and b above, explicit consent is obtained from data owners and the relevant processes are carried out within the framework of that explicit consent.
Within the scope of the Law, explicit consent is defined as “consent related to a specific subject, based on information and expressed with free will” and in this regard, our Company obtains the explicit consent of data owners after informing them in accordance with Article 10 of the Law.
Although no period has been determined for the storage of personal data under the Law, it is essential, in accordance with the general principles, that personal data be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In order to determine the storage periods in accordance with this principle, our Company makes an assessment for each data processing activity based on the legislation in force and the purpose of the processing. In this context, our Company stores personal data for at least the period required by its legal obligations and in any case until the relevant limitation periods expire.
Our Company anonymizes, deletes or destroys personal data in accordance with the Law, once the purpose of processing the relevant personal data is no longer valid, including after the expiration of the aforementioned periods. Anonymization is defined within the scope of the Law as "rendering personal data in a way that it cannot be associated with an identified or identifiable natural person, even by matching it with other data", and our Company's anonymization activities are carried out in accordance with the current legislation.
- Personal Data Security
Our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental data loss, deliberate deletion or damage to data in order to ensure the security of personal data. In this context, our Company takes the following actions at a minimum:
- Taking appropriate software and hardware security measures for the personal data processed.
- Carrying out inspections foreseen under the law
- Ensuring compliance of the Company and employees with the Law through in-house training, policies and procedures.
- Providing and recording access to information based on necessity through in-company authorizations
- Monitoring of personal data processing activities on a process basis
- Obtaining contractual commitments regarding the protection and security of personal data in relations with suppliers.
CHAPTER FOUR
Data Owners' Rights Arising from the Law
- Data Owners' Rights
According to Article 11 of the Law, personal data owners have the right:
- To learn whether personal data about him/her is being processed,
- To request information regarding the processing of his/her personal data,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly,
- To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though the data has been processed in accordance with the Law and other relevant legal provisions,
- To request that the actions taken as a result of requests for correction, deletion and destruction be notified to third parties to whom personal data has been transferred,
- To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
- To request compensation in case of damages due to unlawful processing of personal data.
The second paragraph of Article 28 of the Law regulates that in certain cases, the data owner cannot claim anything other than compensation for damages from the data controller. Accordingly,
- Processing of personal data is necessary for the prevention of crime or criminal investigation,
- Processing of personal data made public by the relevant person,
- Personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
- The processing of personal data is necessary to protect the economic and financial interests of the State in relation to budget, tax and financial matters.
In such cases, the rights specified above cannot be exercised regarding the relevant data.
- Exercise of Rights
Data owners may use the Application Form to exercise the above-mentioned rights.
Applications can be made in writing by delivering a wet-signed copy of the form, together with documents that will identify the relevant data owner, by hand, through a notary, or by other methods specified in the Law to the address “Huzur Mah. Ayazağa Cad. 4B/601 Maslak -Sarıyer / İstanbul”, or by sending an e-mail to info@homeramodular.com or [email protected] using a secure electronic signature, mobile signature or the e-mail address that you have previously notified to us and that is registered in our system. If the Personal Data Protection Board foresees a method other than the methods mentioned above, applications can also be sent by this method.
Data owner requests submitted through one of the methods specified above are evaluated and answered by our Company within a maximum of thirty days. Our Company reserves the right to request additional information and documents from the applicant, particularly for the purpose of assessing whether the applicant is the relevant data owner.
As a rule, data owner applications are evaluated free of charge by our Company. However, if a fee has been determined by the Personal Data Protection Board for the data owner's request, our Company will have the right to request payment based on this fee.
The Company reserves the right to make changes to this Policy and other policies related to and affiliated with this Policy due to changes in the Law, in accordance with the decisions of the Personal Data Protection Board or in line with the developments in the sector or in the field of informatics.
Any changes made to this Policy are immediately incorporated into the text and explanations regarding the changes are provided at the end of the Policy.
VLM 4 BUILDING SYSTEMS INVESTMENT INC.
Mersis No. 0925-0718-1480-0001