Internet Clarification Policy
 

CLARIFICATION TEXT (INTERNET)

1.  COMPANY DISCLOSURE

As the data controller, SÜMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. protects all kinds of personal data processed within our company within the scope of the provisions of the relevant national and international legislation, especially the Law on the Protection of Personal Data No. 6698. Our company takes the necessary technical and administrative measures in a timely manner in order to provide the necessary protection, and in case of any suspicion of violation, it makes the necessary notifications to the relevant persons, institutions and organizations within the framework of legal provisions as soon as possible.

The information of the Data Controller is as follows:

Title: SUMER INTERNATIONAL INDUSTRY AND TRADE INC.

Mersis No / Tax No: 7860018595

E-mail Address: info@sumeras.com

Postal Address: BAŞKENT OSB MAHALLESİ BAŞKENT BULVARI NO:81 SİNCAN/ANKARA

Tel: 0312 418 4129

1.  EXPLANATIONS ON THE CONCEPT OF PERSONAL DATA AND THE DEVELOPMENT OF THIS CONCEPT

Personal data can be defined as any information that is suitable for identifying individuals. In this context, the identity, communication, health and financial information of the person, as well as the information related to his private life, religious belief and political opinion are considered as personal data. Examples include name, surname, date of birth, mobile phone number, e-mail, gender, address, profession, education, shopping point and time, how much he paid, which campaign he used, the amount of discount he received, product information in his shopping, browsing and clicking information in the application, location information where he opened the application, etc.

Today, these data are frequently used by both the private and public sectors by automated means over information systems. Although the use of this information provides some conveniences or advantages for individuals and those who provide goods and services, it also brings the risk of abuse of the information in question. Obtaining, using and disclosing this data by unauthorized persons is a violation of both the contracts we are a party to and the fundamental rights protected by our Constitution. A reasonable balance must be struck between these two interests. The absence of a special law and an effective control mechanism regarding the processing of personal data causes a negative perception in our society. In order to eliminate this perception, it is necessary to determine the principles regarding the processing, storage and control of personal data under certain conditions.

Parallel to the development of the awareness of the protection of human rights in our age, the importance of the protection of personal data is increasing day by day. For this reason, it is seen that detailed legal regulations are being implemented in the field of personal data protection in developed countries.

On the other hand, in our country, there is no law that regulates the field of personal data protection as a whole, and the provisions regarding this issue are included in different laws. In addition, there is no institution in our country to control and supervise the processing of personal data. As a result of this, personal data can still be used by many individuals or institutions without adequate regulation and supervision, and this may cause some violations of rights.

In our country, there are various reasons that require the entry into force of a law that will ensure the protection of personal data. First of all, the illegal acquisition, recording or disclosure of personal data is regulated as a crime and sanctioned in Articles 135 and the following of the Turkish Penal Code No. 5237. However, due to the lack of a special law for the processing of personal data, it is seen that there are hesitations in determining when these acts are illegal and when they are legal.

On the other hand, with the amendment made in Article 20 of the Constitution with the Law No. 5982, which was accepted as a result of the referendum held on 12 September 2010, the protection of personal data was guaranteed as a basic human right and the details were envisaged to be regulated by law.

Again, in the ongoing European Union full membership process regarding our country, four of the negotiation chapters are directly related to personal data. In order for the process regarding these chapters to progress, a fundamental law on the protection of personal data should be enacted in our country.

The issue of protection of personal data has started to take place in international documents since the 1980s. First of all, "Guidelines on the Protection of Personal Space and Transboundary Personal Information Traffic" were adopted by the Organization for Economic Cooperation and Development (OECD), of which our country is a member, on 23/9/1980. Convention No. 108, the "Convention on the Protection of Individuals Against Automatic Processing of Personal Data", which was prepared by the Council of Europe in order to protect personal data at the same standards in all member countries and to determine the principles of cross-border data flow, was opened for signature on January 28, 1981 and signed by our country.

The Council of Europe has also adopted recommendations for the protection of personal data that set out the principles to be applied in various sectors such as medical data banks, scientific research and statistics, direct marketing, social security, insurance, police records, employment, electronic payment, telecommunications and the Internet. While the aforementioned recommendations were taken into consideration during the preparation of the Draft, the "framework draft" character of the Draft was preserved. Considering that if regulations related to all sectors are included, the volume of the Draft Bill would be greatly expanded, the aforementioned recommendations were not included in the Draft. It has been evaluated that the principles contained in these recommendations may be included in the regulations to be made regarding different sectors in the future.

On the other hand, the European Union has put into effect the "Protection of Real Persons During the Processing of Personal Data and the Free Data Traffic Directive" (95/46/EC) on 24/10/1995 in order to harmonize the legislation of the member states on the protection of personal data. With this Directive, it is aimed to protect the personal data of individuals in member countries at a high level and to make a clear and permanent regulation that will ensure the free movement of personal data within the European Union. Considering the international documents on the protection of personal data, it is seen that, in the law to be prepared on this subject, the conditions for the processing of personal data, the clarification of individuals, the establishment of an authority to supervise and regulate this area, and taking the necessary measures regarding data security are accepted as basic principles.

In view of the inadequacy of the agreements and directives before the VKD and the current events, and the differences from country to country in the agreements and directives signed, a consensus was reached on 15 December 2011 on a reform that would cover the entire EU. In this context, the GDPR, which was prepared in 2012, was adopted by the EU Parliament on April 14, 2016. While Article 94 of the GDPR repealed the 95/46 VKD, it expanded the scope of application of the 2002/58/EC Electronic Data Protection Directive.

An additional paragraph was added to Article 20 of the Constitution with the constitutional amendment made in 2010 with the Law No. 5982. The mentioned paragraph includes the following provision: “Everyone has the right to demand the protection of their personal data. This right also includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion and learning whether they are used for their purposes. Personal data can only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.”

It is stated in the Constitution that detailed regulations regarding the protection of personal data will be made by law. In this context, the “Draft Law on the Protection of Personal Data” was submitted to the Presidency of the Turkish Grand National Assembly on December 26, 2014. The Draft Law was enacted on March 24, 2016 and the Law on the Protection of Personal Data No. 6698 was published in the Official Gazette dated April 7, 2016 and numbered 29677 and entered into force.

With the Draft, which was prepared by taking into account international documents, comparative law practices and the needs of our country, it is aimed to process and protect personal data in modern standards.

1.  DESCRIPTION OF THE OPERATOR

This clarification and information text is addressed to all interlocutors who have a relationship with our company in any way, and to those who are legally concerned. The relevant persons within this scope are:

  • All users connecting/using our company's channels (our company's websites and social networking site names are: http://sumeras.com)
  • Those who connect to the guest network (wifi) in the Company's offices, warehouses and stores
  • Those who use company mobile applications and those who use company-dedicated special programs
  • All customers in the company database (CRM System)
  • Customers shopping at company stores or online channels
  • Visitors to our company stores for any purpose
  • All customers who contact the COMPANY (including but not limited to sharing comments, making requests) through the Company's social media accounts
  • Third parties that enter into commercial relations with our company directly or through intermediary consultancy firms
  • Company employees and company partners
  • Those who are in the candidacy process before our company
  • All customers who fill out surveys and forms in order to take advantage of the opportunities offered by the Company to its customers
  • Employee candidates who send their CVs to the Company through career portals, İŞKUR, e-mail or reference, or physically by filling out the application form, in order to apply for a job
  • Employees currently working within the Company
  • Persons who do an internship at our company or work during the probationary period
  • Former employees whose employment contract has been terminated for any reason
  • All our business partners and their employees within the scope of our commercial activity
  • All real persons who have shared/will share their personal data with the company face to face, at a distance, verbally, in writing or electronically, or who have given/will give it directly or have enabled/will enable it to be obtained by the company

Except for the relevant persons mentioned above, anyone who enters into any legal, humanitarian, commercial or other relationship with our company is the addressee of this text.

Personal data obtained within the scope of the services offered by our company (data processed through online form environments or the … application allocated to our company at the cash register) are never shared with third parties, and they are only kept by the relevant data processors within the framework of our privacy and security policies, within the scope of legal obligations with the enlightened consent texts signed by the relevant persons. In case of business necessity or in the presence of express consent, your information may be shared with support companies such as shipping companies or service providers within the scope of privacy policies.

1.  PROCESSING OF PERSONAL DATA AND BASIC PRINCIPLES GOVERNING THE PROCESSING

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of personal data, completely or partially by automatic means or by non-automatic means provided that it is a part of any data recording system, is considered as the processing of personal data. All kinds of activities carried out in the process from the collection of personal data to the deletion, destruction or anonymization process are considered as processing of personal data within the scope of the Law.

Your personal data is processed, in connection with the requirements of the commercial activity, workplace order and general functioning within our company, within the scope of the provisions of other laws, especially the Labor Law No. 4857, the Law on the Protection of Personal Data No. 6698, the Turkish Code of Obligations No. 6098, the Social Insurance and General Health Insurance Law No. 5510, the Occupational Health and Safety Law No. 6331, the Law No. 6502 on the Protection of Consumers and the Law No. 29166 on the Regulation of Electronic Commerce, and other legislation enacted in line with these provisions. The said data is obtained from the information within the scope of employment contracts, commercial contracts, other contractual relations, the personal file of the party, the information and documents submitted by you, and the information and documents legally obtained from the relevant institutions or notified to us by the institutions.

Your personal data may be collected verbally, in writing or electronically, automatically or non-automatically, through our company's units and offices, website, social media channels, mobile applications and similar means. When you use our call centers or website or visit our website or social media channels, your personal data may be created and updated.

The data in question is processed by the personnel of the Human Resources, Data Protection Unit (DPO), Accounting, Data Processing, Call Center, Support Services and other service units under the supervision and responsibility of our data controller company, limited to their exclusive purposes, within legal frameworks. Again, it may be possible for the doctor and lawyer/attorneys of the institution to process data on a limited basis, in line with the work and legal requirements.

There are basic principles regarding the processing of personal data, which are accepted in international documents and reflected in the practices of many countries. In Article 4 of the Personal Data Protection Law, the procedures and principles regarding the processing of personal data are regulated in parallel with the Convention No. 108 and the European Union Directive No. 95/46/EC. Accordingly, the general (basic) principles listed in the law for the processing of personal data are as follows:

  • Compliance with the law and the rules of honesty,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being connected, limited and restrained with the purpose for which they are processed,
  • To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

Principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles. In the center of the above principles, we take the necessary technical, legal and administrative measures for the protection of data. In this context, necessary studies have been carried out within our company, and the said activities are updated in line with the decisions of the General Assembly of the Personal Data Protection Authority and legislative changes.

1.  PERSONAL DATA PROCESSING CONDITIONS

The processing of personal data is defined in paragraph 3/e of the Law No. 6698 as follows:

“Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, of personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system. All kinds of operations carried out on the data such as bringing, classifying or preventing its use.”

How the personal data in question will be processed is stated in Article 5 of the same law as follows:

''Conditions for the processing of personal data ARTICLE 5 -

  • Personal data cannot be processed without the explicit consent of the person concerned.
  • In case of existence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:
  • a) It is clearly stipulated in the laws.
  • b) It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized.
  • c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
  • ç) It is mandatory for the data controller to fulfill its legal obligation.
  • d) The data has been made public by the person concerned himself.
  • e) Data processing is mandatory for the establishment, exercise or protection of a right.
  • f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.''

4.  SPECIAL PERSONAL DATA AND PROCESSING CONDITIONS

Some data are more indispensable than other personal rights due to their nature. For this reason, the protection and processing of these rights are regulated separately and with strict form requirements within the scope of the said law. Special personal rights are defined and counted as follows in paragraph 6/1 of the law:

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data.

How these rights can be exercised is stated in the other paragraphs of the same article as follows:

'' (2) It is forbidden to process sensitive personal data without the explicit consent of the person concerned.

(3) Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life can only be processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy, without seeking the explicit consent of the person concerned.

(4) In the processing of sensitive personal data, it is also obligatory to take adequate measures determined by the Board.''

It is regulated that some of the personal data of special nature can be processed by non-profit organizations or formations such as political parties, foundations, associations or trade unions. Accordingly, these organizations and entities will be able to process the private data of their members and members in accordance with the purposes of their establishment and the legislation they are subject to, limited to their fields of activity and provided that they are not disclosed to third parties. For example, if a political party or trade union keeps the identity and contact information of its members under the conditions specified in the paragraph, it will be considered within the scope of this paragraph. These organizations will only be able to process sensitive data limited to their fields of activity. For example, a trade union will only be able to process data on union membership in relation to its field of activity and purpose. On the other hand, it will not be able to process the personal data of the members regarding health or religion or sect, as it is not related to the field of activity and purpose.

Special categories of personal data disclosed to the public by the person concerned may be processed. Because, it is accepted that the legal benefit that needs to be protected disappears in the processing of such data, which is made public by the person concerned and thus known to everyone.

If it is necessary to process personal data of a special nature for the establishment, exercise or protection of a right, the said data may be processed even without consent. For example, an employer's processing of reports and documents regarding the persons employed in this status, within the scope of the obligation to employ disabled people, will be considered within this scope. Again, in order for a disabled person to benefit from the right to purchase a specially equipped vehicle exempt from special consumption tax, the acquisition and processing of health reports related to his disability by the tax office will also be evaluated within the scope of this paragraph.

1.  REQUESTED PERSONAL DATA AND THEIR PURPOSE OF PROCESSING

Contracts concluded with the relevant persons, information and documents submitted to each other by the parties as a legal requirement of the legal relationship, forms filled on the internet or physically, information you have left to our call center or the relevant unit representative, data obtained within the scope of the cookie policy and information and documents obtained from other contacts are the main data sources.

Our company's websites are as follows; http://www.sumeras.com

Our company contact numbers; 0312 418 4129

Again, cookie policies are implemented in digital environments to provide better service to customers and other third parties and to inform them of discounts and other opportunities in their favor. Cookies are small files stored in users' browsers when a web page is visited. They record what people search for on websites in the browser history. They allow a website to keep the movements on the site in browser logs. Cookies were first used by the Netscape company in 1994. Their original purpose was to check whether a user had re-entered the site. Today, cookies are used to get much more information without deviating from their main purpose. The text files that enable us to be remembered are what we call cookies.

When our information is written to these files, the sites recognize us when we enter them again, so we do not need to write our information again. We browse through various websites on the Internet and become a member of some of them. We click on the remember me icon so that we do not have to enter our username and password every time we enter the sites of which we are a member. Cookies are activated from the moment we click on this icon. Our information is saved in our special text file. Thanks to the information read from the cookies, from the moment we open the site, our information reaches the site and it recognizes us. There is also a cookie policy within our company and you can access these policies from the following link: http://www.sumeras.com

Your data obtained from the said cookie policy and virtual environments will be protected within the framework of legal provisions for the purpose of creating marketing and advertising policies. Again, job applications, forms filled in the virtual environment for educational purposes, surveys and other information forms will be protected within legal frameworks limited to their exclusive purposes. Within the framework of the execution of the Human Resources policy, the data in question can only be processed separately within this department for this purpose. In case of notification in the forms, it may be possible for another data processing unit within our organization to evaluate the data. Again, the said data may be used as a requirement of the legal relationship entered into with the customers. For example, if a delivery will be made, the residence address and identity information; if the payment will be taken from the bank, the customer account information or credit card information.

Although the requested data vary according to the relations of the persons concerned with our company, they can be categorized as follows:

  • Credentials: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data that contains information about the identity of person; Documents such as driver's license, identity card and passport containing information such as name-surname, TR identity number, n information, mother's name-father's name, place of birth, date of birth tax number, SGK number, signature information, vehicle plate, etc. inf
  • Communication information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as telephone number, address, e address, fax number, IP address
  • Family Members and Close Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Information about family members (e.g. spouse, mo father, child), relatives and other persons who can be reached in case emergency, as reported to our Company by the personal data owner, the framework of the operations carried out by our company's busine
  • Safety Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the records and document the entrance to the company headquarters, branches, sales offices an kinds of facilities, during their stay in these places; camera records, fin records and records taken at the security point, etc.
  • Financial Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed for all kinds of financial inf documents and records created according to the type of legal relatio Company has established with the personal data owner, as well as da bank account number, IBAN number, financial profile, asset data, inco information.
  • Audio/Visual Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Photographs and camera recordings (excluding the recordings included in the scope of Security Information), audio recor data contained in documents that are copies of documents containing data
  • Personal Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; All kinds of personal data processed to obtain the information that will form the basis of the personal rights of real perso are in a working relationship with our company
  • Special Qualified Personal Data: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Data specified in Article 6 of the KVK Law (eg, healt including blood group, biometric data, religion and membership infor
  • Request/Complaint Management Information: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the receipt and evaluation request or complaint directed to our Company
  • Other


The conditions for the processing of personal data are listed in Article 5 of the Law, and accordingly, it is possible to process personal data in case of at least one of the following conditions:

  • Existence of the explicit consent of the person concerned,
  • It is clearly stipulated in the law,
  • It is compulsory for the protection of the life or bodily integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized,
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The data has been made public by the data subject himself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The conditions for the processing of personal data, that is, for their compliance with the law, are enumerated exhaustively in the Law, and these conditions cannot be extended.

Personal data of a private nature can only be processed with the consent of the person concerned. In addition, personal data of a special nature, excluding data related to health and sexual life, can be processed within the scope of legal conditions without seeking consent (KVKK 6/2). Personal data related to health and sexual life can only be processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy, without seeking the explicit consent of the person concerned.

The information and documents obtained as mentioned above will be protected by our company, and the ways of protection and retention are as follows:

Electronic Media

  • Servers (Domain, backup, email, database, web, file sharing, etc.)
  • Software (office software, portal, EBYS, VERBIS.)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Personal computers (Desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD, DVD, etc.)
  • Removable memories (USB, Memory Card etc.)
  • Printer, scanner, copier

Non-Electronic Media

  • Paper
  • Manual data recording systems (forms, visitor logbook)
  • Written, printed, visual media

 

In Article 3 of the Law, the concept of processing personal data is defined; in Article 4, it is stated that the personal data processed should be related, limited and proportionate to the purpose for which they are processed, and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation.

Accordingly, within the framework of the activities of our Institution, personal data is stored for a period of time stipulated in the relevant legislation or suitable for our processing purposes.

Legal Reasons Requiring Storage

Personal data processed in the organization within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data are stored for the storage periods stipulated in the following laws and in the framework of other secondary regulations in force in accordance with these laws:

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Public Procurement Law No. 4734,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
  • Public Financial Management Law No. 5018,
  • Occupational Health and Safety Law No. 6331,
  • Law on Access to Information No. 4982,
  • Law No. 3071 on the Use of the Right to Petition,
  • Labor Law No. 4857,
  • Retirement Health Law No. 5434,
  • Turkish Commercial Code No. 6102,
  • Law No. 6502 on the Protection of Consumers,
  • Law No. 29166 on the Regulation of Electronic Commerce,
  • Tax Procedure Law No. 213,
  • Income Tax Law No. 193,
  • Regulation on Distance Contracts Published in the Official Gazette No. 27866,
  • Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015,
  • After Sales Services Regulation Published in the Official Gazette No. 29029 and dated 13.06.2014,
  • Regulation No. 26751 on Measures Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism.

Processing Purposes Requiring Storage

The Company stores the personal data it processes within the framework of its activities for the following purposes.

  • Managing human resources processes.
  • Ensuring internal communication.
  • To ensure the safety of the company and its employees and third parties.
  • To be able to do statistical studies.
  • Providing in-house event management.
  • Management of relations with business partners or suppliers.
  • Request and complaint management.
  • To be able to perform work and transactions as a result of signed contracts and protocols.
  • In line with the Law on the Protection of Personal Data and the Board decision, obtaining the necessary information and documents for the VERBIS system and notifying the Authority.
  • To ensure the fulfillment of legal obligations as required or mandated by legal regulations.
  • To liaise with real / legal persons who have a business relationship with the company.
  • To carry out transactions within the scope of the company's production and commercial policies.
  • Making legal reports.
  • Obligation of proof as evidence in legal disputes that may arise in the future.

The data obtained within the scope of the above legislation provisions and contract requirements will be kept confidential and protected by the data processors for the legal period, under the supervision of the data controller. Our company's data processors are:

  • Our company's accounting department/unit
  • Our company's human resources department/unit
  • Our company's disciplinary committee
  • Persons Responsible for the Protection of Personal Data of our Company
  • Our company contact person (this person is also the person responsible for the protection of personal data)
  • Administrative staff in recruitment and in-house authorization and worker interviews
  • Company doctor
  • Unit chiefs in terms of performance evaluations
  • Company lawyers
  • Financial advisors
  • Private service providers

Depending on the nature of the work in question, other persons may enter this status as a data processor as required by the situation and the business. Whoever has taken the title of data processor will try to ensure data security in accordance with the relevant legislation and will use the said data for a limited purpose. For example, health records will not be reviewed by the accounting unit.

Personal data will be kept locked by the data processors, where they cannot be accessed by everyone, with the key assigned to the processor only. The security of the said data will be ensured by cameras working 24 hours a day.

If the said data is processed in digital media, it will be kept in special locked files, and the security of the said digital environment will be ensured, and the file passwords will be reserved only to the processors.

1.  STORAGE AND DISPOSAL OF PERSONAL DATA

January and July of each year have been determined as the destruction periods for data within our company. Personal data obtained from the data subjects will be deleted, destroyed or anonymized by the personnel responsible for data protection within the company in the first destruction period following the end of the storage period. The minutes of the destruction process will be kept for 3 (three) years in an independent place by the personnel responsible for data protection within the company. After three years, the said minutes will be destroyed. The disposal process will be based on the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data dated 28 October 2017 and numbered 30224 and the Law on Protection of Personal Data No. 6698.

The reasons for destruction are:

  • Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
  • The disappearance of the purpose requiring its processing or storage,
  • In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
  • In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
  • In the event that the Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; making a complaint to the Board and this request being approved by the Board,
  • The maximum period for keeping personal data has passed and there is no condition that justifies keeping personal data for a longer period of time.

In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, and with the adequate measures determined and announced by the Board, technical and administrative measures are taken so that personal data is stored securely, is not illegally processed or accessed, and is destroyed in accordance with the law.

The technical measures taken by the company regarding the personal data it processes are listed below:

  • As a result of real-time analyses carried out with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
  • Access to information systems and authorization of users are managed through security policies, using the access and authorization matrix and the corporate active directory.
  • Necessary measures are taken for the physical security of the company's information systems equipment, software and data.
  • In order to ensure the security of information systems against environmental threats, hardware measures (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, attack prevention systems, network access control, systems preventing malware, etc.) are taken.
  • Risks regarding unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.
  • Access procedures are established within the company, and reporting and analysis studies are carried out regarding access to personal data.
  • Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored.
  • The Company takes the necessary measures to make the deleted personal data inaccessible and non-reusable for the relevant users.
  • In the event that personal data is obtained unlawfully by others, a system and infrastructure has been established by the Authority to notify the relevant person and the Board.
  • Security vulnerabilities are tracked, appropriate security patches are installed and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
  • Data backup programs are used to keep personal data safe.
  • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
  • A separate policy has been determined for the security of sensitive personal data.
  • Employees involved in processing sensitive personal data have been given training on the security of such data, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
  • Electronic environments in which sensitive personal data are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, and the necessary security tests are regularly performed or commissioned and the test results are recorded.
  • Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.
  • If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the sFTP method. If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a "confidential" format.

Of these items, the company will specify which of them it can do.

The administrative measures taken by the Company regarding the personal data it processes are listed below:

  • Trainings are provided on prevention of illegal processing of personal data, prevention of illegal access to personal data, protection of personal data, communication techniques, technical knowledge and skills, Labor Law and other relevant legislation in order to improve the quality of employees.
  • Confidentiality agreements are signed by the employees regarding the activities carried out by the company.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.
  • Personal data processing inventory has been prepared.
  • Periodic and random audits are carried out within the company.
  • Information security trainings are provided for employees.

Personal data is destroyed by the request of the person concerned or ex officio by the company, upon the expiry of the legal period, in the following ways.

DATA RECORDING ENVIRONMENT     EXPLANATION
Personal Data on Servers     The system administrator removes the access authorization of the relevant users and deletes personal data on the servers for those whose period has expired.
Personal Data in Electronic Media     Among the personal data in the electronic environment, the ones whose period has expired rendered inaccessible and non-reusable for other employees (related users) except the datab administrator.
Personal Data in Physical Environment     Personal data kept in the physical environment is made inaccessible and non-reusable in an for other employees, except for the unit manager responsible for the document archive, for whose period of time has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.
Personal Data in Portable Media     Of the personal data kept in flash-based storage media, the expired ones are encrypted by th system administrator and the access authorization is given only to the system administrator they are stored in secure environments with encryption keys.
Personal Data in Physical Environment     Of the personal data in the paper medium, the ones that need to be kept, which have expire irreversibly destroyed in the paper clipping machines.
Personal Data in Optical / Magnetic Media     The physical destruction of the personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic f

 

Personal data to be obtained from workers are stored and destroyed in different time periods depending on their qualifications. The storage periods of the said data are as follows. These data, whose storage period has expired, are destroyed in the nearest destruction period and the minutes of destruction are kept for 3 years.

PERSONAL DATA     STORAGE PERIOD
With the recruitment documents to the Social Security Institution; Personnel data that is the basis for notifications regarding length of service and wages     It is retained for a period of 15 (fifteen) years as of t continuation of the service contract and from its e
With the recruitment documents to the Social Security Institution; Personnel data other than the personnel data that are the basis for notifications regarding the length of service and wages.     It is retained for a period of 10 (ten) years from the beginning of the calendar year following the conti the service contract and the end of it.
Customer Information     Pursuant to Article 82 of the Turkish Commercial C information that is the basis for the issuance of inv which constitute the basis for commercial books a records, is kept for 10 years in accordance with th aforementioned law, and Customer Information ot this is kept for the period required for the purpose they are processed.
Contracts on the basis of the commercial relationship and their data     10 years in accordance with the provisions of the C Obligations No. 6098 and other legislation
Personal Health Files of Employees     According to the Occupational Health and Safety legislation, personal health files must be kept for 1
Employee Candidate Information     It is stored for a maximum of 2 years until it is out
Visitor Information     Stored for 2 years
Partner and Advisor Information     It is kept for a period of 10 years in accordance wit 146 of the Turkish Code of Obligations, during and relationship with the company.
Information Shared with the Company by the Companies     It is kept for a period of 10 years in accordance wit 146 of the Turkish Code of Obligations, during and relationship with the company.
Customer     Each product/service purchased by the Custome for 10 years in accordance with the Turkish Code o Obligations art.146 and Turkish Commercial Code
Customer/Potential Customer Requests and Complaints     It is stored for 10 years from the date of request an complaint.
The relevant personal data is subject to a crime within the scope of the Turkish Penal Code or other penal provisions.     During the statute of limitations
Log Tracking Systems     10 years
Execution of Hardware and Software Access Processes     2 years
Records of Visitors and Meeting Participants     If there is no contractual relationship, 2 years from of the event
Non-employee trainee, trainee information     For the duration of training and other activities wit company and 1 year from the end of the relations
Personal data received from employee candidates     In case the candidacy application is negative, until nearest destruction period.

When the person concerned, pursuant to Article 13 of the Law, applies to SUMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. and requests the deletion or destruction of his personal data:

  • If all the conditions for processing personal data have disappeared; The company deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the person concerned about the transaction.
  • If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest. The right of the person concerned to complain to the institution is reserved. In this context, the persons concerned may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.
  • In this context, applications to be made to our Company in “written” form,
    • with the personal application of the Applicant,
    • through a notary,
    • by being signed by the Applicant with the “secure electronic signature” defined in the Electronic Signature Law No. 5070,

can be forwarded to us by sending them to the registered e-mail address of the company. To exercise this right, our contact information is as follows:

Title : SUMER INTERNATIONAL INDUSTRY AND TRADE INC.

Mersis No / Tax No: 7860018595

E-mail Address: info@sumeras.com

Postal Address: BAŞKENT OSB MAHALLESİ BAŞKENT BULVARI NO:81 SİNCAN/ANKARA

Tel: 0312 418 4129

1.  TRANSFERRING PERSONAL DATA

How and under what conditions personal data will be transferred to third parties within the borders of the country is regulated within the scope of Article 8 of the Personal Data Protection Law. According to this article, it is possible to transfer personal data only if the individuals give their explicit consent. However, in the same article of the law, it is written that personal data can be transferred without explicit consent, provided that the conditions within the scope of articles 5 and 6 are met.

As a result of the interpretation of the said articles of law, it is possible to transfer personal data where:

  • the explicit consent of the person concerned has been obtained,
  • it is clearly stipulated in the law,
  • it is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
  • it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract,
  • it is mandatory for the data controller to fulfill its legal obligation,
  • the data has been made public by the person concerned himself,
  • data processing is mandatory for the establishment, exercise or protection of a right,
  • data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Private personal data may be transferred to third parties:

  • in case of obtaining the explicit consent of the person concerned,
  • in case it is expressly stipulated in the law, in terms of sensitive personal data other than health and sexual life,
  • in terms of personal data related to health and sexual life, by persons or authorized institutions and organizations under the obligation to keep confidential, for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services.

Whereas personal data can only belong to real persons, a "data controller" or "data processor" can be either a natural or a legal person. Any natural or legal person who processes personal data is either a data controller or a data processor, depending on the purposes and methods of data processing. In this context, it is necessary to comply with the regulations in Article 8 of the Law for all kinds of data transfer between the persons in these two categories.

It is possible to transfer personal data to public and private legal entities abroad within the scope of our company's activity and commercial interests, in accordance with legal conditions. According to Article 9 of the Law, data transfer abroad can be carried out where:

  • the express consent of the person concerned has been obtained,
  • one of the situations specified in the Law exists (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law) and there is sufficient protection in the country to which the data will be transferred (countries deemed safe by the Board),
  • one of the situations specified in the Law exists (conditions specified in the 2nd paragraph of Article 5 and the 3rd paragraph of Article 6 of the Law) and, in the absence of sufficient protection in the country to which the data will be transferred (countries that are not considered safe by the Board), adequate protection is committed to in writing and the Board's permission is obtained.

As data controller, and where the above conditions exist, it is possible for us to transfer personal data and private personal data to third parties in line with the requirements and requests of those third parties, for the purposes of the company, for the fulfillment of obligations to public institutions, for the performance of legal obligations and for other purposes. These data can be shared with the personnel of our company, our affiliated companies, our direct / indirect domestic / foreign affiliates, the organizations we receive service from, the domestic and international servers we use, the domestic / foreign institutions from which we receive cloud services, individuals and organizations that provide measurement, targeting and profiling support on behalf of the data controller, audit companies, business and solution partners, suppliers, and public and private legal entities.

The list of relevant data processors according to personal data categories is as follows;

Credentials     Company Stakeholders, Company Officials, Company Employees, C Business Partners, Employee Candidates, Visitors, Company and Gr Company Customers, Potential Customers and Third Parties
Communication information     Company Stakeholders, Company Officials, Company Employees, C Business Partners, Employee Candidates, Visitors, Company and Gr Company Customers, Potential Customers and Third Parties
Location Data     Company Stakeholders, Company Officials, Company Employees
Transaction Security Information     Company Stakeholders, Company Officials, Company Employees, C Business Partners, Employee Candidates, Visitors, Company and Gr Company Customers, Potential Customers and Third Parties
Family Members and Close Information     Company Stakeholders, Company Officials, Company Employees, C Business Partners
Physical Space Security Information     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties
Financial Information     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties
Audio/Visual Information     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties
Personal Information     Company Stakeholders, Company Officials, Company Business Part
Legal Transaction Information     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties
Special Qualified Personal Data     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties
Request/Complaint Management Information     Company Stakeholders, Company Officials, Company Business Part Employee Candidates, Visitors, Company and Group Company Cus Potential Customers and Third Parties

1.  RELATED PERSON RIGHTS

Your rights as the person whose data is processed are written in the 11th article of the Law No. 6698 as follows:

  • You can learn whether we process personal data about you, and if we do, you can request information about it.
  • You can learn the purpose of processing your personal data and whether they are used in accordance with the purpose.
  • You can find out whether your personal data is transferred domestically or abroad and to whom.
  • You can request the correction of your incorrect and incomplete personal data and the notification of the recipients to whom this data has been or may have been transferred.
  • You can request the destruction (deletion, destruction or anonymization) of your personal data within the framework of the conditions stipulated in Article 7 of the KVKK. However, we will evaluate your destruction request and decide which method is appropriate according to the conditions of the concrete case. In this context, you can always request information from us about why we have chosen the destruction method we have chosen.
  • You can request the third parties to whom your personal data has been or may be transferred to be informed about your destruction request.
  • You may object to the results of your personal data analysis, created exclusively using an automated system, if these results are contrary to your interests.
  • If you suffer damage due to the unlawful processing of your personal data, you can request the removal of the damage.

Your requests included in your Application Subject to Personal Data Violation will be concluded free of charge within thirty days at the latest [1], depending on the nature of the request. However, if the transaction requires a separate cost for the Company, the fee in the tariff determined by the Personal Data Protection Board in the Communiqué on the Procedures and Principles of Application to the Data Controller may be charged.

You can make your application regarding the processing of your personal data by filling out the application form on the Company's website or by following the procedures and principles set forth in Article 5 of the Communiqué on Application Procedures and Principles to the Data Controller:

  • Written and signed, notarized or registered with return receipt
  • By e-mail from your registered e-mail (KEP) address
  • With secure electronic signature or mobile signature
  • With a notification to your e-mail address
  • With the notification you will make on the line 0312 418 4129

It will be beneficial not to lose the registration numbers given to you for the above notifications in terms of file and transaction tracking.

THE INFORMATION REQUIRED FOR YOU TO MAKE YOUR APPLICATIONS has been stated above within the scope of the first page.

UPDATE AND COMPLIANCE

The Company reserves the right to make changes in this Policy and other related policies due to the changes made in the Law, in accordance with the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics.

Changes made in this Policy are immediately written into the text, and explanations regarding the changes are given at the end of the Policy.

This Policy was approved by the Executive Committee of SUMER INTERNATIONAL INDUSTRY AND TRADE INC. on 1/1/2021. It will be valid and binding as of this date.

You can reach the complaint form you can make to our company, the complaint form you can make to the KVK Institution, and this clarification text and KVKK Policies at the link below: http://www.sumeras.com

[1] The following principles are included in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 on the Calculation of the Application and Complaint Periods to the Data Controller:

  • If the data controller responds to the application made by the data subject within 30 days, the data subject can file a complaint within 30 days following the data controller's response; therefore, in such cases, the data subject does not have 60 days from the date of application to the data controller.
  • If the data controller does not respond to the application made by the data subject, the data subject may file a complaint with the Board within 60 days from the date of application to the data controller.
  • Considering that the data subject is not obliged to wait for a response after the 30-day period given to the data controller in the Law and may file a complaint with the Board after the deadline given to the data controller, if the data controller responds to the application made by the data subject after the 30-day period defined in the Law, the data subject may file a complaint with the Board within 60 days from the date of application to the data controller, not 30 days from the date on which the data controller replied.

It has been deemed appropriate to announce these issues to the public with the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9.