PERSONAL DATA PROTECTION AND PROCESSING POLICY

LENIDIA DIŞ TİCARET
PERSONAL DATA PROTECTION AND PROCESSING POLICY

CONTENTS
INTRODUCTION……………………………………………………………………………………. 3
PURPOSE ………………………………………………………………………………………………3
I. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA ……………. 3
1.1. Engaging in PD Processing Activities in Compliance with the Law and the Rule of Integrity……………………………………………………………………………………………………. 3
1.2. Ensuring Personal Data Accuracy and Up-to-Dateness When Necessary………. 4
1.3. Processing with Specific, Explicit and Legitimate Purposes…………………………. 4
1.4. Being Limited, Proportional and Expedient to Purpose of Data Processing ….. 4
1.5. Retaining Personal Data for the Period Required for the Purpose stipulated in the Legislation or for the Purpose for Which They are Stored……………………………..4

II. CONDITIONS FOR PROCESSING PERSONAL DATA…………………………… 4.
III. LENIDIA DIŞ TİCARET OBLIGATIONS…………………………………………………………. 5.
3.1. The Company’s Obligation to Inform Personal Data Owner…………………………… 5.
3.2. Obligation to Respond to Applications of Personal Data Owners ……………………….. 5.
3.3. Obligation to Ensure the Security of Personal Data ……………………………………………….. 6
3.3.1. Technical and Administrative Measures for the Provision of Legal Data Processing ……………………………………………………………………………………….6
3.3.2. Technical and administrative measures to prevent unlawful access to personal data……………………………………………………………………………………7
3.4. Obligation to Register in the Data Controllers Registry …………………………………………..7
IV. ORGANIZATIONAL STRUCTURE WITHIN LENIDIA …………………………………………………………………………………………………………………………….. 8.
ANNEX-1 DEFINITIONS………………………………………………………………………….9.

INTRODUCTION
This Policy sets out the principles to be adopted by Lenidia companies and to be taken into account at the point of implementation regarding the processing and protection of personal data. With this Policy
The matters to be fulfilled by Lenidia are set forth in the Law on the Protection of Personal Data No. 6698 (“ KVKK ”), the basic principles on how to comply with the envisaged regulations are determined.

PURPOSE
This Policy has been prepared with the aim of ensuring the highest level of management and coordination of compliance activities to be carried out for all related group companies in order to comply with the KVKK on the processing and protection of personal data at the Lenidia level.

In line with the principles determined by Lenidia, it will make the necessary arrangements for compliance with its internal operations and create the necessary system for the awareness of its employees and business partners.

I. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA

This Policy provides guidance on how Lenidia Company will implement the rules set forth by the KVKK and related legislation in concrete terms.

By following this Policy, Lenidia will analyze the personal data processing activities they carry out within their own organization, determine the necessary actions to comply with this Policy and take all kinds of technical and administrative measures. After the determined actions are implemented, internal control mechanisms will be operated and the continuity of compliance with the Policy will be ensured.

Within Lenidia, efforts will be made to raise awareness of employees in order to ensure compliance with this Policy, necessary compliance processes will be run for new employees and necessary arrangements will be made in their relations with Lenidia business partners.

In order to ensure compliance with the KVKK, personal data should be processed by Lenidia in accordance with the general principles and provisions stipulated in the legislation. In this context, the principles and conditions that must be taken into account by Lenidia in all personal data processing activities will be discussed in this section.

The principles to be taken into account during the processing of personal data are examined under the following headings.

1.1. Engaging in Personal Data Processing Activities in Compliance with the Law and the Rule of Integrity

Lenidia must act in accordance with the law and integrity rules within the scope of personal data processing activities. In this context, Lenidia should apply the principles of proportionality and necessity in the processing of personal data, and process only as much personal data as necessary, in accordance with the purposes of data processing.

1.2. Ensuring Personal Data Accuracy and Up-to-Dateness When Necessary

Lenidia must ensure that the personal data they are processing is correct and up-to-date and must take the necessary measures accordingly. For example, Lenidia should develop systems that will allow personal data owners to correct and update their personal data.

1.3. Processing with Specific, Explicit and Legitimate Purposes

Lenidia must process personal data for specific, clear and lawful reasons. In this context, Lenidia should determine the purpose for which personal data will be processed and submit these purposes to the information of the data owners before the personal data is processed. Personal data should not be processed for purposes other than those specified. The data processing purposes set by Lenidia must be legitimate and lawful.

1.4. Being Limited, Proportional and Expedient to Purpose of Data Processing

Lenidia should process personal data in a way that is suitable for the realization of the determined purposes and should avoid the processing of personal data that is not related or needed for the realization of the purpose. For example, personal data processing should not be carried out for the realization of a new purpose that emerged after the personal data was obtained.

1.5. Retaining Personal Data for the Period Required for the Purpose stipulated in the Legislation or for the Purpose for Which They Are Stored

Lenidia should retain personal data only for the periods prescribed by law or for the purpose for which they are processed. In this context, if a period is determined for the storage of personal data in the relevant legislation, it must comply with this period. If a period has not been determined, personal data should be retained for as long as is necessary for the purpose for which they are processed.

II. CONDITIONS FOR PROCESSING PERSONAL DATA

As a rule, personal data should be processed based on one or more of the personal data processing conditions specified in Article 5 of the KVKK. In this context, Lenidia should evaluate whether personal data processing activities fall within the scope of one of these conditions and personal data processing activities that are not based on one of these conditions should be stopped.

It is regulated in the KVKK that special measures can be introduced for the processing of personal data of a special nature. In this context, measures to be determined by the Board should be taken while processing sensitive personal data.

Necessary organizational systems should be established to act in accordance with the regulations stipulated in Articles 8 and 9 of the KVKK regarding the transfer of personal data to third parties in the country or abroad. When transferring personal data, necessary security measures should be taken in line with the processing purposes.

In order to prevent the unlawful processing of personal data, necessary systems should be established within companies and internal awareness should be created.

III. OBLIGATIONS OF LENIDIA AFFILIATES

3.1. The Company’s Obligation to Inform Personal Data Owner

Lenidia should inform the persons whose data will be processed during the acquisition of personal data about how their data will be processed. In the KVKK, the minimum issues that should be included in the information are listed. This information is as follows:

(1) Identity of Lenidia as the data controller and its representative, if any,
(2) For what purpose the personal data is to be processed,
(3) To whom and for what purpose the processed personal data shall be transferred,
(4) Method and legal reasons for collecting personal data,
(5) Rights of the personal data owner.

In this context, personal data collection channels should first be determined by Lenidia, and lighting points and texts should be determined for each channel.

3.2.Obligation to Respond to Applications of Personal Data Owners

Personal data owners can use their rights in KVKK regarding their own data by applying in writing or by other methods to be determined by the Board.

In this context, Lenidia should take the necessary administrative and technical measures to fulfill its obligations under Article 13 of the KVKK in order to fulfill the rights of personal data owners.

Within the scope of KVKK, personal data owners have the following rights:

• To learn whether personal data has been processed or not,
• Requesting information if personal data has been processed,
• to learn the purpose of processing personal data and whether they are used in line with their purpose,
• to receive information on the third persons to whom the personal data is transferred within and out of the country,
• if the personal data is processed incompletely or incorrectly, request correction thereof and, in this extent, request notification of the same to the third persons to whom the personal data have been transferred,
• In the event that, even though the personal data have been processed in compliance with the KVKK and other relevant laws, the causes for processing disappear, request deletion or disposal of the personal data and, in this extent, request notification of such deletion or disposal to the third persons to whom the personal data have been transferred,
• To object to any adverse consequences arising as a result of processed data being analyzed solely by automatic systems,
• To claim compensation in case of suffering loss due to illegal processing of the personal data.

Only requests of personal data owners sent to Lenidia in writing should be processed. In the future, different application methods may be determined by the Board. Lenidia should respond to the relevant request as soon as possible and within thirty days at the latest, depending on the nature of the request. As a result of the evaluation, Lenidia can accept the applications and take the necessary actions, as well as reject the applications with justification.
It should be emphasized that the personal data owner may file a complaint to the Board within 30 days in case his application is rejected, the answer given is insufficient or the application is not answered in due time. In order to prevent these complaints, it is important to give timely and satisfactory answers to personal data owners.

3.3. Obligation to Ensure the Security of Personal Data

Lenidia Companies must take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data they are processing, to prevent the data from being accessed unlawfully, and to ensure the preservation of the data.

In the future, the Board will be able to introduce detailed regulations on obligations regarding data security. Therefore, in order to comply with the obligations within this scope, maximum security should be ensured by making reasonable efforts.

In terms of technical and administrative measures to be taken, Lenidia should set up systems to carry out and have the necessary inspections done regarding the operation of the measures. These audit results should be examined by the units within Lenidia and necessary actions should be taken.

Lenidia is obliged to inform the relevant personal data owner and the Board, if required by the legislation, as soon as possible, in case the processed personal data is obtained by others through illegal means. In this context, the necessary organizational structure should be established.

If situations that pose a security risk are detected by Lenidia, measures should be taken to eliminate the risk without wasting time.

3.3.1. Taking Technical and Administrative Measures for the Provision of Legal Data Processing

The following measures should be taken by Lenidia for the legal processing of personal data:

• All processes related to data processing activities within Lenidia should be analyzed on the basis of business units, and a ‘’personal data processing map’’ should be drawn up in this context.
• Pursuant to the personal data processing map, the works to be performed in order to ensure compliance with the law are identified on a unit basis.
• The personal data processing processes carried out should be audited with the technical systems to be developed and reported to the relevant person.
• Lenidia employees should be informed and trained about the legal processing of personal data and the sanctions of illegal data processing.
• Regular audits should be conducted to raise awareness among employees and necessary administrative measures should be implemented through Lenidia’s internal policies and training.
• Lenidia should make entries regarding the confidentiality of shared personal data and how they should be processed and stored, in contracts and documents governing the legal relationship among the Company, its employees, subsidiaries, business partners, suppliers and customers.
• Access to personal data should be limited to the employees assigned to data processing. Employees are restricted from accessing personal data that they do not use as a requirement for their tasks.

3.3.2. Taking Technical and Administrative Measures to Prevent Unlawful Access to Personal Data

The following measures should be taken by Lenidia to prevent unlawful access to personal data:

• Technological technical measures should be taken to prevent access to systems and locations where personal data are stored, and these measures should periodically be updateded.
• Access and authorization technical processes should be designed and activated by Lenidia in accordance with business unit-based legal compliance requirements.
• The technical measures taken should be reported to the relevant person periodically, and technological solutions are produced for issues with security risks.
• Required software and systems, including virus protection systems and firewalls should be installed.
• Lenidia’s employees should be trained on the technical measures taken in this context and staff knowledgeable in technical matters should be employed.
• A commitment should be obtained from Lenidia employees that they will not disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing. This commitment shall continue to effect even after they have left the job.
• Provisions regarding taking the necessary security measures for the protection of personal data should be added to the contracts concluded by Lenidia with the persons to whom personal data is transferred.

3.4.The Company’s Obligation to Register in the Data Officers Registry

Before starting data processing, Lenidia must register in the Data Controllers Registry by submitting the application information and documents listed in the KVKK within the period to be determined and announced by the Board. The information to be submitted is as follows (secondary regulations to be issued by the Board and additional information and documents can be requested):

(1) Identity and address information of Lenidia as data controller and its representative, if any,
(2) For what purpose the personal data is to be processed,
(3) Explanations about the data subject group and groups and the data categories of these persons,
(4) Recipient or recipient groups to whom personal data can be transferred,
(5) Personal data intended to be transferred to foreign countries,
(6) Measures taken regarding personal data security,
(7) The maximum period required for the purpose for which personal data is processed.

IV. ORGANIZATIONAL STRUCTURE WITHIN LENIDIA

Within Lenidia, the “Personal Data Protection Committee” responsible for the fulfillment of the actions determined by the senior management for compliance, or the person who will be responsible for this matter, should be appointed to manage this policy and other policies connected to and related to this policy.

In this context, the following minimum actions should be taken by the Committee or the person to be appointed:
• To determine the basic policies regarding the processing and protection of personal data and what needs to be done to comply with the legislation,
• Submitting the determined basic policy and action steps to the approval of the senior management; to monitor and coordinate its implementation,
• To decide how the policies regarding the processing and protection of personal data will be implemented and how the audit will be carried out, to make necessary assignments after obtaining the approval of the senior management,
• To ensure that required measures are taken by identifying the risks that may incur in the Company’s personal data processing activities, and to submit to the approval of the senior management the rectifying proposals.
• To ensure that employees are trained on the protection of personal data and Company policies,
• To finalize the applications of personal data subjects at the top level,
• To make necessary arrangements within the company for the company to fulfill its obligations under KVKK,
• To follow the developments on the protection of personal data; To advise the senior management on what needs to be done within the scope of these developments, to manage the relations with the institution and the board.

ANNEX-1 DEFINITIONS

Explicit Consent : Consent based on being informed on a particular subject and expressed with free will.
Anonymization : It is the change of personal data in such a way that it loses its quality as personal data and this situation cannot be undone. For instance, making personal data unassociated with a real person with techniques of masking, consolidation, data destruction, etc.
Personal Data Owner : It means the real person whose personal data is processed. For example; Customers and employees.
Personal Data : Any information related to real person who is identified or identifiable. The processing of data relating to legal persons is hereby not within the scope of the Law. For instance; name-surname, TR identity number, e-mail, address, date of birth, credit card number, etc.
Sensitive Personal Data : Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special data.
Processing of Personal Data : It means all kinds of processes performed on personal data including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system.
Data Processer : It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. For example, an IT firm that stores customer data of a company.
Data Responsible : The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system) is the data controller.