2. Conditions for Transferring Personal Data Abroad

3. Purposes of Transferring Personal Data and Third Parties to which it may be Transferred

4. Personal Data Envisioned to be Transferred to Foreign Countries

CHAPTER SIX: METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON

1. Method and Legal Reason for Personal Data Collection

CHAPTER SEVEN: RIGHTS OF THE DATA OWNER

1. Disclosure of Personal Data Owner

2. Rights of the Data Owner

3. Circumstances in which the Personal Data Owner cannot assert his rights

4. Use of Personal Data Owner's Rights

5. The Company's Response Procedure and Time to Applications

6. Right of Personal Data Owner to Complain to the Board

CHAPTER EIGHT: PERSONNEL IN DUTY FOR COMPLIANCE WITH THE POLICY

CHAPTER NINE: UPDATES AND CHANGES

POLICY ON THE PROTECTION, PROCESSING AND TRANSFER OF PERSONAL DATA

CHAPTER ONE: GENERAL INFORMATION REGARDING POLICY

1. Introduction

MRY Tekstil Deri Mağazacılık San. Tic. Ltd. Şti. (“Company”), in the capacity of “data controller” within the scope of the Law on Protection of Personal Data No. 6698 (“Law”), to ensure that the personal data of real persons related to our Company, including our customers, users of our website and our employees, are subject to the Law and its related and relevant legislation. It is our priority to ensure that the data subject is processed in accordance with the law and the rights arising from the legislation are used effectively. We carry out the procedures regarding the protection, processing and transfer of the personal data of all data subjects we are in contact with during our activities, in accordance with hereby Personal Data Protection, Processing and Transfer Policy (“Policy”). Protection of personal data and observance of the fundamental rights and freedoms of the persons whose personal data are collected are the basic principles of hereby  Policy regarding the processing of personal data.

2. Purpose of the Policy

The main purpose of hereby Policy is to determine the methods we follow for the protection, processing, storage and transfer of personal data shared by data owners during our commercial activities, within the framework of the principles referred to in the Law, by our Company, which has the title of "data controller" under the Law. In this way, it is aimed to ensure full compliance with the legislation in the processing, protection and transfer of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.

3. Scope of the Policy

The personal data of our employees, customers, visitors, business contacts, business partners, potential customers, suppliers, dealers, users visiting our website, in short, all real person data owners with whom we are in contact during our activities, including but not limited to those listed, are within the scope of this Policy.

The protection of personal data covers only the data of real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection under the Law. Therefore, hereby Policy is not applied to data belonging to legal entities.

4. Definitions

The terms used in this Policy have the following meanings:

5. Enforcement of the Policy

This Policy was approved by the Company's Board of Directors and entered into force on 26/12/2019. If changes are required in the Policy, the relevant articles will be updated accordingly. Changes made in hereby Policy are immediately processed in the text and explanations regarding the changes are stated in the Ninth section of hereby Policy.

CHAPTER TWO: CLASSIFICATION OF PERSONAL DATA

1. Personal Data

Personal data is any information relating to an identified or identifiable real person. In line with the legislation, in this Policy, the concept of personal data will also include sensitive personal data.

2. Sensitive Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.

CHAPTER THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES

1. Personal Data Categorization

Personal data in the following categories are processed by the Company by informing the relevant persons in accordance with Article 10 of the Law. It is also stated in this chapter that the personal data processed in these categories are related to which persons are regulated within the scope of hereby Policy.

The following table details the above-mentioned categories of personal data owners and what types of personal data are processed by the persons in these categories.

CHAPTER FOUR: PROCESSING PERSONAL DATA

1. General Principles in the Processing of Personal Data

Personal data is processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. The company acts with the following principles when processing personal data:

• Compliance with the law and the rules of good faith: Personal data is processed in accordance with the relevant legal rules and the requirements of the rule of good faith.

• Being accurate and up-to-date when necessary: It is ensured that personal data are correct and kept up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.

• Processing for specific, clear and legitimate purposes: Personal data is processed for specific, clear and legitimate purposes. Being legitimate means that the personal data processed by the Company is related to and necessary for the work it has done or the service it has provided.

• Being connected, limited and proportional to the purpose for which they are processed: Personal data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary for the realization of the purpose. Personal data processed in this context are related, limited and measured for the purpose for which they are processed.

• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: If there is a period stipulated in the relevant legislation for the storage of data, personal data is kept in accordance with these periods, otherwise for the period required for the purpose for which they are processed. In the event that there is no valid reason for further preservation of personal data, the data in question is deleted, destroyed or anonymized.

2. Terms of Processing Personal Data

The company does not process personal data without the explicit consent of the person concerned. However, in the presence of one of the following conditions, personal data may be processed without seeking the explicit consent of the person concerned:

• Explicitly stipulated in the laws: The Company may process the personal data of the persons concerned, even if there is no explicit consent, in cases expressly stipulated by the laws. E.g; In accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought to include the name of the person on the invoice.

• Being obligatory for the protection of life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized: The life or body of the person himself or another person, who is unable to express his consent or whose consent cannot be validated, due to actual impossibility. In order to protect its integrity, personal data may be processed without explicit consent. For example, in a situation where the person is unconscious or whose consent is not valid due to mental illness, the personal data of the person concerned may be processed during medical intervention in order to protect his life or physical integrity. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.

• Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process the personal data of the parties to the contract: Personal data of the parties to the contract can be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a contract made, the account number of the creditor can be obtained for the payment of money.

• Obligatory for the data controller to fulfill its legal obligations: The company may process the personal data of the data subjects if it is necessary to fulfill its legal obligations as a data controller. For example, companies have to report certain data of their employees to SSI.

• Having been made public by the data subject himself: Personal data of the data subject, which has been made public by himself, in other words, disclosed to the public in any way, can be processed without explicit consent, since the legal benefit that needs to be protected is no longer valid.

• Obligatory data processing for the establishment, exercise or protection of a right: In cases where data processing is necessary for the exercise or protection of a legally legitimate right, the Company may process the personal data of the persons concerned without seeking explicit consent.

• Obligation to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject: The Company may process the personal data of the persons concerned in cases where it is necessary to process personal data in order to ensure their legitimate interests, provided that the fundamental rights and freedoms of the persons concerned are protected under the Law and this Policy. The company shows all necessary care and sensitivity to comply with the basic principles regarding the protection of personal data and to observe the balance of interests of the persons concerned.

3. Conditions of Processing of Sensitive Personal Data

The Company does not process Sensitive Personal Data without the explicit consent of the person concerned. The Company also carries out the necessary actions to take adequate measures determined by the Board in the processing of personal data of special nature.

4. Our Purposes of Processing Personal Data

Personal Data collected by the Company is processed for the purposes listed below within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law. In case the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, the explicit consent of the data owner regarding the relevant processing process is provided by the Company.

• Execution of our commercial and administrative activities,

• Execution of information security processes,

• Execution of employee candidate application, selection and placement processes,

• Fulfilling the obligations arising from the employment contract and legislation for the employees,

• Execution of audit activities,

• Arrangement of access authorizations,

• Execution of activities in accordance with the legislation,

• Execution of finance and accounting works,

• Ensuring physical space security,

• Execution of assignment processes,

• Follow-up and execution of legal affairs,

• Execution of communication activities,

• Planning of human resources processes,

• Execution and supervision of business activities,

• Execution of occupational health and safety activities,

• Receiving and evaluating suggestions for improvement of business processes,

• Execution of logistics activities,

• Execution of goods/service purchasing processes,

• Execution of goods / services sales process and after-sales support services,

• Execution of goods / services production and operation processes,

• Execution of customer relationship management processes,

• Carrying out activities for customer satisfaction,

• Organization and event management,

• Carrying out marketing analysis studies,

• Execution of Advertising / Campaign / Promotion processes,

• Execution of storage and archive activities,

• Execution of contract processes,

• Follow-up of requests and complaints,

• Ensuring the security of movable property and resources,

• Execution of supply chain management processes,

• Execution of the wage policy,

• Execution of marketing processes of products and services,

• Ensuring the security of the company's operations as a data controller,

• Providing information to authorized persons, institutions and organizations,

• Execution of management activities,

• Creation and follow-up of visitor records,

• To send all kinds of commercial electronic messages, primarily SMS, voice and/or other kinds of marketing messages, within the scope of the Law No. 6563 on the Regulation of Electronic Commerce.

CHAPTER FIVE: TRANSFERRING PERSONAL DATA

1. Terms of Transfer of Personal Data

As a company, we act in accordance with the decisions and regulations stipulated in the Law and taken by the Board regarding the transfer of personal data. Without prejudice to the exceptional circumstances in the legislation, personal data and sensitive data are not transferred by us to other real persons or legal entities without the explicit consent of the person concerned. However, personal data may be transferred without seeking explicit consent in the cases described in article 2 of Chapter Four of hereby Policy.

2. Conditions for Transferring Personal Data Abroad

As a rule, personal data is not transferred abroad without the explicit consent of the person concerned. However, in cases where one of the exceptions stated in Article 2 of the Fourth Section of hereby Policy exists, the third parties abroad can only:

• Located in countries with adequate protection declared by the Board,

• If it is located in countries where there is no adequate protection, the data controllers in Turkey and in the foreign country in question undertake to provide adequate protection in writing and have the permission of the Board;

In such cases, personal data may be transferred abroad without explicit consent.

3. Purposes of Transferring Personal Data and Third Parties to which it may be Transferred

Personal data, for the purposes listed in Article 4 of Section 4 of this Policy,

• To our suppliers,

• To our business partners and business contacts,

• To our group companies,

• Legally authorized public institutions and organizations,

• Legal advisor and financial advisor,

• Company officials,

can be transferred in accordance with the principles and rules described in hereby Policy.

4. Personal Data Envisioned to be Transferred to Foreign Countries

There is no personal data transferred by our company to third parties residing in foreign countries during our operation.

CHAPTER SIX: METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON

1. Method and Legal Reason for Personal Data Collection

Personal data is collected by our Company through technical and in-process methods carried out in different channels such as our website, mobile applications, call center, registration forms and physical channels, or verbally, in writing or electronically, fully or partially automated or as part of any data recording system. It also aims to  carry out legal responsibilities and to fulfill the requirements of the business relationship we have established and to constitute, use and protect the rights we have mutually in this direction, and to protect the legitimate interests of our Company by taking into account the fundamental rights and freedoms of the related persons with whom we are in contact within the framework of legal reasons arising and executed based on the relevant legislation, contract, demand, commercial practice and honesty rules that can be implemented in terms of providing our commercial services to you and carrying out our commercial activities.

SECTION SEVEN: RIGHTS OF THE DATA SUBJECT

1. Disclosure of Personal Data Owner

Our company fulfills its obligation to inform the relevant persons during the acquisition of personal data in accordance with Article 10 of the Law. In this context, information is provided on the identity of the company, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the person concerned.

2. Rights of Data Subject

Our company, pursuant to Article 11 of the KVKK;

• Learning whether personal data is processed or not,

• If personal data has been processed, requesting information about it,

• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

• Knowing the third parties to whom personal data is transferred in the country or abroad,

• Requesting correction of personal data in case of incomplete or incorrect processing,

• Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,

• Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom personal data has been transferred,

• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

• Requesting the compensation of the damage in case of damage due to the unlawful processing of personal data,

explains that they have rights.

3. Circumstances in which the Personal Data Owner cannot assert his rights

Pursuant to Article 28 of the KVKK, the persons concerned cannot claim their above-mentioned rights in the following cases and the processing of personal data will be outside the scope of KVKK and this Policy in the following cases:

• Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.

• Processing personal data for purposes such as research, planning and statistics, by making them anonymous with official statistics.

• Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

In accordance with the article no 28/2 of KVKK, the persons concerned cannot claim the above-mentioned rights, except for the right to demand the compensation of the damage in the cases listed below:

• The processing of Personal Data is necessary for crime prevention or criminal investigation.

• Processing of personal data made public by the Personal Data Owner.

• The processing of Personal Data is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority given by the law.

• The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

4. Use of Personal Data Owner's Rights

By filling in and signing the "Relevant Person Application Form" on our website, with the information and documents that will identify the requests of the relevant persons regarding their rights listed in this Policy, and with the methods specified below;

• By personal application,

• Via notary public,

• By mail,

• By sending it to the registered e-mail address of our Company, [email protected], signed by the applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070,

They can forward it to our company.

Informing about how written applications will be delivered to us, specific to application channels:

5. The Company's Response Procedure and Time to Applications

Our company concludes the requests in the application as soon as possible and within thirty days at the latest, depending on the nature of the request. It reserves the right to request additional documents and information for identification and authority determination, in order to eliminate legal risks that may arise from illegal and unfair data sharing and especially to ensure the security of personal data. All responsibility arising from illegal or illegitimate, misleading or erroneous applications will belong to the person who made the request. Within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller, if our Company's response to the application exceeds 10 pages, a processing fee of 1 Turkish Lira will be applied for each page after page 10. Our company may accept the request or reject it by explaining the reason; gives its answer in writing or electronically. In case the request in the application is accepted, the Company fulfills the requirements of the request.

6. Right of Personal Data Owner to Complain to the Board

In cases where the application is rejected, the answer is found insufficient, or the application is not answered in due time, the data owner has the right to file a complaint with the Board within thirty days from the date of finding out the answer, and in any case within sixty days from the application date.

CHAPTER EIGHT: PERSONNEL IN CHARGE OF COMPLIANCE WITH THE POLICY

In order to manage hereby Policy and other policies related and relevant to this Policy, within the company, employees authorized and assigned to audit KVKK Compliance have been determined in accordance with the decision of the Company's senior management. These employees are authorized and responsible for taking the necessary actions for the storage, processing and transfer of the data of the persons concerned in accordance with the law, hereby Policy and other related and relevant policies. The main duties of the employees responsible for auditing on KVKK are as follows:

• To decide how the implementation and supervision of the directives and all other policies, internal directives etc. regarding the Protection, Processing and Transfer of Personal Data will be carried out, to make internal assignments within the company and to submit the issues of ensuring coordination to the approval of the senior management.

• To supervise and coordinate the implementation of the issues that need to be done in order to ensure compliance with the KVKK and the relevant legislation.

• To raise awareness within the Company and the institutions with which the Company cooperates on the Protection and Processing of Personal Data.

• To ensure that the necessary measures are taken to eliminate the risks that may arise in the personal data processing activities of the company.

• To plan and implement trainings on the protection of personal data and the implementation of policies.

• To decide on the applications of the relevant persons as quickly as possible.

• To prepare the changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.

• To follow the developments and regulations on the Protection of Personal Data; To advise senior management on what needs to be done within the Company in accordance with these developments and regulations.

• Coordinating the relations with the Personal Data Protection Board and Institution.

• To perform other duties to be assigned by the senior management of the company regarding the protection of personal data.

CHAPTER NINE: UPDATES AND CHANGES

The Company reserves the right to make changes in hereby Policy and other affiliated and related policies in line with the changes made in the Law and its related legislation, Board decisions and/or developments in the sector or in the field of informatics. Changes made in hereby Policy are immediately processed in the text and explanations regarding the changes are stated in this chapter

26/12/2019 : Personal Data Processing and Protection Policy was accepted by the Company's Board of Directors and entered into force.