KVKK Content

PERSONAL DATA PROTECTION POLICY

CONTENTS:

• Clarification text regarding the purpose and basis of processing your personal data and your related rights,
• Personal data retention and destruction policy,
• Deletion and destruction of personal data application form by the personal data owner to the data controller within the scope of Law No. 6988,

INFORMATION TEXT ON THE PURPOSE OF THE PROCESSING OF YOUR PERSONAL DATA, THE BASIS AND YOUR RELATED RIGHTS

A. Information on Data Controller

Ist. Organ. Leather Industry Region Alsancak Sk. Located at J6 Parcel No:3 TUZLA / İSTANBUL / TURKEY, Modax Plastik Furniture Accessories Industry and Trade. Ltd. Sti. As (“Company”), within the scope of the Personal Data Protection Law No. 6698 (“The Law”), < Data Controller > within the framework of our title; We collect and process the personal data we have listed below and personal data of special nature for the purposes stated below, in accordance with the law, and we can transfer them to third parties abroad and at home.

Your personal data collected here and for the legal reasons specified in Articles 5 and 6 of the Law (fulfillment of legal obligations, establishment and performance of the contract, legitimate interests, protection of life/body integrity, express consent) It will be processed and stored by taking the necessary information security measures, provided that it is not used outside of the purposes and scope determined by this Clarification Text, based on your express consent or the exceptions granted in the Law.

B. Information on Processed Personal Data and Processing Purposes

B.1. The data subject groups whose personal data are processed by our company in the personal data processing processes and activities related to these processes are as follows:

• a. Employee and Employee Candidates
• b. Product or Service Users and Potential Product or Service Users
• c. Supplier Employees
• d. Shareholders
• e. Regular Application Members
• f. Reference Contacts

B.2. The categories of personal data processed by our company and the types of personal data in these categories are as follows:

a. For Employees and Employee Candidates:

• i. Identity Information: name, surname, T.C. ID number, date of birth, place of birth, place of registration, nationality, name of parents, gender, name of dependents, surname, marital status
• ii. Contact Information: phone number, e-mail address, address
• iii. Personnel Information: salary, diploma, discharge certificate, whether or not she has a driver's license, driver's license, annual leave information, performance evaluation
• iv. Financial Information: IBAN number
• v. Criminal Conviction and Security Measures: criminal record
• vi. Health Information: health report, disability information, blood group, temperature measurement value
• vii. Visual and Audio Information: photo
• viii. Professional Experience Information: professional experience information, work experiences, trainings received, trainings given within the company
• ix. Biometric Data: fingerprint
• x. Transaction Security Information: signature, user name, password, IP address information, log record, time information of transactions, mobile device information, mobile device directory and traffic information
• xi. Physical Space Information: entry and exit records, camera records
• xi. Location Information: Location
• xiii. Other: Clothing size, wage information at the last place of employment, evaluations about the person, birth and death of relatives

b. For People Who Buy Products or Services and People Who Buy Potential Products or Services:

• i. Identity Information: name, surname, T.C. ID number, birthday
• ii. Contact Information: address, phone number, e-mail address, address

c. For Supplier Employees:

• i. Credential: name, surname
• ii. Contact Information: address, phone number, e-mail address, title

d. For Shareholders:

• i. Identity Information: name, surname, T.C. ID number, information on identity card
• ii. Contact Information: phone number, address
• iii. Transaction Security Information: signature
• xii. Other: number of shares and ratio

e. For Regular Loyalty Program Application Members:

• i. Identity Information: name, surname, date of birth, gender
• ii. Contact Information: phone number, e-mail
• iii. Marketing Information: type of product purchased, date of purchase, purchase price
• iv. Customer Transaction Information: type of product purchased, date of purchase, purchase price

f. For Reference Persons:

• i. Identity Information: name, surname,
• ii. Contact Information: phone number, workplace

B.3. The processing purposes and processes of personal data of data subject groups whose personal data are processed by our company are as follows:

a. For Employees and Employee Candidates:

• i. Evaluation of the employee candidate
• ii. Making a job offer to the employee candidate
• iii. Keeping employee personal records and executing payroll processes
• iv. Communicating with the employee
• v. Making SGK records, İşkur inquiries and notifications of the employees
• vi. Confirmation that the activities are carried out in accordance with the legislation
• vii. Determination of wages and fringe benefits of employees and their payment
• viii. Execution and supervision of business activities
• ix. Ensuring the occupational health and safety of employees
• x. Execution of the assignment processes of the employees
• xi. Execution of talent/career development activities of employees
• xii. Execution of compensation policy
• xiii. Allocating e-mail addresses to employees
• xiv. Giving domain passwords to employees
• xv. Authorizing employees to access the ERP system
• xvi. Ensuring workplace physical space security
• xvii. Execution of information security processes
• xviii. Intra-company birthday celebration, in-company social information

b. For People Who Buy Products or Services and People Who Buy Potential Products or Services:

• i. Receiving an order
• ii. Carrying out shipments
• iii. Contacting about orders and shipping
• iv. Keeping accounting records
• v. Invoicing
• vi. Execution of customer relationship management processes
• vii. Utilizing Wi-Fi service

c. For Supplier Employees:

• i. Execution of goods / services purchasing processes

d. For Shareholders:

• i. Execution of the company's General Assembly meeting processes

e. For Regular Application Members:

• i. Registering a member
• ii. Execution of the regular application
• iii. Conducting market research within the scope of regular practice
• iv. Sending commercial electronic messages for advertising and marketing purposes
• v. Execution of customer relationship management processes

f. For Reference Persons:

• i. Evaluation of the employee candidate

C. Persons and Transfer Purposes of Processed Personal Data

The Company transfers personal data to third parties only for the purposes listed above and in accordance with Articles 8 and 9 of the Law.

In this context, the employee's identity information, personal information, financial information, contact information, professional experience information, transaction security information and physical space security information are shared with business partners in order to receive consultancy services in legal disputes; with banks for the purpose of making wage and financial information labor payments; Identity information, personal information, financial information, contact information, criminal conviction and security measures and disability information are shared with official institutions and organizations in order to fulfill legal obligations

The name, surname, telephone and address information of the Persons Receiving the Product or Service and the Persons Receiving the Potential Product or Service with the cargo companies for the purpose of sending the purchased product; Name-surname, email, phone and birthday information, execution of customer relations management processes, providing wi-fi internet access service within this scope with the business partner serving our Company and abroad due to the presence of the servers of the said business partner abroad; and the name, surname, TCKN and address information of the invoiced persons are shared with official institutions and organizations in order to fulfill their legal obligations.

The name, surname, TR identity number, address, share rate and signature data of the shareholders, information in the identity card are shared with authorized institutions and organizations within the scope of the execution of the procedures regarding the Company's general assembly meetings.

The mobile phone number and/or e-mail address of the Regular Application Members, in line with their shopping preferences, tastes and habits, in order to make promotions, advertisements, offer benefits and opportunities, in this context, with the business partner providing infrastructure services to our Company and the servers of the said business partner abroad. Due to its location abroad, name, surname, date of birth, gender, phone number, e-mail address, type of product purchased, date of purchase and purchase data Muavim Application is provided within the scope of providing infrastructure services, execution of the application and conducting market analysis studies. It is shared with the provider business partner and abroad because the servers of the said business partner are abroad.

D. Personal Data Collection Method and Legal Reason

Your personal data mentioned above and personal data of special nature can be sent verbally, electronically or in writing through our website, our mobile application of our loyalty program called Regular, contact forms, job applications, e-mail, and other communication channels. It is collected in accordance with the data processing conditions and in line with the legal reasons stated here.

E. Your rights

As a personal data owner, you can use the following rights at any time by applying to our Company, which is the Data Controller, within the scope of Article 11 of the Law

• a. Learning whether his personal data is processed,
• b. Requesting information about the processed personal data, if any,
• c. Learning the purpose of processing personal data and whether this data is used in accordance with the purpose,
• d. Knowing the third parties to whom personal data has been transferred, correcting the errors in their personal data and requesting this correction from the relevant third party if the transfer has been made,
• e. In the event that the reasons requiring the processing of personal data disappear, to request that these data be deleted, destroyed or anonymized within thirty days in accordance with the Regulation on the Deletion, destruction or Anonymization of Personal Data, and if the transfer has been made, to request that this request be forwarded to the transferred third party,< /li>
• f. Objecting to a negative result related to the person as a result of the processed data,
• g. In case of damage due to illegal data processing, they have the right to claim the damage within the framework of the law.

F. Application Path

In order to convey your requests listed above, using the Application Form on our website and the Regular Mobile Application and to the contact addresses specified in the Application Form; (i) by notary public, (ii) by registered letter with return receipt via PTT, (iii) by electronic signature to our Company's registered electronic mail (KEP) address within the scope of Law No. 5070 or (iv) via your electronic mail address previously notified to our Company and registered in our Company's system. You can always contact our Company by making an application.

Written applications containing the above-mentioned requests to our company from the data owner will be responded to within a maximum of 30 (thirty) days and necessary actions will be taken. Applications will be made free of charge, unless the Personal Data Protection Board publishes a fee schedule. If the answers to the applications exceed 10 (ten) pages, a processing fee of 1.00 (one) TL will be charged for each page. If the answer is requested to be given in a recording medium such as CD, flash memory, a fee will be charged according to the cost of the requested recording medium.

PERSONAL DATA STORAGE AND DISPOSAL POLICY

1. Purpose, Scope and Enforcement of Personal Data Policy

Our company Modax Plastik Furniture Accessories Industry and Trade. Ltd. Sti. (“Company”) is extremely sensitive to the protection of personal data and has been subject to legislation since 7 April 2016, the effective date of the Personal Data Protection Law (“Law”). carries out the necessary studies to ensure full compliance with its provisions.

This Personal Data Storage and Disposal Policy prepared within the framework of these studies (“Policy”), < data controller > Regarding the processing, storage and destruction of personal data and/or sensitive personal data (collectively, "Personal Data") within the scope of the Law of real persons who are in contact with our Company (whose groups of persons are specified in our Clarification Text) It has been prepared for the purpose of determining the procedures and principles and covers the persons listed in our Clarification Text.

This Policy text entered into force on __ _______ 2019. In case of changes or updates in the policy text, you will be able to see the information on the changed issues under the relevant heading at the end of the Policy.

2. Recording Media

Your Personal Data is kept securely by our Company in the following environments, in accordance with the law.

3. Storage of Personal Data

3.1. Purposes Requiring Storage of Personal Data

Personal Data are processed within the scope of our Company's activities, within the scope of the purposes set out in our Clarification Text, and are stored in accordance with the burden of proof in case of legal disputes that may arise in the future.

3.2. 3.2. Storage Periods

Personal Data belonging to the persons listed in our Clarification Text used in company activities will be processed during the continuation of the activity, provided that the purpose of use of the data continues, and will be stored for the periods stipulated in the relevant laws and sub-legislation or for the periods required to be kept after the purpose of use disappears, and when these periods expire It will be deleted, destroyed or anonymized in accordance with the provisions of the Regulation on the Deletion, Destruction and Anonymization of Personal Data.

In this context, the relevant legislation regulations that our Company is subject to and that require a retention period for Personal Data are shown below:

Turkish Code of Obligations No. 6098 · Social Insurance and General Health Insurance Law No. 5510 · Law No. 6331 on Occupational Health and Safety · Labor Law No. 4857 · Turkish Commercial Law No. 6102 · Law No. 6563 on the Regulation of Electronic Commerce · In force in accordance with these laws Other secondary regulations

Except for the legislation, Personal Data is stored by our Company for the following periods, after the purpose of use ceases:

4. Technical and Administrative Measures Taken by Our Company

The following technical and administrative measures are taken by our Company, in accordance with the legislation, in order to ensure that your Personal Data is kept securely and to prevent unlawful processing and access.

4.1. Administrative Measures

• Limited access to data is provided within the company.
• Commitment is taken from people who can access the data.
• Confidentiality agreements are made.
• Security of environments containing personal data is ensured.
• Works are carried out to improve the qualifications and technical knowledge/skills of the employees.
• Unlawful processing of personal data is prevented.
• Unlawful access to Personal Data is prevented.
• Personal Data is protected in accordance with the law.
• Employees are trained on communication techniques and relevant legislation.
• A disciplinary procedure is applied for employees who do not comply with security policies and procedures.
• The obligation to inform the relevant persons is fulfilled.
• Periodic and random audits are carried out within the institution.
• Information security trainings are provided for employees.
• Printed materials containing Personal Data are kept in locked cabinets.

4.2. Technical Measures

• Network security and application security are provided.
• A closed system network is used for personal data transfers via the network.
• Key management is implemented. Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The authority matrix has been created for the employees.
• Access logs are kept regularly.
• The authorizations of employees who have a change of job or quit their job in this field are removed.
• Current anti-virus systems are used.
• Firewalls are used.
• User account management and authorization control system is implemented and these are also followed.
• Log records are kept without user intervention.

5. Deletion, Destruction and Anonymization of Personal Data

The Company will delete, destroy or anonymize the Personal Data it is processing in accordance with the procedures specified in the relevant provisions of the Law and the Regulation on the Deletion, Destruction and Anonymization of Personal Data, in case the conditions requiring the processing of the data cease to exist.

In addition, Personal Data whose storage and processing periods have expired as set by the law within the framework of the relevant legislation provisions and Article 138 of the Turkish Penal Code will be deleted, destroyed or anonymized by the same procedures.

Personal Data required to be deleted, destroyed or anonymized within the framework of the relevant regulation and the destruction policy specified in this Policy will be destroyed by the Company by following the deletion, destruction or anonymization procedures specified below, as of the date of publication of this Policy.

5.1. Reasons for Destruction

Personal Data;

• Changing or repealing the provisions of the relevant legislation, which are the basis for processing,
• The disappearance of the purpose that requires processing or storage,
• In cases where the processing of Personal Data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
• According to Article 11 of the Law, the application made by the Company for the deletion and destruction of Personal Data within the framework of the rights of the person concerned is accepted by the Company,
• In cases where the application made to the Company with a request for the deletion, destruction or anonymization of Personal Data by the person concerned is rejected, the response of the Company is found to be insufficient, or the Company does not respond within the time stipulated in the Law; the person concerned makes a complaint to KVKK and this request is approved by KVKK,
• The maximum period for keeping the Personal Data specified in this Policy has passed, and there are no conditions to justify keeping the Personal Data for a longer period of time,

, it is deleted, destroyed or anonymized by the Company

5.2. Destruction Techniques

Your Personal Data will be destroyed by the following techniques in accordance with the provisions of the relevant legislation:

a. Delete

b. Destroy

c. Making Anonymous

Personal Data is rendered incapable of being associated with an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning personal data by the Company or third parties and/or matching the data with other data.

5.3. Periodic Disposal Period

Our company has determined the period of periodic destruction as 6 months, and periodic destruction is carried out in May and November every year.