This document cannot be reproduced or distributed without the written permission of Fabcio A.Ş.

PERSONAL DATA PROTECTION POLICY

1. Legal Basis

The right of everyone to demand the protection of their personal data is regulated in Article 20 of the Constitution. In accordance with the Law on the Protection of Personal Data No. 6698, the basic legal principle is that personal data can be processed only in cases stipulated by the law or with the explicit consent of the person. We attach utmost importance to the protection and processing of Personal Data in accordance with the law, and we act with this care in all our planning and activities. As the Company, we take all administrative and technical measures for the protection and processing of Personal Data, which is the basis of privacy, and we inform and warn our personnel about the legal sanctions regulated in Article 135 and the following articles of the Turkish Penal Code (TCK) No. 5237.

2. Purpose

The Law No. 6698 on the Protection of Personal Data, which is in force, regulates the protection of fundamental rights and freedoms of individuals, in particular the privacy of private life, and the obligations of natural and legal persons who process personal data, as well as the procedures and principles to be followed in the processing of personal data. The aim of our policy, which was prepared taking this regulation into account, is to ensure compliance with the obligations regarding the protection of personal data and the processing, transfer and confidentiality of the information provided within the scope of the activities carried out by our Company, by evaluating them with a risk-based approach; to determine strategies, internal controls and measures, operating rules and responsibilities; and to raise the awareness of the employees of the institution on these issues. At the same time, it aims to ensure transparency by informing the people whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions/organizations we cooperate with, and third parties.

3. Scope

This policy relates to all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system.

4. Definitions

Explicit Consent: Consent which is based on being informed about a particular subject and expressed with free will.

Anonymization: Changing personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this cannot be undone. Example: making personal data incapable of being associated with a natural person with techniques such as masking, aggregation, data corruption, etc.

Employee: Persons working in the Company pursuant to the employment contract concluded with the Company.

Employees, Shareholders and Officials of the Institutions We Collaborate with: Natural persons, including the shareholders and officials of these institutions, working in the institutions (such as but not limited to business partners, suppliers) with which the Company has all kinds of business relations.

Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic or non-automatic means provided that it is a part of any data recording system.

Personal Data Owner: The real person whose personal data is processed. For example: customers and employees.

Personal Data: Any information relating to an identified or identifiable natural person. The processing of information regarding legal persons is not within the scope of the law. For example: name-surname, TR, e-mail, address, date of birth, credit card number, etc.

Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Data on foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special data.

Customer: Natural persons who have requested or interested in using our products and services or who have been evaluated in accordance with the rules of commercial practice and good faith.

Third-party real persons (e.g. family members and relatives) who are related to these persons in order to ensure the security of commercial transactions with the said parties or to protect the rights of the said persons and to obtain benefits.

is a legal person. For example, the firm or companies that hold the Company’s data, etc.

Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (data recording system), provides the data owner with the necessary information about his personal information as a result of the request / application of the data owner, and makes the referrals.

Visitor: Real persons who have entered the physical premises of the Company for various purposes or visited our websites.

5. Abbreviations

KVKK: Law No. 6698, Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette No. 29677, dated April 7, 2016.
Constitution: The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863.
KVK Board: Personal Data Protection Board
KVK Institution: Personal Data Protection Authority
Policy: Company Personal Data Protection and Processing Policy
TCO: Turkish Code of Obligations dated 11 January 2011 and numbered 6098, published in the Official Gazette dated February 4, 2011 and numbered 27836.
TCK: Turkish Penal Code No. 5237 dated 26 September 2004, published in the Official Gazette dated 12 October 2004 and numbered 25611.
TCC: Turkish Commercial Code No. 6102 dated January 13, 2011, published in the Official Gazette dated February 14, 2011 and numbered 27846.

6. Categories of Data

The Company may save, process or transfer data relating to the following categories of data.

Identity Information: Name, surname, name of mother and father, date of birth, place of birth, marital status, identity card serial number, T.C. identity number
Contact: Address no, e-mail address, contact address, registered e-mail address (KEP)
Location: Location information
Personnel: Payroll information, disciplinary investigation, records of entry-exit documents, resume information, performance evaluation reports
Legal Action: Information in correspondence with judicial authorities, information in case file
Customer Transaction: Information such as invoice, promissory note and check information, order information, request information
Physical Space Security: Information such as entry and exit registration information of employees and visitors, camera recordings
Operational Security: Information such as IP address information, website entry and exit information, password information
Risk Management: Information such as information processed to manage commercial, technical and administrative risks
Finance: Information such as balance sheet information, financial performance information, credit and risk information
Professional Experience: Information such as diploma information, interests, courses attended, vocational training information, certificates, transcript information
Marketing: Information about shopping history, survey, cookie records, information obtained through campaign work
Visual and Audio Recordings: Information such as visual and audio recordings
Health Information: Information such as information about disability, blood group information, personal health information, device and prosthesis information
Criminal Conviction and Security Measures: Information on criminal convictions, information on security measures, etc.

7. Personal Data Processing Purposes

The Company may record, process or transfer personal data for the following purposes.

Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Application Processes of Employee Candidates
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Benefits and Benefits Processes for Employees
Conducting Audit / Ethical Activities
Conducting Educational Activities
Execution of Access Authorizations
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Execution of Company / Product / Service Loyalty Processes
Providing Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Receiving and Evaluating Suggestions for Improvement of Business Processes
Ensuring Business Continuity Activity

Execution of meat
Execution of Logistics Activities
Execution of Goods / Services Procurement Processes
Execution of Goods / Services After-Sales Support Services
Execution of Goods / Services Sales Processes
Execution of Goods / Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Execution of Performance Evaluation Processes
Execution of Advertising / Campaign / Promotion Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Conducting Social Responsibility and Civil Society Activities
Execution of Contract Processes
Execution of Sponsorship Activities
Execution of Strategic Planning Activities
Follow-up of Requests / Complaints
Ensuring the Security of Movable Property and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Foreign Personnel Work and Residence Permit Procedures
Execution of Investment Processes
Execution of Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
Creating and Tracking Visitor Records

8. Personal Data Transfer Recipient Groups

The Company may transfer personal data to the following Personal Data Transfer Recipient groups.

i. Shareholders
ii. Business Partner
iii. Affiliates and Subsidiaries
iv. Supplier
v. Community Company
vi. Authorized Public Institutions and Organizations
vii. Natural Persons and Private Law Legal Entities

9. Persons Subject to Personal Data

The Company may record, process or transfer personal data according to the following types of persons.

i. Employee Candidate
ii. Employee
iii. Shareholder/Partner
iv. Potential Product and Service Buyer
v. Intern
vi. Supplier Employee
vii. Supplier Officer
viii. Person Receiving Product or Service
ix. Visitor

10. Personal Data Retention Periods

Personal data retention periods are regulated in detail in the Personal Data Retention and Disposal Policy.

11. Deletion, Destruction or Anonymization of Personal Data

Although the personal data has been processed in accordance with the law, in the event that the reasons for the processing disappear, these data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the person concerned.
The data controller deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
The actions to be taken regarding these matters are explained in detail in the Personal Data Retention and Destruction Policy.

12. Transfer of Personal Data

Personal data obtained for processing within the framework of the general principles specified in the Law may be transferred to third parties by obtaining the explicit consent of the person concerned.

Domestic transfer: Details regarding the domestic transfer of personal data and private personal data are regulated in the Personal Data Transfer procedure.

Transfer abroad: Personal data can be transferred to countries where adequate protection exists, provided that the explicit consent of the person concerned is present and the conditions specified in the Law exist. Data transfer to countries where there is no adequate protection can be carried out in the presence of the conditions specified in the Law, in addition to the explicit consent, with the written commitment of adequate protection and the permission of the Board.

13. General (Basic) Principles in the Processing of Personal Data

Personal data will be processed in accordance with the following basic principles as detailed in the personal data processing procedure.

Compliance with the law and the rules of honesty,
Being accurate and up-to-date when necessary,
Processing for specific, explicit and legitimate purposes,
Being connected, limited and restrained with the purpose for which they are processed,
To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

14. Explicit Consent

Consent about a specific subject, based on information and expressed with free will. As detailed in the procedure for obtaining explicit consent, the Explicit Consent must be related to a specific subject, and the consent must be based on information and be disclosed with free will.

15. Disclosure Obligation

During the acquisition of personal data, the Company informs the relevant persons. As detailed in the Clarification Procedure, this information includes at least the following subjects.

Identity of the data controller and its representative, if any,
For what purpose personal data will be processed,
To whom and for what purpose personal data can be transferred,
Method and legal reason for collecting personal data,
Other rights of the person concerned as listed in Article 11 of the Law.

16. Methods of Claiming Rights of the Related Person

By applying to the Company, the persons concerned have the right to learn whether personal data relating to them has been processed, to request information about it if it has been processed, to request correction of the content of the data if it is incomplete or incorrect, to request its deletion and destruction if it is unlawful, to request notification of the third parties to whom the data has been disclosed, and to request compensation for damages due to the illegal processing of the data. The person concerned can exercise their right of application and complaint as specified in the Relevant Person Application Form.

Application: It is obligatory for the persons concerned to apply to the data controller in order to exercise their rights. A complaint cannot be made to the Board before this remedy is exhausted.

Complaint: In order for the person concerned to file a complaint, the application to the Company must have been rejected, the response given must have been insufficient, or the application must not have been answered within 30 days. It is not possible for the persons concerned to complain directly to the Board without applying to the Company.

17. Obligation to Fulfill Board Decisions

If the Board, upon a complaint or ex officio when it learns about an alleged violation, determines the existence of a violation as a result of the examination carried out in matters falling within its scope of duty, it decides that the unlawful violations will be eliminated by the Company and notifies the relevant parties of the decision. As detailed in the Fulfillment of Board Decisions procedure, the Company fulfills this decision without delay and within thirty days at the latest as of the date of notification.

18. Data Controllers Registry (VERBIS) Registration Obligation

The Company registers with, and keeps its information up to date in, the data controllers’ registration system, in which data controllers are required to register and declare information about their data processing activities, as specified in the Data Controllers Registry (VERBIS) registration procedure.

19. Personal Data Violation

In case the processed personal data is obtained by others unlawfully, the Company notifies the relevant person and the Board as soon as possible as specified in the Personal Data Breach Procedure. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

20. Personal Data Security Measures

The Company takes the following technical and administrative measures in accordance with the Company’s structure in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.

Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
There are disciplinary regulations that include data security provisions for employees.
Training and awareness activities are carried out periodically for employees on data security.
An authorization matrix has been created for employees.
Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Confidentiality commitments are made.
The authorizations of employees who have a change in duty or quit their job in this field are removed.
Current anti-virus systems are used.
Firewalls are used.
The signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system are implemented and these are also followed.
Existing risks and threats have been identified.
Protocols and procedures for special quality personal data security have been determined and implemented.
If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP or corporate mail account.
Encryption is done.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is provided.