Privacy Policy

COOKIE POLICY

Mhacare Health Tourism Construction Trade Co. Inc. ("Healmedy"), like many websites, uses cookies to enable visitors to experience the website better.

This Cookie Policy has been prepared to inform website visitors about the definition of the cookie, the types of cookies, the cookies used by Healmedy and how to manage cookie preferences. If the cookie usage warning on the website is turned off or the website usage is continued, the consent to the cookies is accepted.

If you do not consent to the use of cookies, we ask that you do not continue with the website or change your cookie preferences in your browser. We would like to remind you that if cookies are not allowed, some features of the website may lose their functionality.

WHAT IS A COOKIE?

A cookie is a small text file that is stored on your computer or mobile device when you visit a website. In these files, data such as your IP address, session information, the pages you access, etc. are stored. Cookies do not contain data such as first and last name or address. Cookies can help you remember your website preferences, keep you logged in, or present you with content you're interested in.

For detailed information about cookies, you can visit www.aboutcookies.org and www.allaboutcookies.org addresses.

TYPES OF COOKIES

Cookies are divided into different types according to criteria such as the length of time they are stored on mobile devices and by whom they are placed. The main distinction under these criteria is as follows:

• Session Cookies/Persistent Cookies: Session cookies are temporary cookies that are deleted from the device after closing the browser. The main function of these cookies is to ensure the proper functioning of the website. Persistent cookies remain on the device after closing the browser until they are deleted or expired by the visitor.

• First Party/Third Party Cookies: First-party cookies are cookies placed on the device by the visited website operator. Third-party cookies are cookies that are placed on the device and controlled by people other than the website operator visited.

WHICH COOKIES DO WE USE?

Healmedy uses different types of cookies in accordance with its  Personal Data Protection and Processing Policy.

Mandatory Cookies: These are technical cookies that ensure the correct operation of the website and allow you to use its features. They are included in the session cookie category. If these cookies are blocked, it is the result of the inability to use the website features. The consent of our visitors is not required for the use of mandatory cookies.

Analytical Cookies: Healmedy uses analytical cookies to improve your website experience. Analytical cookies allow us to understand how our visitors use the website (e.g. which pages they visit, the duration of their visit, etc.). In this way, Healmedy can improve the content it offers or change the website design. Google Analytics, one of the web analysis tools, is used for analytical purposes. Detailed information about web tracking can be found in the Google Privacy Policy. Click here to opt out of Google Analytics.

Functionality Cookies: Allow your language preferences, region selection, etc. to be remembered when you visit the website again.

Targeting/Advertising Cookies: Healmedy uses different first-party and third-party cookies for targeting and advertising purposes on its website. It is possible to block these cookies by changing the settings of your browser.

SOCIAL MEDIA PLUGINS: Various social media plugins are integrated into the Healmedy website and mobile app. When clicking on one of the integrated social media buttons, some of your information is shared with social media providers. If you are logged in to your social media account at the same time or social media cookies are stored in your browser, the social media provider may recognize your visit on our website or mobile application and display these activities on your social media profile.

Even if you do not have an account on a social network (e.g. Facebook), are not logged in to the provider of the plug-in or have not clicked on the plugin, it is possible for social media providers to record information such as the URL or IP address of a visited website.

In order to prevent social networks from associating your visit to the Healmedy website with your user accounts, you must log out of your user account before visiting our website.

For more information on the social media plugins integrated on the Healmedy website and mobile app, we recommend that you read the privacy policy of the relevant social media platform.

Facebook: https://tr-tr.facebook.com/privacy/explanation

Twitter: https://twitter.com/en/privacy#update

Google/Youtube: https://policies.google.com/privacy?hl=tr&gl=ZZ

Pinterest: https://policy.pinterest.com/tr/privacy-policy

Instagram: https://help.instagram.com/155833707900388

Linkedin: https://www.linkedin.com/legal/privacy-policy?_l=tr_TR

HOW CAN YOU CHANGE YOUR COOKIE PREFERENCES?

You can personalize cookies by changing the settings of the browser you are using or block them altogether. You can find detailed information about the steps to follow for different browsers from the links below:

To manage cookie preferences in other browsers, you can review the help or support page of that browser. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

• By applying to Healmedy as the data owner;
• To learn whether your personal data is processed or not,
• If your personal data has been processed, to request information about it,
• To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom your personal data is transferred at home or abroad,
• In case your personal data is processed incompletely or incorrectly, to request their correction and to request that the transactions carried out within this scope are notified to the third parties to whom your personal data is transferred,
• To request the deletion or destruction of your personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the Law No. 6698 and other relevant laws, and to request that the transactions carried out within this scope be notified to the third parties to whom your personal data is transferred,
• To object to the occurrence of a result against you by analyzing your processed data exclusively by means of automated systems,
• If you suffer damage due to unlawful processing of your personal data, you have the right to request compensation for the damage.

If you submit your requests regarding your rights listed above to Healmedy in accordance with the application procedures stipulated in the Communiqué on the Principles and Procedures of Application to the Data Controller, Healmedy will conclude your request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature. However, if the transaction requires an additional cost, Healmedy may charge the fee in the tariff determined by the Personal Data Protection Board. You can find more detailed information about the processing of your personal data by Healmedy and ensuring data security from the Healmedy Personal Data Protection and Processing Policy.

Mhacare Health Tourism Construction Trade Co. Inc.

PERSONAL DATA PROTECTION POLICY

25/03/2020 1.INTRODUCTION 1. 1. Definitions 1. 2. Purpose and Scope of KVK Policy 2. PROCESSING OF PERSONAL DATA 2. 1. General Principles Regarding the Processing of Personal Data 2. 2. Terms of Processing Personal Data 2. 3. Purposes of Processing Personal Data 2. 4. Method of Collection of Personal Data 3. TRANSFER OF PERSONAL DATA 4. STORAGE AND DESTRUCTION OF PERSONAL DATA 5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA 6. RIGHTS OF THE PERSONS CONCERNED OVER THEIR PERSONAL DATA 7. CHANGES TO BE MADE IN THE KVK POLICY 1. INTRODUCTION Protection of personal data, Mhacare Sağlık Turizm İnşaat Ticaret A.Ş. (hereinafter referred to as the "Company") is an important issue for . The Company has kept the personal data obtained from real persons confidential within the scope of the activities it has carried out since the day it was established and has taken all kinds of technical and administrative measures to protect personal data and ensure data security. The Company adopted and implemented the confidentiality of personal data as a working principle before April 7, 2016, when the Law on the Protection of Personal Data No. 6698 entered into force.   The Company carries out all its activities in the T.C. In order to carry out in accordance with the Constitution and the KVK Law and the secondary legislation on the subject, it adopts all the principles stipulated by the KVK Law and fulfills its obligations regarding the processing, deletion, destruction, anonymization, transfer, clarification of the relevant person and ensuring data security of personal data. This KVK Policy, which is regulated within this scope, is offered to the access of real persons whose personal data are processed. 1.1. DEFINITIONS

1.2. PURPOSE AND SCOPE OF THE KV POLICY This KVK Policy explains the issues related to the acquisition, use, transfer, destruction and other processing of personal data by the Company, the technical and administrative measures taken by the Company for the protection of personal data and the rights of the relevant persons. This KVK Policy;

• Employees
• Employee candidates,
• Shareholders of the company,
• Company officials,
• Visitors
• Employees of the institutions with which they cooperate,
• Those who access all types of applications and services offered by the Company, and
• Third parties

It is applied for personal data processed within the scope of KVK Law. The personal data obtained by obtaining the explicit consent of the relevant persons or within the scope of other cases of compliance with the law listed in the KVK Law are processed for the purposes of fulfilling the legal obligations of the Company, providing its services as required, increasing the quality of the services provided and improving the quality policy and other purposes specified in this KVK Policy. 2. PROCESSING OF PERSONAL DATA 2.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA The Company complies with the principles listed in Article 4 of the KVK Law while carrying out personal data processing activities. Being in compliance with the law and good faith: The Company questions the source of the personal data obtained from the relevant person or third parties and attaches importance to the fact that they are obtained and processed in accordance with the law and within the framework of honesty rules. In this context, the Company makes the necessary warnings and notifications to the third parties to whom it transfers personal data for the protection of personal data. Being accurate and up-to-date when necessary: The Company attaches importance to the fact that all data within its legal entity are correct information, do not contain false information and finally update the personal data in case of changes in these when they are communicated to it. The Company pays reasonable care and attention to the accuracy and timeliness of the personal data declared by its customers or third parties who come into contact with it. Processing for specific, explicit and legitimate purposes: The Company sets out the legitimate and lawful data processing purposes in a specific and clear manner before starting the personal data processing activity. Personal data are not processed except for the purposes determined in this way. Being relevant, limited and proportionate to the purpose for which they are processed: The Company carries out personal data processing activities limited to the purpose for which they are processed. Personal data that are not related to the specified purpose are not processed by the Company. Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: The Company retains the personal data for the period stipulated by the legislation or required by the purpose of processing. On the other hand, when the period stipulated by the legislation expires or when all the purposes of processing are eliminated, it deletes, destroys or anonymizes personal data. The principles in question are; It applies regardless of whether the Company has processed personal data on the basis of explicit consent or in accordance with other data processing requirements. At this point, the Company processes personal data in accordance with the data processing conditions and general principles and fulfills its obligation to clarify. 2.2. CONDITIONS OF PROCESSING OF PERSONAL DATA The Company processes personal data with explicit consent or in cases where it is considered in accordance with other data processing conditions:

• To be explicitly stipulated in the laws.
• It is mandatory for the protection of the life or bodily integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not recognized as legally valid.
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract.
• It is mandatory for the data controller to fulfill its legal obligation.
• It has been made public by the person concerned.
• Data processing is mandatory for the establishment, exercise or protection of a right.
• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data processing is mandatory for the legitimate interests of the data controller.

According to the KVK Law, race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature. In the processing of personal data of special nature, the Company takes additional measures stipulated by the KVK Law and the Personal Data Protection Board. In the processing of personal data of special nature, the data processing conditions listed in Article 6 of the KVK Law and the additional measures announced by the Personal Data Protection Board are complied with. In this context, personal data of special nature are processed in the following cases:

• Explicit consent of the person concerned
• The processing of personal data of special nature other than health and sexual life is stipulated in the laws.
• Processing of data related to health and sexual life by persons under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

The procedures and principles regarding the processing, destruction and protection of personal data of special nature are regulated by the Company's Policy on the Protection and Processing of Personal Data of Special Nature. 2.3. PURPOSES OF PROCESSING PERSONAL DATA The Company processes personal data for the following purposes within the framework of the legal reasons set forth in Article 5 and 6 of the KVK Law: Within the scope of planning and execution of human resources activities; The personal data of the employee candidates are processed for the purpose of evaluating the suitability for the job and carrying out the personnel procurement processes, the personal data of the employees are processed for the purposes of performance of the employment contract, establishment of benefits, execution of promotion/premium/increase processes, fulfillment of obligations arising from the legislation to which the Company is subject, especially the Labor Law, realization of social insurance processes, evaluation of employee performance, etc. In addition, the Company shall disclose personal data within the scope of ordinary company activities and services provided to its customers; planning and execution of corporate sustainability activities, event management, management of relations with business partners or suppliers, execution/follow-up of financial reporting and risk management transactions, execution / follow-up of legal affairs, planning and execution of corporate communication activities, execution of corporate governance activities, realization of corporate and partnership law transactions, demand and complaint management, management of investor relations, Company buildings and facilities security, creation and follow-up of visitor records, determination and implementation of the Company's commercial and business strategies, resolution of the problems and complaints of the relevant persons, ensuring satisfaction and providing an effective service, responding to information requests from administrative and judicial authorities, ensuring compliance with legal processes and legislation, ensuring information and transaction security and preventing malicious use, etc. In the event that the processing activity carried out for the aforementioned purposes does not meet any of the other data processing requirements stipulated under the KVK Law, explicit consent is obtained from the relevant person by the Company regarding the relevant data processing process. 2.4. METHOD OF COLLECTING PERSONAL DATA The Company collects personal data through contracts, digital media, notifications from administrative and judicial authorities, audio, electronic or written media, physical and electronic media in accordance with the personal data processing conditions specified in the KVK Law and in accordance with the legal reasons specified in this KVK Policy. The personal data in question are mainly processed within the scope of this KVK Policy for the purpose of establishing a contract and providing better service to the relevant persons. In this context, personal data can be obtained when the services offered by the Company are utilized, when a legal relationship is established with the Company (purchase, intermediary, work, etc.) or when the Company is contacted by means of (mail, e-mail, etc.) regarding the services. The Company adopts the principle of acting in accordance with the law when obtaining personal data from both its business partners and solution partners. Data is collected from business partners and solution partners with the commitment of data confidentiality and only as much as the service requires, and measures are taken to ensure data security at this point. The Company processes the personal data of its employees as much as it is necessary for business relations and in other cases permitted by the relevant legislation without obtaining consent and ensures the confidentiality and protection of the personal data of its employees. 3. TRANSFER OF PERSONAL DATA The Company transfers personal data to third parties only in line with the purposes specified in this KVK Policy and in accordance with Articles 8 and 9 of the KVK Law. In this context, the Company will be able to transfer the personal data it collects to the following persons and institutions for certain purposes:

• To the business partners of the Company limited to ensure the fulfillment of the purposes for which the business partnership was established,
• To the Company's suppliers, limited to the Company's suppliers, in order to ensure that the services provided to the Company by the Company outsourced from the supplier and necessary to carry out the Company's commercial activities,
• To the Company's customers,
• Upon request, to the authorized public institutions and organizations,
• To the Company's solution partners,

The purpose of the Company's sharing of personal data is to provide access to the services, to fulfill its legal obligations, to ensure the implementation of the contract concluded with the relevant person, to carry out purchase and sale transactions or to prevent and detect fraudulent or illegal activities related to the services and to carry out other commercial activities in accordance with the law. The Company adopts the principle of acting in accordance with the law in its data sharing activities. Data is shared with third parties to whom personal data are transferred only to the extent required by the service. Maximum care is taken to ensure that these parties take measures regarding data security. The personal data subject to the above-mentioned domestic and international transfer, in addition to the technical measures to ensure data security; it is also legally protected through data transfer contracts. The Company processes the personal data; may share this information with public institutions and organizations that are legally authorized to request this information in order to fulfill its obligation to the law (in cases where the Company has a legal or administrative obligation to notify or provide information, including but not limited to the fight against crime, threat to state and public security and so on). 4. STORAGE AND DESTRUCTION OF PERSONAL DATA In accordance with the KVK Law, personal data are kept accurate and up-to-date and kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. This period is determined separately for each personal data category, and after the expiration of this period, the relevant personal data are deleted, destroyed or anonymized at the end of the periodic destruction periods determined in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. Deletion of personal data, making personal data inaccessible and unreusable for the relevant users in any way; destruction of personal data, making personal data inaccessible, irretrievable and unreusable by anyone in any way; anonymization of personal data means that personal data cannot be associated with an identified or identifiable real person under any circumstances, even if it is matched with other data. In this context, the Company has determined the necessary periodic destruction periods and established a Personal Data Storage and Destruction Policy. The Company records all transactions related to the deletion, destruction and anonymization of personal data and keeps such records for at least three years, excluding other legal obligations. When the relevant persons apply to the Company and request the deletion or destruction of their personal data, the Company;

• If all the conditions for processing personal data have been eliminated, it deletes, destroys or anonymizes the personal data subject to the request. It concludes the request of the relevant person within thirty days at the latest and informs the relevant person.
• If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, it shall notify the third party; ensures that the necessary actions are taken before the third party.
• If all the conditions for processing personal data have not been eliminated, it may reject this request by explaining the reason in accordance with the third paragraph of Article 13 of the KVK Law and notify the relevant person of the rejection response in writing or electronically within thirty days at the latest.

5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA The Company takes technical and administrative measures according to technological facilities and application cost to ensure that personal data is processed in accordance with the law. The technical and administrative measures taken for the protection of personal data are implemented with care and additional measures in terms of special quality personal data and the necessary audits are periodically provided at the highest level within the Company. The Company has taken all appropriate security measures to ensure that personal data is processed only within the scope of the purposes specified in this KVK Policy and to reduce risks such as malicious use, unauthorized access, sharing, destruction or modification of personal data. These security measures include other measures taken in matters such as the transfer of personal data to countries that may not provide an adequate level of data protection. Personal data is confidential and the Company respects this confidentiality. Personal data can only be accessed by authorized persons within the Company. In this context, it is ensured that the software complies with the standards, that third parties are carefully selected and that the data protection policy is complied with within the Company. Within the scope of the technical and administrative measures taken by the Company to ensure data security;

• It organizes regular trainings and awareness activities on the protection of personal data for its employees.
• The Company creates policies based on the personal data processing inventory and establishes the necessary processes for the implementation of the policies.
• The Company identifies the risks within the scope of personal data protection law and carefully carries out studies to eliminate the risks. In this context, it creates active lighting and open consent channels.
• It carries out periodic audits within the Company in order to fulfill the obligations related to the protection of personal data law.
• It provides legal consultancy services on a continuous basis on compliance with the updated legislation.
• It establishes a separate policy for the protection of personal data of special nature and implements additional measures determined by the Board.
• It implements the necessary measures such as data sharing agreement etc. in managing the relations with the data processors.
• It uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption.
• It uses virus protection systems, secure databases, servers, firewalls.
• In order to protect personal data in the light of current technological developments, including the encryption of electronic mail information, it analyzes the risk situation and takes the widest and most appropriate preventive security measures.
• It creates a secure technical infrastructure to ensure the security of the databases where personal data will be stored.
• It determines the procedures for reporting the technical measures taken and audit processes.
• It takes other administrative measures regarding the protection of personal data.
• Safety-related measures are periodically renewed and improved.

In the event that personal data is damaged or falls into the hands of unauthorized third parties as a result of attacks on the platforms or the Company's system operated by the Company, despite the Company's taking the necessary information security measures, the Company shall immediately take action to remedy the violation and minimize the damage of the data subject. The Company immediately notifies the relevant persons and the Board of this situation and takes the necessary measures. 6. RIGHTS OF PERSONS CONCERNED OVER PERSONAL DATA According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. In this context, the rights of the data subject over their personal data are listed as follows in Article 11 of the KVK Law:

• To learn whether your personal data is processed or not,
• Request information about this if personal data is processed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom their personal data are transferred domestically or abroad,
• If their personal data is processed incompletely or incorrectly, to request their correction,
• Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law,
• Requesting that these deletion, destruction or correction procedures be notified to third parties to whom personal data are transferred,
• To object to the occurrence of a result against the data owner by analyzing the processed data exclusively by means of automated systems,
• Requesting the compensation of the damage in case the personal data is damaged due to the processing of the KVK Law.

In the event that the relevant persons submit their requests regarding the above-mentioned rights to the Data Controller in accordance with the application procedures stipulated in the Communiqué on the Principles and Procedures of Application, the Company shall conclude this request free of charge as soon as possible and within 30 (thirty) days at the latest according to its nature. However, if the transaction requires an additional cost, the Company may receive the fee in the tariff determined by the Board. Within the scope of the above-mentioned rights, the relevant person may submit his / her requests in writing or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified to the Company by the relevant person and registered in the Company's system. In the application made;

• Name, surname and signature if the application is in writing,
• T.R. identity number for citizens of the Republic of Turkey, nationality for foreigners, passport number or identity number, if any,
• The address of the place of residence or place of business for the notification,
• The electronic mail address, telephone and fax number, if any, for the notification,
• Subject of the request

and information and documents related to the subject must be attached to the application. Applications will only be evaluated if they are in Turkish. In order for third parties to request an application on behalf of the relevant persons, there must be a special power of attorney issued by the relevant person on behalf of the person to be applied through a notary. BC CHANGES TO BE MADE TO THE KVK POLICY The Company may make changes to this KVK Policy at any time. These changes take effect on the day the new amended KVK Policy is published. In order to be informed of the changes in this KVK Policy, necessary information will be provided to the relevant persons.

DATA OWNER APPLICATION FORM

IMPORTANT NOTE: Applications must be in person's person. An application cannot be made on behalf of spouse, relative, child, etc. If the Company suspects the identity of the applicant, it may request verification information from the person. In the event that the information regarding your requests submitted within the scope of the form is not accurate and up-to-date or an unauthorized application is made, our Company does not accept responsibility for such incorrect information or requests arising from unauthorized application.

1. INFORMATION ABOUT THE APPLICANT

Please fill in the following information completely:

2. APPLICANT'S REQUESTS

Within the scope of the Law on the Protection of Personal Data, please specify your request in detail below:

If any, please specify the documents that form the basis of your application: Annex-1: …………………… Annex-2: …………………… Annex-3: ……………………………..

3. APPLICANT'S STATEMENT

In line with the above-mentioned requests, I would like to request that my application to your Company be evaluated and informed to me. I declare and undertake that the documents and information I have provided to you in this application are accurate and up-to-date and belong to me. I consent to the processing of the information and documents I provide in the application form by your Company limited to the purposes of evaluating and replying to the application I have made, delivering my application to me, and determining my identity and address. I would like the application to be answered in one of the ways I have marked below

POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

3. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals are personal data of special nature. The Company complies with the provisions of the Law and other legislation in the processing of personal data of special nature. Accordingly, personal data of special nature are processed in accordance with the following principles:

• Being in compliance with the law and good faith rules
• Be accurate and up-to-date when necessary
• Being relevant, limited and proportionate to the purpose for which they are processed
• Processing for specific, explicit and legitimate purposes
• Retention for the period stipulated in the legislation or required for the purpose for which they are processed

Personal data of special nature other than health and sexual life are processed by the Company in cases where the explicit consent of the data owner is obtained or in the cases stipulated by the laws. Data related to health and sexual life are processed in cases where the explicit consent of the data owner is obtained or for the purpose of protecting public health, conducting medical diagnosis, treatment and care services, preventive medicine, planning and management of health services and their financing. 4. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA OF SPECIAL NATURE The Company takes all kinds of measures to ensure the processing of personal data of special nature in accordance with the Law and the relevant legislation and to ensure the security of personal data of special nature. The measures taken in this context are listed below: 4.1. ADMINISTRATIVE MEASURES The Company provides regular trainings on the protection and processing of special quality personal data for employees who take part in the processing processes of special quality personal data. The Company concludes confidentiality agreements with its employees to ensure data security. Users who are authorized to access the data, their scope and duration of authorization are clearly defined and periodic authorization checks are carried out. Employees who have a change of duty or leave their job are immediately removed from accessing personal data. The Company immediately receives back the inventories allocated to the employees within this scope. 4.2. TECHNICAL MEASURES 4.2.1. Technical Measures Taken in Respect of Personal Data of Special Nature Stored and/or Accessed in Electronic Environment

• Personal data of special nature are stored using cryptographic methods.
• Cryptographic keys are held in secure and diverse environments.
• Transaction records of all movements performed on personal data of special nature are logged securely.
• Security updates for environments with special quality personal data are constantly monitored, necessary security tests are regularly carried out / performed and test results are recorded.
• User authorizations are made for the software from which special quality personal data are accessed, security tests of these spellings are regularly carried out / made and the test results are recorded.
• Remote access to personal data of special nature is technically prevented.

4.2.2. Technical Measures Taken in Respect of Personal Data of Special Nature Stored and/or Accessed in the Physical Environment

• Adequate security measures are taken according to the nature of the environment in which the personal data of special nature is located.
• The physical security of these environments is ensured and unauthorized entries and exits are prevented.

5. TRANSFER OF PERSONAL DATA OF SPECIAL NATURE The Company transfers personal data of special nature within the framework of the data processing conditions in Articles 8 and 9 of the Law. In order to ensure data security, the following rules are applied by the Company in data transfer and periodic audits are carried out in this context.

• Transfer via Email

In cases where personal data of special nature are transferred via e-mail, the transfer is made encrypted with the corporate e-mail address or by using the Registered Electronic Mail (KEP) account.

• Transfer via media such as portable memory, CD, DVD

In cases where personal data of special nature are transferred through media such as portable memory, CD, DVD, encryption is carried out by cryptographic methods and the cryptographic key is kept in a different environment.

• Transfer between servers in different physical environments

In the transfer of personal data of special nature between servers in different physical environments, data transfer is carried out by establishing VPN between servers or by sFTP method.

• Transfer via Paper Media

If it is necessary to transfer personal data of special nature through paper media, necessary precautions are taken against risks such as theft, loss or unauthorized persons of the document and the document is sent in the format of "confidential documents". 6. STORAGE AND DESTRUCTION OF PERSONAL DATA OF SPECIAL NATURE Personal data of special nature are stored by the Company in accordance with the Law and other legislation and the decision of the Adequate Measures to be Taken by the Data Controllers in the Processing of Personal Data of Special Nature published by the Board in the following cases:

• The explicit consent of the data subject has been obtained
• The storage of special quality personal data other than health and sexual life is stipulated in the laws
• Retention of data on health and sexual life for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing

Personal data of special nature stored by the Company in accordance with the Law and other legislation shall be deleted, destroyed or anonymized ex officio or upon the request of the data owner if the following reasons arise:

• In cases where the personal data storage activity of special nature is based on the explicit consent of the data owner, the explicit consent is withdrawn.
• The purpose of storing personal data of special nature has been realized, has become impossible or has disappeared in any other way
• Amendment or abolition of the provisions of the legislation that form the basis for the storage of personal data of special nature
• The fact that all of the processing conditions in Article 6 of the Law have been eliminated
• The request of the data owner regarding the destruction of the special quality personal data duly transmitted to the Company is justified by the Company and concluded positively by the Company
• In the event that the Company rejects the application made to it by the data owner with the request for the destruction of its personal data of special nature, if the response given is found to be insufficient or if it does not respond within the period stipulated in the Law; A complaint is made to the Board and this request is approved by the Board.

Other issues related to the storage and destruction of personal data of special nature are regulated in the Personal Data Retention and Destruction Policy of the Company. BC UPDATE The changes to this Policy are shown in the table below.