Information (KVKK) Text
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. PURPOSE AND SCOPE
2. TARGET
3. DEFINITIONS AND ABBREVIATIONS
4. RESPONSIBILITIES
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
5.1-GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA
5.1.1. Carrying out Personal Data Processing Activities in Accordance with Law and the Rule of Honesty
5.1.2. Ensuring Personal Data is Accurate and Up-to-date Where Necessary
5.1.3. Processing for Specified, Clear and Legitimate Purposes
5.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
5.1.5. Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
5.2. Conditions for Processing Personal Data
5.3-Processing of Special Personal Data
5.4-TRANSFER OF PERSONAL DATA
5.4.1-TRANSFER OF PERSONAL DATA TO DOMESTIC PERSONS
5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD
5.5-COMPANY'S OBLIGATION TO INFORM
5.6-RIGHTS OF THE RELEVANT PERSON
5.7-MEASURES TAKEN FOR DATA SECURITY
5.7.1. Administrative Measures
5.7.2. Technical Measures
6- IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION
7- ENFORCEMENT AND UPDATE OF THE POLICY
1. PURPOSE AND SCOPE
The SIENA COUTURE Personal Data Processing and Protection Policy sets out the principles to be adopted by the Company and taken into consideration in practice regarding the protection and processing of personal data.
The Policy aims to determine the framework and ensure coordination of the compliance activities to be carried out specifically for the Company in order to comply with the Personal Data Protection Law No. 6698 on the protection and processing of personal data. In this context, the aim is to continue to carry out the activities in accordance with the principles of lawfulness, honesty and transparency, which have been adopted since the Company's establishment.
2. TARGET
The Company's Personal Data Protection Policy aims to create the necessary systems and establish the necessary order to ensure compliance with the legislation in line with the aim of creating awareness about the legal processing and protection of personal data within the Company.
In this context, the Company's Personal Data Protection Policy aims to provide guidance in terms of the implementation of the regulations set forth in the Personal Data Protection Law and relevant legislation.
3. DEFINITIONS AND ABBREVIATIONS
The important definitions used in the Company's Personal Data Protection Policy are listed below:
EXPLICIT CONSENT: Consent that relates to a specific subject, is based on being informed and is expressed with free will.
ANONYMIZATION: Altering personal data so that it loses its quality as personal data, in a way that cannot be reversed. For example: making personal data impossible to associate with a natural person through techniques such as masking, aggregation, data corruption, etc.
RELEVANT PERSON (DATA SUBJECT): Natural person whose personal data is processed. For example: Customers, employees, job candidates, interns.
PERSONAL DATA: Any information related to an identified and identifiable natural person. Therefore, the processing of information related to legal entities is not within the scope of the Law. For example: name-surname, TR ID No., e-mail, address, date of birth, credit card number, bank account number, etc.
SPECIAL PERSONAL DATA: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
PROCESSING OF PERSONAL DATA: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
DATA CONTROLLER: It refers to the natural or legal person who determines the purposes and means of processing personal data and manages the place where data is systematically kept (data recording system).
DATA OWNER APPLICATION FORM: The application form that the Data Subject will use when applying for their rights stipulated in Article 11 of the Personal Data Protection Law.
CONSTITUTION: Constitution of the Republic of Türkiye No. 2709 dated 7 November 1982, published in the Official Gazette No. 17863 dated 9 November 1982.
Personal Data Protection Law: Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.
POLICY: Company Personal Data Protection and Processing Policy
COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO INFORM: Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform, which was published in the Official Gazette dated 10 March 2018 and numbered 30356 and entered into force.
4. RESPONSIBILITIES
All our employees, stakeholders, guests, visitors and relevant third parties are obliged to cooperate throughout the Company in the operations, activities and processes, in the implementation of the Company's Personal Data Protection Policy, and in preventing legal risks and imminent danger. All organs and departments of the Company are responsible for overseeing compliance with the Company's Personal Data Protection Policy.
5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA
5.1-GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA
One of the issues that is of primary importance for the Company is to act in accordance with the general principles stipulated in the legislation in the processing of personal data. In this context, the Company must act in accordance with the principles listed below in the processing of personal data in accordance with the Constitution and the Personal Data Protection Law.
5.1.1. Carrying Out Personal Data Processing Activities in Accordance with Law and the Rule of Honesty
In accordance with Article 4 of the Personal Data Protection Law, the Company must process personal data in accordance with the law and the rules of honesty; keep it accurate and, where necessary, up to date; process it for specific, clear and legitimate purposes; and do so in a manner that is relevant, limited and proportionate to the purpose.
In this context, the Company takes into account the proportionality requirements in the processing of personal data and should not use personal data other than as required for the purpose.
5.1.2. Ensuring Personal Data is Accurate and Up-to-date Where Necessary
The Company must ensure that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the Data Subject and its own legitimate interests; and must take the necessary measures and establish systems to ensure this.
5.1.3. Processing for Specific, Clear and Legitimate Purposes
The Company must process personal data for legitimate and lawful reasons and in connection with the activities it carries out and to the extent necessary. The purpose for which personal data will be processed by the Company must be determined before the personal data processing activity begins.
5.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
The Company processes personal data in a manner that is conducive to achieving the specified purposes and must avoid processing personal data that is not relevant or needed to achieve the purpose.
For example, personal data processing should not be carried out to meet needs that may arise later.
5.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Personal Data Protection Law, the Company must retain the personal data it processes only for the period stipulated in the relevant legislation and laws or required by the purpose of processing personal data.
In this context, the Company first determines whether a period is foreseen in the relevant legislation for the storage of personal data, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the Relevant Person and with the specified destruction methods (deletion and/or destruction and/or anonymization).
Details are set out in the Personal Data Storage and Destruction Policy.
5.2. Conditions for Processing Personal Data
The conditions for processing personal data are regulated by the KVKK, and personal data is processed by the Company in accordance with the conditions stated below.
One of the conditions for processing personal data is the explicit consent of the Relevant Person. Except for the exceptions listed in the law, the Company processes personal data only by obtaining the explicit consent of the Relevant Person. The explicit consent of the Relevant Person must be related to a specific subject, based on information and expressed with free will. In the event that the situations listed in the law exist, personal data can be processed even without the explicit consent of the Relevant Person.
If the personal data processing conditions listed below are met, personal data may be processed without the need for the explicit consent of the Data Subject.
I. Explicitly Provided in Laws
If the processing of the Relevant Person's personal data is clearly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition can be mentioned.
II. Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility
If the processing of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his/her consent due to a de facto impossibility or whose consent cannot be validated, the personal data of the Relevant Person may be processed.
III. Direct Interest in the Establishment or Performance of the Contract
This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the Data Subject is a party.
IV. Fulfillment of Legal Obligations by the Data Controller
If processing is necessary for the Company to fulfill its legal obligations, the personal data of the Relevant Person may be processed.
V. Publication of Personal Data by the Personal Data Subject
If the Data Subject has made his/her personal data public, the relevant personal data may be processed, limited to the purpose for which it was made public.
VI. Data Processing is Necessary for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the Relevant Person may be processed.
VII. Data Processing is Necessary for the Legitimate Interest of the Data Controller
Personal data of the Data Subject may be processed if data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
5.3-Processing of Special Personal Data
The Company shows special sensitivity in the processing of special personal data, the protection of which is believed to be more critical for the Relevant Person in various respects. In this context, such data is not processed without the explicit consent of the Relevant Person, provided that sufficient measures determined by the Board are taken. However, special personal data, other than data related to health and sexual life, may be processed without the explicit consent of the Relevant Person in cases stipulated by law. However, data related to health and sexual life may be processed without explicit consent, provided that sufficient measures are taken and in the presence of the following reasons.
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Execution of treatment and care services,
• Planning and management of health services and their financing.
5.4-TRANSFER OF PERSONAL DATA
Our company may transfer the personal data and special personal data of the Relevant Person to third parties (official and special authorities, third real persons) by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. In this regard, the Company acts in accordance with the regulations stipulated in Article 8 of the Law. In the event of a group of persons with whom personal data is/may be shared, the relevant person is informed with an information text.
5.4.1-TRANSFER OF PERSONAL DATA TO DOMESTIC PERSONS
The Company carefully complies with the conditions set forth in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data is not transferred to third parties by the Company without the explicit consent of the Relevant Person. However, if one of the following conditions set forth by the KVKK exists, personal data may be transferred by the Company without the explicit consent of the Relevant Person:
• It is clearly stated in the laws,
• If it is necessary for the protection of the life or physical integrity of a person or someone else who is unable to give his consent due to a physical impossibility or whose consent is not legally valid,
• It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligations,
• It has been made public by the Relevant Person himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
Provided that adequate measures are taken, special personal data other than data related to health and sexual life may be transferred without explicit consent as foreseen in the laws, and special personal data related to health and sexual life may be transferred without explicit consent for purposes such as:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Carrying out treatment and care services,
• Planning and managing healthcare services and their financing.
In the transfer of special personal data, the conditions specified in the processing conditions of this data are complied with.
5.4.2-TRANSFER OF PERSONAL DATA TO PERSONS ABROAD
Regarding the transfer of personal data abroad, the explicit consent of the Relevant Person is sought in accordance with Article 9 of the KVKK. However, if there are conditions that allow the processing of personal data, including special personal data, without the explicit consent of the Relevant Person, the Company may transfer personal data abroad without the explicit consent of the Relevant Person, provided that there is sufficient protection in the foreign country to which the personal data will be transferred. If the country to which the transfer will be made has not been determined by the Board to be among the countries with sufficient protection, the Company and the data controller/data processor in the relevant country will undertake in writing to provide adequate protection.
In case there are groups of people with whom personal data is/may be shared, the relevant person is informed with an information text.
5.5-COMPANY'S OBLIGATION TO INFORM
Within the scope of Article 10 of the KVKK and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform, the Data Subject must be informed before or at the latest during the collection of personal data. The information that must be conveyed to the Data Subject within the framework of the said obligation to inform is as follows:
• The identity of the data controller and its representative, if any, and the purpose for which personal data will be processed,
• To whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data,
• Other rights listed in Article 11 of the KVKK.
In order to fulfill its obligation to inform, the Company has prepared information declarations to be submitted to the Relevant Person within the scope of the above-mentioned KVKK provision, on the basis of the process and the persons whose data is processed.
On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Company has no obligation to inform in the situations listed below.
• Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.
• Processing of personal data for purposes such as research, planning and statistics by making them anonymous through official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
However, pursuant to Article 28(2) of the KVKK, the Company's obligation to inform will not be applicable in the following cases:
• Processing of personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject,
• Personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
• The processing of personal data is necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters.
5.6-RIGHTS OF THE RELEVANT PERSON
Regarding the personal data processed by the Company in accordance with the principles set forth in this Policy, the necessary measures have been taken to ensure that the rights granted to the Data Subject in Article 11 of the KVKK are exercised. The rights in question are as follows:
a) Learning whether personal data is being processed,
b) To request information regarding the processing of personal data,
c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d) To know the third parties to whom personal data is transferred, either domestically or abroad,
e) To request correction of personal data if it is processed incompletely or incorrectly,
f) Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
g) To request that the operations carried out in accordance with articles (e) and (f) above be notified to third parties to whom personal data has been transferred,
h) To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
i) Request compensation for damages in case of damages due to unlawful processing of personal data.
Relevant Persons may exercise their rights listed above by submitting the Relevant Person application form at https://www.sienacouture.com. Detailed information on filling out the form or sending it to the Company is included in this form. The Company will deliver the response to the relevant applications to the relevant Persons physically or electronically.
The Company will finalize the request free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the Company will charge the relevant parties the fee in the tariff determined by the Board. In addition, during the finalization of the Relevant Person's requests, the Company may request additional information or documents from the applicants.
On the other hand, within the framework of Article 28, Paragraph 1 of the KVKK, the Data Subject cannot exercise the above rights listed in Article 11 of the KVKK in the following cases:
• Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.
• Processing of personal data for purposes such as research, planning and statistics by making them anonymous through official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
However, within the framework of the second paragraph of Article 28 of the KVKK, the above rights listed in Article 11 of the KVKK, excluding the right to compensation for damages, will not be applicable in the following cases:
• Processing of personal data is necessary for the prevention of crime or criminal investigation,
• Processing of personal data made public by the Data Subject,
• The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law,
• The processing of personal data is necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters.
5.7-MEASURES TAKEN FOR DATA SECURITY
Aware of the importance of ensuring security in every respect within the Company, the Company must take the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data and to ensure the preservation of data, and to conduct the necessary inspections within this scope, in accordance with Article 12 of the Personal Data Protection Law.
The company must take the necessary technical and administrative measures, within the technological possibilities, to ensure that personal data is processed in accordance with the law.
5.7.1. Administrative Measures
• The Company shall carry out or have carried out the necessary audits in its own institution or organisation in order to ensure the implementation of the provisions of the Law.
• If the processed personal data is obtained by others through illegal means, the Company shall notify the relevant person and the Board of this situation as soon as possible.
• Regarding the sharing of personal data, the Company signs a framework agreement with the persons with whom personal data is shared or ensures data security with the provisions it adds to the agreements.
• The Company employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training on the protection of personal data.
5.7.2. Technical Measures
• In order to ensure data security, the Company employs knowledgeable and experienced people and provides its staff with the necessary training on the protection of personal data.
• Performs necessary internal controls within the scope of established systems.
• It carries out the processes of risk analysis, data classification, IT risk assessment and business impact analysis within the scope of the established systems.
• It ensures that the technical infrastructure that will prevent and/or monitor the leakage of personal data outside the institution is provided and the relevant matrices are created.
• It ensures that employees' access to personal data in information technologies companies is kept under control.
6- IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In the event of any inconsistency between the current legislation and the Policy, the Company accepts that the current legislation will be applied.
The policy regulates the rules set forth by the relevant legislation by concretizing them within the scope of Company practices.
7- ENFORCEMENT AND UPDATE OF THE POLICY
The policy will come into effect from the date it is published on the Company website. The policy is reviewed as needed and the necessary sections are updated.