Protection of Personal Data

PURPOSE AND SCOPE

This Otokoç Otomotiv Personal Data Protection Policy (“Policy”), which is part of the Otokoç Otomotiv Code of Ethics and Otokoç Otomotiv Code of Ethics, aims to provide a compliance framework and coordinate compliance activities for Otokoç Otomotiv for complying with Legislation on the protection and processing of personal data. In this context, the objective is to ensure the personal data processing activities by Otokoç Otomotiv to be carried out in compliance with the principles of lawfulness, good faith, and transparency.

The employees and executives of Otokoç Otomotiv are obliged to act in accordance with this Policy. Business Partners are also expected to act in accordance with the rules and principles of this Policy to the extent that they are applicable to the relevant transactions.

DEFINITIONS

“Explicit Consent” Consent related to a specific subject, based on information and expressed with a free will.
“Anonymization” Making personal data unrelated to an identified or identifiable natural person under any circumstances, even when by matching with the other data.
“Data Subject” A real person of whom personal data are processed. (customers, visitors, employees and employee candidates, etc.).
“Business Partners” Suppliers, dealers, vendors, authorized service , all kinds of representatives, subcontractors and consultancies acting on in the name of and on behalf of the company.
“Personal Data” Any information related with an identified or identifiable real person.
“Processing of Personal Data” Any activity performed on data such as obtaining personal data by fully or partially automatic means or non-automatic means that are part of a data registration system; recording, storage, retention, revision, modification, disclosure, transfer, receiving of data, rendering the data obtainable or classification or prevention of use.
“Koç Group” Refers to all controlled directly by Otokoç Otomotiv, individually or jointly and the joint ventures included in the consolidated financial report of Otokoç Otomotiv.
“Otokoç Otomotiv” means all of the directly or indirectly, indivually or jointly controlled by Otokoç Otomotiv and the joint venture listed in its latest consolidated financial report.
“Legislation” All of the relevant legislation in force in Turkey and relevant countries regarding the protection of personal data, especially the Law on the Protection of Personal Data No.6698.
“Special Categories of Personal Data” Race, ethnic origin, political view, philosophical belief, religion, religious sect or other beliefs, clothing style, association, foundation or union membership, health, sexual life, criminal convictions, and security measures as well as biometric and genetic data are special categories of personal data.
“VERBİS” Data Controllers Registry Information System
“Data Processor” A real or legal person that processes personal data for and on behalf of the data controller based on the authorization granted by the data controller.
“Data Controller” A real or legal person who determines the objectives and means of personal data processing and is responsible for the establishment and management of the data recording system.

GENERAL PRINCIPLES

Breach of this Policy may result in significant consequences for Otokoç Otomotiv, its associated executives and employees including legal, administrative, and criminal penalties based on the Legislation in the region of operation, and, most significantly, the breach may result in serious harm to the reputation of Otokoç Otomotiv.

One of the most important issues for Otokoç Otomotiv is to act in accordance with the Legislation and the general principles set out in the Legislation with regards to processing of personal data. In this regard, Otokoç Otomotiv and its Business Partners are expected to follow the guidelines outlined below when processing personal data in compliance with the Legislation.

Otokoç Otomotiv carries out the personal data processing practices within the scope of its activities in accordance with the Otokoç Otomotiv Personal Data Protection and Processing Policy¹.

3.1. Processing of personal data in accordance with the law and principle of good faith

The general rule of trust and good faith in compliance with the Legislation must be adhered to on the subject of personal data processing. In this context, personal data should be processed in accordance with general principles of law, good-will and general morality to the extent required by business activities and limited to the these activities.

3.2. Ensuring that personal data is accurate and up-to-date when required

Systems must be established, and necessary measures must be taken to ensure that the personal data being processed are accurate and up-to-date while taking account of data subjects’ rights.

3.3. Processing of personal data for specific, explicit and legitimate purposes

Personal data must be processed for legitimate and lawful purposes. Otokoç Otomotiv and its Business.Partners must only process personal data in connection with their activities and to the extent necessary. Prior to personal data processing operations, the purposes for processing personal data should be determined.

3.4. Being limited, proportionate and relevant to the purpose of processing

Personal data must be processed adequately for carrying out the determined purposes and processing of personal data that is not necessary for fulfilling the purposes must be avoided.

3.5. Storing for the Period Stipulated in the Relevant Legislation or the Period Required for the Processing Purpose

Personal data must only be stored for the period stipulated in the relevant Legislation or for the period required for the personal data processing purpose.

In this regard, firstly determination must be made whether a certain period is stipulated for the storage of personal data in the relevant Legislation, if any period is determined, this period should be complied with. If no period is determined, personal data must be stored for the period required for carrying out the purpose of the processing. Personal data must be erased, destructed, or anonymized in case the period expires or the reason for its processing no longer exists. Personal data must not be stored based on the possibility of future use.

APPLICATION OF THE POLICY

4.1. PROCESSING PERSONAL DATA BASED ON THE DATA PROCESSING CONDITIONS

4.1.1. Execution of Personal Data Processing Activities Based on the Personal Data Processing Conditions Specified in the Legislation

As a rule, personal data must be processed based on at least one of the conditions specified in the Legislation. Determination should be made on whether the personal data processing activities carried out by the company’s business units are based on at least one of the conditions. Personal data processing activities that do not meet this requirement should not be included in the processes.

4.1.2. Execution of Special Categories of Personal Data Processing Activities Based on Special Categories of Personal Data Processing Conditions Stipulated in the Legislation

As a rule, special categories of personal data must be processed based on the conditions specified in the Legislation. It must be ensured that the special categories of personal data processing activities carried out by the company’s business units are in line with these conditions, the necessary technical and administrative measures for the processing of the special categories of personal data must be taken and it must be ensured that the following conditions are met:

(i) Special categories of personal data excluding health and sexual life can be processed without the explicit consent of data subjects if it is explicitly stipulated in the laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, explicit consent of the data subject should be obtained.

(ii) Special categories of personal data regarding health and sexual life can be processed without the explicit consent of data subjects for the purposes of the protection of public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning of financing and management of health services by the persons who are bound with professional secrecy or legally authorized authorities and institutions. Otherwise, explicit consent of the data subject should be obtained.

Processing of special categories of personal data must be carried out in accordance with the provisions set out in the Legislation regarding the processing of special categories of personal data and transfer of data to domestic third parties and abroad. In addition to the above-mentioned matters, in these cases, personal data processing activities must also be carried out by fulfilling the special requirements set forth in the Legislation.

4.2. REQUIREMENTS TO BE COMPLIED WITH FOR TRANSFER OF PERSONAL DATA

Personal data of data subjects should be transferred to third parties in accordance with the purposes and legal basis for personal data processing and by taking the necessary security measures. In this regard, necessary processes for acting in accordance with the conditions stipulated in the Legislation must be designed.

4.3. OBLIGATIONS RELATED TO THE PROTECTION AND PROCESSING OF PERSONAL DATA

4.3.1. Obligation to Register with VERBİS

Otokoç Otomotiv must register with VERBİS as Data Controllers if they are under the obligation to register according to the criteria stipulated in the Legislation. In case of a revision in the registered information, the information in VERBİS must be updated within seven days from the date of revision. Koç Holding Legal and Compliance Department must be given a report and the Legal and Compliance Counsel of Otokoç Otomotiv must be informed twice a year, every 6-month periods (June-December) regarding the updates made by the Otokoç Otomotiv in VERBİS.

4.3.2. Obligation to Inform Data Subjects

Data subjects must be informed at the time of collection of personal data in accordance with the Legislation.

In this regard, the personal data collection channels must be determined for the fulfillment of the obligation to inform; data subjects must be informed through the privacy notices which comply with the scope and conditions specific to these collection activities required in the Legislation; the appropriate processes should be designed accordingly by Otokoç Otomotiv.

Company must keep the personal data collection channels up to date as a list and share the list with the company’s Legal and Compliance Counsel and the Koç Holding Legal and Compliance Department twice a year, every 6-month periods (June-December).

4.3.3. Obligation to Ensure the Security of Personal Data

Along with the awareness on the importance of ensuring data security in all aspects within the Otokoç Otomotiv, necessary and adequate technical and administrative measures must be taken to prevent unlawful processing of personal data or access to data, and to store data in accordance with the Legislation and in this regard necessary audits must be conducted by the company and/or have audits conducted by a third party.

Within the scope of the measures taken by the company, trainings regarding the Legislation should be given to the employees. The company must provide information to company’s Legal and Compliance Counsel and the Koç Holding Legal and Compliance Department regarding the trainings carried out in this context.

4.3.4. Audit of the Measures Taken for the Protection of Personal Data

Systems for conducting and having the necessary audits regarding the functioning of the measures taken in terms of technical and administrative measures must be built. These audit results must be reported to the company's Legal and Compliance Counsel , and the necessary actions must be taken to improve the measures taken. In addition, the annual audit report and the measures taken by the company must be shared with Koç Holding Legal and Compliance Department.

4.3.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

The data subject and the relevant authorities must be informed as soon as possible in compliance with the Legislation in case the processed personal data is illegally obtained by third parties. In this context, the necessary internal structure in which the company’s Legal and Compliance Counsel take part, must be created within the company. Additionally, in such cases, Otokoç Otomotiv Legal and Compliance Department and Koç Holding Legal and Compliance Department must be informed immediately.

4.3.6. Obligation to Inform the Data Subject

The data subjects have the right to request information about their processed personal data by applying data controllers whenever they need.

In this context, the necessary procedures and processes must be established and implemented within the company in the matters of designing the necessary application channels in accordance with the Legislation, evaluating the applications, answering the applications within the periods stipulated in the Legislation in order to evaluate the rights of the data subjects and to provide the necessary information to the data subjects.

In the case that the data subjects submit their requests regarding their rights to the company, the relevant request must be responded as soon as possible and within thirty days at the latest.

While concluding the relevant application of the data subject, the information shall be provided with a wording and format easily understandable to the data subject. Necessary warnings should be given within the company and awareness must be ensured that data subjects have a right to complain to the relevant authority in the case that the data subject's application is rejected, the response is insufficient, or the application is not responded within the stipulated timeframe.

Data subject applications and the response processes should be kept as a list by the Company and must be shared with the company’s Legal and Compliance Counsel and the Koç Holding Legal and Compliance Department twice a year at 6-month periods (June-December). In addition, the opinions of the company’s Legal and Compliance Counsel and of the Koç Holding Legal and Compliance Department must be taken before any action is taken regarding all kinds of information and document requests from the relevant authorities to the company and all kinds of applications to be made by the company to these authorities.

AUTHORITY AND RESPONSIBILITIES

All Otokoç Otomotiv employees and directors are responsible to comply with this Policy. Otokoç Otomotiv expects its Business Partners to comply with this Policy to the extent applicable to the relevant party and operation and takes necessary steps for this.

Otokoç Otomotiv Legal and Compliance Department is the responsible body for the implementation of this Policy.

In case of being aware of any action considered to be contrary to this Policy, the Legislation in force or Otokoç Otomotiv Code of Ethics, you may contact the company’s Legal and Compliance Counsel or the Koç Holding Legal and Compliance Department.

Please contact the department or persons listed above for your queries or concerns. As an alternative method, you can make all your notifications about ethical violations via “koc.com.tr/hotline”.

Breach of this Policy might result in significant disciplinary penalties including dismissal. In the case of breach of this Policy by third parties, the legal relationship between those parties and the Otokoç Otomotiv might be terminated immediately.

REVISION HISTORY

This Policy being effective from the date of 29.11.2021 and Otokoç Otomotiv Legal and Compliance Department is responsible for the execution of the Policy