DISCLOSURE STATEMENT ON THE PROTECTION OF PERSONAL DATA

This Disclosure Statement has been drafted by DORUKSİSTEM MÜHENDİSLİK TEKNOLOJİ DANIŞMANLIK SAN. VE TİC. A.Ş. (“DORUKSİSTEM”), acting in the capacity of data controller, in accordance with the Personal Data Protection Law No. 6698 (“Law”) of DORUKSİSTEM; to make explanations regarding the processing of personal data of “data subjects”, to inform the “data subjects” and to fulfill the disclosure obligation arising from Article 10 of the Personal Data Protection Law (“KVKK”).

This Disclosure Statement aims to inform you about the practices carried out by DORUKSİSTEM for the protection of fundamental rights and freedoms, especially the right to privacy. Ensuring and protecting information security and respect for ethical values are among our prioritized principles.

1. Categories of Personal Data Processed for Related Person Groups

Identity information of shareholders/partners (name, surname, date of birth, T.R. ID number) identification number), identity information (corporate business cards), contact information (residence address, mobile and home phone numbers), legal transaction information (follow-up of lawsuit files opened on behalf of the company), financial information (bank account information, invoice information), transaction security and financial information (user system logs) and risk management information (risk assessment of shareholders) visual records (security camera system) and other information (information security policies, confidentiality and disciplinary agreement, organization activities with news and broadcasting organizations, social organization photos, training videos and photos, posts on company social accounts, training information, vehicle class driver)
Identity information (name, surname, date of birth, T.R. identity information (name, surname, date of birth, T.R. ID number, gender, marital status), identity information (corporate business cards), contact information (residence address, mobile and home phone), criminal conviction and security measures information (criminal record), financial information (salary account information) transaction security information (user system logs), and visual records (security camera system) personal information (service contract, indefinite employment contract, insured employment declaration, wage statement, salary accrual data, payroll data, annual leave-administrative leave and unpaid leave petitions, (information security policies, confidentiality and discipline agreement, passport information, information required for visa, education information, vehicle class driver information, passport photo, passport photo, determination of 1st degree family relatives for minimum subsistence allowance calculations, military status information, health qualification information, organization activities with news and broadcasting organizations, social organization photos, training videos and photos, posts on company social accounts) and other information, (information security policies, confidentiality and discipline agreement, passport information, information required for visa, documents and minutes issued regarding the termination of the service contract, administrative procedures to be carried out in case of work accidents and SSI work accident notifications, work accident report, all kinds of information and documents required by law to be included in the personnel file). degree family relatives for minimum living allowance calculations, military service status information, health qualification information, organization activities with news and broadcasting organizations, social organization photos, training videos and photos, shares of company social accounts),
Supplier employees; identity information (name, surname, date of birth, T.R. ID number), contact information (mobile phone, residence address), personal information (date of employment, diploma), transaction security information, visual records (security camera system) and other information, (vehicle class driver information)
Identity information (name, surname, date of birth, T.R. ID number, gender, marital status), contact information (residence address, mobile and home phone), visual records (security camera system), personal information (work accident report, all kinds of information and documents that are required by law to be included in the personal file), financial information (salary account information) and other information, (education information, passport photo, photograph, health qualification information, organization activities with news and broadcasting organizations, social organization photos, shares of company social accounts),
Identity information (name, surname, date of birth, place of birth, gender, marital status), contact information (residence address, mobile and home phone, e-mail), professional experience information (current job status, certificates, trainings), criminal conviction and security measures information (criminal record), visual records (security camera system) and other information (vehicle class driver information, military service status information, travel disability, possibility to work out of hours, health information in terms of suitability for working conditions, reference information, education information, foreign language information),
Visitors' identity information (name, surname,) contact information (phone number, e-mail address), visual and audio recordings, (reference person switchboard calls), and other information (if any, information about the institution they work for)
Identity information of parents/guardians/representatives (reference person name, surname), contact information (reference person phone, e-mail)
Identity information (name, surname information), contact information (e-mail address, company name, telephone number) of the persons receiving products or services
Identity information (name, surname), contact information (e-mail address, company name, phone number) of fair visitors

2. Purpose of Processing Personal Data

Your personal data and special categories of personal data collected by DORUKSİSTEM, which are detailed below, will be processed for the following purposes within the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law. Accordingly

To carry out employee candidate/intern/student selection and placement processes,
To carry out the application process of employee candidates,
In order to fulfill the obligations arising from the employment contract and legislation for the employee,
In order to carry out new rights and benefits processes for employees,
For the purpose of conducting audit and ethics activities,
For the purpose of conducting training activities,
For the purpose of executing access authorizations,
In order to carry out activities in accordance with the legislation,
For the purpose of conducting financial and accounting affairs,
For the purpose of defining physical space security,
In order to follow up and execute the legal process,
Execution of assignment processes,
To carry out communication activities,
Execution of goods and service production operations,
Execution of customer relationship management process,
To carry out activities for customer satisfaction,
In order to carry out risk management processes,
To carry out social responsibility and civil society activities
For the purpose of executing contract processes,
In order to carry out human resources processes,
In order to ensure the security of movable property and resources,
To carry out supply chain management processes,
To ensure the security of data controller operations,
In order to carry out investment processes,
To provide information to authorized persons, institutions or organizations,
For the purpose of carrying out management activities,
In order to carry out information security processes,

3. Parties to whom Personal Data may be Transferred and Purpose of Transfer

Your personal data collected by DORUKSİSTEM may be shared with the persons, institutions or organizations whose detailed information is given below for the purposes detailed above within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK. Accordingly

Identity information of shareholders/partners (name, surname, date of birth, Turkish ID number, foreign ID number), contact information of supplier employees, (mobile phone, residence address), personal information of supplier employees (date of employment, diploma), health information of supplier employees (SSI information), contact information of supplier employees, (mobile phone number, residence address) identity number), contact information of supplier employees (mobile phone, residence address), personal information of supplier employees (date of employment, diploma), health information of supplier employees (SSI information), contact information of shareholders/partners (residence address, mobile and home phone), contact information of employees (residence address, criminal conviction and security measures information of employees (criminal record), contact information of interns (residence address, mobile and home phone), other information of shareholders/partners (education information, vehicle class driver information), other information of employees, (education information, vehicle class driver information, identification of 1st degree family relatives for minimum living allowance calculations, military status information, health qualification information, graduation diploma, driver's license), identity information of employees (name, surname, date of birth, T.R. license). degree family relatives for minimum subsistence allowance calculations, military service status information, health qualification information, graduation diploma, driver's license), employees' identity information (name, surname, date of birth, T.R. ID number, gender), employees' personal information (service contract, insured employment declaration, wage calculation sheet, salary accrual data, payroll data, all kinds of information and documents that are required by law to be entered in the personal file), employees' salary account information, supplier employees' identity information (name, surname, date of birth, T. C. identity number), trainees' personal information (work accident report, all kinds of information and documents required by law to be included in the personal file), trainees' financial information (salary account information), other information of prospective employees (vehicle class driver information, military service status information), other information of prospective employees (education information), health information of prospective employees (health problems) with authorized public institutions and organizations,
Legal transaction information of shareholders/partners (follow-up of lawsuit files related to the company) with authorized public institutions and organizations, company's law office,
Transaction security of shareholders/partners (user system logs), transaction security information of employees (user system logs) with public institutions and organizations and ICTA,
Finance (user system logs) of shareholders/partners, financial information of employees with authorized public institutions and organizations, contracted banks,
Risk management information of shareholders/partners (user system logs, risk assessment of shareholders) with authorized public institutions and organizations, if requested, with the KVKK committee and auditor organizations,
Other information of shareholders/partners (social organization photos, posts on company social accounts, organization activities with news and broadcasting organizations), other information of employees (social organization photos, posts on company social accounts, organization activities with news and broadcasting organizations), other information of interns (social organization photos, posts on company social accounts, organization activities with news and broadcasting organizations), identity information of shareholders/partners (corporate business cards), identity information of employees (corporate business cards), publicly available to the relevant persons,
Other information of employees (passport information, information required for visa) may be shared and transferred with business partners or business partners by taking all precautions and, if necessary, by obtaining the consent of the 'data subject'. In addition, personal data may also be shared with public institutions and organizations authorized to request and receive such personal data in line with legal requirements.

4. Method and Legal Grounds for Collecting Personal Data

Your personal data is collected, used, recorded, stored and processed by DORUKSİSTEM through channels such as e-mail, through social media accounts that you allow DORUKSİSTEM to access, electronically and/or through the call center, verbally, in writing or electronically. Your personal data may also be processed and shared within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law and for the legal reasons and purposes specified in Articles 1 and 2 of this Clarification Text.

5. Personal Data Processed by DORUKSİSTEM with Your Explicit Consent and Purposes of Processing

DORUKSİSTEM will be able to process your personal data specified within the scope of this Disclosure Statement for the purposes specified in this Disclosure Statement.

6. Retention Period of Personal Data

Your personal data are stored for the retention periods specified in the relevant legal regulations (if no period is specified in the relevant legal regulations, in accordance with the practices and customs of our Company’s practices and commercial life or for the period required by the above-mentioned processing purposes) and then deleted, destroyed or anonymized in accordance with the KVKK.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and our Company have expired; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to our Company on the same issues despite the expiration of the statute of limitations.

In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

7. Security of Personal Data

In order to ensure that your personal data are not subject to unauthorized access, loss and damage in the environments where they are processed and stored, the requirements of the technical and administrative measures regarding the Security of Personal Data published by the KVKK board are regularly reviewed and provided by our company.

8. Rights of the Personal Data Owner

Within the scope of Article 11 of the LPPD, you, as the personal data owner, are granted the following rights:

Learn whether your personal data is being processed,
Request information if your personal data has been processed,
Learn the purpose of processing personal data and whether it is used in accordance with the purpose,
To know the third parties to whom your personal data is transferred domestically/abroad,
To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
Although it has been processed in accordance with the provisions of Law No. 6698 and other relevant laws, to request the deletion or destruction of your personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
To object to the occurrence of a result against you by analyzing your processed data exclusively through automated systems,
To request compensation for damages in case you suffer damage due to unlawful processing of your personal data.

9. Application Methods Regarding the Rights of the Personal Data Owner

Pursuant to paragraph 1 of Article 13 of the KVKK, you can make your request to exercise your rights mentioned above with the following methods and information in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” published in the Official Gazette dated March 10, 2018 and numbered 30356. DORUKSISTEM will finalize the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, DORUKSİSTEM reserves the right to charge a fee over the tariff determined by the Personal Data Protection Board.

Applications to be made to our Company in writing, by printing out the DORUKSISTEM Disclosure Application Form;

Application Method	Application Address	Information to be specified in the application submission
In Person Application (The applicant comes in person and applies with a document certifying his/her identity)	DORUKSISTEM Consulting Ltd. (ULUCINAR ET AL - 3100626702) HACIHALİL MH. 1207. SK. NO:1 A/11 GEBZE 41700 KOCAELİ.	"Information Request within the scope of the Law on the Protection of Personal Data" will be written on the envelope.
Notification via notary public		"Information Request within the scope of the Law on the Protection of Personal Data" will be written on the envelope.
Signed with a "secure electronic signature" and sent via Registered Electronic Mail (KEP) or by sending an e-mail to the corporate e-mail address.	info@doruksistem.com.tr	"Personal Data Protection Law Information Request" will be written in the e-mail subject section.

Disclosure Statement On The Protection Of Personal Data