Internal Directive of the Personal Data Protection Committee - Ender Aluminium

ENDER ALÜMİNYUM SANAYİ VE TİCARET ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION COMMITTEE INTERNAL DIRECTIVE

The Internal Directive of the Personal Data Protection Committee of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi (“Company”) has been prepared in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), published in the Official Gazette dated 07/04/2016 and numbered 29677; the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), issued by the Personal Data Protection Authority and published in the Official Gazette dated 28/10/2017 and numbered 30224; the Personal Data Protection and Processing Policy of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi; and the Personal Data Retention and Disposal Policy (“Retention and Disposal Policy”) of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi.

In accordance with the Law and the Regulation, a Personal Data Protection Committee has been established within our data controller company for the purpose of managing personal data retention and disposal processes and carrying out the necessary business and operations. In this context, necessary internal regulations are made by our company for the storage and destruction of personal data in accordance with personal data protection regulations and Policies, and the required system is established to create awareness.

Purpose:

Article 1- This Internal Directive has been prepared to determine the matters regarding the fulfillment of the Committee's duties, the principles it must comply with within the framework of personal data protection regulations and Policies, and the procedures it will implement based on the Policies.

Scope:

Article 2- This Internal Directive covers the relevant responsibilities, work, and activities of the Committee and its members.

Basis:

Article 3- This Internal Directive is prepared based on the aforementioned regulations related to the Personal Data Protection Law No. 6698.

Personal Data Protection Committee:

Article 4- The Committee is appointed by the board of directors of our company to fulfill the obligations under the Law, ensure and supervise the implementation of the Policies, and make suggestions regarding their functioning. The Committee is responsible for ensuring audit, compliance, and sustainable efficiency within the scope of the company's KVK (Personal Data Protection) regulations. The distribution of duties among Committee members, and the removal or addition of members to the Committee, is carried out by the committee chairman with the authority given by the data controller.

Data Controller Representative:

Article 5- The Data Controller Representative is selected from within the Committee and manages our company's relations with the Authority (KVKK).

Members:

Article 6- The formation of the Committee and the duties of individuals are determined below.

| Status | Duty |
| --- | --- |
| Chairman | Committee Chairman - responsible for governance and communication |
| Member | Law compliance and audit, and planning of business processes - reporting officer |
| Member | Information Technology - responsible for data security, risk management, policies, and procedures |

Article 7- The Committee is responsible for managing the processes of protection, storage, processing, and the deletion, destruction, and anonymization of personal data.

In this context, the Committee;

  1. Establishes the necessary procedures and ensures the implementation of said procedures.
  2. Ensures that internal business and transactions are carried out to comply with new regulations if a change occurs in the legislation regarding personal data.
  3. Prepares the personal data inventory.
  4. Periodically updates the personal data inventory.
  5. Notifies the registry of the personal data inventory and ensures it is kept up to date.
  6. Conducts correspondence with the Registry and archives the correspondence.
  7. Controls the contracts to be made with third parties that process personal data and confirms their compliance within the scope of regulations. Audits third parties.
  8. Determines and authorizes natural and legal persons who process personal data.

Article 8- The Committee is obliged to take technical and administrative measures for the protection of all personal data within the company, to continuously follow developments and administrative activities, to prepare and announce necessary procedures within the company, and to ensure and supervise compliance with them. The Committee ensures that internal or external audits are carried out periodically within the scope of personal data protection. Regarding the protection of personal data, it periodically convenes senior management to discuss both the current situation and risks. It records meeting decisions with wet signatures and files them. It periodically informs the units related to personal data protection via the portal / e-mail / announcements.

Article 9- The Committee is obliged to ensure that the obligation to inform is fulfilled in terms of all personal data processing processes and that explicit consent is obtained and preserved when necessary.

Regarding personal data, the Committee;

  1. Ensures the announcement of the data controller's identity.
  2. Ensures that personal data processing purposes are for specific, legitimate, and clear purposes, audits this, and ensures it is announced to both employees and customers.
  3. Explains to whom and for what purpose the processed data will be transferred.
  4. Explains the data collection method and legal reason.
  5. Determines and implements the ways of obtaining the person's explicit consent for the processing of personal data and supervises them.
  6. Guarantees that in cases where special categories of personal data are recorded, explicit consent is absolutely obtained and kept on record, except for cases that can be processed without consent by law.
  7. Ensures that explicit consent of the personal data subject is obtained if personal data is to be kept in cloud systems or stored abroad. Ensures that the foreign country to which personal data will be transferred has been announced by the Board.

Article 10- In case of transfer of personal data to third parties, the Committee determines whether explicit consent will be obtained from the data subject according to the status of the place/authority to be shared. Situations where explicit consent will not be obtained are determined below. In any case, it records which data is shared with the following institutions and that the third parties matching the following status comply with the valid basis:

  1. Inability to obtain explicit consent due to actual impossibilities
  2. When the life or physical integrity of themselves or someone else is at stake
  3. Being directly related to the establishment or performance of a contract
  4. Necessity of processing personal data belonging to the parties of the contract
  5. Necessity of data processing for the establishment, exercise, or protection of a right
  6. Necessity for the data controller to fulfill its legal obligation
  7. In case the person has made their own data public
  8. Necessity of data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned
  9. In case of processing data for their own members and participants by non-profit organizations such as political parties, foundations, associations, or unions, provided that they comply with the legislation and purposes they are subject to, are limited to their fields of activity, and are not disclosed to third parties
  10. In case of processing by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning, management, and financing of health services

If personal data is to be transferred abroad and explicit consent has not been obtained, the Committee coordinates the sharing where there is adequate protection in the place to which the data will be transferred or, where there is no adequate protection, where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and the Board's permission is obtained.

The party sharing the data ensures that the location and purpose of sharing are documented in writing and approved. It is checked and documented whether the consent for the proposed data has been obtained. Sharing is ensured after approval by the legal department and the data controller.

Article 11- The Committee evaluates the applications of personal data subjects and ensures coordination within the company to respond to applications. It provides the necessary coordination and communication in cases where communication with the Board is required.

In case of application by the personal data subject, it ensures the fulfillment of the following rights of individuals within 30 calendar days at the latest:

  1. The person knowing whether their own personal data is being processed
  2. Requesting information regarding personal data
  3. Explaining the purpose of processing
  4. Explaining the third parties to whom personal data are transferred domestically or abroad
  5. Receiving correction requests in case of incomplete or incorrect processing of personal data and providing feedback when the process is completed
  6. Receiving requests for deletion or destruction of the person's personal information and providing feedback when the process is completed
  7. Receiving requests for objection in case a result arises against the data subject as a result of analysis of processed data exclusively through automated systems and providing feedback when the process is completed
  8. Checking whether personal data is processed unlawfully and following up and concluding requests from the person

Article 12- The Committee takes the necessary measures to eliminate any deficiency or risk identified in the compliance of personal data protection, storage, processing, and destruction processes with the Law and Policies. In this context, the Committee audits each new processing process reported to it.

Article 13- Regarding the storage and destruction of personal data, the Committee;

  1. Determines the retention and destruction period stipulated in the relevant legislation or required for the purpose for which they are processed.
  2. Pursuant to Article 11/2 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, it ensures the deletion, destruction, or anonymization of personal data that needs to be deleted, destroyed, or anonymized by auditing processed personal data in periods not exceeding six months.
  3. Ensures that all operations regarding deletion, destruction, and anonymization of personal data are recorded and that said records are stored for at least three years, excluding other legal obligations.
  4. In case of any of the following reasons, it ensures the deletion, destruction, or anonymization of personal data within the framework of the procedures and principles determined in the regulations:
     • In case the reasons requiring processing disappear
     • In case the period expires
     • Upon request of the data subject

Article 14- The Committee creates an action plan in accordance with the regulations regarding violations related to business, transactions, or actions reported to it by the company's employees and which it considers to be contrary to the procedures and principles specified in the Policies. The Committee prepares the notification to be made to the Personal Data Subject or the Authority regarding the violation, taking into account the current legislation provisions on the subject, and carries out correspondence and communication with the Authority.

Other departments provide necessary assistance in related works.

Article 15- The Committee sends the documents and information requested by the Board within 15 calendar days and allows on-site inspection when necessary.

In case of a complaint or for any reason, it follows the Board's notifications and ensures their fulfillment within 30 calendar days.

Article 16- The Committee ensures the informing of company employees for the purpose of lawful processing and destruction of personal data and prevention of illegal access. Necessary procedures are established for employees who need to access company personal data to provide said access, and the Data Controller Representative and the Committee are jointly responsible for the establishment and implementation of this. The list of limited employees authorized to access special categories of personal data and the follow-up of the list are carried out by the Committee.

Entry into Force of the Internal Directive and Amendments

Article 17- The Internal Directive is put into effect by the company management. Amendments to the Internal Directive and the regulation of the Directive are subject to the same procedure.