Personal Data Protection Law Policy

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi (“COMPANY”) attaches importance to the protection of personal data in the activities it carries out and accepts it among its priorities in its business and operations. The Personal Data Protection and Processing Policy (“Policy”) of our Company is the basic regulation for the adaptation of our company's organization and business processes to the personal data processing procedures and principles determined by the Personal Data Protection Law No. 6698 (“Law”). In line with the principles of this Policy, our Company processes and protects personal data with a high level of responsibility and awareness, and ensures the necessary transparency by informing personal data subjects.

Purpose

The purpose of this Policy is to ensure that the procedures and principles stipulated by the Law and other relevant legislation are adapted to the organization and processes of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi and implemented effectively in its activities. Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi takes all kinds of administrative and technical measures for the processing and protection of personal data with this Policy, creates necessary internal procedures, increases awareness, and carries out all necessary training to ensure consciousness. All necessary measures are taken for shareholders, officials, employees, and suppliers, customers, consultants, and lawyers from whom the company receives services to comply with the Law processes, and appropriate and effective audit mechanisms are established.

1.2. Scope

The Policy covers all personal data obtained in our company's business processes by automatic means or by non-automatic means provided that they are part of any data recording system.

. Basis

The Policy is based on the Law and relevant legislation. Personal data are processed to fulfill legal obligations arising from the Law No. 6502 on Consumer Protection, Identity Reporting Law No. 1774, Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Social Insurance and General Health Insurance Law No. 5510, Unemployment Insurance Law No. 4447, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, and other relevant legislation.

In cases where there is a conflict between the current legislation and the Policy, the current legislation applies. The regulations stipulated by the relevant legislation are transformed into Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi practices with the Policy.

1.4 . Definitions

Explicit Consent	Refers to consent regarding a specific subject, based on information and expressed with free will.
Application Form	The application form regarding applications to be made by the data subject (Personal Data Subject) to the data controller, prepared in accordance with the Personal Data Protection Law No. 6698 and the Communiqué on the Procedures and Principles of Application to the Data Controller issued by the Personal Data Protection Authority, containing the application to be made by the personal data subjects to exercise their rights.
Relevant User	Persons who process personal data within the data controller organization or in line with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction	Deletion, destruction, or anonymization of personal data.
Recording Medium	Any medium containing personal data processed by fully or partially automated means or non-automated means provided that they are part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Processing of Personal Data	Any operation performed on personal data such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available, classification, or preventing the use of personal data by fully or partially automated means or non-automated means provided that they are part of any data recording system.
Anonymization of Personal Data	Rendering personal data impossible to be associated with an identified or identifiable natural person in any way, even by matching with other data.
Personal Data Subject	The natural person whose personal data is processed by or on behalf of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi.
Deletion of Personal Data	Making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data	The process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.
Board	Personal Data Protection Board (KVKK Board)
Authority	Personal Data Protection Authority (KVKK Institution)
Special Categories of Personal Data	Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Periodic Destruction	The process of deletion, destruction, or anonymization to be carried out ex officio at repeating intervals specified in the personal data storage and destruction policy in case all the conditions for processing personal data set forth in the Law disappear.
Data Processor	The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System	The recording system where personal data are structured and processed according to specific criteria.
Data Subject / Relevant Person	The natural person whose personal data is processed.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Representative	The natural person appointed to fulfill the duties of the Data Controller within the scope of the relevant law articles in accordance with the Law.
Regulation	Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
- Ensuring the Security of Personal Data

Our company takes necessary measures stipulated in Article 12 of the Law, depending on the nature of the personal data, to prevent unlawful disclosure, access, transfer, or other security problems that may occur. Our company takes measures and carries out audits to provide the necessary personal data security level in accordance with the guides published by the Personal Data Protection Authority.

Protection of Special Categories of Personal Data

Measures taken for the protection of data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of association, foundation or trade-union, health, sexual life, criminal conviction, security measures, and biometric and genetic data, which are of a special nature, are carefully implemented and necessary audits are carried out.

Developing Awareness on Protection and Processing of Personal Data

Our company provides the necessary training to the relevant parties for the lawful processing, access, preservation of personal data, and development of awareness for exercising rights.

In order to increase the awareness of employees on personal data protection, our company creates necessary business processes and receives support from consultants if needed. The deficiencies encountered in practice and the results of the training are evaluated by our company's management. New training sessions are organized if needed depending on the changes in the relevant legislation based on these evaluations.

3. PROCESSING OF PERSONAL DATA

3.1. Processing Personal Data in Compliance with Legislation

Personal data are processed in compliance with the legislation in line with the principles listed below.

Processing in Compliance with Law and Honesty Rules

Personal data are processed in compliance with the law and honesty rules, limited to the extent required by business processes, without harming the fundamental rights and freedoms of persons.

Ensuring Personal Data is Accurate and Up-to-Date

Necessary measures are taken to keep the processed personal data up-to-date and accurate, and work is carried out in a planned and programmed manner.

Processing for Specific, Explicit and Legitimate Purposes

Personal data are processed depending on the legitimate purposes determined and explained in the conducted business processes.

Being Relevant, Limited and Proportionate to the Purposes for which they are Processed

Personal data are collected in the quality and extent required by the business processes and processed limitedly depending on the determined purposes.

Preservation for the Period Required

Personal data are preserved for at least the period stipulated in the relevant legislation and required for the purpose of processing personal data. Firstly, if a period is stipulated for the storage of personal data in the relevant legislation, this period is complied with; if not, personal data are preserved for the period required for the purpose for which they are processed. At the end of the storage periods, personal data are destroyed by appropriate methods (deletion, destruction, or anonymization) in accordance with periodic destruction periods or the application of the data subject.

3.2. Conditions for Processing Personal Data

Personal data is processed based on the explicit consent of the subject or one or more of the other conditions specified below.

Presence of Explicit Consent of the Personal Data Subject

Processing of personal data is carried out with the explicit consent of the data subject. Explicit consent of the personal data subject: occurs by being informed on a specific subject and by obtaining their free will.

Absence of Explicit Consent of the Personal Data Subject

In case any of the following conditions are present, personal data may be processed without the need for the explicit consent of the data subject.

Explicitly Stipulated in Laws

In case there is an explicit regulation in the laws regarding the processing of personal data, personal data may be processed without the consent of the data subject.

Inability to Obtain Explicit Consent of the Subject due to Actual Impossibility

Personal data of the data subject may be processed in case it is mandatory to process personal data to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent cannot be recognized as valid, or of another person.

Direct Relation with the Establishment or Performance of a Contract

Personal data of the data subject may be processed if the processing of personal data is directly related to the establishment or performance of a contract to which the data subject is a party.

Fulfillment of a Legal Obligation

Personal data of the data subject may be processed in case personal data processing is mandatory while Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi fulfills its legal obligations.

Making Personal Data Public by the Personal Data Subject

Personal data belonging to data subjects who have made their personal data public may be processed, limited to the purpose of making it public.

Mandatory Data Processing for the Establishment or Protection of a Right

Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise, or protection of a right.

Mandatory Data Processing for Legitimate Interest

Personal data of the data subject may be processed in case data processing is mandatory for the legitimate interests of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi, provided that it does not harm the fundamental rights and freedoms of the personal data subject.

3.3. Processing Special Categories of Personal Data

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi processes special categories of personal data in accordance with the principles determined in the Law and Policy, taking all kinds of administrative and technical measures with the methods determined by the Board, and with the following procedures and principles:

Processing of special categories of personal data is prohibited. However, processing of these data is possible in the following cases:

a) Presence of explicit consent of the relevant person,
b) Being explicitly stipulated in laws,
c) Being mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized as valid, or of another person,

ç) Relating to personal data made public by the relevant person and in accordance with the intention of making it public,

d) Being mandatory for the establishment, exercise, or protection of a right,
e) Being necessary for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, and planning, management, and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations,
f) Being mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
g) Targeted at current or former members and participants of foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade-union purposes, provided that they comply with the legislation they are subject to and their purposes, are limited to their field of activity, and are not disclosed to third parties.”

In the processing of special categories of personal data, it is also mandatory to take adequate measures determined by the Board.

3.4. Informing the Personal Data Subject

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi informs personal data subjects on the purposes for which their personal data are processed, with whom they are shared for which purposes, by which methods they are collected, the legal reason, and the rights they have in the processing of their personal data in accordance with the relevant legislation. In this regard, the protection of personal data is carried out depending on other policy documents and disclosure texts prepared within the framework of the principles in the Policy.

3.5. Transfer of Personal Data

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi may transfer personal data to third parties (shareholders, board of directors, business partners, suppliers, customers, authorized public institutions and organizations, legally authorized private legal entities, auditors, consultants, lawyers, natural or private legal entities from whom we receive contracted services, or with whom we cooperate) lawfully, by taking necessary security measures, in line with personal data processing purposes. Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi carries out transfer operations in accordance with the regulations set forth in Article 8 of the Law.

Transfer of Personal Data

While explicit consent of the personal data subject is sought for the transfer of personal data, personal data may be transferred to third parties by taking all necessary security measures, including methods stipulated by the Board, based on one or more of the conditions specified below.

Being explicitly stipulated in laws,
Being directly related to and necessary for the establishment or performance of a contract,
Being mandatory for our Company to fulfill its legal obligation,
Provided that personal data have been made public by the data subject, limited to the purpose of making it public,
Being mandatory for the establishment, exercise, or protection of the rights of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi or the data subject or third parties,
Being mandatory for the provision of legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject,
Being mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized as valid, or of another person.

Article 9 of the law regarding the transfer of personal data abroad is applied. Personal data may be transferred depending on any of the situations listed above to those in foreign country status declared as “Foreign Country with Adequate Protection”, determined by the Board to have adequate protection.

Personal data may be transferred to those in the status of “Foreign Country where the Data Controller Undertaking Adequate Protection is Located”, where data controllers in Turkey and the foreign country undertake adequate protection in writing and where the Board's permission is present, provided that the relevant person has the opportunity to exercise their rights and apply for effective legal remedies in the country where the transfer will be made, according to the conditions stipulated in the legislation.

Transfer of Special Categories of Personal Data

Special categories of personal data may be transferred under the conditions determined below by taking all kinds of administrative and technical measures, including methods to be determined by the Board, in accordance with the principles determined in the Policy:

Special categories of personal data other than health and sexual life, in case there is an explicit provision in laws regarding the processing of personal data, without seeking the explicit consent of the data subject, otherwise in case the explicit consent of the data subject is obtained.
Special categories of personal data relating to health and sexual life, in case the relevant person has explicit consent, it is explicitly stipulated in laws, it is mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized as valid, or of another person, it relates to personal data made public by the relevant person and is in accordance with the intention of making it public, it is mandatory for the establishment, exercise or protection of a right, it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services by persons under secrecy obligation or authorized institutions and organizations, it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, it is targeted at current or former members and participants of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, provided that they comply with the legislation they are subject to and their purposes, are limited to their field of activity and are not disclosed to third parties, without seeking explicit consent, otherwise in case the explicit consent of the data subject is obtained.

4. PERSONAL DATA INVENTORY PARAMETERS

Data categories and personal data (ANNEX-1) belonging to personal data subject categories consisting of employee candidates, employees, shareholders/partners, potential product or service buyers, interns, supplier officials, persons receiving products or services, parents/guardians/representatives, visitors in the business processes of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi management, human resources, administrative affairs, financial affairs (accounting-finance), planning, IT, production, quality, marketing-sales, procurement are processed depending on personal data processing purposes (ANNEX-2). Details on processing purposes according to data categories and data subject groups are notified to our company by examining and filling out the information in the Data Subject Application Methods and Application Form area on the website of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi at [www.enderaluminyum.com](https://www.google.com/search?q=https://www.enderaluminyum.com).tr.

Personal data processing purposes are processed according to the determined purposes to inform relevant persons according to personal data categories, pursuant to Article 10 of the Law and other legislation, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, in compliance with general principles specified in the Law, primarily the principles specified in Article 4 of the Law regarding the processing of personal data.

Personal data may be shared with domestic organizations with whom we cooperate for the determined purposes (ANNEX-3) within the principles determined in the Policy “3.5. Transfer of Personal Data” section: shareholders, board of directors, business partners, suppliers, customers, authorized public institutions and organizations, legally authorized private legal entities, auditors, consultants, lawyers, natural or private legal entities from whom we receive contracted services, or with whom we cooperate. There is no transfer of personal information to foreign countries.

5. MEASURES TAKEN REGARDING THE PROTECTION OF PERSONAL DATA

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi takes necessary technical and administrative measures for the protection of personal data it processes with the procedures and principles determined in the Law, carries out necessary audits in this context, and performs awareness and training activities.

In case processed personal data are captured by third parties through unlawful ways despite all technical and administrative measures taken, our company informs the relevant person and units as soon as possible.

6. STORAGE AND DESTRUCTION OF PERSONAL DATA

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi preserves personal data for the period required for the purpose of processing personal data and for at least the period stipulated in the relevant legislation. Our company primarily complies with the period if one is determined in the relevant legislation; if a legal period is not stipulated, it stores personal data for the period required for the purpose of processing personal data. At the end of the determined storage periods, personal data are destroyed with the determined method (deletion, destruction, or anonymization) in accordance with periodic destruction periods or the application of the data subject.

7. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THESE RIGHTS

7.1. Rights of the Personal Data Subject

Personal data subjects have the following rights arising from the Law:

To learn whether personal data is processed,
To request information if personal data has been processed,

To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

To know the third parties to whom personal data are transferred domestically or abroad,
To request correction if personal data are processed incompletely or incorrectly and to request notification of the operation performed in this context to third parties to whom personal data are transferred,
To request deletion or destruction of personal data in case the reasons requiring processing disappear, although they have been processed in accordance with the Law and other relevant law provisions, and to request notification of the operation performed in this context to third parties to whom personal data are transferred,

To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
To request compensation for the damage in case of loss due to unlawful processing of personal data.

7.2. Exercise of Rights by the Personal Data Subject

Personal data subjects may convey their requests regarding the rights listed in Article 6.1 to our company with the methods determined by the Board. Personal data subjects and those who have the right to apply on their behalf may apply to our company by filling out the “Data Subject Application Form”.

7.3. Responding to Applications

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi concludes the applications made by the personal data subject in accordance with the Law and other legislation. Requests conveyed to our company in accordance with the procedure are concluded free of charge as soon as possible and within 30 (thirty) days at the latest. However, in case the transaction requires an additional cost, a fee may be charged according to the tariff determined by the Board.

7.4. Refusal of the Personal Data Subject's Application

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi may refuse the request of the applicant in the following cases, by explaining the reason:

Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics,
Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or do not constitute a crime,

Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to provide national defense, national security, public safety, public order, or economic security,

Processing of personal data by judicial authorities or execution authorities regarding investigation, prosecution, trial, or execution proceedings,
Personal data processing is necessary for the prevention of a crime or for crime investigation,
Processing of personal data made public by the personal data subject himself/herself,

Personal data processing is necessary for the execution of auditing or regulation duties and for disciplinary investigation or prosecution by authorized and empowered public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law,
Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters,

Probability of the personal data subject's request to hinder the rights and freedoms of other persons,
Requests requiring disproportionate effort have been made,
The requested information being public information.

7.5. Right of the Personal Data Subject to Lodge a Complaint with the PDP Board

In cases where the application is refused, the answer is found insufficient or the application is not answered in time pursuant to Article 14 of the Law; a complaint can be filed with the Board within thirty days from the date Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi's answer is learned and in any case within sixty days from the application date.

Information that can be Requested from the Applying Personal Data Subject

Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi may request information from the relevant person to determine whether the applicant is the personal data subject. Our company may direct questions to the personal data subject regarding their application to clarify the matters in the application.

EXECUTION

The Policy has been approved and put into effect by the Board of Directors. The technical execution of the Policy is ensured by the “Personal Data Storage and Destruction Policy”.

The Board of Directors is responsible for the execution and updating of the Law and Policy when necessary, and Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi Personal Data Protection Committee is responsible for the follow-up, coordination, and audit of all business and operations within this scope.

9. ENTRY INTO FORCE and ANNOUNCEMENT

The Policy has entered into force as of the date of publication. Changes that will occur in the Policy are published on the website of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi ([www.enderaluminyum.com](https://www.google.com/search?q=https://www.enderaluminyum.com).tr) and made available to personal data subjects and relevant persons. Policy changes enter into practice on the date they are announced.

ANNEX 1- Data Categories and Personal Data

Data Categories	Personal Data
Identity	Name, Surname
	Father's - Mother's Name
	Mother's Maiden Name
	Date of Birth
	Place of Birth
	Marital Status
	Identity Card Serial and Sequence Number
	TR Identity Number
	Passport Number
	Temporary TR Identity Number
	Gender Information
	TR Identity Card
	Driver's License
Contact	Address
	E-mail Address
	Communication Address
	Registered Electronic Mail Address (KEP)
	Phone Number
Personnel	Payroll Information
	Disciplinary Investigation
	Employment Entry-Exit Document Records
	CV Information
	Performance Evaluation Reports
Legal Action	Information in correspondence with judicial authorities, information in the case file, etc.
Customer Transaction	Invoice
	Promissory Note
	Check Information
	Entry-Exit Information
	Order Information
	Appointment Information
Physical Space Security	Entry-Exit Record Information of Employees and Visitors
Physical Space Security	Camera Records
Transaction Security	Transaction Security (such as IP address information, website entry-exit information, password and passcode information)
	IP Address Information
	Website Entry-Exit Information
	Password and Passcode Information
Risk Management	Information processed for the management of commercial, technical, and administrative risks
Finance	Balance Sheet Information
	Financial Performance Information
	Credit and Risk Information
	Asset Information
	Bank Account Number
	IBAN Number
Professional Experience	Diploma Information
	Courses Attended
	In-service Training Information
	Certificates
Visual And Auditory Records	Closed Circuit Camera System Image, Voice Recording, Photograph
Appearance and Dress	Information on appearance and dress
Health Information	Information on Disability Status
	Blood Type Information
	Personal Health Information
	Information on Device and Prosthesis Used
	Laboratory and Imaging Results
	Test Results
	Examination Data
	Prescription Information
Criminal Conviction and Security Measures	Information on Criminal Conviction
Criminal Conviction and Security Measures	Information on Security Measures
Family Information and Information on Relatives	Number of Children
	Family Wallet / Marriage Certificate
	Spouse Employment Information
	Child Education and Age Information
	Working Method
	Occupation
	References
	Information on the last company worked for
Signature	Wet or electronic signatures on documents having personal data quality, fingerprints, special marks
	Frequency/Times of Logging into the Site
	Last Login Date
	IP Address
	Personal data regarding receiving and evaluating any request or complaint directed to the Company.
	Social Security Institution Data
Vehicle Information	Vehicle plate, brand, model, model year, engine chassis number, license registration date, license example, no-claim information
Military Service Information	Military service information of employees

ANNEX 2- Categorical Personal Data Processing Purposes

Execution of Emergency Management Processes

Execution of Information Security Processes

Execution of Employee Candidate / Intern / Student Selection and Placement Processes

Execution of Application Processes of Employee Candidates

Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees

Execution of Side Rights and Benefits Processes for Employees

Execution of Audit / Ethics Activities

Execution of Training Activities

Execution of Access Authorizations

Execution of Activities in Accordance with the Legislation

Execution of Finance and Accounting Works

Ensuring Physical Space Security

Execution of Assignment Processes

Follow-up and Execution of Legal Affairs

Execution of Internal Audit/ Investigation / Intelligence Activities

Execution of Communication Activities

Planning of Human Resources Processes

Execution / Audit of Business Activities

CORPORATE