Information Regarding the Protection of Personal Data;

CNG CENGIZ SUPPLY FOREIGN TRADE INC.

PERSONAL DATA PROTECTION POLICY

Effective Date: June 25, 2020

This Personal Data Protection Policy outlines the policies of our company, CNG CENGİZ TEDARİK DIŞ TİCARET ANONİM ŞİRKETİ, as the data controller, regarding the personal data it processes while providing its services.

CONTENTS

1. ABBREVIATIONS USED IN OUR POLICY 3

2. THE AIM OF OUR POLICY IS 4

3. SCOPE OF OUR POLICY 4

4. IMPLEMENTATION OF OUR POLICY 4

5. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA 4

6. PROTECTION OF SPECIAL CATEGORY PERSONAL DATA 5

7. PERSONAL DATA PROCESSING POLICY 5

7.1. Personal Data Processed 5

7.2. Principles to be Followed Regarding the Processing of Personal Data 6

7.2 Purposes of Our Company's Processing of Personal Data 6

7.2.1 Conditions; 6

7.2.2 Objectives; 7

8. TRANSFER OF PERSONAL DATA 8

8.1 Transfer of Personal Data Within the Country 8

8.2 Transfer of Personal Data Abroad 9

8.3 Institutions and Organizations to Which Data Is Transferred 9

9. BUILDING ENTRANCES, PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING, AND WEBSITE VISITORS 9

10. RIGHTS OF THE PERSON WHOSE PERSONAL INFORMATION IS PROCESSED BY THE COMPANY

11. STORAGE OF PERSONAL DATA 10

12. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN REGARDING THE STORAGE OF PERSONAL DATA 11

13. DELETION, DESTRUCTION, ANONYMIZATION, AND DESTRUCTION OF PERSONAL DATA 11

14. EXERCISE OF RIGHTS OF THE DATA SUBJECT 12

15. CASES WHERE THE DATA SUBJECT CANNOT ASSERTE THEIR RIGHTS 13

16. OTHER MATTERS 13

17. GDPR DATA SUBJECT INFORMATION REQUEST FORM

ABBREVIATIONS USED IN OUR POLICY

KVKK: The Law No. 6698 on the Protection of Personal Data and related legislation, published in the Official Gazette dated April 7, 2016, and numbered 29677.

GDPR: EU (European Union) General Data Protection Regulation

Constitution: The Constitution of the Republic of Türkiye, dated November 7, 1982, and numbered 2709, published in the Official Gazette dated November 9, 1982, and numbered 17863.

Data Processor: A person within the Data Controller's organization, or acting on behalf of the Data Controller under their authority and instructions, who processes personal data, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Data Subject/Relevant Person(s): The natural person whose personal data is processed, including but not limited to employees, customers, business partners, shareholders, officers, prospective customers, prospective employees, interns, visitors, suppliers, employees of institutions with which the Company collaborates, third parties, and other persons with whom the Company and/or its affiliates/subsidiaries have a commercial relationship.

Data Controller: The authority that determines the purposes and means of processing personal data and the data recording system.

the natural or legal person responsible for its establishment and management.

Explicit consent: Consent given freely and based on informed knowledge regarding a specific matter.

Destruction: The deletion, destruction, or anonymization of personal data.

Recording Medium: Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.

Anonymization of Personal Data: The process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data.

Deletion of Personal Data: Deletion of personal data means that personal data is no longer accessible to the relevant users in any way.

making it inaccessible and unusable again.

Data Destruction: The process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way.

Periodic Destruction: When all the conditions for processing personal data stipulated by law cease to exist.

In this case, the deletion, destruction, or anonymization process will be carried out automatically at recurring intervals.

Regulation on the Deletion, Destruction, or Anonymization of Personal Data: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette No. 30224 dated October 28, 2017, and effective as of January 1, 2018.

Personal Data Protection Board / Board: Personal Data Protection Board

Personal Data Protection Authority: Personal Data Protection Authority

Company: CNG CENGIZ TEDARIK DIS TICARET LIMITED COMPANY

THE AIM OF OUR POLICY

The purpose of this document is to regulate the methods and principles to be followed by our company to ensure the processing and protection of personal data in compliance with the Law on the Protection of Personal Data (KVKK), published in the Official Gazette dated April 7, 2016, and numbered 29677. In this context, it aims to ensure transparency by informing individuals whose personal data is processed by our company, primarily our employees, job applicants, customers, potential customers, suppliers, business partners, company shareholders and officials, visitors, employees, shareholders and officials of institutions with which we cooperate, and third parties.

SCOPE OF OUR POLICY

This Policy document applies to all activities carried out by our Company regarding the processing and protection of personal data, and relates to all personal data of our employees, job applicants, customers, prospective customers, suppliers, business partners, company shareholders, company officials, visitors, employees, shareholders and officials of institutions with which we cooperate, and third parties, whose personal data is processed by our company automatically or non-automatically as part of any data recording system.

IMPLEMENTATION OF OUR POLICY

The provisions of the relevant legislation in force shall primarily apply in the process of processing and protecting personal data. In case of any conflict between the provisions of the legislation and the policy provisions, our Company accepts that the current legislation provisions shall prevail.

In accordance with Article 12 of the Law on the Protection of Personal Data, as the data controller, we take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.

MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

Our company conducts a risk analysis to identify what constitutes personal data and the potential risks associated with its protection. In accordance with Article 12 of the Law on the Protection of Personal Data, we take the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. The main measures taken are listed below.

All activities carried out by our company have been analyzed in detail for each business unit, and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified, and the necessary legal and technical measures are continuously monitored.
Personal data processing activities carried out by our company are monitored through information security systems, technical systems, and legal methods. Our company has established provisions regarding confidentiality and data security in the employment contracts signed during the hiring process and requires employees to comply with these provisions.
Employees are regularly informed and trained on personal data protection law and the necessary measures to be taken in accordance with this law. Employee roles and responsibilities have been reviewed and job descriptions revised within this scope.
Our company and its subcontractors process personal data in accordance with the requirements of the Personal Data Protection Law (KVKK). A commitment to information security has been added to and signed by these parties in their contracts.
The company's contracts have been reviewed in terms of the Personal Data Protection Law (KVKK), and necessary changes have been made. A commitment to information security has been added to the contracts with these individuals, and both parties have signed them.
Appropriate technical measures are being taken in line with technological developments, and these measures are periodically checked, updated, and renewed.
Access permissions are restricted and regularly reviewed. Employees who change roles or leave the company have their access in this area restricted.
The technical measures taken are regularly reported to the relevant authority, and issues posing risks are reviewed to develop the necessary technological solutions.
Software and hardware, including antivirus systems and firewalls, are being installed.
Backup programs are used to ensure that personal data is stored securely.
Security systems are used for safekeeping areas, the technical measures taken are periodically reported to the relevant parties as part of internal controls, and issues posing risks are re-evaluated and necessary technological solutions are developed.
Files/outputs stored in physical form are kept in physically locked or secure areas and are destroyed in accordance with specified procedures after the retention period expires.
Data that had reached the end of its retention period has been destroyed.
Data masking is performed when necessary.
The company's systems are being brought into compliance with the EU General Data Protection Regulation (GDPR).
In order to be prepared for any personal data security breach, crisis and reputation management was discussed, and processes for informing the Personal Data Protection Board and the relevant person were designed within this scope.
Information and consent forms have been prepared and voluntarily signed by the individuals whose personal data is processed by our company.
The technical and administrative measures proposed by the Authority have been reviewed, and the necessary administrative and technical measures have been taken to ensure the security of the personal data processed by our Company.
PROTECTION OF SPECIAL CATEGORY PERSONAL DATA

Our company takes the necessary actions to ensure the security of sensitive personal data and implements all technical and administrative measures to ensure compliance with legal requirements and adequate measures determined by the Board, in order to ensure the lawful processing of this data.

PERSONAL DATA PROCESSING POLICY
Personal Data Processed

Our company processes certain personal data (such as your identity data including name, surname, Turkish National Identity Number, date of birth, place of birth; your contact information including address, email address, and telephone number; data required in your personnel file including profession, education, and residence; vehicle license plate number, visual records, biometric data, visitor records, financial information, health information, location, and clothing data, etc.) in accordance with the Personal Data Protection Law and our legal obligations arising from related legislation, in order to carry out our activities and fulfill our legal obligations. This personal data will be processed and stored, with appropriate information security measures in place, for purposes permitted by law or based on your explicit consent, and will not be used outside the scope and purposes defined in this Personal Data Protection Policy.

Principles to be Followed Regarding the Processing of Personal Data

All personal data processed by our company is processed in accordance with the Personal Data Protection Law (KVKK) and relevant legislation. In accordance with Article 4 of the KVKK, the company processes personal data in a lawful and fair manner, accurately and, where necessary, up-to-date, with specific, clear and legitimate purposes, in a manner that is relevant to the purpose, limited and proportionate.

Processing in Accordance with the Law and the Principle of Fairness: The Company acts in accordance with the principles established by legal regulations and the general rule of trust and fairness in the processing of personal data. In this context, the Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required.
Ensuring the Accuracy and Timeliness of Personal Data: The company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and its own legitimate interests.
Processing for Specific, Clear, and Legitimate Purposes: The company clearly and precisely defines the legitimate and lawful purpose of personal data processing. The company processes personal data only to the extent necessary and connected with the products and services it offers. The purpose for which personal data will be processed is determined before any personal data processing activity begins.
Relevant, Limited, and Proportional to the Purpose for Which They Are Processed: The company processes personal data in a manner suitable for achieving the stated purposes and avoids processing personal data that is not related to or needed for the achievement of the purpose.
Retention for the Period Stipulated in Relevant Legislation or Necessary for the Purpose for Which They Are Processed: The Company retains personal data only for the period specified in the relevant legislation or for the period necessary for the purpose for which they are processed. In this context, the Company first determines whether a retention period for personal data is stipulated in the relevant legislation; if a period is specified, it complies with that period; if no period is specified, it retains personal data for the period necessary for the purpose for which they are processed. Upon the expiration of this period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized by the Company.
Our Company's Purposes for Processing Personal Data

In accordance with Article 10 of the Law on the Protection of Personal Data, our company informs data subjects during the collection of their personal data. In this context, we provide information about the identity of the company and, if applicable, its representative; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal basis for collecting personal data; and the rights that data subjects have under Article 11 of the Law on the Protection of Personal Data.

Our company processes personal data only under the conditions specified in Articles 5 and 6 of the KVKK (Turkish Personal Data Protection Law) and for the purposes listed below.

Conditions;

Except for personal data relating to health and sexual life, the processing of personal data by the Company is subject to the provisions of the relevant laws.,
Personal data may be processed by the Company only if it is directly related to and necessary for the establishment or performance of a contract; prior to the contract, during the contract initiation phase, personal information may be processed for the purpose of preparing offers, preparing purchase forms, or fulfilling the requests of the data subject related to the outcome of the contract. During the contract preparation process, data subjects may be contacted based on the information they have provided.

Example: Obtaining the name and contact information of the authorized person from the contracting company.

The processing of personal data is permissible if it is necessary for the Company to fulfill its legal obligations; it is also permissible to process personal information if the law demands, requires, or permits such processing. Data processing must be necessary in terms of type and scope for the legally permitted data processing activity and must comply with the relevant legal provisions.

Example: Submitting information requested by a court order to the court.

Personal data may be processed by the Company only for the purpose of making it public, provided that the data has been made public.,

Example: If a person on a website indicates they want to buy a product with certain specifications and provides their phone number, this data can be processed without their explicit consent, provided it is limited to this specific context. In this way, individuals wishing to sell a car with those specifications can contact the person without needing any consent.

The processing of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the persons whose data is processed or third parties,

Example: Storing evidentiary data (sales contract, invoice) and using it when needed.

Personal data processing may be necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subjects; personal data may also be processed when the Company has a legitimate interest.

Legitimate interests include not only material gain but also interests that are in accordance with the law, morality, and public order.

Examples of legitimate reasons for the Company to process personal data include collecting receivables, avoiding breaches of contractual and legal obligations, and utilizing storage, hosting, maintenance, and support services for the purpose of providing IT services in terms of technical and security. The Company may also process employees' personal data for purposes such as promotions, salary increases, or the regulation of social benefits, or for the assignment of duties and roles during the restructuring of the business, provided that this does not harm the fundamental rights and freedoms of the employees. The Company will adhere to the fundamental principles of personal data protection and will consider the balance of interests between the data controller and the data subject.

The company's processing of personal data is necessary for the protection of the life or physical integrity of the data subject or another person, and in this case, the data subject is unable to express their consent due to factual impossibility or legal invalidity.,

Example: A customer who fainted had their blood type information given to doctors by their friends.

Special categories of personal data, excluding those related to the data subject's health and sexual life, may be disclosed in cases stipulated by law:

Example: processing of personal data by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

If the above-mentioned conditions are not met, the Company seeks the explicit consent of personal data owners, either directly or through its relevant customers, in order to carry out personal data processing activities.

Objectives;

Our company processes personal data for purposes including, but not limited to, ensuring the legal, technical, and commercial-business security of the Company and related individuals with whom the Company has a business relationship; carrying out necessary work by our relevant business units and managing related business processes for the performance of the commercial activities conducted by the Company; planning and executing the Company's commercial and/or business strategies; planning and executing the Company's human resources policies and processes, etc.

Determining and implementing company strategies and ensuring the execution of our company's human resources policies.,
In order to ensure the implementation of its human resources policies, the company shall: recruit suitable personnel for open positions in accordance with the company's human resources policies; conduct human resources operations in accordance with the company's human resources policies; and fulfill obligations and take necessary measures within the framework of Occupational Health and Safety.,
In order to ensure that the services offered by the company are performed by the relevant business units; the performance of independent audit, accounting services and consultancy services, etc., carried out by the company or obtained from external sources,
Administrative operations related to communication are carried out with the aim of ensuring the legal and commercial security of the company and those with whom the company has business relationships, as well as for the purposes of auditor independence, risk management, and quality control.,
Relationship management, account management, internal financial reporting, provision of information technology (IT) services (including storage, hosting, maintenance, support, and the use of a centralized distributed server system).
The processes and operations carried out for the purpose of determining and implementing the company's commercial and business strategies, financial operations, communication, market research and social responsibility activities, and the execution of purchasing operations (demand, offer, evaluation, order, budgeting, contract).
Determining and implementing company commercial and business strategies, managing internal systems and applications,
Planning, monitoring, and execution of information security processes; establishing and managing information technology infrastructure.,
Planning and executing employee satisfaction and/or engagement processes, planning and executing employee benefits and advantages, planning and executing employee access to information rights, monitoring and/or supervising employee work activities,
Monitoring of financial and/or accounting and legal matters,
Planning and executing market research activities for the sale, marketing and/or promotion of business operations and services.,
Planning and executing information access rights for business partners and/or suppliers, managing relationships with business partners and/or suppliers,
Planning and execution of corporate communications activities, planning and/or execution of corporate risk management activities, planning and execution of corporate sustainability activities, planning and execution of corporate governance activities,
Planning and executing customer relationship management processes, planning and/or monitoring customer satisfaction processes, tracking customer requests and/or complaints,
Fulfillment of obligations arising from employment contracts and/or legislation for company employees,
Ensuring the security of company assets and/or resources,
Planning and execution of external training activities,
Planning and executing the necessary operational activities to ensure that company operations are conducted in accordance with company procedures and/or relevant legislation.,
Ensuring that the data is accurate and up-to-date,
Planning and execution of talent and career development activities.,
Providing information to authorized persons and/or organizations as required by legislation,
Creating and tracking visitor records and ensuring the security of company premises and facilities.
Maintaining information regarding data that must be kept in accordance with relevant legislation, and fulfilling legal obligations.
Execution and follow-up of company legal affairs.
TRANSFER OF PERSONAL DATA
Domestic Transfer of Personal Data

The company is responsible for acting in accordance with the provisions of the Personal Data Protection Law (KVKK) and the decisions and relevant regulations issued by the Personal Data Protection Board regarding the transfer of personal data.

Personal and sensitive personal data of data subjects may not be transferred by the company to other natural or legal persons without the explicit consent of the data subject. However, in cases where required by the Personal Data Protection Law (KVKK) and other laws, data may be transferred to authorized administrative or judicial institutions or organizations without the explicit consent of the data subject, in the manner and within the limits stipulated in the legislation.

Furthermore, data transfer is possible without the consent of the data subject in the cases stipulated in Articles 5 and 6 of the Law. Our company may transfer personal data to third parties located in Türkiye and other companies that are members of the company network under the company's umbrella, in accordance with the conditions stipulated in the Law and other relevant legislation, and by taking all security measures specified in the legislation, provided that there is an existing signed contract with the data subject and unless otherwise stipulated in the said contract and the Law or other relevant legislation. Our company obtains explicit consent from individuals whose data is transferred within the country.

Transfer of Personal Data Abroad

Our company may transfer personal data to third parties in Türkiye, and may also transfer it abroad for processing or storage outside of Turkey, including through outsourcing, in accordance with the conditions stipulated in the Law and other relevant legislation as mentioned above, and by taking all security measures specified in the legislation, or, if there is an existing contract signed with the data subject, unless otherwise stipulated in that contract and the Law or other relevant legislation.

In exceptional cases where explicit consent is not required for the transfer of personal data as specified in the KVKK (Law on the Protection of Personal Data), in addition to the conditions for processing and transfer without consent, the existence of adequate protection in the country to which the data will be transferred is required. The Personal Data Protection Board will determine whether adequate protection is provided; if adequate protection is not provided, both the data controllers in Türkiye and the relevant foreign country must provide a written commitment to adequate protection and obtain the permission of the Personal Data Protection Board. Our company obtains explicit consent from the individuals whose data is processed.

Institutions and Organizations to Which Transfers Are Made

Information requested by public legal entities within the scope of their respective legislation is shared in accordance with Article 8 of the KVKK (Law on Protection of Personal Data). Other individuals or organizations to whom personal data may be transferred for the purposes stated above include: affiliated companies and/or domestic/foreign organizations with which the Company has direct/indirect service agreements, collaborations, or program partnerships, which are jointly responsible with the Company for taking data security measures such as the preservation of all types of personal data, preventing unauthorized access, and preventing unlawful processing; relevant public institutions and organizations; relevant department heads; and other third parties.

BUILDING ENTRANCES, PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING, AND WEBSITE VISITORS

Personal data processing activities carried out by our company in building corridors and offices are conducted in accordance with the Constitution, the Personal Data Protection Law, and other relevant legislation. To ensure security, our company monitors corridors and office interiors in buildings where workplaces are located using security cameras. Additionally, for security reasons, recordings are kept at entrances for visitors.

Our company processes personal data through security cameras, access cards, facial recognition systems, biometric data processing, and entry registration in order to improve the quality of the services provided, ensure reliability, protect the life and property of the company, data subjects, employees, and other individuals, and protect their legitimate interests.

The primary purpose of the company's video surveillance is to ensure security, and this is limited to the purposes listed in this policy. Accordingly, the areas monitored by security cameras, their number, and the timing of surveillance are implemented only to the extent necessary to achieve the security objective. Individuals are not subjected to surveillance in areas where it could result in an intrusion into their privacy beyond the scope of security purposes. The company takes the necessary technical and administrative measures in accordance with Article 12 of the Personal Data Protection Law (KVKK).

Digital records are stored and maintained in a limited manner, and access to these records is granted to only a limited number of company employees and subcontractor security personnel. Those with access to these records are obligated to protect the confidentiality of the data under a confidentiality agreement or information security commitment.

RIGHTS OF INDIVIDUALS WHOSE PERSONAL INFORMATION IS PROCESSED BY THE COMPANY

Individuals whose personal data is processed by our Company may apply to our Company in accordance with the procedures specified in this policy to request information about themselves;

To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.,
To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.,
Knowing the third parties to whom personal data is transferred, whether domestically or internationally.,
Requesting the correction of personal data if it has been processed incompletely or inaccurately.,
Even if personal data has been processed in accordance with the relevant legal provisions, if the reasons requiring the processing of personal data have ceased to exist, you may request the deletion or destruction of your personal data.,
Requesting that the actions taken pursuant to clauses (d) and (e) be notified to third parties to whom personal data has been transferred,
The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems, is considered within this scope. For example, an employee's right to object to their performance being evaluated based on an automated system that processes and analyzes their work would be evaluated accordingly.
Individuals who suffer damages as a result of the unlawful processing of their personal data have the right to claim compensation for those damages.
STORAGE OF PERSONAL DATA

Personal data of employees, job applicants, visitors, and employees of third parties, institutions, or organizations with whom our company has a relationship as a service provider are stored and destroyed in accordance with the Law. Detailed explanations regarding storage and destruction are given below.

Article 3 of the law defines the concept of processing personal data, Article 4 states that processed personal data must be relevant, limited, and proportionate to the purpose for which they are processed, and must be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data obtained within the scope of our company's activities are stored for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes. In our company, personal data processed within the scope of our activities are retained for the period stipulated in the relevant legislation. In this context, personal data;

Law No. 6698 on the Protection of Personal Data,
Turkish Code of Obligations No. 6098,
Public Procurement Law No. 4734,
Civil Servants Law No. 657,
Social Security and General Health Insurance Law No. 5510,
Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications,
Law No. 5018 on Public Financial Management,
Occupational Health and Safety Law No. 6331,
Law No. 4982 on the Right to Information,
Law No. 3071 on the Exercise of the Right to Petition,
Labor Law No. 4857,
Higher Education Law No. 2547,
Retirement Health Law No. 5434,
Social Services Law No. 2828
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
Regulation on Archival Services
They are stored for the retention periods stipulated within the framework of other legal regulations and other secondary regulations in force pursuant to these laws.

Our company stores personal data processed within the scope of its activities for the following purposes: to conduct recruitment and human resources processes, to ensure corporate communication, to protect the interests of the data controller and ensure company security, to perform business and transactions as a result of signed contracts and protocols, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors within the scope of the Personal Data Protection Law (KVKK), to organize and update the services provided accordingly, to ensure the fulfillment of legal obligations as required or mandated by legal regulations, to maintain contact with natural/legal persons with whom the company has a business relationship, to make legal reports, to fulfill the burden of proof as evidence in future legal disputes, to ensure occupational health and safety, to ensure physical premises security, and for other reasons specified in the laws and necessary for the conduct of business, for the periods specified in the relevant laws.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN REGARDING THE STORAGE OF PERSONAL DATA

In order to ensure the secure storage of personal data, prevent its unlawful processing and access, and to ensure the lawful destruction of personal data, our Company takes technical and administrative measures within the framework of adequate measures determined and announced by the Board for special categories of personal data, as required by Article 12 and Article 6, paragraph four of the Law.

Deletion, destruction, anonymization, and disposal of personal data.

In accordance with Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data, even if processed in accordance with the relevant legal provisions, will be deleted, destroyed, or anonymized at the Company's discretion or upon the request of the data subject if the reasons requiring its processing cease to exist. The Company reserves the right not to fulfill the data subject's request in situations where it has the right and/or obligation to retain personal data in accordance with the relevant legislation.

When personal data is processed non-automatically, provided it is part of a data recording system, a system is applied to physically destroy the personal data in a way that prevents its subsequent use. When the company contracts with an individual or organization to process personal data on its behalf, the personal data is securely deleted by that individual or organization in a way that prevents its recovery.

Our company adheres to the following principles in the storage and destruction of personal data:

a. The deletion, destruction, and anonymization of personal data are carried out in full compliance with the Law and relevant legislation, Board decisions, and this Policy.

b. All processes related to the deletion, destruction, and anonymization of personal data are recorded by the Company, and these records are kept for at least 3 (three) years, excluding other legal obligations.

c. Unless the Board decides otherwise, we choose the appropriate method from among the methods of deleting, destroying or anonymizing personal data ex officio. However, if requested by the Data Subject, the appropriate method will be chosen and the reasons for it explained.

d. If all the conditions for processing personal data set forth in Articles 5 and 6 of the Law cease to exist, the personal data is deleted, destroyed, or anonymized by the Company ex officio or upon the request of the data subject. If the data subject applies to the Company regarding this matter, the requests are answered within a maximum of 30 (thirty) days. If the data in question has been transferred to third parties, this is notified to the third party to whom the data has been transferred, and the necessary actions are taken with those third parties.

Personal data of data subjects are stored by our Company, specifically within the limits specified in the Law and other relevant legislation, for (i) the continuation of commercial activities, (ii) the fulfillment of legal obligations, and (iii) the planning and implementation of employee rights and benefits.

Regarding personal data processed by our company within the scope of our activities and legal obligations; retention periods for all personal data related to activities carried out in accordance with the processes are recorded in the Personal Data Processing Inventory on a per-personal data basis; retention periods based on data categories are recorded in the VERBİS registration.

The Personal Data Protection Commission will make updates to these retention periods as needed. For personal data whose retention periods have expired, the Personal Data Protection Commission will automatically delete, destroy, or anonymize the data.

In accordance with the relevant legislation, our company has set the periodic destruction period as 6 months. Accordingly, periodic destruction operations are carried out in our company every year in June and December. All processes related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least 3 (three) years, excluding other legal obligations.

EXERCISING THE RIGHTS OF THE DATA SUBJECT

As a data subject, you can submit your requests regarding the rights listed above by filling out and signing the Application Form available at www.zelglobal.com, along with information and documents that will help us identify you, and sending it to CNG Cengiz Tedarik Dış Tic. Ltd. Şti. Bağyurdu Yeni Mah. Ova Yolu Küme Evleri No.78-A /1 Kemalpaşa – İZMİR. You can also present the application form to our Human Resources department in person or send it to info@zelglobal.com with the subject line "KVKK Application". For third parties to submit applications on behalf of data subjects, a special power of attorney, notarized by the data subject, must be provided for the person making the application.

If the data subject submits a request to our company, the request will be processed within a maximum of thirty days, depending on its nature. If the requested process requires additional costs, a fee may be charged according to the tariff determined by the Board. If the request is due to an error on the part of the data controller, the fee charged will be refunded to the data subject.

Our company may request information and documents from the applicant to determine whether they are the data subject. Our company may also ask the data subject questions regarding their application to clarify the points raised in their application.

Our company may reject an applicant's application, stating the reasons, in the following cases:

The processing of personal data for purposes such as research, planning, and statistics, through official statistics and by anonymizing it.
Personal data may be processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime.
Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public safety, public order, or economic security.
Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.
The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data that has been made public by the data subject.
Personal data processing is permitted only when authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, are required for the performance of their supervisory or regulatory duties, or for disciplinary investigations or prosecutions, based on the authority granted by law.
Personal data processing is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax, and financial matters.
The data subject's request may infringe upon the rights and freedoms of other individuals.
The demands made required disproportionate effort.
The requested information must be publicly available.
CIRCUMSTANCES WHERE THE DATA SUBJECT CANNOT ASSERTE THEIR RIGHTS

According to Article 28 of the Personal Data Protection Law (KVKK), the following cases are excluded from the scope of the KVKK, therefore personal data owners cannot exercise the rights listed above in these matters:

The processing of personal data for purposes such as research, planning, and statistics, through official statistics and by anonymizing it.
Personal data may be processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime.
Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public safety, public order, or economic security.
Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.

According to Article 28/2 of the KVKK (Law on Protection of Personal Data), personal data owners cannot exercise any of the rights listed in item 9, except for the right to claim compensation for damages, in the following cases:

The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data that has been made public by the data subject.
Personal data processing is permitted only when authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, are required for the performance of their supervisory or regulatory duties, or for disciplinary investigations or prosecutions, based on the authority granted by law.
Personal data processing is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax, and financial matters.
OTHER MATTERS

In case of any inconsistency between the provisions of the Personal Data Protection Law (KVKK) and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation shall take precedence.

This Policy, prepared by our company as the data controller, has entered into force in accordance with the decision taken by the Company's Board of Directors.

CNG CENGIZ SUPPLY FOREIGN TRADE INC.
DATA SUBJECT INFORMATION REQUEST FORM

Dear Applicants,

The protection of personal data, a constitutional right, is of utmost importance to our company. Article 11 of the Law No. 6698 on the Protection of Personal Data ("Personal Data Protection Law") grants data subjects ("Applicants"), defined as data subjects, the right to make various requests regarding the processing of personal data. In accordance with the PDP, applications concerning these rights must be submitted to our company, which is the data controller, in writing or through other methods determined by the Personal Data Protection Board ("Board").

Applications you submit to us in writing through the channels below will be processed free of charge within a maximum of 30 days from the date your request is received by our Company, in accordance with Article 13 of the Personal Data Protection Law. However, if the process requires additional costs, the fee determined by the Board may be requested from you.

DATA SUBJECT'S IDENTITY AND CONTACT INFORMATION

The personal data you provide through this form is collected solely for the purpose of evaluating and processing your application and contacting you; it will not be processed for any other purpose.

Data Controller: CNG CENGİZ TEDARİK DIŞ TİCARET ANONİM ŞİRKETİ

Applicant's Name and Surname:

Turkish Republic Identity Number:

Phone Number:

Address:

Email Address:
KEP ADDRESS (If any):

Your Relationship with Our Company:
(Customer, visitor, business partner, job applicant,
(former employee, third-party company employee, shareholder, etc.)

Do you still have a relationship with our company?

INFORMATION REGARDING THE RIGHTS THAT THE DATA SUBJECT MAY EXERCISE

(Please check the circles next to the statement that matches your request.)

I would like to know if your company processes personal data.
If you process personal data, I request information about these data processing activities.
If you are processing personal data, I would like to know the purpose of this processing and whether it is being used in accordance with its intended purpose.
If my personal data is transferred to third parties domestically or internationally, I want to know who those third parties are.
I request that my personal data be corrected as it has been processed incompletely or inaccurately.
Although my personal data has been processed in accordance with the law, I request that my personal data be deleted.
I request that my personal data, which I believe has been processed incompletely and incorrectly, be corrected by the third parties to whom it has been transferred.
I request that the personal data I have requested to be deleted also be deleted from the hands of the third parties to whom it has been transferred.
I believe that my personal data processed by your company was analyzed exclusively through automated systems, and that this analysis resulted in a conclusion that is detrimental to me. I object to this conclusion.
Other : …………………………..
EXPLANATION REGARDING THE REQUEST:
HOW TO DELIVER OUR RESPONSE TO YOUR APPLICATION

Please send it to my address.
Please send it to my email address.
I will pick it up in person once you inform me by phone.
APPLICANT'S STATEMENT

This application form has been prepared to identify your contact with our company, CNG Cengiz Tedarik Dış Ticaret Limited Şirketi, and to identify any personal data processed by our company, so that we can provide an accurate and timely response to your application. To prevent errors and ensure the security of your personal data, our company reserves the right to request additional documents and information (such as a copy of your national identity card or driver's license) for identity and authorization verification. Our company is not liable for any legal or criminal consequences arising from inaccurate or outdated information in your applications, unauthorized applications, or applications that are unlawful, misleading, or false.

APPENDICES

(Please indicate if you wish to include any documents with your application.)

APPLICATION PROCEDURE

You can submit your written application by filling out this form; by mail with a wet signature to our company's headquarters address, CNG Cengiz Tedarik Dış Tic. Ltd. Şti., Bağyurdu Yeni Mah. Ova Yolu Küme Evleri No.78-A /1 Kemalpaşa – İZMİR; physically to the Human Resources department representative of our company against signature; or by sending it to info@zelglobal.com with the subject line "KVKK Application".

Data Subject
Name and Surname:
Application Date:
Signature:

Individuals Applying on Behalf of Others
(Individuals applying on behalf of someone else must include documents proving their authorization to apply (such as a notarized power of attorney) with their application.)

Name and Surname:
Application Date:
Signature:

Thank you,

CNG CENGIZ SUPPLY FOREIGN TRADE INC.

Address: Bagyurdu Yeni Mah. Ova Yolu Cluster Houses No: 78 A Inner Door No: 1 Kemal Paşa / İzmir

Phone:0232 880 60 06

Commercial Product Group

Canned

Jars

Beverages

Ready Meals

Soups

Corporate

Product Categories

Contracts