Privacy Notice

As Şef Bilişim Hizmetleri Anonim Şirketi, PlusClouds, we introduce our general policy on protecting the privacy of our customers along with the collection, use, disclosure and sharing of personal data. The purpose of this Privacy Notice is to inform you of our practices regarding the collection, use and disclosure of personal information that may be provided through accessing or using our services. By using the relevant products and services or visiting our website, you consent to the collection, use and disclosure of your personal information (as defined below) in accordance with the following terms and conditions. Personal Information

“Personal Information” refers to any information relating to an identified or identifiable natural person.

Information We Collect?

The information we collect includes::

• Name/Lastname
• Date of Birth
• Phone number
• E-mail address
• In case of corporate use; Taxing body, company address or company title

How We Use Your Personal Data

We use your personal data to do the following in order to provide you with even better and faster service:

• To improve our services
• To personalize and advance our services
• To identify how you use your services and analyze the service we provide
• To develop new services, features and functionalities
• To provide updates and other information about the services
• To offer you special advertisements, campaigns, advantages along with other benefits related to our services and products, and to provide you with the necessary information via e-mail or telephone.

When Do We Disclose Your Personal Information?

We do not sell, license or rent your personal information without your consent.

The circumstances in which we may share your personal information are as follows;

• When we have your consent
• In the event of a court order or summoning to testify, in accordance with the applicable rules of law and regulatory rules
• In the event of an offer or an actual purchase, sale (whether in a liquidation, realization, foreclosure or redemption), lease, merger, amalgamation or any other type of transfer, liquidation, conveyance, transfer or vacation of any part or any portion of PlusClouds' business, assets or shares so that you may continue to receive the same products and services from the third party.

Knowledge and Consent

We only obtain personal information if you provide it voluntarily. We seek consent for the use and disclosure of your personal information especially at the time of collection. There might be some cases where consent is obtained after the information has been collected, but before use (for example, if the information is to be used for a purpose not covered herein). The form of consent we obtain, directly or indirectly, may vary depending on the sensitivity of the personal information and the reasonable expectations of individuals in these situations. You can withdraw your consent at any time, subject to legal and contractual limitations and appropriate notice. If you wish to withdraw your consent at any time, please contact us at [email protected]. We will then inform you of how to withdraw your consent. As a condition of the supply of a product or service, we will not ask you to consent to the collection, use or disclosure of information beyond that which is expressly stated to be provided and which is necessary for the fulfillment of legitimate purposes.

Use and Disclosure for Marketing

If you do not wish to exclude marketing, we may also use your personal information for the marketing of products, services and offers to our affiliates and/or business partners. If you give your consent, we may share your personal information (your name, mail/e-mail address) with our affiliates and third party partners so that they can send you marketing material.

If you do not want us to use your personal information for direct marketing purposes, you can contact us at the contact information below to let us know that you do not want to share your contact information.

Cookies

Our visitors should be aware that information is collected through cookies with the current state of our web server. The information collected this way is not personal information.

Cookies are small text files that a website may use to recognize repeat users, facilitate user access and use of the site, and allow a site to track usage behavior and compile aggregate data that will allow content improvements and targeted advertising. Cookies are not programs that enter into a system and damage files. In general, cookies work by assigning each customer a unique number that has no meaning outside the assigned site. If you do not want cookies to collect information, there is a simple procedure in most browsers that allows a visitor to refuse or accept the cookie feature; however, be aware that cookies may be necessary to provide certain features (e.g., special delivery of information) to visitors of our website.

How We Protect Your Personal Information

We make commercially-reasonable efforts to ensure that personal information collected from you is protected against loss and unauthorized access. This protection applies to information stored in both electronic and hard copy form. Access to your personal information is limited to selected employees or reps. We also use generally accepted information security techniques such as firewalls, access control procedures and encryption to protect personal information against loss and unauthorized access.

Links and Third Parties

The website may offer links to other third party websites. You should be aware that the operators of linked websites may also collect personal information (including information generated with cookies) when you link to their websites. We are not responsible for how such third parties collect, use or disclose your personal information, so it is important that you familiarize yourself with their privacy policies before providing your personal information.

Obtaining and Storing Your Personal Information

Your personal information is collected for the reasons described above and in accordance with the law, and your consent remains valid even after the termination of the relationship between you and us.

Changes to the Privacy Notice

We reserve the right to change the Privacy Notice at any time. The current version of the Privacy Notice can be updated continuously on our website and is valid from that moment on.

Changing and Updating Your Information

In case there are changes to your information, you can help us with ensuring the accuracy of said information. You can contact us with any change or update to be made to your information.

Your rights

Regarding the collection of your information, you have the following rights: a) To learn whether personal data is processed or not, b) Request information if personal data has been processed, c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose, d) To know which third parties your personal data is shared with (domestically or abroad), e) To request correction of personal data in case of incomplete or incorrect processing, f) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Personal Data Protection Law, g) To request notification of the transactions made pursuant to subparagraphs "d" and "e" to third parties to whom personal data is transferred, h) To object to the emergence of a result to the detriment of the person themselves by analyzing the processed data exclusively through automated systems, i) To demand compensation of damage in case of a damage due to unlawful processing of personal data.

Contact Information

If you have any questions regarding the Privacy Notice, or if you believe that we have violated the Privacy Statement, you can contact us at +90 850 321 88 99 or send an e-mail to [email protected].

Protection of Personal Data and Privacy

The Employee accepts, declares and undertakes that they will undisclose all kinds of personal data belonging to natural persons that they learn, access, obtain, record or process on behalf of the Employer, which is the data controller, as long as their business relationship with the Employer continues; will take the utmost care for its safe storage; will not share it with unauthorized persons within the company; will not use it for personal and unlawful purposes and will not share it with third parties illegally.

The personnel agrees, declares and undertakes to immediately and without delay return and/or destroy any personal data belonging to natural persons that they have learned, accessed, obtained, recorded or processed on behalf of the data controller Employer, while their business relationship with the Employer continues; in the event that their business relationship with the Employer is terminated, they agree, declare and undertake to return it to the Employer or destroy immediately and without delay so that it will not remain in their possession and cannot be recovered. Due to the defective actions of the Personnel contrary to this article; In the event that the data controller Employer is imposed an administrative fine sanction due to violation of the Personal Data Protection Legislation and/or the data controller Employer is under any kind of compensation obligation against the damaged data owner, the Personnel accepts and declares that the Employer is responsible for the damages suffered by the Employer. In this context, the Employer has the right to recourse to the Personnel who is at fault for the financial responsibilities to be incurred due to the unlawful actions of the Personnel. In addition, the Employer reserves the right to terminate the employment contract immediately for just cause.

Clarification Text Regarding Security Cameras

The Purpose and Scope of the Clarification Text

Herein Clarification Text has been prepared by ŞEF BİLİŞİM HİZMETLERİ ANONİM ŞİRKETİ ("Company") as data controller, carrying out the recruitment process as per the scope of Article 10(ten) of Law on the Protection of Personal Data numbered 6698 regarding the Communiqué on the Procedures and Principles to be Followed within the scope of the Obligation to Inform.

*Herein Clarification Text includes details regarding the camera surveillance system in the workplace where our Company operates and information about the security measures to protect personal data, privacy, fundamental rights and legitimate interests of those in the monitoring areas.

Areas with Camera Monitoring Activities

Camera surveillance is implemented in both indoor and outdoor areas. There are a total of ... cameras in all areas. Said number of cameras is necessary to ensure security and does not serve any other purpose. All cameras are recording 24 hours a day, 7 days a week and the images are stored in digital media through recording devices within our Company. Cameras are divided into two as indoor and outdoor cameras. Indoor cameras are able to monitor the corridors, ..., except for restrooms. Outdoor cameras are able to monitor the elevator, the entrance door, ... . The cameras have been carefully positioned to ensure that the monitoring activity is kept to a minimum and limited to the purpose of monitoring.

Purpose of Camera Monitoring Activities

Camera monitoring system includes all video surveillance and recording activities. Carrying out surveillance activities is part of our security policy. Our company carries out this system only for the purpose of ensuring physical security within the company.

Method of Collection of Personal Data Obtained by Camera Monitoring and Legal Grounds

Personal data is processed automatically in digital media through camera recording devices based on the legal reasoning according to the Article 5 of the Law; "It is Mandatory for the Data Controller to Fulfill its Legal Obligation" and "It is Mandatory to Process Data for the Legitimate Interests of the Data Controller, provided that it does not harm the Fundamental Rights and Freedoms of the Data Subject".

Who Has Access to Personal Data Obtained Through Camera Monitoring and Who the data is Shared with

Only a limited number of employees have access to the digitally recorded and stored camera recordings. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access. Personal data obtained through camera surveillance activities are not shared with third parties without the "Explicit Consent" of the data owner. It may be shared with authorized public institutions and organizations only in cases stipulated by the relevant legislation, in order to resolve legal disputes and to meet this request if requested by authorized public institutions and organizations. During the transfer of personal data, the principles stipulated in Article 8 of the Law are complied with. Personal data obtained through camera surveillance activities are not shared abroad..

Ensuring the Security of Personal Data Obtained through Camera Monitoring

Technical and organizational measures are taken to ensure the integrity of camera monitoring activities and the security of personal data. In this context, an access policy is adopted in which only authorized persons can access the data obtained and the personal data obtained are not transferred to third parties in any way other than authorized public institutions and organizations.

Storage Period of Personal Data Obtained by Camera Monitoring

Although the image records obtained through camera surveillance activities vary according to the importance of the records kept by our Company and the technical capacity of the recording devices, the period of storage of the records is on average ... days and maximum ... days.

Informing Data Subjects about Camera Monitoring

Layered lighting is provided by using symbols, signs and icons in certain areas within the workplace of our Company. In addition, this Clarification Text is published on our website.

Rights of Data Subjects Monitored by Security Cameras

ach personal data owner has the rights; (I) To learn whether their personal data is processed by our Company, (II) To request information if their personal data is processed, (III) To learn the purpose of processing their personal data and whether it is used in accordance with its purpose, (IV) To know the third parties with whom their personal data is shared with, (V) To request correction of personal data if it is incomplete or incorrectly processed, (VI) To request deletion or destruction of personal data within the framework of the conditions stipulated in the Law, (VII) To request notification of the sharing made with 3rd parties in accordance with subparagraphs (v) and (vi), (VIII) To object to the occurrence of a result to the detriment of the person themself by analyzing their personal data exclusively through automated systems, (IX) and to request compensation for the damage suffered due to unlawful processing of personal data. If personal data owners wish to make a request regarding the above-mentioned rights, they will be able to fill out the Data Owner Application Form on our website and submit it to us. Duly submitted requests will be finalized within thirty days at the latest. If the finalization of such requests requires an additional cost, the applicant may be asked for the fee determined by the Personal Data Protection Board. Pursuant to Article 14 of the Law, the personal data owner may file a complaint to the Board within thirty days from the date they get the answer given by our Company, or within sixty days from the date of application in case their application is rejected, the answer given is insufficient or the application is not answered in due time.

Data Controller Information

• Trade Name: Şef Bilişim Hizmetleri Anonim Şirketi
• Trade Registry Number: Istanbul Trade Registry Office - 886402
• MERSIS Number: 0085039895341229
• Tax Office: Maslak Tax Office, Tax Identification Number: 0850398953
• Address: Maslak Mah. Dereboyu 2 Cad. Nurol Plaza No:21/A Sarıyer/Istanbul
• Registered Electronic Mail: [email protected]
• Phone Number: +90 (850) 321 88 99

Data Breach Response Plan

Purpose, Scope and Definitions

Purpose Article 1 - The purpose of this Plan is to protect the fundamental rights and freedom of individuals, especially the privacy of private life, in the processing of personal data as ŞEF BİLİŞİM HİZMETLERİ ANONİM ŞİRKETİ ("COMPANY"). It is also to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to fulfill obligations to take all necessary technical and administrative measures to ensure the appropriate level of security in order to protect personal data, in the event that the personal data processed is obtained by others illegally. The purpose of this Plan is to define the roles and responsibilities, and to regulate the procedures and principles regarding issues such as who will get reported to in the COMPANY in its capacity as the data controller, the notifications to be made within the scope of the Law and the determination of who is responsible for the evaluation of the possible consequences of a data breach.

Scope Article 2 - The scope of this Plan includes the employees in charge of processing personal data processed by the COMPANY, physically or electronically. Definitions Article 3 - In the implementation of this Plan; a) Data subject: The natural person whose personal data is processed, b) Company: Şef Bilişim Hizmetleri Anonim Şirketi c) Law: Law No. 6698 on the Protection of Personal Data, d) Personal data: Any information relating to an identified or identifiable natural person, e) Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, f) Board: Personal Data Protection Board, g) Sensitive personal data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data (the term "personal data" used in the continuation of this Plan includes special categories of personal data to the extent appropriate), h) Plan: COMPANY Data breach response plan, i) Data Breach: Unlawful acquisition of personal data (processed by the data controller) by others, j) Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller, k) Data recording system: The recording system in which personal data is structured and processed according to certain criteria, l) Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Breach

Data Breach Article 4 - Pursuant to paragraph 5 of Article 12 of the Law, Data Breach occurs when personal data processed by the COMPANY is unlawfully obtained by others. In addition to the above definition; accidental unlawful destruction, loss, alteration, unauthorized disclosure and/or unauthorized access to personal data transmitted, stored or processed will also be considered as a Data Breach under the Plan.

Objectives, Officers and Responsibilities

Objectives Article 5 - In the event of a Data Breach, the COMPANY's objectives within the framework of the Plan are; 1. To investigate the incident that caused the Data Breach internally before all relevant departments (in cooperation with law enforcement and other public institutions and organizations where necessary), 2. To identify the source of the Data Breach, 3. To identify the categories of personal data affected by the Data Breach, 4. To identify the groups of people/parties affected by the Data Breach, 5. To identify the current and/or potential effects that the parties affected by the Data Breach have suffered and are likely to suffer, and to minimize related damages, 6. To determine the extent of the effects of the Data Breach on the COMPANY's organization, commercial loss, reduction in operations, reputational losses and/or financial damages and to ensure that they are minimized in accordance with the law, 7. To determine the time of recovery after the Data Breach; 8. If there is a cyber attack; a. Whether the information systems are affected by the cyber attack, b. The breach element that occurred as a result of the attack, c. The effects of the cyber attack on the COMPANY's organization, and d. To determine the time of recovery after the cyber attack, 9. To determine the steps taken to prevent the breach from recurring and to calculate how long it will take to complete them, 10. To report the event that caused the Data Breach or the loss resulting from the event; a. To the Board within 72 hours in accordance with the law, b. To the relevant persons affected by the Data Breach as soon as possible with appropriate methods, c. To the employees as soon as possible, d. If necessary, to other organizations or institutions in the country in accordance with the relevant legal obligations, 11. To organize internal audits, organize training activities and ensure internal communication after the event that led to the Data Breach in order to minimize possible Data Breaches that may occur in the future; and 12. To record the information, effects and measures taken regarding data breaches and to keep them ready for the Board's review.

Officers and Responsibilities Article 6 - In the event of a Data Breach, the departments that are going to take charge are determined in accordance with this Plan within the COMPANY, according to the nature of the event that caused the Data Breach; however, in all circumstances, at least one representative from each of the departments listed in the table below will be assigned. The responsibilities of the representatives are also specified in the same table.

Customer Explicit Consent Text

At ŞEF BİLİŞİM HİZMETLERİ ANONİM ŞİRKETİ ("Company") as the data controller, we process your personal data within the scope of the "Clarification Text" we have prepared in accordance with Article 10 of the Personal Data Protection Law No. 6698, and “the Communiqué on the Procedures and Principles to be Followed within the scope of the Obligation to Inform”. Some of the personal data that needs to be processed in order to ensure your satisfaction as our customer, depends on your explicit consent, since it is not within the scope of the data processing conditions in the Personal Data Protection Law that are not subject to consent. If you create an account with your explicit consent, some of your personal data may be processed by us and shared with our domestic product/service providers, suppliers and business partners.

Personal Data Processed Depending on Your Explicit Consent

Your personal data is processed with your explicit consent within the scope of sales and marketing processes and data analysis activities carried out by our company for this purpose. In order to inform you about our products and services, to contact you by SMS, e-mail and telephone in order to inform you about advertisements, campaigns and promotions, your "communications data" may be processed depending on the legal reason of "explicit consent" in paragraph 1 of Article 5 of the Law and may be shared with our domestic business partners/suppliers for the same purposes and legal reasons. For purposes such as creating customized advertisements, promotions and campaigns, conducting activities to increase your experience by tracking your user movements, developing our products and services according to your needs; your Identity and Communications Data, such as name-surname, e-mail, telephone and cookies, products and services you have used before, information obtained by us through promotions, campaigns, your user movements within the panel, etc. Your Marketing Data may be processed depending on the legal reason of "explicit consent" in paragraph 1 of Article 5 of the Law and may be shared with our domestic business partners/suppliers for the same purposes and legal reasons.

Clarification Text

The Purpose and the Scope of the Clarification Text, This Clarification Text has been written by ŞEF BİLİŞİM HİZMETLERİ ANONİM ŞİRKETİ ("Company") as the data controller within the scope of Article 10 of the Personal Data Protection Law No. 6698 and the Communiqué on the Procedures and Principles to be Followed within the scope of the Obligation to Inform. This Clarification Text has been prepared in order to inform natural persons who are users of our products and services ("Customer"), representatives of legal entities who are users ("Customer Representative") and potential users ("Potential Customer") and to ensure that these persons can use their rights effectively.

Principles of Processing Personal Data, Your personal data is processed by our Company in accordance with the law and honesty rules; accurate and up-to-date when necessary; for specific, clear and legitimate purposes; connected, limited and measured for the purpose for which they are processed; in accordance with the rules of retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed and for the purposes specified in Article 4 of this Clarification Text.

Personal Data Being Processed;

• Identification (name, surname, tckn, vkn etc.)
• Contact (phone number, e-mail address, address, etc.)
• Marketing (cookie records, customer's membership information, information obtained through promotions, campaigns, user movements, etc.)
• Audiovisual Records (call center voice recordings)
• Financial Data
• Customer Transaction (order information, invoice information, credit card information, etc.)
• Transaction Security (IP address information, location information, system login and logout information, etc.)

Scope of Processing Personal Data

Accessing and using our website or other online services When you access our website or use an online service, information such as your password, IP address and browser settings are recorded in order to comply with the relevant security and legal requirements necessary for the website to function. In addition, information about the transactions you perform during your website visit is also recorded in order to personalize the website experience, such as saving preferences and settings, and to obtain statistics to help improve and further develop our products and services.

Completion of membership/account creation, member/user activation processes; If you request to create an account on our website; your personal data is recorded for transactions such as opening an account, creating membership, and activating the account.

Establishment and performance of a contractual relationship Your personal data processed in connection with a request, order, transaction, contract (or related preparation processes), or to provide the requested product/service is processed as necessary for the establishment and performance of a contract with our customers.

Responding to requests for information, orders or support When you contact our Company to order a product/service or to request support, we receive the information necessary to fulfill your request, provide you with access to products/services, provide you with support, and contact you.

Use of cloud technology services Your information about the use of Cloud services is recorded to ensure the operation of product features, to improve your user experience, to adapt our interactions with you, to inform you about the general use of the services, to provide you with support and to improve and develop our products/services.

Communication with our customers, customer representatives and potential customers Your business contact information (such as name, business contact information, position or title of employees, consultants and authorized users) is recorded for purposes such as contract management, order management, delivery of products and services, provision of support, invoicing, service or relationship management in our relationship with you, Customer representatives or potential customers.

Conducting marketing processes Most of the information we obtain about you comes from our direct interactions with you. When you register for an event, we may obtain information (online or offline) about the event and, for example, participation in sessions during the event or survey results. The personal data we obtain is aggregated to develop aggregated analytics and business intelligence for business and marketing purposes. It is aimed to improve our products and services, increase customer satisfaction, identify the needs of potential customers in similar segments, optimize new customer acquisition, etc. You can choose to receive information about our products and services by e-mail, telephone or mail. Personalized information may be provided to you while visiting our website or using our services.

Purposes of Processing Personal Data; Your personal data is processed for the following purposes within the scope of the activities listed above.

• Execution of contract processes
• Execution of product/service sales processes
• Carrying out communication activities with customers
• Addressing the customer correctly
• Managing user/member activation processes
• Managing marketing processes
• Managing advertising/campaign/promotion/information processes (making calls,sending SMS/mails)
• Conducting marketing analysis studies (product development, optimization, increasing customer satisfaction, identifying the needs of potential customers in similar segments, optimizing new customer acquisition)
• Follow-up of requests/complaints
• Execution of product/service after-sales support services
• Conducting activities for customer satisfaction
• Receiving payment for the product/service sold
• Managing information security processes

The data is processed for these purposes in accordance with the personal data processing conditions specified in Articles 5 and 6 of the Law. Sharing of Personal Data, As a rule, your personal data is not shared with third parties without your "Explicit Consent". Your personal data is shared with 3rd parties only in the following exceptional cases.

To authorized public institutions and organizations upon request in cases stipulated by the relevant legislation,

• Data may be shared with our business partners, solution partners and suppliers from whom we receive support in order to effectively carry out activities related to our products and services. During the sharing of personal data, the principles stipulated in Article 8 of the Law are complied with. Your personal data is not transferred abroad without your "Explicit Consent". Method of Collection of Personal Data and Legal Reasoning Your Personal data is collected through account creation forms on our website, fields in the content of the user page that can be filled in depending on your preference, your requests and applications, contracts, campaigns and third party authentication systems, other printed/electronic documents, printed/electronic forms, call center records, e-mails, information security systems and electronic devices and internet browsers and are processed by automatic and non-automatic methods. Among your personal data listed in Article 3 of this Clarification Text; -While the legal reason for the processing of your Marketing Data (processed within the scope of marketing processes) is "Explicit Consent" regulated in paragraph 1 of Article 5 of the Law
• the legal reason for the processing of rest of your personal data (processed within the scope of other activities) is "Explicit Consent" regulated in paragraph 2 of Article 5 of the Law: "It is Necessary to Process Personal Data of the Parties to the Contract, Provided that it is Directly Related to the Establishment or Execution of a Contract", "Explicitly Stipulated in the Laws", "It is Mandatory for the Data Controller to Fulfill its Legal Obligation" and "Legitimate Interest of the Data Controller". Storage and Destruction of Personal Data Detailed information about the storage and destruction of your personal data, storage periods of personal data, recording media of personal data and techniques of destruction from these media, technical and administrative measures taken for the protection of personal data, destruction periods, etc. is included in our policy titled "Storage and Destruction Policy" published on our website. Rights of Data Subjects Each personal data owner has the rights; (I) To learn whether their personal data is processed by our Company, (II) To request information if their personal data is processed, (III) To learn the purpose of processing their personal data and whether it is used in accordance with its purpose, (IV) To know the third parties with whom their personal data is shared with, (V) To request correction of personal data if it is incomplete or incorrectly processed, (VI) To request deletion or destruction of personal data within the framework of the conditions stipulated in the Law, (VII) To request notification of the sharing made with 3rd parties in accordance with subparagraphs (v) and (vi), (VIII) To object to the occurrence of a result to the detriment of the person themself by analyzing their personal data exclusively through automated systems, (IX) and to request compensation for the damage suffered due to unlawful processing of personal data. If personal data owners wish to make a request regarding the above-mentioned rights, they will be able to fill out the Data Owner Application Form on our website and submit it to us. Duly submitted requests will be finalized within thirty days at the latest. If the finalization of such requests requires an additional cost, the applicant may be asked for the fee determined by the Personal Data Protection Board. Pursuant to Article 14 of the Law, the personal data owner may file a complaint to the Board within thirty days from the date they get the answer given by our Company, or within sixty days from the date of application in case their application is rejected, the answer given is insufficient or the application is not answered in due time. Data Controller Information Trade Name: Şef Bilişim Hizmetleri Anonim Şirketi Trade Registry Number: Istanbul Trade Registry Office - 886402 MERSIS Number: 0085039895341229 Tax Office: Maslak Tax Office, Tax Identification Number: 0850398953 Address: Maslak Mah. Dereboyu 2 Cad. Nurol Plaza No:21/A Sarıyer/Istanbul Registered Electronic Mail: [email protected] Phone Number: +90 (850) 321 88 99

Clarification for Suppliers, Business/Solution Partners and their Authorities, Representatives, etc.

This Clarification Text has been written by ŞEF BİLİŞİM HİZMETLERİ ANONİM ŞİRKETİ ("Company") as the data controller within the scope of Article 10 of the Personal Data Protection Law No. 6698 and the Communiqué on the Procedures and Principles to be Followed within the scope of the Obligation to Inform. This Clarification Text has been prepared in order to inform natural persons who are users of our products and services ("Customer"), representatives of legal entities who are users ("Customer Representative") and potential users ("Potential Customer") and to ensure that these persons can use their rights effectively.Principles of Processing Personal Data Your personal data is processed by our Company in accordance with the law and honesty rules; accurate and up-to-date when necessary; for specific, clear and legitimate purposes; connected, limited and measured for the purpose for which they are processed; in accordance with the rules of retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed and for the purposes specified in Article 4 of this Clarification Text.

Personal Data Being Processed, Our Company requests "Identity Data", "Contact Data" and "Financial Data" in the processes of receiving offers from suppliers, purchasing products/services, as well as in the processes of establishing a business/solution partnership and executing the contract.

Our Company requests "Identity Data", "Contact Data", "Financial Data" in the processes of receiving offers from suppliers, purchasing products/services, as well as in the processes of establishing a business/solution partnership and executing the contract.

Purposes of Processing Personal Data;

• Execution of contract processes,
• Conducting communication activities,
• Execution of goods/service procurement processes,
• Payment for purchased goods/services

The purposes are in accordance with the personal data processing conditions specified in Article 5 of the Law. Personal data are not shared with third parties without "Explicit Consent". Such personal data may be shared with authorized public institutions and organizations only in cases stipulated by the relevant legislation, in order to resolve legal disputes and to meet this request if requested by authorized public institutions and organizations. During the sharing of personal data, the principles stipulated in Article 8 of the Law are complied with. Personal data is not shared abroad. Method of Collection of Personal Data and Legal Reasoning Personal data are processed by automatic and non-automatic methods by obtaining information from electronic and/or non-electronic media, verbally or in writing, during the processes of receiving offers from the supplier, purchasing products/services, as well as during the establishment of the contract for the establishment of a business/solution partnership and the execution of the contract. The legal reason for the processing of personal data listed in Article 3 of this Clarification Text is that "It is Necessary to Process Personal Data of the Parties to the Contract, Provided that it is Directly Related to the Establishment or Execution of a Contract", "It is Mandatory for the Data Controller to Fulfill its Legal Obligation" and "It is Mandatory to Process Data for the Legitimate Interests of the Data Controller, provided that it does not harm the Fundamental Rights and Freedoms of the Data Subject," in paragraph 2 of Article 5 of the Law. 7. Rights of Data Subjects Each personal data owner has the rights; (I) To learn whether their personal data is processed by our Company, (II) To request information if their personal data is processed, (III) To learn the purpose of processing their personal data and whether it is used in accordance with its purpose, (IV) To know the third parties with whom their personal data is shared with, (V) To request correction of personal data if it is incomplete or incorrectly processed, (VI) To request deletion or destruction of personal data within the framework of the conditions stipulated in the Law, (VII) To request notification of the sharing made with 3rd parties in accordance with subparagraphs (v) and (vi), (VIII) To object to the occurrence of a result to the detriment of the person themself by analyzing their personal data exclusively through automated systems, (IX) and to request compensation for the damage suffered due to unlawful processing of personal data. If personal data owners wish to make a request regarding the above-mentioned rights, they will be able to fill out the Data Owner Application Form on our website and submit it to us. Duly submitted requests will be finalized within thirty days at the latest. If the finalization of such requests requires an additional cost, the applicant may be asked for the fee determined by the Personal Data Protection Board. Pursuant to Article 14 of the Law, the personal data owner may file a complaint to the Board within thirty days from the date they get the answer given by our Company, or within sixty days from the date of application in case their application is rejected, the answer given is insufficient or the application is not answered in due time.

Data Controller Information

• Trade Name: Şef Bilişim Hizmetleri Anonim Şirketi
• Trade Registry Number: Istanbul Trade Registry Office - 886402
• MERSIS Number: 0085039895341229
• Tax Office: Maslak Tax Office, Tax Identification Number: 0850398953
• Address: Maslak Mah. Dereboyu 2 Cad. Nurol Plaza No:21/A Sarıyer/Istanbul
• Registered Electronic Mail: [email protected]
• Phone Number: +90 (850) 321 88 99

Personal Data Protection and Privacy Undertaking for Natural Persons/Legal Entities with whom Personal Data is Shared

[Data Shared Person] is obliged to comply with all procedures and principles stipulated by the Personal Data Protection Law No. 6698 ("Law") and the relevant legislation, including but not limited to those regulated in this Letter of Undertaking, while fulfilling its obligations under the [Contract Name] Agreement dated [Contract Date] ("Agreement") concluded with Şef Bilişim Hizmetleri Anonim Şirketi. [Data Shared Person] shall be able to process any personal data processed by the Company or any personal data shared by the Company, which is obtained during the performance of the Agreement or accessed in connection with the performance of the Agreement, only for the purposes specified in the Agreement and only to the extent necessary for the performance of the Agreement. [Data Shared Person] is obliged to take all necessary technical and administrative measures to prevent unlawful processing of such personal data, unlawful access to such data and to ensure the preservation of such data. In the event that the processed personal data contains special categories of personal data within the scope of KVKK(personal data protection law), [Data Shared Person] is also obliged to take the measures specified in the decision of the Personal Data Protection Board dated 31.01.2018 and numbered 2018/10 K. No. in the processing of such special categories of personal data and the measures to be included in the decisions of the Personal Data Protection Board that may be published in the future. [Data Shared Person] shall continue to protect the personal data processed within the scope of the performance of the Agreement as specified in this Undertaking until such data is destroyed even if the Agreement is terminated. [Data Shared Person] shall share the personal data processed within the scope of the performance of the Agreement with its partners, employees, consultants and authorized persons who need to learn this information due to their business, only in mandatory cases, to the extent related to the performance of the Agreement and to the extent necessary; It ensures that these persons will act in accordance with the obligations specified in this undertaking. [Data Shared Person] may not share the personal data processed under the Agreement with third parties and/or abroad under any circumstances. When sharing with third parties and/or abroad is legally obligatory, [Data Shared Person] is obliged to notify the Company immediately and without delay before the transfer takes place. If the legal reasons requiring the processing of personal data disappear, the [Data Shared Person] is obliged to destroy the personal data in question ex officio or upon the request of the Company in a way that cannot be recovered; It is obliged to take all necessary technical and administrative measures to ensure that the destroyed personal data cannot be accessed and reused. When the Company requests information regarding any personal data transmitted under the Agreement, the [Data Shared Person] is obliged to provide the requested information to the Company immediately. In addition, [Data Shared Person] is obliged to immediately notify the Company as soon as they learn about any unlawful access by third parties to the personal data that they are obliged to ensure the security of, or when personal data is unlawfully obtained by third parties, and to take necessary actions to eliminate the violation in question. [Data Shared Person] shall be directly liable for any damages that may arise from the failure of its employees, partners, consultants and authorized persons to comply with the obligations under this undertaking.

Legal Information Note on Notification Obligation in Case of Data Breach

Introduction This Information Note will include explanations about the Personal Data Protection Law No. 6698 ("Law") and the notification obligation of the Company, the data controller within the scope of the Law, in case the personal data within the Company is unlawfully obtained by unauthorized persons. Paragraph 5 of Article 12 of the Law stipulates that in the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Personal Data Protection Board (“Board”) as soon as possible, and the Board may, if necessary, announce this situation on its website or by any other method it deems appropriate. The purpose of notifying the Board and the persons affected by the breach in data breach notifications is to ensure that measures are taken as soon as possible to prevent or minimize the negative consequences that may arise for these persons due to the breach. Although the framework of the "Obligation to Notify Data Breach" stipulated in paragraph 5 of Article 12 of the Law has not been fully determined, decisions have been taken by the Board in order to avoid any incompatibility and to ensure standardization in practice. With these Board decisions, the procedures and principles of the "Data Breach Notification Obligation" have been determined in detail.Board Decisions on the Obligation to Notify Data Breach 1) According to the Board Decision dated 24.01.2019 and numbered 2019/10;

• The phrase "as soon as possible" in the provision of paragraph 5 of Article 12 of the Law "In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible...." has been determined as 72 hours. In this context, the data controller must notify the Board without delay and within 72 hours at the latest from the date of learning of this situation, and following the determination of the persons affected by the data breach by the data controller, the relevant persons must be notified as soon as reasonably possible, directly if the contact address of the relevant person can be reached, and if not, by appropriate methods such as publishing it on the data controller's own website.
• If the data controller fails to notify the Board within 72 hours for a justifiable reason, the reasons for the delay must be explained to the Board along with the notification to be made.
• In the notification to the Board, the "Personal Data Breach Notification Form" prepared by the Board must be used (Annex-1: Personal Data Breach Notification Form)
• In cases where it is not possible to provide the information in the form at the same time, this information will be provided gradually without delay.
• The data controller is required to record the information on data breaches, their effects and the measures taken, and keep them ready for the Board's review.
• In the event that personal data held by the data processor is unlawfully obtained by others, the data processor must notify the data controller without delay.
• In the event that the data breach occurs in the presence of a data controller residing abroad, if the consequences of this breach affect the data subjects residing in Turkey and the data subjects benefit from the products and services offered in Turkey, this data controller must also notify the Board within the framework of the same principles.
• In the event of a data breach, the data controller must prepare a data breach response plan that includes issues such as who to report to, notifications to be made within the scope of the Law and determining who is responsible for evaluating the possible consequences of the data breach, and review this plan periodically. 2) According to the Board's Decision dated 18.09.2019 and numbered 2019/271; the breach notification to be made by the data controller to the data subject must be made in a clear and plain language and the following issues must be included in the notification;
• When the breach occurred,
• Which personal data is affected by the breach on the basis of personal data categories (by making a distinction between personal data and special categories of personal data),
• Possible consequences of a personal data breach,
• Measures taken or proposed to be taken to mitigate the negative effects of the data breach,
• The names and contact details of the contact persons who will enable the data subjects to receive information about the data breach, or the full address of the data controller's web page, call center, and other similar contact methods.

Information Note on the Rights of the Data Subject

Introduction; In this Information Note, pursuant to the Law No. 6698 on the Protection of Personal Data ("Law"), explanations will be given about the exercise of the rights of personal data owners under the Law. In this context, the communiqué issued by the Personal Data Protection Board ("Board") on the subject based on Article 13 of the Law will be taken into consideration. Pursuant to Article 11 of the Law; the data subject may apply to the data controller to learn whether personal data is processed about them, to request information if personal data has been processed, to learn the purpose of processing personal data and whether they are used in accordance with their purpose, to know the third parties with whom personal data is shared with(domestically or abroad), to request correction of personal data in case of incomplete or incorrect processing, to request correction of personal data within the framework of the conditions stipulated in Article 7 of the Law, to request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law, to request notification of the sharings made pursuant to subparagraphs (d) and (e) of Article 10 of the Law, with third parties with whom personal data are transferred, to object to the occurrence of a result to the detriment of the person themselves by analyzing the processed data exclusively through automated systems, and to demand compensation for the damage in case of damage due to unlawful processing of personal data. Procedures and Principles Regarding the Application Made by the Data SubjectThe Board's Communiqué on the Procedures and Principles of Application to the Data Controller ("Communiqué") published in the Official Gazette dated March 10, 2018 contains explanations on how the application will be made. Accordingly, the data subject may submit their request within the scope of his/her rights set forth in Article 11 of the Law to the data controller in writing or by using their registered electronic mail (REM) address, secure electronic signature, mobile signature or the electronic mail address previously notified to the data controller by the data subject and registered in the system of the data controller or through a software or application developed for the purpose of application. The same communiqué also specifies the minimum amount of specific elements that must be included in the application. Accordingly, the elements that must be included in the application are listed below:

• Name, surname, and signature if the application is in writing;
• TR identification number for citizens of the Republic of Turkey; and for foreigners nationality, passport number or identification number if available,
• Residential or workplace address for notification, if available, electronic mail address, telephone and fax number,
• Information and documents regarding the subject matter of the request should also be attached to the application.
• One of the issues clarified in the Communiqué is the date from which the application will be deemed to have been made. Article 5 of the Communiqué explains this situation as follows;
• In written applications, that is the date on which the document is notified to the data controller or its representative.
• For applications made by other methods; that is the date the application is first received by the data controller.

Procedures and Principles to be Followed in Response to the Application The data controller is obliged to take all necessary administrative and technical measures to finalize the applications to be made by the data subject within the scope of the Communiqué effectively and in accordance with the law and in good faith. In addition, as stated in the Communiqué, the data controller shall either accept the applications made to the data controller and take the necessary actions, or reject the request, provided that the reason is also explained, and notify the relevant person within the 30-day period specified in the Law. Regardless of the application made to the data controller, the data controller must notify the data subject of its decision on the request in writing or electronically. If the request of the data subject is accepted, the data controller shall fulfill the requirements of the request as soon as possible and the data subject shall be informed. The minimum elements that must be included in the response letter to be sent to the data subject are also determined in the Communiqué. Accordingly, the "Response Letter" must contain;;

• Information about the data controller or its representative,
• Name and surname of the applicant, TR identification number for citizens of the Republic of Turkey; and for foreigners nationality, passport number or identification number if available,
• The address of the place of residence or workplace for notification, if available, the e-mail address, telephone and fax number for notification;
• The subject of the request;

The data controller's explanations regarding the application.

As per the second paragraph of Article 13 of the Law, the data controller shall finalize the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee determined by the Board may be charged. As can be understood from the provision of the Law, it is essential that requests are met free of charge. However, the Board may charge a fee for responding to the application under the circumstances specified in the Communiqué. The Communiqué includes the following provisions regarding the fee; "If the relevant person's application is to be answered in writing, no fee is charged up to ten pages. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages. If the response to the application is given in a recording medium such as CD, flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium."

In addition, as stated in the last paragraph of Article 13 of the Law and the Communiqué, if the application is caused by the data controller's error, the fee charged will be refunded to the data subject.

Best regards.