Personal Data Security Policies

1. PURPOSE

Pursuant to the provisions of the relevant legislation, especially the Personal Data Protection Policy (“Policy”), Personal Data Protection Law No. 6698 (“KVKK”) and Electronic Communications Law No. 5809 (“Law No. 5809”), TurkNet Communication Services Inc. (“TurkNet” or the “Company”) explains the principles to be followed and the methods and processes to be followed while fulfilling its obligations to protect Personal Data.

2. DEFINITIONS

According to the Law on the Protection of Personal Data No. 6698, the table below explains the definitions and abbreviations in this Policy.

3. SCOPE

1. This Policy involves all activities and processes related to Personal Data that TurkNet processes.
2. This Policy relates to the processing of Personal Data of TurkNet’s customers, prospects, employees, employee candidates, interns, suppliers of goods or services, subcontractors, visitors, website visitors, business partners and their employees and representatives.
3. Under the scope of Law No. 5809 on Electronic Communications, Regulation on Information and Network Security in the Electronic Communications Sector published in the Official Gazette dated 13.07.2014 and numbered 29059, and other relevant legislation, TurkNet implements Information Security Management System Policies and Procedures consisting of 91 policies or procedures (ISMS Procedures). ISMS Procedures are revised and updated from time to time in line with legislative changes or new developments. The method and process details followed in the administrative and technical measures taken regarding Personal Data are defined in various ISMS Procedures and reference is made to the relevant ISMS Procedures in this Policy.

In this context, TurkNet has the following quality certificates:

– ISO 27001:2013 Information Security Management System Certificate

– ISO 9001:2015 Quality Management System Certificate

– ISO 20000-1:2011 Information Technologies Service Management System Certificate

– ISO 22301:2012 Business Continuity Management System Certificate

4. PRINCIPLES

TurkNet complies with the following principles when processing Personal Data in accordance with Article 4 of the KVKK and Article 51 of Law No. 5809:

• Compliance with the law and honesty rules,
• To be accurate and up-to-date when necessary,
• For certain explicit and legitimate purposes,
• In connection with the purposes for which they are processed, limited and measured,
• To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

5. PROCESSING PERSONAL DATA

1. After providing information within the scope of the Obligation to Inform in accordance with Article 10 of the Law on the Protection of Personal Data (KVKK) and other relevant legislation, TurkNet processes Personal Data in compliance with the KVKK. The “TurkNet Clarification Text Regarding the Processing and Protection of Personal Data,” which is the information text, is publicly available on the TurkNet website and can be listened to verbally at the Call Center.

2. TurkNet processes Personal Data by obtaining explicit consent from the Data Subject when it is required to do so under Article 5 of the Law on the Protection of Personal Data (KVKK). Personal Data is processed without obtaining explicit consent in the following cases where explicit consent is not required.
3. a) It is clearly stipulated in the laws.
4. b) It being necessary for the protection of the Data Subject’s or another person’s life or physical integrity when it is impossible to obtain consent due to physical impossibility or when the consent of the individual is legally invalid.
5. c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

ç) It is mandatory for the data controller to fulfil its legal obligation.

1. d) It being made public by the related person themselves.
2. e) Data processing is mandatory for the establishment, exercise or protection of a right.
3. f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the related person.

3. TurkNet processes Personal Data in accordance with Article 5 and Article 6 of the KVKK, limited to the following purposes:
4. a) To offer, market, promote or provide value-added services of electronic communication products or services,
5. b) Agreements regarding the products or services we offer or purchase (subscription,

device purchase/sale, consultancy, etc.) signing, execution of contract processes,

1. c) Performing billing, conducting identity verification, activation processes, troubleshooting processes, cancellation processes, and handling all subscription-related transactions starting from contract signing until termination to fulfill our contractual commitments,
2. d) Providing call center services, request and complaint management, measuring customer satisfaction, all kinds of customer relations activities,
3. e) Measurement of the services we offer, improvement and diversification of services, strategic planning activities, marketing activities
4. f) To inform you about our products and services in order to sign a subscription agreement upon your request,
5. g) Management of internet traffic, interconnection, billing, irregularity/fraud detection and similar transactions or resolution of disputes, especially consumer complaints and interconnection and billing disputes.
6. h) Carrying out the audit activities of the company
7. i) Ensuring the company’s building, infrastructure, operation and network security
8. j) Execution of finance and accounting works
9. k) Within the scope of fixed telephone services, emergency calls and Disaster and Emergency No. 5902 In cases of disaster and emergency as defined in the Law on the Organization and Duties of the Presidency of Situation Management,
10. l) Fulfilling reporting, informing, auditing and other obligations required by regulatory and supervisory institutions and legal regulations,
11. m) Applying to legal or administrative proceedings.

4. Special Category Personal Data is processed in compliance with Article 6 of the Law on the Protection of Personal Data (KVKK) and relevant legislation, either by obtaining explicit consent or by obtaining relevant employee undertakings without the need for explicit consent as stated in the KVKK. TurkNet Special Qualified Personal Data Security Policy is applied in this regard.

6. DATA MANAGEMENT AND SECURITY

1. Administrative Measures Taken for Personal Data Security

• In order to fulfil TurkNet’s legal obligations regarding Personal Data, to ensure and supervise the implementation of this Policy, a Personal Data Security Committee (“Committee”), whose members and working style are determined by the Board of Directors, has been established. The Committee reports risks, developments and all other issues related to Personal Data security to the Risk Committee and the Board of Directors.
• The inventory regarding Personal Data processed by TurkNet has been prepared in accordance with the legislation and is updated when necessary.
• In cases where Personal Data is processed or transferred within the scope of any relationship with TurkNet employees, customers, suppliers, business partners and other third parties, the necessary obligations, commitments and penalties are imposed on the relevant contract in order to ensure that the relevant processing or transfer complies with the KVKK and relevant legislation or sign a separate contract in this regard.
• If necessary, TurkNet keeps written confidentiality agreements signed by its employees, employees or representatives of its suppliers, business partners or subcontractors, as required by the relevant task, job or process, or ensures that they are kept by the supplier, business partners or subcontractors.
• ISO27001 audits are carried out once a year. In this context, internal and external audits are carried out.
• In terms of compliance with the KVKK and the relevant legislation, an internal audit is carried out or is done once a year.
• There are articles on the protection of Personal Data in the employment contracts signed with the employees or, if necessary, undertakings are signed.
• Sanctions regarding the processing of Personal Data in violation of the law and TurkNet Policies have been determined in the Disciplinary Regulation and employees are informed about these in trainings.
• Personal Data Security Training is given to all employees once a year. In the trainings, general information on KVKK, examples of decisions made by the Personal Data Protection Authority and other regulatory organizations in the world, the measures to be taken for data security and the penalties regulated in the legislation are explained and an exam is held at the end of the training.

2. Technical Measures Taken for Personal Data Security

• ISO 27001 Information Management System is operated in our company. The measures mentioned below are discussed in detail within the scope of the relevant ISMS procedure.
• Personnel knowledgeable in technical matters are employed in the relevant units.
• Access to information systems and authorization of users are done through access authorization matrix and security policies over corporate applications. Necessary authorization definitions for new positions are made as the need arises. In addition, the authority matrix is reviewed once a year.
• Network security and application security are provided.
• Authorization definitions and trainings of employees are made in accordance with the principle of “prohibited unless allowed” and necessary commitments are taken.
• As a result of real-time analysis with information security event management, informatics

the risks and threats that will affect the continuity of the systems are constantly monitored.

• In order to protect information systems against known vulnerabilities, vulnerabilities and penetration tests are carried out regularly and emerging risks, threats, vulnerabilities and vulnerabilities, if any, are revealed and necessary measures are taken.
• Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
• Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.
• Applications such as attack prevention systems, network access control, systems preventing malware, anti-virus and firewall are used to protect the confidentiality, integrity and accessibility of information and software in information systems.
• Personal data is backed up and the security of the backed up personal data is also ensured.
• Strong password algorithm is applied in all user accounts. The number of password entry attempts is limited. Password changes are provided at regular intervals. Administrator authority is available only to authorized users. The accounts of the users who left the job as soon as possible is being closed.
• Disk encryption is used on personal laptop computers.
• The servers where personal data are kept are encrypted.
• The use of external memory is limited on the basis of employee roles, access to external memories is limited and controlled depending on.
• Quarterly PCI scanning and vulnerability and security checks are performed via remote access.
• Access logs are kept regularly.
• Closed system network is used for personal data transfers via network.
• Necessary measures for the physical security of information systems equipment, software and data is taken.
• Security of the buildings (company headquarters and data center) used by TurkNet Personal Data is processed by taking camera recording in order to ensure. The number of cameras, location and recording times are determined in accordance with the principle of limitation with purpose in accordance with legal regulations.
• Services are taken from the security firm for camera recordings. Access to the camera recordings is provided by authorized personnel who have signed a confidentiality agreement.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• Data masking is applied when necessary.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Data loss prevention software is used. In this context, data loss and data loss in systems DLP module is used to prevent hijacking.

3. Website, Apps and Cookies

TurkNet carries out all kinds of subscription transactions, marketing and customer service activities with its website and OIM application over the internet, and the MOIM application over the mobile phone. In this framework, as security measures, periodic penetration tests are carried out, access is provided with a user name and password, secure software methods such as GUID use, and a Firewall system are used in front of the systems that the Web server system reaches. The cookie policy is published on the TurkNet website.

7. VIOLATIONS

In case of data security weakness or breach, the relevant employee immediately reports the situation to a senior manager and ISMS Manager, first verbally and then by e-mail. Data security breach event is reported and resolved in accordance with P.16-1 and P.16-2 ISMS Procedures. In the Personal Data Trainings given to the employees, the procedures are explained in detail and the procedures are kept open to the access of the employees.

8. RIGHTS OF THE PERSONAL DATA SUBJECT (RELATED PERSON)

1. TurkNet informs the Data Owners (Relevant Persons) that they have the following rights regarding the protection of personal data in accordance with Article 11 of the KVKK:

• Learning whether your personal data is processed,
• If your personal data has been processed, requesting information about it,
• To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
• Knowing the third parties to whom personal data is transferred in the country or abroad,
• Correction of personal data in case of incomplete or incorrect processing.

requesting information to third parties to whom the data is transferred in case of correction,

• Requesting the deletion or destruction of personal data within the framework of Article 7 of the Law, requesting information to third parties to whom the data is transferred in case of deletion or destruction,
• Objection if a result arises against you as a result of the analysis of the processed data exclusively with automated systems,
• Requesting the compensation of the damage in case of damage due to the illegal processing of personal data.

2. Data owners can also submit a petition that they can fill in the application form on the website or prepare themselves in order to exercise the above-mentioned rights and make a request (This petition must contain: your name, surname, your TCKN information, the address to which you want a reply, your e-mail address or fax number, your application date, detailed explanations regarding your request) are informed that they can send it in signed form by the following methods:

3. TurkNet concludes the requests in the application free of charge as soon as possible, within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the Authority may be charged. The company may accept the request or reject it by explaining the reason; gives its answer in writing or electronically. In case the request in the application is accepted, the Company fulfils the requirements of the request.

ENFORCEMENT OF THE POLICY:

This policy is prepared by the Committee and approved by the Board of Directors. This Policy and the changes made in the Policy are announced to the employees via e-mail and published on the TurkNet website. This Policy is reviewed and updated if necessary, at least once a year, in line with legislative changes or the Company’s needs. Changes are indicated by date and number at the end of the Policy.

Effectiveness and Changes: