RAVANDA CARPET TEXTILE SAN. VE TİC. LTD. ŞTİ.
PERSONAL DATA PROTECTION AND PROCESSING POLICY

Protection of personal data is among the most important priorities of Ravanda Halı Tekstil San. ve Tic. Ltd. Şti. (“Company”) is among the most important priorities. The most important part of this issue is the protection and processing of personal data of our employee candidates, company shareholders, company officials, visitors, employees, customers, suppliers, shareholders and officials of the institutions we cooperate with, and third parties, which are governed by this Policy.
According to the Constitution of the Republic of Turkey; everyone has the right to request the protection of personal data about him/her. Regarding the protection of personal data, which is a right guaranteed by the Constitution, the company pays due attention to the protection of the personal data of our employee candidates, company shareholders, company officials, visitors, employees of the institutions we cooperate with, our customers, suppliers, shareholders and officials and third parties and makes it a Company policy.
In this context, the company takes the necessary administrative and technical measures to protect the personal data processed within the framework of the legal legislation.
The basic principles adopted by the company in the processing of personal data in this Policy are as follows;
– Processing personal data in accordance with the law and honesty rules,
– Keeping personal data accurate and up-to-date when necessary,
– Processing personal data for specific, clear and legitimate purposes,
– Processing personal data in connection with the purpose for which they are processed, limited and measured,
– Keeping personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,
– Informing and informing personal data owners,
– Establishing the necessary system for personal data owners to exercise their rights,
– Taking necessary measures for the protection of personal data,
– Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board in the transfer of personal data to third parties in line with the requirements of the purpose of processing,
– Showing the necessary sensitivity to the processing and protection of special quality personal data.

ARTICLE 1: PURPOSE OF THE POLICY
The main purpose of the Policy is to ensure transparency and trust by informing the persons whose personal data are processed by our company, especially our customers, suppliers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, about the personal data processing activity carried out by the company in accordance with the law.

ARTICLE 2: CONTENT AND DEFINITIONS
This Personal Data Protection and Processing Policy is related to all personal data of our employee candidates, company shareholders, company officials, visitors, employees of the institutions we cooperate with, our customers, suppliers, company shareholders and officials and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.
The scope of application of this Policy regarding the groups of personal data owners in the categories mentioned above may be the entire Policy or only a part of it.

The definitions of the concepts in this policy text are as follows:
Receiver group : The category of natural or legal person to whom personal data is transferred by the data controller.
Explicit consent : Consent on a specific subject, based on information and expressed with free will
Anonymisation : Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data
Employee : Company personnel
Electronic media : Environments where personal data can be created, read, changed and written with electronic devices
Non-electronic media : All written, printed, visual, etc. other media other than electronic media
Service provider : Real or legal person providing services under a specific contract with the Institution
Contact person : Natural person whose personal data is processed
Related user : Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data
Destruction : Deletion, destruction or anonymisation of personal data
Law : Law No. 6698 on the Protection of Personal Data
Recording media : Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system
Personal data : Any information relating to an identified or identifiable natural person
Personal data processing inventory : Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security
Processing of personal data : All kinds of operations performed on personal data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system
Board : Personal Data Protection Board
Sensitive personal data : Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Periodic destruction : In the event that all of the conditions for processing personal data specified in the law disappear, the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy
Politics : Personal Data Storage and Destruction Policy
Company : Ravanda Carpet Textile San. and Tic. Ltd. Sti.
Data processor : A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller
Data recording system : Recording system where personal data is structured and processed according to certain criteria
Data controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data controllers registry information system : The information system created and managed by the Presidency, accessible via the internet, which data controllers will use in the application to the Registry and other transactions related to the Registry
VERBİS : Data Controllers Registry Information System
Regulation : Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28 October 2017

ARTICLE 3: APPLICATION OF THE POLICY AND RELATED LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will be applied primarily. In case of incompatibility between the legislation in force and the Policy, our Company accepts that the legislation in force will be applied.
The Policy has been created by concretizing and organizing the rules set forth by the relevant legislation within the scope of Company practices.

ARTICLE 4: ENFORCEMENT OF THE POLICY
This Policy issued by our Company enters into force on the day it is published on our website. If there is any innovation or change in the Policy, the effective date will be updated.
The Policy is published on our Company’s website and made available to the relevant persons upon the request of the personal data owners.

ARTICLE:5 ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK, our Company takes all necessary administrative, technical and legal measures to prevent unlawful processing of personal data, to prevent unlawful access to data and to provide appropriate security to ensure the preservation of data, and provides all necessary audits within this scope.

ARTICLE 6: SECURITY OF PERSONAL DATA
6.1 Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
Our Company takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and implementation cost.

6.1.1.1 Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by our Company to ensure the lawful processing of personal data are listed below:
a. Personal data processing activities carried out within our Company are audited by technical systems established.
b. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
c. Personnel knowledgeable in technical matters are employed.

6.1.2 Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main administrative measures taken by our Company to ensure the lawful processing of personal data are listed below:
a. Employees are informed and trained about the law on the protection of personal data and the processing of personal data in accordance with the law.
b. All activities carried out by our Company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed specific to the commercial activities carried out by the relevant business units.
c. Personal data processing activities carried out by the business units of our Company; The requirements to be fulfilled in order to ensure that these activities comply with the personal data processing conditions sought by Law No. 6698 are determined specifically for each business unit and the detailed activity it carries out.
d. In order to ensure the legal compliance requirements determined by our business units, awareness is raised specific to the relevant business units and implementation rules are determined; the necessary administrative measures to ensure the audit of these issues and the continuity of the implementation are implemented through internal policies and trainings.
e. In the contracts and documents governing the legal relationship between our Company and employees, records that impose an obligation not to process, disclose and use personal data, except for the Company’s instructions and exceptions imposed by law, are included, and employee awareness is raised and audits are carried out.

6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
Our Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and cost of implementation in order to prevent unauthorized or unauthorized disclosure, access, transfer or other forms of unlawful access to personal data.

6.2.1 Technical Measures Taken to Prevent Unlawful Access to Personal Data
The main technical measures taken by our Company to prevent unlawful access to personal data are listed below:
a. Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
b. Access and authorization technical solutions are put in place in accordance with the legal compliance requirements determined on a business unit basis.
c. Technical measures taken are periodically reported to the relevant person as required by the internal audit mechanism, the issues that pose a risk are re-evaluated and the necessary technological solution is produced.
d. Software and hardware including virus protection systems and firewalls are installed.
e. Technically knowledgeable personnel are employed.

6.2.2 Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The main administrative measures taken by our Company to prevent unlawful access to personal data are listed below:
a. Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
b. Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
c. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the KVK Law and cannot use it for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are obtained from them in this direction.
d. In the contracts concluded with the persons to whom personal data are transferred by our Company in accordance with the law; provisions are added that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

6.3 Storage of Personal Data in Secure Environments
Our Company takes the necessary technical and administrative measures according to technological possibilities and implementation cost in order to store personal data in secure environments and to prevent the destruction, loss or alteration of personal data for unlawful purposes.

6.3.1 Technical Measures Taken to Store Personal Data in Secure Environments
The main technical measures taken by our Company to store personal data in secure environments are listed below:
a. Systems in accordance with technological developments are used to store personal data in secure environments.
b. Expert personnel are employed in technical matters.
c. Technical security systems are established for storage areas, technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the issues that pose a risk are re-evaluated and necessary technological solutions are produced.
d. Backup programs are used in accordance with the law to ensure the safe storage of personal data.

6.3.2 Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by our Company to store personal data in secure environments are listed below:
a. Employees are trained to ensure that personal data is stored securely.
b. In the event that an external service is obtained by our Company due to technical requirements for the storage of personal data, the contracts concluded with the relevant companies to which personal data are transferred in accordance with the law include provisions stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

6.4 Audit of Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the KVKK, our Company conducts or has the necessary audits carried out within its own organization. The results of these audits are reported to the relevant unit within the scope of the internal functioning of the company and necessary activities are carried out to improve the measures taken.

6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
Our Company will ensure that if the personal data processed in accordance with Article 12 of the KVKK is obtained by others illegally, this situation will be notified to the relevant personal data owner and the KVK Board as soon as possible.
If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by another method.

ARTICLE: 7 PROTECTION OF THE DATA SUBJECT’S RIGHTS; CREATION OF CHANNELS THROUGH WHICH THE DATA SUBJECT CAN COMMUNICATE THESE RIGHTS TO OUR COMPANY AND EVALUATION OF THE DATA SUBJECT’S REQUESTS
Our Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
In case personal data owners submit their requests regarding their rights listed below to our Company in writing, our Company concludes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the KVK Board will be charged by our Company. Personal data owners;
a. To learn whether personal data is processed or not,
b. Request information if their personal data has been processed,
c. Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
d. Know the third parties to whom personal data is transferred domestically or abroad,
e. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
f. To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
g. To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
h. In the event that personal data is damaged due to unlawful processing of personal data, it has the right to demand the compensation of the damage.
More detailed information about the rights of data owners is included in this Policy.

ARTICLE:8 PROTECTION OF SPECIAL NATURE PERSONAL DATA
The PDP Law attributes special importance to certain personal data due to the risk of causing victimization or discrimination in case of unlawful processing.
These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Our Company acts sensitively in the protection of special quality personal data, which are determined as “special quality” by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided within the company.
Detailed information on the processing of sensitive personal data is included in this Policy.

ARTICLE:9 INCREASING THE AWARENESS OF BUSINESS UNITS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA AND SUPERVISION
Our Company ensures that necessary trainings are organized for business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.
Necessary systems are established to ensure that the existing employees of the Company’s business units and the employees who are newly included in the business unit are aware of the protection of personal data, and professional persons are hired in case of need.

ARTICLE 10: INCREASING Awareness AND AUDIT OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our Company ensures that trainings and seminars are organized for business partners in order to prevent unlawful processing of personal data, to prevent unlawful access to data and to increase awareness to ensure data protection.
The trainings conducted for the company’s business partners are repeated periodically, the necessary systems are established to ensure that the existing employees of the business partners and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired.
The results of the trainings conducted to increase the awareness of the company’s business partners on the protection and processing of personal data are reported to the holding. In this direction, our Company evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. Our Company updates and renews its trainings in parallel with the updating of the relevant legislation.

ARTICLE 11: ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 4 of the KVK Law, our Company carries out personal data processing activities in accordance with the law and honesty rules; accurate and up-to-date when necessary; pursuing specific, clear and legitimate purposes; in a purpose-related, limited and measured manner. Our Company retains personal data for the period stipulated by law or required by the purpose of personal data processing.
Our Company processes personal data based on one or more of the conditions in Article 5 of the KVK Law on the processing of personal data in accordance with Article 20 of the Constitution and Article 5 of the KVK Law.
Our Company processes personal data in accordance with Article 20 of the Constitution and Article 10 of the KVK Law. In accordance with Article 20 of the Constitution and Article 10 of the PDP Law, our Company informs personal data owners and provides the necessary information in case personal data owners request information.
Our Company acts in accordance with the regulations stipulated in the law for the processing of special categories of personal data in accordance with Article 6 of the PDP Law.
In accordance with Articles 8 and 9 of the PDP Law, our Company acts in accordance with the regulations stipulated in the law and set forth by the PDP Board regarding the transfer of personal data.

ARTICLE 12: PROCESSING PERSONAL DATA IN COMPLIANCE WITH THE PRINCIPLES PRESCRIBED BY LEGISLATION
12.1 Processing in Compliance with the Law and the Rule of Honesty
Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required by the purpose.

12.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Our Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes necessary measures in this direction.

12.3 Processing for Specific, Explicit and Legitimate Purposes
Our Company clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. Our Company processes personal data in connection with and to the extent necessary for the services it provides.

12.4 Being Relevant, Limited and Proportionate to the Purpose of Processing
Our Company processes personal data in a manner that is conducive to the achievement of the specified purposes and avoids the processing of personal data that is not related to the achievement of the purpose or is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.

12.5 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
Our Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if a period of time is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons requiring their processing disappear. Personal data are not stored by our Company with the possibility of future use. Detailed information on this subject is included in this Policy.

ARTICLE 13: PROCESSING PERSONAL DATA BASED ON AND LIMITED TO ONE OR SOME OF THE CONDITIONS FOR PERSONAL DATA PROCESSING STATED IN ARTICLE 5 OF THE PDPA
Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; our Company processes personal data only in cases stipulated by law or with the explicit consent of the person. Detailed information on this subject is provided in this Policy.

ARTICLE 14: DISCLOSURE AND INFORMATION OF PERSONAL DATA OWNER
In accordance with Article 10 of the KVK Law, our Company enlightens personal data owners during the acquisition of personal data. In this context, it informs about the identity of the Holding and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner. Detailed information on this subject is provided in this Policy.
Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data related to him/her. In this direction, “requesting information” is also listed among the rights of the personal data owner in Article 11 of the KVK Law. In this context, our Company provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVK Law. Detailed information on this subject is included in this Policy.

ARTICLE 15: PROCESSING PERSONAL DATA OF SPECIAL NATURE
Our Company sensitively complies with the regulations stipulated in the KVK Law in the processing of personal data determined as “of special nature” by the KVK Law.
In Article 6 of the KVK Law, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as “of special nature”. These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In accordance with the KVK Law, special quality personal data are processed by our Company in the following cases, provided that adequate measures to be determined by the KVK Board are taken:
a. If the personal data owner has explicit consent or
b. If the personal data owner does not have explicit consent;

1) Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
2) Sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

ARTICLE 16: TRANSFER OF PERSONAL DATA
Our Company may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, business partners, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. In this direction, our Company acts in accordance with the regulations stipulated in Article 8 of the KVK Law. Detailed information on this subject is included in this Policy.

16.1 Transfer of Personal Data
In line with legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
a. If the personal data owner has explicit consent;
b. If there is a clear regulation in the laws regarding the transfer of personal data,
c. If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
d. If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
e. If personal data transfer is mandatory for our company to fulfill its legal obligation,
f. If personal data has been made public by the personal data owner,
g. If personal data transfer is mandatory for the establishment, exercise or protection of a right,
h. If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

16.2 Transfer of Special Categories of Personal Data
By taking due care, taking the necessary security measures and taking adequate measures stipulated by the PDP Board; in line with legitimate and lawful personal data processing purposes, our company may transfer the special categories of personal data of the personal data owner to third parties in the following cases.
a. If the personal data owner has explicit consent or
b. If the personal data owner does not have explicit consent;

1) Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,

2) Sensitive personal data relating to the health and sexual life of the personal data subject can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD
Our Company may transfer personal data and sensitive personal data of the personal data owner to third parties by taking necessary security measures in line with the lawful personal data processing purposes. Personal data are transferred by our Company to foreign countries declared to have adequate protection by the PDP Board (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission (“Foreign Country Where the Data Controller Undertakes Adequate Protection”). In this direction, our Company acts in accordance with the regulations stipulated in Article 9 of the KVK Law. Detailed information on this subject is included in this Policy.

17.1 Transfer of Personal Data Abroad
In line with legitimate and lawful personal data processing purposes, our Company may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the presence of one of the following situations:
If there is a clear regulation in the laws regarding the transfer of personal data,
a. If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
b. If it is necessary to transfer personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
c. If personal data transfer is mandatory for our company to fulfill its legal obligation,
d. If personal data has been made public by the personal data owner,
e. If personal data transfer is mandatory for the establishment, exercise or protection of a right,
f. If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

17.2 Transfer of Special Categories of Personal Data Abroad
By taking due care, taking the necessary security measures and taking adequate measures stipulated by the PDP Board; in line with the legitimate and lawful personal data processing purposes, our Company may transfer the special categories of personal data of the personal data owner to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the following cases.
a. If the personal data owner has explicit consent or
b. If the personal data owner does not have explicit consent;

1) Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,

2) Personal data of special nature related to the health and sexual life of the personal data owner can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

ARTICLE 18: CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND RETENTION PERIODS
In accordance with Article 10 of the KVK Law, our company informs the personal data owner which personal data owner groups’ personal data are processed within the scope of the disclosure obligation, the purposes and retention periods of the personal data owner’s personal data.

ARTICLE 19: CATEGORISATION OF PERSONAL DATA
In accordance with Article 10 of the KVK Law, by informing the relevant persons in accordance with Article 10 of the KVK Law, in line with the legitimate and lawful personal data processing purposes of our Company, based on one or more of the personal data processing conditions specified in Article 5 of the KVK Law and limited to the subjects within the scope of this Policy by complying with the general principles specified in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVK Law, personal data in the following categories are processed. It is also stated in this Policy which data subjects the personal data processed in these categories are related to within the scope of this Policy.
IDENTIFICATION INFORMATION; All information contained in documents such as Driver’s Licence, Identity Card, Residence Card, Passport, Lawyer’s ID, Marriage Certificate, which are processed partially or completely automatically or non-automatically as part of the data recording system, which clearly belongs to an identified or identifiable real person.
CONTACT INFORMATION; Information such as telephone number, address and e-mail, which is processed partially or completely automatically or non-automatically as part of the data recording system, which clearly belongs to an identified or identifiable real person.
CUSTOMER INFORMATION; Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework, which is processed partially or completely automatically or non-automatically as part of the data recording system, which clearly belongs to an identified or identifiable natural person.
PHYSICAL SPACE SECURITY INFORMATION; Personal data relating to the records and documents taken during the entrance to the physical space and during the stay in the physical space, which clearly belong to an identified or identifiable natural person and are included in the data recording system.
TRANSACTION SECURITY INFORMATION; Your personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities.
RISK MANAGEMENT INFORMATION; Data that clearly belongs to an identified or identifiable natural person and is included in the recording system of our data risks; data that can be used and processed in accordance with generally accepted legal, commercial custom and good faith in these areas in order for us to manage commercial, technical and administrative.
FINANCIAL INFORMATION; Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by our company with the personal data owner.
PERSONAL INFORMATION; All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; processed to obtain information that will be the basis for the formation of the personal rights of our employees or natural persons who have a working relationship with our Company.
EMPLOYEE CANDIDATE INFORMATION; Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Personal data processed about individuals who have applied to become an employee of our company or who have been evaluated as an employee candidate in line with the human resources needs of our company in accordance with the commercial custom and honesty rules or who are in a working relationship with our company.
EMPLOYEE TRANSACTION INFORMATION; Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Personal data processed regarding all kinds of business-related transactions carried out by our employees or natural persons in a working relationship with our company.
EMPLOYEE PERFORMANCE AND CAREER DEVELOPMENT INFORMATION; Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Data processed for the purpose of measuring the performance of our employees or natural persons in a working relationship with our Company and planning and executing the career development of our employees or natural persons in a working relationship with our Company within the scope of our company’s human resources policy.
BENEFITS AND BENEFITS INFORMATION; Your personal data, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; processed for the planning of the fringe benefits and benefits that we offer and will offer to employees or other natural persons who are in a working relationship with our Company, determining the objective criteria for entitlement to them and monitoring the entitlement to them.
LEGAL PROCESS AND COMPLIANCE INFORMATION; Your personal data, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of the determination, follow-up and fulfilment of our legal receivables and rights and the performance of our debts and compliance with our legal obligations and our company’s policies.
AUDIT AND INSPECTION INFORMATION; Your personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of our company’s legal obligations and compliance with company policies.
SPECIAL NATURE PERSONAL DATA; Data specified in Article 6 of Law No. 6698, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.
REQUEST / COMPLAINT MANAGEMENT INFORMATION; Personal data relating to the receipt and evaluation of all kinds of requests or complaints addressed to our Company, which clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system.

ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA
According to the categorization prepared by our Company, the top purposes for processing personal data are shared below:
a. Carrying out the necessary work by our relevant business units for the realization of the commercial activities carried out by our Company and the execution of related business processes,
b. Planning and execution of our Company’s Commercial and / or business strategies,
c. Carrying out the necessary work by our business units and carrying out the relevant processes in order to benefit the relevant persons from the products and services offered by our Company,
d. Planning and execution of our Company’s human resources policies and processes,
e. Ensuring the legal, technical and commercial business security of the relevant persons who have a business relationship with our Company.

The data processing purposes within the scope of the above-mentioned top purposes are as follows:
1. Event Management
2. Planning and Execution of Research and Development Activities
3. Planning and Execution of Business Activities
4. Planning and Execution of Corporate Communication Activities
5. Planning and Execution of Information Security Processes
6. Creation and Management of Information Technologies Infrastructure
7. Planning and Execution of Authorizations of Business Partners and/or Suppliers to Access Information and Facilities
8. Planning and Execution of Fringe Benefits and Benefits for Supplier and/or Business Partner Employees
9. Monitoring Financial and/or Accounting Affairs
10. Planning and Execution of Logistics Activities
11. Management of Relations with Business Partners and/or Suppliers
12. Conducting Activities to Identify Financial Risks of Customers
13. Planning and Execution of Customer Relationship Management Processes
14. Monitoring Contract Processes and/or Legal Requests
15.
Planning Human Resources Processes
17. Execution of Personnel Recruitment Processes
18. Follow-up of Legal Affairs
19. Planning and Execution of Operational Activities Required to Ensure that Company Activities are Conducted in Accordance with Company Procedures and/or Relevant Legislation
20. Collection of Entry and Exit Records of Business Partner/Supplier Employees
21. Creation and Follow-up of Visitor Records
22. Planning and Execution of Company Audit Activities
23. Planning and/or Execution of Occupational Health and/or Safety Processes
24. Ensuring that Data is Accurate and Up-to-Date
25. Management and/or Supervision of Relations with Affiliates
26. Ensuring the Security of Company Premises and/or Facilities
27. Ensuring the Security of Company Assets and/or Resources
28. Planning and/or Execution of Company Financial Risk Processes

In order to carry out personal data processing activities within the scope of personal data processing purposes other than the above-mentioned situations, our Company applies for the explicit consent of personal data owners; The following personal data processing activities are carried out by the relevant business units in accordance with the explicit consent of the personal data owners. Within this framework; In the absence of the above-mentioned conditions, the personal data processing purposes for which the explicit consent of the personal data owners is applied;
I. Planning and Execution of Business Partners and/or Suppliers’ Authorizations to Access Information and Facilities
II. Planning and Execution of Logistics Activities
III. Management of Relations with Business Partners and/or Suppliers
IV. Follow-up of Contract Processes and/or Legal Requests
V. Planning of Human Resources Processes
VI. Execution of Personnel Procurement Processes
VII. Planning and/or Execution of Customer Satisfaction Activities
VIII. Planning and Execution of Operational Activities Required to Ensure that Company Activities are Conducted in Compliance with Company Procedures and/or Relevant Legislation
IX. Collection of Entry and Exit Records of Business Partner/Supplier Employees
X. Planning and Execution of Company Audit Activities
XI. Planning and/or Execution of Occupational Health and/or Safety Processes
XII. Ensuring the Security of Company Campuses and/or Facilities.

ARTICLE 21: PERSONAL DATA RETENTION PERIODS
If stipulated in the relevant laws and regulations, our Company retains personal data for the period specified in these regulations.
If a period of time is not regulated in the legislation regarding how long personal data should be retained, personal data is processed for the period required to be processed in accordance with the practices and customs of our Company’s commercial life, depending on the services provided by our company while processing that data, and then deleted, destroyed or anonymized. Detailed information on this subject is provided in this policy.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the company have come to an end; personal data can only be stored in order to constitute evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples of the requests previously addressed to our Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

ARTICLE 22: CATEGORIZATION OF THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY
Although the personal data of the categories of personal data owners listed below are processed by our company, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties.
The personal data protection and processing activities of our employees will be evaluated under the Holding Employees Personal Data Protection and Processing Policy.
Although the categories of persons whose personal data are processed by our Company are within the scope of the above-mentioned scope, persons outside of these categories may also direct their requests to our Company within the scope of the KVK Law; the requests of these persons will also be evaluated within the scope of this Policy.
Below, the concepts of customer, potential customer, visitor, employee candidate, shareholder and board member, real persons in the institutions we cooperate with and third parties related to these persons within the scope of this Policy are clarified.

ARTICLE 23: CATEGORIES AND EXPLANATIONS
Visitors; real persons who have entered the physical premises owned by our Company for various purposes or who visit our websites.
Third Parties; third party real persons who are related to these persons in order to ensure the security of our Company’s commercial transactions with the parties or to protect the rights of the aforementioned persons and to provide benefits, or real persons who are not covered by this policy and the policy of protection and processing of personal data of company employees.
Employee Candidate; real persons who have applied for a job to our company by any means or who have opened their resume and related information to our company.
Company Shareholder; real persons who are shareholders of our company.
Company Official; members of the company’s board of directors and other authorized real persons.
Shareholders and officials of the institutions of employees with whom we cooperate; Real persons who work in the institutions with which our company has all kinds of business relations (including, but not limited to, shareholders and officials of these institutions such as business partners, offices, suppliers).

ARTICLE 24: THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
Our Company notifies the personal data owner of the groups of persons to whom personal data are transferred in accordance with Article 10 of the KVKK.
In accordance with Articles 8 and 9 of the KVK Law, our Company may transfer the personal data of service recipients to the following categories of persons:
a. Company business partners,
b. Company suppliers,
c. Company affiliates,
d. Company Shareholders,
e. Legally Authorized public institutions and organizations,
f. Legally authorized private law persons.

The scope of the above-mentioned persons to whom data is transferred and the purposes of data transfer are as follows;
1. Limited to ensure the fulfillment of the purposes for which the business partnership was established,
2. Limited to ensure that the services outsourced by our company from the supplier and necessary to fulfill our company’s commercial activities are provided to our company,
3. Limited to ensuring the execution of our company’s commercial activities that require the participation of subsidiaries,
4. Limited to the purpose of designing and auditing our company’s strategies and audit activities regarding our company’s commercial activities in accordance with the provisions of the legal legislation,
5. Limited to the purpose requested by legally authorized public institutions and organizations within the framework of our legal authorities in case they request information and documents from our company within the framework of legal legislation,
6. In the event that legally authorized private law persons request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal powers,
In the transfers carried out by our company, we act in accordance with the matters regulated in the policy.
Our company informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVK Law.
Although the legal grounds for the processing of personal data by our Company may differ, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of Law No. 6698.
In order to process personal data based on the explicit consent of the personal data owner, explicit consent is obtained from visitors and 3rd parties.

The personal data of the data subject may be processed in accordance with the law if it is clearly stipulated in the law.
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his consent due to actual impossibility or whose consent cannot be validated in order to protect the life or physical integrity of himself or another person.
Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.
Personal data of the data subject may be processed if processing is mandatory for our company to fulfill its legal obligations as a data controller.
Personal data of the data subject may be processed if the personal data has been made public by the data subject.
Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right (invoice, etc.)
Personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject (for internal calculations, etc.)
Personal data processing activities carried out by our Company at the building facility entrances and within the facility are carried out in accordance with the Constitution, KVK Law and other relevant legislation.
In order to ensure security, our Company carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in our Company’s buildings and facilities.
Personal data processing activities are carried out by our Company by using security cameras and recording guest entrances and exits.

In this context, our Company acts in accordance with the Constitution, KVK Law and other relevant legislation. Within the scope of security camera surveillance activity, our Company aims to increase the quality of the service provided, to ensure its reliability, to ensure the security of the company, employees and other persons and to protect the interests of third parties regarding the service they receive. The camera surveillance activity carried out by our Company is carried out in accordance with the Law on Private Security Services and the relevant legislation. Our Company acts in accordance with the regulations in the PDP Law in carrying out camera surveillance activities for security purposes.
Our Company carries out security camera surveillance activities in order to ensure security in its buildings and facilities, for the purposes stipulated in the laws and in accordance with the personal data processing conditions listed in the PDP Law.
The announcement of the surveillance activity by our Company is made in accordance with Article 10 of the PDP Law.
In addition to the clarification regarding general issues, our Company notifies more than one method regarding the camera surveillance activity in accordance with the model regulations in the EU. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency and enlightenment of the personal data owner.
In accordance with Article 4 of the KVK Law, our Company processes personal data in a limited and measured manner in connection with the purpose for which they are processed.

The purpose of video camera monitoring by our Company is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, the number and the time of monitoring of the security cameras are sufficient to achieve the security purpose and are limited to this purpose. Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.
In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken by our company to ensure the security of personal data obtained as a result of camera surveillance.
Only a limited number of company employees have access to the records recorded and stored in digital media. Live camera footage can be monitored by outsourced security services. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
Our Company carries out personal data processing activities to ensure security and to monitor guest entrances and exits in company buildings and facilities for the purposes specified in this Policy.
While the names and surnames of the persons who come to the company buildings as guests are obtained, or through the texts posted in the Company or otherwise made available to the guests, the personal data owners in question are enlightened in this context. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are physically recorded in the data recording system.

For camera surveillance activities by our Company; this Policy is published on our Company’s website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out (on-site disclosure).
On the websites owned by our Company; In order to ensure that the visitors of these sites perform their visits in accordance with the purpose of their visit; In order to show them customized content, their internet movements within the site are recorded by technical means.
Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by our company can be accessed from the Human Resources department and the website www.ravandacarpet.com.
Although our company has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data is deleted, destroyed or anonymized upon the Company’s own decision or upon the request of the personal data owner if the reasons requiring its processing disappear. Our Company fulfills this legal obligation with legal methods.

ARTICLE 25: TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
25.1 Techniques for Deletion and Destruction of Personal Data
Although our Company has been processed in accordance with the provisions of the relevant law, it may delete or destroy personal data based on its own decision or upon the request of the personal data owner if the reasons requiring its processing disappear. The most commonly used deletion or destruction techniques used by our Company are listed below:

25.1.1 Physical Destruction
Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When such data is deleted/destroyed, the system of physical destruction of personal data in a way that cannot be used later is applied.

25.1.2 Secure Deletion from Software
When deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that cannot be recovered again.
25.1.3 Secure Deletion by Expert
In some cases, the Company may agree with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field in a way that cannot be recovered again.

25.2 Techniques for Anonymizing Personal Data
Anonymization of personal data refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching personal data with other data. Our Company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law disappear.
In accordance with Article 28 of the KVK Law; anonymized personal data can be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the PDP Law and the explicit consent of the personal data owner will not be sought. Since personal data processed by anonymization will be outside the scope of the PDP Law, the rights set out in the Policy will not apply to these data.
The most commonly used anonymization techniques used by our Company are as follows;
a- Masking
Data masking is the method of anonymizing personal data by removing the basic determinant information of personal data from the data set.
b- Aggregation
With the data aggregation method, many data are aggregated and personal data are made unassociated with any person.
c- Data Derivation
With the data derivation method, a more general content is created from the content of personal data and personal data are made unassociated with any person.
d- Data Hashing
With the data hashing method, it is ensured that the values in the personal data set are mixed and the link between the values and the persons is broken.
Our Company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the KVK Law, guides the personal data owner on how to exercise these rights, and our Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

ARTICLE 26: DATA OWNER’S RIGHTS AND USE OF THESE RIGHTS
26.1 Rights of Personal Data Owner
Personal data owners have the following rights:
a. To learn whether personal data is processed
b. To request information if personal data has been processed
c. To learn the purpose of processing personal data and whether they are used in accordance with their purpose
d. To know the third parties to whom personal data are transferred domestically or abroad
e. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred
f. To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred
g. To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems
h. In case of damage due to unlawful processing of personal data, to request compensation for the damage

26.2 Cases where the Personal Data Owner cannot assert his/her rights
Pursuant to Article 28 of the PDP Law, personal data owners cannot assert the following rights of personal data owners in these matters, as the following cases are excluded from the scope of the PDP Law:
a. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics
b. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime

c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security

d. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures
Pursuant to Article 28/2 of the KVK Law; In the cases listed below, personal data owners cannot assert their other rights listed below, except for the right to claim compensation for the damage:
1. Processing of personal data is necessary for the prevention of crime or criminal investigation.
2. Processing of personal data made public by the personal data owner.
3. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations in the nature of public institutions, authorized and authorized by law.
4. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.
26.3 Exercise of Rights by Personal Data Subject
Personal data subjects may submit their requests regarding their rights listed above in this section to our Company by the following method:
a. The Personal Data Access Information Request Form, which is available at www.ravandacarpet.com and can be obtained from the Human Resources department, is filled in and signed with wet signature and then sent to Körkün Mh. Ebufeyz Elçibey Bulv. No:8 Oğuzeli/Gaziantep with a personal application to our company located at
. The Personal Data Access Information Request Form, which can be obtained from the Human Resources department at www.ravandacarpet.com, is filled in and signed with wet signature and sent to Körkün Mh. Ebufeyz Elçibey Bulv. No:8 Oğuzeli/Gaziantep via a notary public or by registered mail,
. The Personal Data Access Information Request Form, which can be obtained from the Human Resources department at www.ravandacarpet.com, can be filled in and signed with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, and the form with secure electronic signature can be sent by e-mail to www.ravandacarpet.com.
It is not possible for third parties to make requests on behalf of personal data owners.
In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person who will make the application.
Personal data owners will fill out the “Application Form Regarding Applications to be Made to the Data Controller by the Relevant Person (Personal Data Owner) in accordance with the Personal Data Protection Law No. 6698” linked above in the application they will make to exercise their rights. The method of the application to be made in this form is also explained in detail.

26.4 Personal Data Owner’s Right to File a Complaint to the PDP Board
Pursuant to Article 14 of the PDP Law, the personal data owner may file a complaint to the PDP Board within thirty days from the date of learning the response of our Company and in any case within sixty days from the date of application in case the application is rejected, the response is insufficient or the application is not responded in due time.

ARTICLE 27: COMPANY’S RESPONSE TO APPLICATIONS
27.1 Procedure and Duration of Our Company’s Response to Applications
In the event that the personal data owner submits his request to our Company in accordance with the procedure in the above section of this section, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
However, if the transaction requires an additional cost, our Company will charge the applicant the fee in the tariff determined by the PDP Board.

27.2 Information Our Company May Request from the Applicant Personal Data Subject
Our Company may request information from the applicant to determine whether the applicant is a personal data subject.
Our Company may ask questions to the personal data subject about his/her application in order to clarify the issues in the application of the personal data subject.

27.3 Our Company’s Right to Reject the Application of the Personal Data Owner
Our Company may reject the application of the applicant in the following cases by explaining the reason:
a. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
b. Processing of personal data for the purposes of national defense, national security, public security, public order,

c- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate economic security, privacy or personal rights or constitute a crime.
d- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
e- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.
f- Processing of personal data is necessary for the prevention of crime or criminal investigation.
g- Processing of personal data made public by the personal data owner himself/herself.
h- Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
i- Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues
j- The request of the personal data owner is likely to prevent the rights and freedoms of other persons
k- Requests requiring disproportionate effort have been made.
l- The requested information is public information.

ARTICLE 28: RELATIONSHIP OF THE COMPANY’S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES
The basic policies written on the protection and processing of personal data that are related to the principles set forth by the Company with this Policy are specified. By linking these policies with the basic policies carried out by the Company in other areas, harmonization is also ensured between the processes that the Company operates with different policy principles for similar purposes.
A “Personal Data Protection Board” has been established within the Company in accordance with the decision of the Company’s senior management to manage this policy and other policies related and related to this policy. The duties of this board are stated below.
a. To prepare basic policies on the Protection and Processing of Personal Data and to submit them to the approval of senior management to put them into effect.
b. To decide how the implementation and supervision of the policies on the Protection and Processing of Personal Data will be carried out and to submit the issues of making internal assignments and ensuring coordination within this framework to the approval of senior management.
c. To determine the issues that need to be done to ensure compliance with the Law on the Protection of Personal Data and the relevant legislation and to submit the necessary actions to the senior management for approval; to oversee and coordinate their implementation.
d. To raise awareness within the Company and before the institutions with which the Company cooperates on the Protection and Processing of Personal Data.
e. To ensure that necessary measures are taken by identifying the risks that may arise in the personal data processing activities of the Company; to submit improvement suggestions to the senior management for approval.
f. To design and ensure the execution of trainings on the protection of personal data and the implementation of policies.
g. To decide on the applications of personal data owners at the highest level.
h. To coordinate the execution of information and training activities to ensure that personal data owners are informed about personal data processing activities and their legal rights.
i. To prepare amendments to the basic policies on the Protection and Processing of Personal Data and submit them to the senior management for approval to put them into effect.
j. To follow the developments and regulations on the Protection of Personal Data; to advise senior management on what needs to be done within the Company in accordance with these developments and regulations.
k. To coordinate relations with the Personal Data Protection Board and the Authority.
l. To perform other duties to be assigned by the senior management of the Company regarding the protection of personal data.
Some of the policies mentioned are for internal use. The principles of the internal policies of the Company are reflected in the public policies to the extent relevant, and it is aimed to inform the relevant parties within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Company.
Sincerely,
RAVANDA CARPET TEXTILE SAN. VE TİC. LTD. ŞTİ.