​

1) OBJECTIVE 3

2) SCOPE 3

3) DEFINITIONS 3

4) OUR PRINCIPLES 4

5) PURPOSES OF PROCESSING PERSONAL DATA 6

6) CATEGORIES OF PERSONAL DATA PROCESSED 7

7) CATEGORIES OF PARTIES WITH WHOM PERSONAL DATA IS SHARED 8

8) ENSURING THE SECURITY OF PERSONAL DATA 8

9) RIGHTS HELD BY THE DATA OWNER 9

10) PERIODIC DESTRUCTION PERIOD 10

11) UPDATE AND COMPLIANCE 10

12) ENFORCEMENT AND ANNULMENT OF THE POLICY 10

​

OBJECTIVE

As Varcad Makina A.Ş ("Varcad"), we care about the protection and processing of your personal data in accordance with the Law on the Protection of Personal Data No. 6698 (the "Law"). This Personal Data Protection and Processing Policy (the "Policy") has been prepared in order to make statements about the personal data processing activity and the processes for the protection of personal data, to ensure transparency and compliance with the law in practice and to inform the real persons whose personal data has been processed by Varcad.

SCOPE

This Personal Data Protection and Processing Policy is related to all personal data processed for our company's employees, business partners, suppliers, visitors and real third parties, provided that they are a part of our system in any manner.

DEFINITIONS

Explicit Consent : The statement of consent given by the personal data owner about a specific subject based on information and expressed in free will.

​

Law : Law on Protection of Personal Data No. 6698

Recording Environment : Shall refer to any environment in which personal data has been processed, which is fully or partially automated or non-automated provided that it is part of any data recording system.

Personal Data : Any information related to the identitied or identifiable real person

Processing of Personal Data : Any transaction performed on the data such as obtaining, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, recapture, classification or preventing the use of the same by non-automated means provided that personal data is a part of a wholly or partially automated data

recording system.

Personal Data Owner : The real person whose data has been processed

Board : Personal Data Protection Board

Sensitive Personal Data : Shall refer to the data about the race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction and security measures as well as biometric and genetic data of

persons.

Policy : Personal Data Protection and Processing Policy of Varcad

Data Processor : Shall refer to the real person or the legal entity who processes personal data on behalf of the data controller based on the authority vested to it by the same,

Data Recording System : The recording system where Personal Data is processed by

means of configuring the same according to certain criteria,

Data Controller : Varcad

Regulation : The Regulation on the Deletion, Destruction or Anonymization of Personal Data,

Business Partner : The parties with whom V has established business partnerships for purposes such as carrying out various projects and receiving services while conducting company commercial activities. Data will be transferred only limited to the fulfillment of the purpose of establishing a business partnership.

Legally Authorized Public Institutions and Organizations : Shall refer to public institutions and organizations authorized to receive information and documents from Varcad in accordance

with the provisions of the legislation.

OUR PRINCIPLES

1. Varcad carries out its personal data processing activities in accordance with the data processing principles stipulated by the Law and other legislation. Pursuant to this Varcad acts in accordance with the below principles while processing personal data.

    

   Acting in accordance with the law and integrity rules, Being correct and up-to-date when required,

   Processing with certain, explicit and legitimate objectives,

   Personal Data being linked to, limited and measured with the purpose of being processed

   Personal data being maintained for the time stipulated in the relevant legislation or for the time required regarding the purpose for which they are being processed.

    

2. Varcad carries out data processing activities in accordance with the conditions for processing personal data stipulated by the Law except for the explicit consent of the data owner. Varcad may process data without obtaining the explicit consent of the data owner under the following conditions stipulated by the Law.

    

   The Processing of Personal Data is clearly prescribed by the law

   No explicit consent of the related person being available due to actual impossibilities

   Direct relation with the establishment or execution of the contract Performance of the legal obligations by Varcad

   Personal data owner declaring the personal data as public

   Data processing being compulsory for the establishment or protection of a right

   Data processing being necessary for the legitimate interest of Varcad

    

3. Sensitive personal data will only be processed in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, should the following conditions exist:

    

   Sensitive personal data other than health and sexual life may be processed without seeking for explicit consent if this is explicitly stipulated by the law, otherwise with the explicit consent of the data owner.

   Sensitive personal data relating to health and sexual life may be processed by the authorized institutions and organizations and the persons under the obligation of keeping secret for planning and managing the financing planning and healthcare services and executing protective medicine, medical diagnosis, treatment and care services and protecting public health without seeking for any explicit consent, otherwise with the explicit consent of the data owner.

    

4. Even if the personal data subject has not given his/her explicit consent, if one or more of the following conditions are present, personal data may be transferred to third persons by Varcad by taking all due care and all necessary security precautions including those stipulated by the Board:

    

   Relevant activities related to the transfer of personal data being explicitly stipulated in the law,

   The transfer of personal data by the Company is directly related to and required for the establishment or execution of a contract;

   The transfer of personal data is compulsory for our Company to fulfill its legal obligations;

   The transfer of personal data by our Company in a limited manner for the purpose of making it public, provided that it has been made public by the data owner;

   The transfer of personal data by the Company is mandatory for the establishment, use, or protection of the rights of the Company or the data owner or third parties,

   Personal data transfer activity is mandatory for the legitimate interests of our Company, provided that such transfer does not violate the fundamental rights and freedoms of the data owner,

   The existence of an obligation to protect the life or bodily integrity of the person who cannot explain his/her consent due to actual impossibility or whose consent is not deemed valid in legal terms.

    

5. Furthermore, personal data may be transferred to the foreign countries announced by the Board to have adequate protection if any of the conditions are met. In the absence of adequate protection, personal data may be transferred to foreign countries where

   data controllers in Turkey and in the relevant foreign country undertake the adequate protection in written form under Article 9 of the Law and where the Board has given consent for the transfer of personal data.

    

PURPOSES OF PROCESSING PERSONAL DATA COLLECTED BY VARCAD

Any personal data obtained by Varcad and included in this Policy may be processed for the following purposes.

• Conducting the Process of Employee Candidate/Trainee/Student selection and recruitment,

• Conducting the process of employee candidate application processes,

• Performance of assignment processes,

• Planning of Human Resources Processes,

• Conducting the communication activities,

• Conducting the wage policy,

• Conducting the finance and accounting activities,

• Fulfillment of the obligations arising from the employment contract and legislation for the employees,

• Conducting the fringe benefits and interests processes for employees,

• Tracking and conduct of legal affairs,

• Conducting the communication activities,

• Execution of goods/services purchasing processes,

• Execution of goods/service sales processes,

• Conducting customer relationship management processes,

• Conduct of investment processes,

• Conduct of contract processes,

• Conduct of information security processes,

• Conduct of goods/services after sales support services,

• Performance of marketing analysis procedures,

• Creating and tracking visitor records,

• Conduct of management activities,

• Providing information to authorized persons, institutions and organizations,

• Tracking of requests/complaints,

• Assuring physical field security,

• Conduct of information security processes,

• Management of access authorizations,

• Performance of storage and archive activities,

• Receiving and assessment of suggestions of the improvement of business processes,

• Conduct of activities for customer satisfaction,

• Conduct of marketing processes of products / services,

• Performance of Advertising/Campaign/Promotion Processes

​