MEG CONSTRUCTION TOURISM INDUSTRY AND TRADE LTD. CO. PERSONAL DATA PROTECTION LAW INFORMATION TEXT

1. PURPOSE AND IDENTITY OF THE DATA CONTROLLER

This privacy notice has been prepared in accordance with Article 10 of the Law No. 6698 on the Protection of Personal Data (KVKK), titled "Data Controller's Obligation to Inform," to inform and enlighten data subjects in accordance with the KVKK and relevant legislation regarding the purposes for which personal data collected by MEG İNŞAAT TUR. SAN. VE TİC. LTD. ŞTİ. will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the procedures and principles regarding the rights that the personal data owner may exercise against the data controller.

Identity of the Data Controller

Data Controller: MEG CONSTRUCTION TOURISM INDUSTRY AND TRADE LTD.

Address:

Mersis Number:

Email:

(Hereinafter referred to as the DATA CONTROLLER)

2. PERSONAL DATA PROCESSED

Your personal data that will be processed within the scope of the contractual or commercial relationship you have or will have with the data controller includes: your name and surname and Turkish Republic identity number, tax number, addresses, telephone numbers, e-mail address, IBAN number, financial data, signature, order information, communication preferences, campaign participation information, and cookie and usage data.

3. PURPOSE OF PROCESSING PERSONAL DATA

Your personal data collected is processed by the Data Controller in accordance with the law and principles of fairness; accurately and, when necessary, updatable; for clear, legitimate and specific purposes; in a manner that is relevant to the processing purpose, limited and proportionate; only for the necessary period; and in line with the purposes stated in Article 4 of this Disclosure Statement. The purpose of processing your personal data is: The services provided include: offering products and services, managing order processes, completing payment transactions, accounting activities, managing customer relations processes and providing support services, evaluating requests, complaints, and suggestions, conducting marketing activities, communicating campaigns and information (with explicit consent), conducting analysis to improve your website experience, fulfilling obligations arising from relevant legislation, managing membership creation processes, taking and tracking preliminary accounting records, managing and tracking the e-invoice transition application process, managing user support processes through the web request system, managing user/member activation processes (SMS or email activation), invoicing sales made by users/members online, sending invoices related to online sales to the Revenue Administration, managing communication processes for advertising, campaigns, promotions, and informational purposes, conducting marketing analysis studies (with sub-objectives such as product development, optimization, increasing customer satisfaction, identifying potential customer needs, and optimizing new customer acquisition), providing after-sales support services, conducting special activities aimed at customer satisfaction, and managing database storage processes. It is the implementation of information security processes.

Your personal data will be retained for a reasonable period specified in the relevant legislation or until the purpose of processing ceases to exist, and in any case, for the duration of the statutory limitation periods.

4. TRANSFER OF PERSONAL DATA

As a rule, your personal data is not transferred to third parties without your explicit consent. However, in the exceptional circumstances listed below, and in accordance with Article 8 of the KVKK (Law on Protection of Personal Data), your personal data may be shared with relevant individuals and institutions after taking the necessary security measures:

• In accordance with duly requested requests from authorized public institutions and organizations, for the purpose of fulfilling legal obligations, establishing, exercising or protecting a right,
• To ensure the provision of services and products offered by the data controller, the execution of after-sales processes, and the delivery of technical support services, our company collaborates with service providers, suppliers, and solution partners.

During data transfer, full compliance with privacy principles and the obligations stipulated in the Personal Data Protection Law (KVKK) is ensured in all cases. Your personal data will be used only for the purposes stated in Article 3;
• To cargo and logistics companies,
• To payment infrastructure providers,
• To firms that provide accounting and financial consulting services,
• To companies that provide marketing and communication infrastructure (email/SMS service providers),
• Data may be transferred to third-party companies providing website analytics services, in accordance with Articles 8 and 9 of the Turkish Personal Data Protection Law (KVKK).

5. TRANSFER OF PERSONAL DATA ABROAD

Your personal data is not transferred to third parties abroad without your explicit consent. However, with your explicit consent, your Identity, Contact, Customer Transaction, Marketing, and Transaction Security data, as well as some audio-visual recordings (such as call center voice recordings or screenshots), may be shared with our service providers operating in the information technology field and located abroad, solely for the purpose of improving service quality and ensuring system continuity.
In this context, the transfer of your data is carried out in accordance with Article 9 of the KVKK (Personal Data Protection Law), by taking the necessary technical and administrative security measures; and it is ensured that the companies to which the data is transferred have an infrastructure compliant with international standards in data security.
Your data transferred abroad via cloud systems, software, or platform services used by the Data Controller is processed solely for the purpose of carrying out the specified services and is never shared with other individuals or organizations without the knowledge and instructions of the Data Controller.

Furthermore, these service providers have committed to operating in compliance with international data protection legislation, primarily the European Union's General Data Protection Regulation (GDPR).

6. METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA

The Data Controller processes personal data through all kinds of auditory, written, visual and electronic methods, within the framework of the purposes stated in this disclosure text, in order to provide the services it offers in accordance with the laws and relevant legislation, and also for purposes arising from contracts and laws.
This is based on several legal grounds, such as the ability to fully fulfill its obligations. Legal grounds include: the establishment or performance of a contract (KVKK Article 5/2-c), in accordance with the conditions specified in the Law; and the fulfillment of the data controller's legal obligations.
These include bringing about (KVKK Article 5/2-ç), establishing, exercising or protecting a right (KVKK Article 5/2-e), obtaining the explicit consent of the data subject (KVKK Article 5/1) and other relevant provisions.

7. RIGHTS OF PERSONAL DATA SUBJECTS AND PROTECTION OF THESE RIGHTS

Data subjects may, within the framework of Article 11 of the Law, apply to the data controller regarding the following matters concerning them:

a) To find out whether personal data is being processed,
b) Requesting information regarding the processing of personal data,
c) To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
c) Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
d) Requesting the correction of personal data if it has been processed incompletely or incorrectly.
e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) Requesting that the actions taken pursuant to clauses (d) and (e) be notified to third parties to whom personal data has been transferred,
g) The right to object to a result that is detrimental to the individual, arising solely from the analysis of processed data by automated systems.
g) Individuals have the right to claim compensation for damages incurred as a result of the unlawful processing of their personal data.
To exercise these rights, data subjects may apply to the Data Controller in writing or through other methods determined by the Personal Data Protection Board. Applications will be processed as soon as possible, but in any case within a maximum of 30 days, depending on the nature of the request.

8. STORAGE AND DESTRUCTION OF PERSONAL DATA

Our company stores your personal data only for the periods stipulated in the relevant legislation or for the duration required by the processing purposes. Personal data whose storage period has expired or whose processing purpose has ceased to exist are deleted, destroyed, or anonymized by us as the Data Controller, either through periodic destruction processes or upon your request.