PRIVACY AND DATA PROTECTION NOTICE

1. Purpose and Scope of the Disclosure Text

The primary purpose of the Disclosure Text ("Notice") of Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi ("Company") is to inform and enlighten our employees, employee candidates, visitors, customers, suppliers, employees of collaborating institutions, and other individuals whose personal data are processed by our company regarding the Company's personal data processing activities, measures taken in this context, the rights of data subjects, and methods for exercising these rights within the scope of the Personal Data Protection Law (“Law”). Under the Law, Ender Alüminyum Sanayi ve Ticaret Anonim Şirketi, located at Başpınar(Organize) Osb Mahallesi O.S.B. 4.Bölge 83422 Nolu Cadde No: 3/ Şehitkâmil/Gaziantep, acts as the Data Controller.

1. Definitions

2. Processing of Personal Data

• Fundamental Rules

Our company acts in accordance with the principles explained below pursuant to Article 4 of the Law within the scope of all Personal Data Processing activities.

1. Acting in accordance with the law and honesty rules:

In every Personal Data Processing process, our Company acts in accordance with the current legislation and complies with the rules of honesty.

2. Ensuring Personal Data is Accurate and Up-to-Date when necessary:

Our Company takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date.

3. Processing for Specific, Explicit, and Legitimate Purposes:

Our Company limits its Personal Data Processing activities to specific and legitimate purposes and clearly informs Data Subjects regarding these purposes through disclosure texts.

4. Being relevant, limited, and proportionate to the purposes for which they are processed:

Personal Data is processed by our Company to the extent required for the purpose notified to the Data Subject at the time of procurement, being relevant and limited to this purpose.

5. Preservation for the period stipulated in the relevant legislation or required for the relevant purpose: Our Company preserves Personal Data for the period determined within the scope of the current legislation, if such a period is specified. If no such period is specified in the legislation, reasonable storage periods are determined considering the purpose of data use and our Company's procedures, and data is stored limited to this period.

• Conditions for Processing Personal Data

• If there is explicit consent of the personal data subject;
• If there is an explicit regulation in the laws regarding the processing of personal data;
• If the personal data subject is unable to express their consent due to actual impossibility or if it is mandatory for the protection of the life or physical integrity of the person or someone else whose consent is not legally valid;
• If it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract;
• If personal data processing is mandatory for our Company to fulfill its legal obligation;
• If the personal data has been made public by the personal data subject;
• If personal data processing is mandatory for the establishment, exercise, or protection of a right;
• If personal data processing is mandatory for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the personal data subject;

Personal data is processed by our Company based on one or more of the above personal data processing conditions specified in the Law and in accordance with the regulations introduced in the Law.

The processing of special categories of personal data is prohibited. However, the processing of these data is possible in the following cases:

- Explicit consent of the person concerned,

- Explicitly stipulated in the laws,

- Mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or for someone else,

- Relating to personal data made public by the person concerned and in accordance with the intention of making it public,

- Mandatory for the establishment, exercise, or protection of a right,

- Necessary for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, and the planning, management, and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations,

- Mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,

- Targeted at current or former members and employees of foundations, associations, and other non-profit organizations or formations established for political, philosophical, religious, or trade-union purposes, or persons who are in regular contact with these organizations and formations, provided that they comply with the legislation they are subject to and their purposes, are limited to their field of activity, and are not disclosed to third parties.

3. Types of Personal Data Processed by the Company

Your personal data collected by our Company may vary depending on the nature of the legal relationship you have established with our Company (employee, employee candidate, visitor, etc.). The categories of personal data processed by informing the relevant persons in accordance with the principles and processing conditions specified in the Law and pursuant to Article 10 of the Law can be listed as follows.

• Identity Information (varying as necessary: all information in documents such as driver's license, identity card, residence permit, passport, identity register copy, marriage certificate, photograph, etc.)

• Contact Information (E-mail address, phone number, mobile phone number, address, etc.)

• Personnel Information: Any personal data processed for obtaining information that will form the basis for the personnel rights of our employees or natural persons in a working relationship with our company.

• Legal Action Information: Data in information requests or decisions received from judicial and administrative authorities and your personal data processed within the scope of our legal obligations.

• Customer Transaction
  Call center records, invoice, promissory note, check information, information on teller receipts, order information, request information, etc.

• Physical Space Security Information: Personal data relating to records and documents taken during entry to the physical space and during the stay in the physical space (e.g., entry-exit records, fingerprint records, camera records, visitor information).

• Transaction Security Information: Your personal data such as IP address information, website entry-exit information, password and passcode information processed to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities.

• Risk Management
  Information processed for the management of commercial, technical, and administrative risks, etc.

• Financial Information: Data regarding information, documents, and records showing all kinds of financial and accounting results created according to the type of legal relationship our Company has established with the personal data subject.

• Professional Experience: Diploma information, courses attended, in-service training information, certificates, transcript information, etc.

• Visual And Auditory Records

• Appearance And Dress: Body measurement information is obtained to provide appropriate work clothes for our employees in terms of occupational health and safety.

• Special Categories of Personal Data: Data specified in Article 6 of the Law, health (obtained from our employees for employment purposes, due to the occupational health and safety law, and for the purpose of keeping in personnel files), criminal conviction data, etc.

• Family Members and Relative Information: Information such as identity information and contact information about the family members and relatives of the personal data subject in order to protect the legal interests of the company and the data subject.

• Signature Information

• Vehicle Plate information

• Military Service Information

4. Monitoring the Company Work Area with Cameras

If you visit our Company's work area, your visual data may be obtained via a closed-circuit camera system and stored only for the period necessary for the purposes listed below. The use of a closed-circuit camera system aims to prevent and monitor anti-social and criminal behavior, ensure the security of our Company and the tools and equipment within our Company, and protect the health and safety of visitors and employees. Areas that could result in interference with personal privacy beyond security purposes are not monitored. In addition to the general disclosure, our Company places notification texts and warning signs at the entrances of the monitored areas indicating that monitoring is being conducted. Thus, it is aimed to protect the rights of data subjects whose personal data are processed and ensure transparency in personal data processing. All necessary technical and administrative measures are taken by our Company to ensure the security of your data obtained through the closed-circuit camera system. For detailed information, you can review the Disclosure Text for Camera Recording at www.enderaluminyum.com.tr.

5. Our Personal Data Processing Purposes

Your personal data obtained may be processed automatically by our Company for the purposes listed below, based on the legal grounds of "being mandatory for the data controller to fulfill its legal obligation" and "being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject" specified in Articles 5 and 6 of the Law:

6. Storage, Deletion, Destruction, and Anonymization of Personal Data

When determining the storage periods of personal data, our Company makes an assessment by considering the current legislation and the processing purposes of the data subject to the process. In this context, legal obligations regarding Personal Data Processing activities and statute of limitations are strictly taken into account. In cases where the legislation does not foresee a specific period for the storage of the relevant personal data types, storage periods are determined specifically for each data processing purpose. In this context, storage periods are determined by taking into account the practices of our company and the customs of commercial life.

Personal data may be stored beyond the processing purpose to constitute evidence in possible legal disputes, to assert a right that can be proven with personal data, to establish a defense, and to respond to information requests from authorized public institutions. In the establishment of the periods here, the statute of limitations for asserting the mentioned right and the company practices on the same issues are taken into account. When the specified periods expire, our Company deletes or anonymizes the relevant personal data if there is no other legal reason. Furthermore, upon the request of the personal data subject, personal data is deleted, destroyed, or anonymized if there is no other legal basis requiring the storage of the data.

7. Transfer of Personal Data

Your personal data may be shared with shareholders, the board of directors, business partners, suppliers, customers, authorized public institutions and organizations, legally authorized private legal entities, auditors, consultants, lawyers, and natural or private legal entities from whom we receive contracted services or with whom we cooperate; for the purposes of managing human resources processes, fulfilling obligations arising from contracts and laws, ensuring and developing occupational safety, and ensuring the legal and commercial security of our Company and persons in a business relationship with our Company; and for the purposes of administration of our Company, conduct of business, and determination and implementation of company policies, based on the legal grounds of explicit provision in the laws, establishment or performance of a contract, fulfillment of our legal obligations, mandatory for the establishment, exercise, or protection of a right, and legitimate interest.

In these cases where your personal data is shared, our Company takes the necessary measures to ensure that the party with whom the data is shared acts in accordance with the rules in this Policy and the provisions in the legislation regarding processing and transfer activities.

Transfer of your Personal Data abroad can only be done in accordance with Article 9 of the Personal Data Protection Law.

8. Data Security

Our Company, in accordance with Article 12 of the Law, takes the necessary technical and administrative measures to ensure the security of personal data within its organization, to prevent illegal access to personal data, and to prevent illegal processing of these data.

In this context, our Company ensures the necessary audits are carried out in order to ensure the implementation of the provisions of the Law pursuant to Article 12 of the Law, ensures the compliance of data processing activities with the Law, makes authorizations appropriate to the nature of the data accessed within the company, takes necessary actions to train and inform all its employees, especially those authorized to access personal data, regarding their duties and responsibilities under the Law, and adds provisions regarding taking necessary security measures for the protection of personal data to the contracts concluded with the persons to whom personal data is transferred by the Company.

9. Rights of Data Subjects

According to Article 11 of the Law, Data Subjects have the following rights against the Data Controller:

• To learn whether Personal Data concerning them is being processed, and if so, to request information regarding this.
• To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose.
• To know the third parties to whom Personal Data are transferred domestically or abroad.
• To request correction of Personal Data if it is processed incompletely or incorrectly.
• To request deletion or destruction of Personal Data within the framework of the conditions stipulated in the relevant legislation, and to request notification of the operations performed to third parties to whom Personal Data are transferred.
• To object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems.
• To request compensation for the damage in case of loss due to unlawful processing of Personal Data.

Paragraph 2 of Article 28 of the Law lists the cases where data subjects do not have the right to request, and in this context;

• Personal Data processing is necessary for the prevention of a crime or for a crime investigation,
• Processing of personal data made public by the Data Subject himself/herself,
• Personal Data processing is necessary for the execution of auditing or regulation duties and for disciplinary investigation or prosecution by authorized and empowered public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law,
• Personal Data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters,

The rights specified above cannot be exercised in these cases, except for the right to request compensation for the damage towards the data.

10. Exercise of Rights by Data Subjects

If you submit your requests regarding your rights to us by filling out the Data Subject Application Form, which you can access at www.enderaluminyum.com.tr, your request will be concluded free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged.

In order for third parties to make an application request on your behalf, you must have given a special power of attorney issued by a notary public to this third person.

Our Company may request information from the Relevant Person in order to determine whether the person making the application is the Data Subject, and may direct questions to the Data Subject regarding their application in order to clarify the matters specified in the application.