KALAMOS TURİZM VE TİCARET ANONİM ŞİRKETİ

POLICY ON THE PROTECTION OF PERSONAL DATA

1. PURPOSE AND SCOPE

At Kalamos, we comply with our obligations to take all kinds of necessary technical and administrative measures necessary for protecting the personal data of all our guests to whom we provide services and the natural persons with whom we keep in touch as we carry out our operations in the capacity of data controller, preventing the unlawful processing of, and unlawful access to, the personal data set forth in the Law No. 6698 on the Protection of Personal Data, and ensuring their retention. Being totally aware of our responsibility in this regard, we process and protect your personal data in accordance with this Policy.

Kalamos sets forth all our processes and systems and main principles related to personal data in this Policy on the Protection and Processing of Personal Data.

2. DEFINITIONS

Company / Kalamos :	shall refer to KALAMOS TURİZM VE TİCARET ANONİM ŞİRKETİ.
Explicit Consent	shall refer to the informed consent given freely for a specific matter.
Application Form	shall refer to the "Application Form for Applications to be Filed by the Relevant Persons (Data Subjects) to the Data Controller Pursuant to the Law No. 6698 on the Protection of Personal Data" containing the application to be filed by personal data subjects for exercising their rights.
Employee	shall mean Kalamos employees.
Candidate Employee	shall mean natural persons who have applied to Kalamos for a job in any manner, and made their relevant information available for examination by our company.
Destruction	shall refer to the deletion, destruction or anonymization of personal data.
Law/LPPD	shall refer to the Law No. 6698 on the Protection of Personal Data.
Personal Data	shall refer to any kind of information related to an identified or identifiable natural person.
Processing of Personal Data	shall refer to any operation, which is performed on personal data, such as collection, recording, storage, retention, alteration, adaptation, disclosure, transmission, acquisition, making retrievable, classification or making it impossible to be accessed, whether with fully or partially automated methods, or with non-automated methods, provided that it is a part of a data recording system.
Deleting Personal Data:	shall refer to making personal data completely non-reusable and inaccessible by relevant users.
Destruction of Personal Data	shall refer to making personal data completely non-reusable, irretrievable and inaccessible by anyone.
Anonymizing Personal Data	Anonymizing personal data shall refer to making it impossible to associate personal data with an identified or identifiable natural person in any manner whatsoever even if they are matched with other data.
Board	refers to the Personal Data Protection Board.
Authority	refers to the Personal Data Protection Authority.
Customer / Guest	shall refer to natural persons who benefit from the products and services offered by the Company and acquire personal data regardless of whether there is a contractual relationship with them.
Sensitive Personal Data	refers to personal data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics.
Periodic Destruction	shall refer to the periodic sua sponte deletion, destruction or anonymization of personal data, as specified in the policy on retention and destruction of personal data, when requirements for processing personal data under the do not apply anymore.
Policy	shall refer this policy on the protection and processing of personal data prepared in accordance with the Law.
Supplier	shall refer to the parties providing services on a contract basis while carrying out the commercial activities of the Company.
Data Processor	shall refer to the natural or legal person processing personal data relying on the powers granted by the data controller.
Data Recording System	shall refer to any recording system through which personal data are processed by structuring according to specific criteria.
Data Controller	shall refer to a natural person or legal entity who determines the purposes and means of processing of personal data and is responsible for establishing and managing a data recording system.
Data Subject/Relevant Person	shall refer to the natural person whose personal data is processed.
Regulation	shall refer to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
Visitor	shall refer to the natural persons who have entered the physical facilities where the Company carries out its operations for various reasons or who visit our websites.

3. PRINCIPLES AND PROCEDURES GOVERNING THE PROTECTION OF PERSONAL DATA

3.1. GENERAL PRINCIPLES

In line with the rights granted for personal data to the data subjects under the Constitution and the LPPD, Kalamos processes personal data in accordance with the principles and exceptions set forth in the applicable legislation and where the person's explicit consent has been obtained:

• Processing in Line with the Law and Good Faith Principle:

All kinds of legal regulations and the good faith principle are complied with while processing Personal Data.

• Ensuring Accuracy and Currency of Personal Data When Needed

Kalamos takes necessary measures for ensuring the accuracy and currency of Personal Data, informs Data Subjects to make sure that the processed data reflect reality and provides them with necessary facilities.

• Processing for Definite, Explicit and Legitimate Purposes

Kalamos processes personal data to the extent related to, and required for, its commercial operations.

• Being Relevant, Limited and Proportionate to the Purposes for which Data are Processed

Kalamos processes Personal Data in a manner suitable for the achievement of the intended purpose, and avoids processing the Personal Data that are not related to achievement of the relevant purpose or are not required.

• Being Retained for the Term Required for the Fulfillment of the Intended Processing Purpose or Specified in the Applicable Legislation.

Personal data processed by Kalamos are retained for the term required for the fulfillment of the intended processing purpose or specified in the applicable legislation. In this connection, if there is any term specified in the applicable legislation for retaining data, Kalamos complies with such term, and if not, for the time required for the purpose of processing.

3.2. PROCESSING PURPOSES OF PERSONAL DATA

Your Personal Data acquired by Kalamos may be processed in accordance with the following scope:

● Creating and Following Visitor Records
● Carrying out Management Operations
● Informing the Authorized People, Institutions and Organizations
● Conducting Investment Processes
● Ensuring the Security of Data Controller Operations
● Conducting the Product/Services Marketing Processes
● Conducting Supply Chain Management Processes
● Following up Requests/Complaints
● Conducting Strategic Planning Activities
● Carrying out Sponsorship Operations
● Conducting Agreement Processes
● Carrying out Retention and Archiving Activities
● Carrying out Advertisement/Campaign/Promotion Processes
● Conducting Marketing Analysis Activities
● Organization and Event Management
● Carrying out Activities for Customer Satisfaction
● Conducting Customer Relations Management Processes
● Conducting Goods/Service Production and Operation Processes
● Conducting Goods/Service Sales Processes
● Conducting After-Sales Support Services for Goods/Services
● Conducting Goods/Service Procurement Processes
● Carrying out Activities for Ensuring Business Continuity
● Collection and Assessment of Recommendations for Improvement of Business Processes
● Carrying out/Supervising Business Operations
● Carrying out Communication Operations
● Carrying out Internal Audit/Investigation/Intelligence Activities
● Following up and Conducting Legal Affairs
● Ensuring Security of Physical Locations
● Conducting Finance and Accounting Works
● Carrying out Operations in line with the Legislation
● Managing Access Authorizations
● Carrying out Training Operations
● Carrying out Supervision / Ethics Operations
● Conducting Employees' Fringe Benefits and Social Benefits Processes
● Fulfillment of Obligations Related to Employees Arising from Labor Contract and the Legislation
● Carrying out Application Processes for Candidate Employees
● Conducting Selection and Placement Processes for Candidate Employees/Interns/Students
● Conducting Information Security Processes
● Maintaining Emergency Management Processes

3.3. CONDITIONS FOR PROCESSING OF PERSONAL DATA

The Law sets forth the conditions for the processing of personal data, and Kalamos processes personal data under the following terms and conditions.

Except for the exceptions listed in the Law, Kalamos processes personal data provided that it obtains the explicit consent of data subjects. As set forth in the law, personal data may be processed even without the explicit consent of the data subject

● if it is explicitly stipulated in the law;
● if it is necessary [to process personal data] to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
● if it is necessary to process personal data of parties to a contract, provided that it is directly related to the execution or performance of a contract to which the data subject is party;
● if it is necessary to process personal data for fulfillment of a legal obligation of the data controller;
● if such personal data has been made public by the data subject itself;
● if processing is mandatory to establish, exercise or protect a right; and
● if it is mandatory to process data for the legitimate interest of the data controller provided that the fundamental rights and freedom of data subject are not harmed.

4. MEASURES FOR THE PROTECTION OF PERSONAL DATA

In line with Article 12 of the LPPD, Kalamos takes the necessary technical and administrative measures for preventing the unlawful processing of personal data it processes, preventing the unlawful access to data and ensuring the retention of data, and performs the necessary supervisions in this regard.

Kalamos takes technical and administrative measures to the extent allowed by technological facilities and application costs to make sure that personal data are processed in accordance with the law.

5. PROCESSING CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA

Kalamos exerts maximum care while processing Sensitive Personal Data.

Article 6 of the Law defines sensitive personal data as data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, as well as data related to biometrics and genetics.

Sensitive Personal Data are processed by Kalamos, provided that the explicit consent has been obtained from the Relevant Person.

6. MEASURES FOR THE PROTECTION OF SENSITIVE PERSONAL DATA

While processing the Sensitive Personal Data set forth in Article 6 of the Law, Kalamos takes the following measures in the capacity of data controller pursuant to the Board Decision dated 31 January 2018 and 2018/10:

For the Employees involved in the processing of sensitive personal data;

● regular trainings are provided regularly for the security of Sensitive Personal Data;
● confidentiality agreements are concluded;
● the scope and term of authorization of the users that have access authorization are defined;
● periodic authorization controls are performed;
● the authorizations of the Employees whose positions have been changed or who quit job are immediately cancelled. In this connection, the Data Controller accepts the return of the inventory allocated to it by the Data Controller.

If the environments where Sensitive Personal Data are processed, retained and/or accessed are electronic environments,

● the transaction logs of all movements performed on Personal Data are logged securely;
● the security updates related to the environments containing Personal Data are continuously followed up, necessary security tests are regularly performed/ensured to be performed, and test results are recorded;
● if Personal Data are accessed by means of a software application, user authorizations for such software application are defined, and the security tests of these applications are regularly performed/ensured to be performed, and test results are recorded; and
● if remote access to the Personal Data is required, an identity confirmation system with at least two steps is ensured.

If the environments where Sensitive Personal Data are processed, retained and/or accessed are electronic environments,

● adequate security measures are taken depending on the nature of the environment containing Sensitive Personal Data (against electric leakage, fire, flood, theft, etc.); and
● physical security of these environments is ensured, and unauthorized entries and exists are prevented.
In case of transfer of Sensitive Personal Data,
● if Personal Data need to be transferred by e-mail, they should be transferred in encrypted form via corporate e-mail address;
● If transfer is performed between servers in different physical environments, a VPN should be established between the servers and data transfer should be performed by means of sFTP method;
● If Personal Data need to be transferred in hardcopy form, necessary measures are taken against risk of theft, loss of the document or the risk of the document to be viewed by unauthorized people, and the document is sent in "Confidential" form.

7. PROCESSING VISUAL RECORDS

The interior and surrounding of the building are monitored by means of security cameras for ensuring company security and the legitimate interests of the visitors. Camera records are used only for the purpose of ensuring the company security and protection of the company's legitimate interests. Legal legislation and the Law on the Protection of Personal Data are complied with when processing personal data.

8. TRANSFER OF PERSONAL DATA

Kalamos may transfer the Personal Data acquired in accordance with the law for the purposes of data processing by taking necessary security measures and the Data Subject's Personal Data and/or Sensitive Personal Data to third parties. In this connection, Kalamos may transfer Personal Data to third parties in case of any of the processing conditions set forth herein or any of the following cases:

● If Data Subject has given his/her explicit consent;
● If the Laws stipulate clearly that the Personal Data will be transferred;
● If transfer is mandatory to protect the life or physical integrity of the Data Subject or others and the data subject is physically or legally incapable of giving consent;
● If it is necessary to transfer personal data of parties to a contract, provided that it is directly related to the execution or performance of a contract to which the data subject is party;
● If transfer of personal data is mandatory for the fulfillment by Kalamos of its legal obligation;
● If Personal Data have been made public by the Data Subject;
● If transfer of Personal Data is mandatory to establish, exercise or protect a right; and
● If it is mandatory to transfer personal data for the legitimate interests of Kalamos provided that the fundamental rights and freedom of data subject are not harmed.

9. EXPORT OF PERSONAL DATA

For the legitimate and lawful Personal Data processing purposes, Kalamos shall be entitled to export the Data Subject's personal data if the Data Subject's explicit consent has been obtained, or if not, in the event of any of the following cases, to foreign countries where an adequate protection is in place for personal data or where the Data Controller who undertook to provide an adequate protection for personal data is located:

• If the Laws stipulate clearly that the Personal Data will be transferred;
• If transfer is mandatory to protect the life or physical integrity of the Data Subject or others and the data subject is physically or legally incapable of giving consent;
• If it is necessary to transfer personal data of parties to a contract, provided that it is directly related to the execution or performance of a contract to which the data subject is party;
• If transfer of personal data is mandatory for the fulfillment by Kalamos of its legal obligation;
• If Personal Data have been made public by the Data Subject;
• If transfer of Personal Data is mandatory to establish, exercise or protect a right; and
• If it is mandatory to transfer personal data for the legitimate interests of Kalamos provided that the fundamental rights and freedom of data subject are not harmed.

9.1. EXPORT OF SENSITIVE PERSONAL DATA

In the following cases, Kalamos shall be entitled to export the Data Subject's Sensitive Personal Data to foreign countries where an adequate protection is in place for personal data or where the Data Controller who undertook to provide an adequate protection for personal data is located, in line with the legitimate and lawful Personal Data processing purposes by exercising necessary care and taking necessary security measures, as well as the sufficient measures required by the Board:

• If Data Subject has given his/her explicit consent, or
• If Data Subject has not given his/her explicit consent,
- Data Subject's sensitive personal data except for his/her health and sexual life (data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, , membership of association, foundation or trade-union, criminal conviction and security measures, as well as data related to biometrics and genetics) in the event of the cases set forth in the laws;
- Data Subject's sensitive personal data relating to health and sexual life, only if they are processed for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.

10. PRINCIPLES GOVERNING THE RETENTION PERIOD FOR PERSONAL DATA

Kalamos retains the personal data for the term required for their processing purpose and the minimum term set forth in the applicable legal legislation. In this connection, first of all it is determined whether the applicable legislation provides for any term for the retention of personal data, and if such term has been determined, personal data are retained during such term. If there is no legal term, personal data are retained for the term required for the purpose of personal data processing. At the end of the determined retention periods, personal data are destroyed at periodic destruction intervals or in line with the data subject's application and using the destruction method determined (deletion, destruction or anonymization).

11. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

7

As set forth in Article 7 of the LPPD and Article 138 of the Law on Protection of Personal Data, when the requirements for processing personal data no longer apply even though they were processed in accordance with the provisions of the applicable law, Personal Data shall be deleted, destroyed or anonymized sua sponte or upon request by the data subject.

12. OBLIGATIONS AND RIGHTS

Kalamos shall inform the relevant people during the acquisition of personal data in line with Article 10 of the Law. In this connection, Kalamos provides Data Subject with information on

● the identity of the data controller and if any, its representative;
● for which purpose his/her Personal Data will be processed;
● to whom and for which purposes the processed Personal Data may be transferred;
● method and legal basis for collecting personal data, and
● the rights of Data Subject.

Please visit http://www.lesottomans.com/KVK/Aydinlatma-Metni to see the Information Notice.

13. RIGHTS OF THE DATA SUBJECT

Data Subjects shall have the following rights:

● learning whether Kalamos processes the Data Subject's personal data;
● if Kalamos processes Personal Data, requesting information about this data processing activity;
● if Kalamos processes Personal Data, learning the processing purpose of the personal data and whether such data are used for the intended purpose;
● if Personal Data are transferred to third parties in the country or abroad, requesting information about these third parties;
● requesting correction of any of the Personal Data which is processed incompletely or inaccurately;
● If Personal Data are processed by Kalamos incompletely or inaccurately, requesting provision of information to third parties to whom Personal Data are transferred of such situation;
● In the event the reasons for processing personal data cease to exist, although such data had been processed in compliance with the Law and other applicable legal provisions, requesting their Personal Data to be deleted or destroyed, or anonymized;
● In the event the reasons for processing personal data cease to exist, requesting provision of information to third parties to whom Personal Data are transferred of such situation;
● If the Personal Data processed by Kalamos are analyzed exclusively by automated systems and the relevant person (Data Subject) believes that an outcome against him/her arises as a result of this analysis, objecting to this outcome; and
● Claiming compensation of any damages suffered as a result of unlawful processing of the Personal Data.

14. EXCEPTIONS

Pursuant to Article 28 of the Law, the Data Subjects may not claim the aforementioned rights as the following cases are exempted from the scope of the Law:

● Processing of personal data by natural persons in the course of a purely personal or household activity, provided that obligations relating to data security are complied with and data are not transferred to third parties;
● Processing of personal data for research, planning and statistical purposes after being anonymized with official statistical methods;
● Processing of personal data for artistic, historical, literature or scientific purposes or as part of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy of personal life or personal rights are not violated, and no crime is committed;
● Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order or economic safety;
● Processing of personal data by judicial authorities or departments related to an investigation, prosecution, trial, or enforcement.

The Information Obligation of Kalamos shall not apply in the following cases pursuant to Article 28/2 of the Law:

● If processing personal data is required to prevent commitment of a crime or for a criminal investigation;
● In case of processing of personal data revealed to the public by the data subject herself/himself;
● If processing personal data is needed for performance of supervision or regulation duties, or disciplinary investigation or prosecution by competent public institutions and organizations, and professional organizations with public institution status that are authorized by law;
● If processing personal data is necessary for protection of economic and financial interests of the State, related to budget, tax, and financial issues.

15. CATEGORIES OF PERSONAL DATA

Kalamos processes the personal data in the following categories by informing the relevant people pursuant to Article 10 of the Law in line with the legitimate and lawful personal data processing purposes of Kalamos, on the basis of, and with limitation to, one or more than one personal data processing conditions set forth in Article 5 of the Law and by means of complying with the general principles set forth in the Law including mainly those in Article 4 governing the processing of personal data and all obligations specified in the Law, provided that such processing will be limited to the subjects covered by the scope of the Policy (Customers, Visitors, Candidate Employees, Company's Authorized Representatives, Suppliers, Business Partners, etc.).

CATEGORIZATION OF PERSONAL DATA	DESCRIPTION
Identity Data	data containing information on the identity of individuals: documents such as driving license, ID card and passport including information on the name and last name, Turkish ID No, nationality, mother's and father's name, birth place, birth date, as well as information on tax number, SSI number, vehicle registration plate, etc.
Contact Information	Information such as phone number, address, e-mail address, fax number and IP address
Data on Family Members and Relatives	Information on the family members (e.g. spouse, mother, father, child), relatives and other emergency contacts of the personal data subject who may be contacted about the products and services offered by Kalamos or for protecting the legal and other interests of Kalamos and the personal data subject
Physical Workspace Security Information	Personal data related to records and documents obtained at the time of entrance to physical workspaces and during the stay at the physical workspace, camera records and records obtained at the security point, etc.
Customer Transaction Information	Information such as records related to the use of our products and services included in the data recording system, which are clearly related to an identified or identifiable natural person and customer's instructions and requests that are necessary for the use by the customer of products and services, as well as the information acquired and produced about the relevant person as a result of the operations carried out by our business units in this connection
Financial Information	Personal data processed in relation to the information, documents and records showing any and all kinds of financial results arising as a result of the legal relationship established by Kalamos with the personal data subject, and information such as bank account number, IBAN number, credit card information, financial profile, data on personal assets, revenue information, etc.
Audio/Visual Information	Data included in documents that have the nature of a copy of the personal data including photo and camera records (excluding records covered by the scope of Physical Workspace Security Information), audio records and personal data
Personal File Information	All kinds of personal data processed for the acquisition of information to be taken as the basis for the establishment of personal rights of natural persons with whom Kalamos is in an employment relationship
Transaction Security Information	Your personal data processed for ensuring our technical, administrative, legal and commercial security as we carry out our commercial operations
Request Management Information	Personal data related to the receipt and assessment of all kinds of requests or complaints filed with Kalamos
Candidate Employee Information	Personal data processed in relation to individuals who have filed an application for being a Kalamos employee and who were assessed as candidate employees in line with the human resources requirements of our company in accordance with commercial customs and good faith principle, or who are in an employment relationship with our Company
Marketing Information	Personal data processed for the marketing of our products and services after they are customized in line with the usage habits, appreciation and requirements of the personal data subject, and the reports and assessments produced as a result of these processing procedures
Audit and Supervision Information	Personal data processed during the internal and external audit procedures within the scope of compliance by Kalamos of its legal obligations and company policies

In line with the provisions of the Policy and Articles 8 and 9 of the Law, Kalamos may transfer the personal data of the data subjects governed by the Policy to the below-listed recipient categories, its business partners, suppliers, shareholders, authorized representatives, authorized public institutions and organizations and authorized private entities. The scope of the aforementioned recipients to whom data are transferred and the data transfer purposes are set forth below.

People to Whom Data May be Transferred	Description	Purpose of Data Transfer
Business Partner	The parties with whom Kalamos establishes a business partnership while it carries out its commercial operations for purposes such as conducting various projects or procuring services	Limited to the achievement of the purpose of business partnership
Supplier	The parties providing services on a contract basis while carrying out the commercial activities of the Company.	Limited to the provision to Kalamos of the services outsourced by Kalamos from the supplier and required for performance by Kalamos of its commercial activities
Shareholders	Natural persons holding shares in Kalamos	Limited to the purposes of the activities carried out by Kalamos in accordance with the applicable legislation provisions within the scope of corporate law, event management and corporate communication processes
Company's Authorized Representatives	Members of the Board of Directors and other authorized natural persons of Kalamos	Limited to the purposes of designing of the strategies for the commercial activities of Kalamos in accordance with the applicable provisions, ensuring the highest-level management and auditing purposes
Legally Authorized Public Organizations and Institutions	Public legal organizations and institutions authorized to request information and documents from Kalamos in accordance with the applicable legislation provisions	Limited to the purpose requested by the relevant public organizations and institutions in line with their legal authorization
Legally Authorized Private Entities	Private entities authorized to request information and documents from Kalamos in accordance with the applicable legislation provisions	Limited to the purpose requested by the relevant private entities in line with their legal authorization