The OneDataLake Personal Data Processing and Protection Policy ("OneDataLake PDPP Policy") regulates the principles adopted by OneDataLake for the protection and processing of personal data.
In line with the importance OneDataLake attaches to the protection of personal data, the OneDataLake PDPP Policy sets out the fundamental principles for compliance with the provisions of Law No. 6698 on the Protection of Personal Data ("PD Law") concerning OneDataLake and its business partners' activities. This policy outlines what OneDataLake needs to fulfill in this regard. The implementation of the OneDataLake PDPP Policy regulations will sustain the data security principles adopted by OneDataLake.
OneDataLake should establish the necessary system to raise awareness within the company regarding the protection of personal data and establish the required framework for ensuring compliance with the legislation on the protection and processing of personal data within its internal operations.
The OneDataLake PDPP Policy aims to provide guidance for the implementation of regulations outlined in the PD Law and relevant legislation. With the OneDataLake PDPP Policy, OneDataLake aims to ensure the adoption and careful execution of the compliance process with the PD Law, which is considered important by OneDataLake.
The important definitions used in the OneDataLake PDPP Policy are as follows:
• Explicit Consent: Consent based on information regarding a specific subject matter and declared with free will.
• Anonymization: Rendering personal data incapable of being associated with a specific or identifiable natural person, even through the combination with other data.
• Regulation on Procedures and Principles to be Followed in Fulfilling the Obligation to Inform: Regulation published in the Official Gazette dated March 10, 2018, and numbered 30356, regarding the procedures and principles to be followed in fulfilling the obligation to inform.
• Employee PD Protection Policy: "OneDataLake Information Systems Industry and Trade Inc. Employee Personal Data Protection and Processing Policy," which regulates the principles of protecting and processing employee personal data at OneDataLake.
• Regulation on the Processing and Privacy of Personal Health Data: Regulation published in the Official Gazette dated October 20, 2016, and numbered 29863, regarding the processing and privacy of personal health data.
• Personal Health Data: Any information related to the physical and mental health of an identified or identifiable natural person, including information about the health services provided to the person.
• Personal Data: Any kind of information relating to an identified or identifiable natural person.
• Data Subject: The natural person whose personal data is processed, for example customers and employees.
• Personal Data Protection Unit: A unit within OneDataLake responsible for ensuring compliance with personal data protection legislation, preservation, and maintenance of personal data within the Company.
• Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or not, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, taking over, making available, classification, or prevention of use.
• PD Law: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, and numbered 29677.
• DPA: Personal Data Protection Authority.
• Special Categories of Personal Data: Race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures-related data, as well as biometric and genetic data.
• OneDataLake / Company: OneDataLake Information Systems Industry and Trade Inc.
• OneDataLake Business Partners: Parties with which OneDataLake has entered into partnerships for various purposes while conducting its commercial activities.
• OneDataLake PDPP Policy: OneDataLake Information Systems Industry and Trade Inc. Personal Data Protection and Processing Policy.
• OneDataLake Suppliers: Parties providing services to OneDataLake based on contracts.
• OneDataLake Data Subject Application Form: The form that data subjects will use when applying for their rights specified in Article 11 of the PD Law.
• Legal Advisors: Natural and legal persons providing consultancy to OneDataLake Information Systems Industry and Trade Inc. for the conduct of legal transactions.
• OneDataLake Employee PDPP Policy: "OneDataLake Employees' Personal Data Protection and Processing Policy," which regulates the principles of protecting and processing the personal data of employees within companies affiliated with OneDataLake.
• Turkish Constitution: The Constitution of the Republic of Turkey, published in the Official Gazette dated November 9, 1982, and numbered 17863.
• Turkish Penal Code: The Turkish Penal Code, published in the Official Gazette dated October 12, 2004, and numbered 25611.
• Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by them.
• Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept.
• Communiqué on Principles and Procedures for Application to the Data Controller: Communiqué published in the Official Gazette dated March 10, 2018, and numbered 30356, regarding the principles and procedures for applying to the data controller.
• Registry of Data Controllers: The Registry of Data Controllers kept under the supervision of the DPA, managed by the Presidency of the Personal Data Protection Authority, and publicly available.
• Regulation on the Registry of Data Controllers: Regulation published in the Official Gazette dated December 30, 2017, and numbered 30286, which entered into force on January 1, 2018, regarding the Registry of Data Controllers.
Regulations, procedures, guidelines, standards, and training activities prepared in accordance with the OneDataLake PDPP Policy will be a source of advice and guidance for Legal Advisors in the implementation within the company. All employees, stakeholders, guests, visitors, and relevant third parties throughout OneDataLake are obliged to collaborate with Legal Advisors to prevent legal risks and imminent dangers, alongside compliance with the OneDataLake PDPP Policy. All organs and departments of OneDataLake are responsible for ensuring compliance with the OneDataLake PDPP Policy.
The following basic principles should be adopted by OneDataLake to ensure compliance with personal data protection legislation and its sustainability:
5.1.1. Processing Personal Data in Accordance with Legal and Integrity Principles
OneDataLake must conduct its personal data processing activities in compliance with the legislation for the protection of personal data, including the Constitution of the Republic of Turkey, and in accordance with the principles of lawfulness and integrity.
5.1.2. Ensuring the Accuracy and Currency of Processed Personal Data
OneDataLake should ensure the accuracy and currency of the personal data it processes by taking necessary administrative and technical measures and conducting required processes. In this context, OneDataLake should establish mechanisms for correcting and confirming the accuracy of personal data if they are found to be inaccurate.
5.1.3. Processing Personal Data in a Purpose-Related, Limited, and Proportional Manner
OneDataLake should process personal data in connection with data processing conditions and to the extent necessary for the services provided. The purpose of processing personal data should be determined before initiating the data processing activity. In other words, personal data should not be processed solely on the assumption that they may be used in the future. OneDataLake should consider the fundamental rights of data subjects and their legitimate interests in this regard.
5.1.4. Retaining Personal Data for the Period Prescribed by Applicable Legislation or for the Purpose for Which They Were Processed
OneDataLake should retain personal data for a period prescribed by applicable legislation or as long as necessary for the purpose of data processing. In this regard, OneDataLake should comply with the time limit arising from Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Personal Data Protection Law. Upon expiration of the prescribed period or cessation of the reasons requiring the processing of personal data, OneDataLake should delete, destroy, or anonymize the personal data.
5.2. ENSURING COMPLIANCE OF PERSONAL DATA PROCESSING ACTIVITIES WITH DATA PROCESSING CONDITIONS
While conducting personal data processing activities, OneDataLake must act in accordance with the data processing conditions specified in Articles 5 and 6 of the Personal Data Protection Law and the Regulation on the Processing of Personal Health Data, provided that the basic principles are followed.
In this regard, OneDataLake must determine whether the data processing conditions are met for the personal data processing activities carried out; if the conditions are not met, it should not carry out the personal data processing activity. OneDataLake should establish necessary mechanisms within its internal systems for ensuring compliance with personal data protection and create internal awareness regarding the protection of personal data, and carry out necessary audit mechanisms.
OneDataLake must comply with relevant legislation, including the Constitution of the Republic of Turkey, the Turkish Penal Code, the Personal Data Protection Law, and other relevant regulations, as well as the rules set forth in OneDataLake's Personal Data Protection Policy.
5.3. ENSURING COMPLIANCE WITH DATA TRANSFER CONDITIONS IN PERSONAL DATA TRANSFERS
In personal data transfers conducted by OneDataLake (actively sharing personal data with third parties or granting access to personal data to third parties), it must act in accordance with the personal data transfer conditions specified in Articles 8 and 9 of the Personal Data Protection Law.
5.4. ENSURING THE SECURITY OF PERSONAL DATA
To prevent the unlawful disclosure, transfer, or unauthorized access to personal data, or any other security vulnerabilities, OneDataLake must take all necessary measures according to the nature of the data to be protected, within its means. In this context, OneDataLake should take necessary (i) administrative and (ii) technical measures, (iii) establish an audit system within the company, and (iv) take measures as stipulated in the Personal Data Protection Law in case of unlawful disclosure of personal data.
5.4.1. Administrative Measures to Ensure the Lawful Processing of Personal Data and Prevent Unauthorized Access to Personal Data by OneDataLake
• OneDataLake should educate and raise awareness among its employees regarding the protection of personal data.
• In cases where personal data is subject to transfer, OneDataLake should add records to contracts concluded with the parties to whom personal data is transferred, stating that the recipient will undertake the obligations to ensure the security of personal data and commit to taking all necessary measures for the protection of personal data within their organization.
• Detailed examination of processes conducted by OneDataLake should be carried out, and the personal data processing activities conducted within each unit during the process should be identified. In this context, the necessary steps to ensure compliance of the personal data processing activities with the personal data processing conditions stipulated in the Personal Data Protection Law should be determined.
• OneDataLake should identify the practices to be implemented for compliance with the Personal Data Protection Law according to the company's structures and regulate these practices through internal policies.
5.4.2. Technical Measures to Ensure the Lawful Processing of Personal Data and Prevent Unauthorized Access to Personal Data by OneDataLake
• Technical measures should be taken for the protection of personal data to the extent allowed by technology, and these measures should be updated and improved in line with developments.
• Expert personnel should be employed for technical matters.
• Regular audits should be conducted for the implementation of the measures.
• Software and systems ensuring security should be established.
• Access to personal data processed by OneDataLake should be limited to relevant company employees based on the defined processing purpose.
5.4.3. Conducting Audit Activities Related to the Protection of Personal Data by OneDataLake
The technical measures, administrative measures, and practices taken by OneDataLake to ensure the protection and security of personal data must be audited by the Internal Audit Units of OneDataLake to ensure compliance with relevant legislation, policies, procedures, and instructions, as well as their operation and effectiveness. OneDataLake may conduct the audit activity internally or may engage external audit firms with the approval of the OneDataLake Board of Directors. In necessary cases, the OneDataLake Board of Directors may directly carry out the audit activity within OneDataLake. The results of the conducted audit activities must be reported to the relevant OneDataLake Board of Directors and relevant functional managers. The regular monitoring of planned actions regarding audit results is the primary responsibility of process owners. The relevant OneDataLake should carry out the monitoring, verification tests, and audits of actions within the scope of this report. Activities aimed at improving and enhancing the measures taken for data protection, beyond the audit results, should be carried out by the relevant executive units within OneDataLake.
5.4.4. Measures to Be Taken in Case of Unauthorized Disclosure of Personal Data
If personal data processed by OneDataLake is obtained unlawfully by unauthorized persons, OneDataLake must promptly report the situation to the Personal Data Protection Authority (KVKK) and the relevant data owners. The internal structure required to fulfill this obligation should be established within each entity of OneDataLake.
5.5. OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITY
OneDataLake must comply with the obligations prescribed for data controllers by the Personal Data Protection Law (KVKK). In this context, the main obligations that OneDataLake must comply with are listed below:
5.5.1. Obligation to Register with and Notify the Data Controllers Registry
OneDataLake must register with the Data Controllers Registry in accordance with Article 16 of the KVKK and the Regulation on the Data Controllers Registry. The information to be submitted to the Data Controllers Registry in the registration application includes:
• Identification and addresses of OneDataLake as the data controller and, if any, its representative,
• Purpose of processing personal data,
• Information about the data subject groups and the categories of personal data processed for these individuals,
• Persons or groups to whom personal data may be transferred,
• Personal data that may be transferred abroad,
• Measures taken to ensure the security of processed personal data,
• Maximum retention period required by the purpose of processing personal data.
5.5.2. Obligation to Inform the Data Subject
OneDataLake must ensure that data subjects are informed during the acquisition of personal data in accordance with Article 10 of the KVKK and the Principles and Procedures to Be Followed in Fulfilling the Obligation to Inform. The information that must be provided to data subjects within the scope of the obligation to inform includes:
• Identification of the data controller and, if any, its representative,
• Purpose of processing personal data,
• Persons to whom and for what purpose processed personal data may be transferred,
• Method and legal reason for collecting personal data,
• Rights of the data subject, including the right to:
    • Learn whether personal data is processed,
    • Request information if personal data has been processed,
    • Learn the purpose of processing personal data and whether they are used appropriately for their purpose,
    • Know third parties to whom personal data are transferred domestically or abroad,
    • Request correction of personal data if it is incomplete or incorrectly processed and request notification of the transaction made to third parties to whom personal data are transferred,
    • Request the deletion or destruction of personal data within the framework of the conditions prescribed, and request notification of the transaction made to third parties to whom personal data are transferred,
    • Object to the occurrence of a result against the person by exclusively analyzing the processed data through automated systems,
    • Demand compensation in case of damage due to processing of personal data unlawfully.
5.5.3. Obligation to Ensure the Security of Personal Data
OneDataLake must take all necessary technical and administrative measures to ensure an adequate level of security to prevent unlawful processing of personal data, unauthorized access to personal data, and ensure the protection of personal data, in accordance with Article 12 of the KVKK. OneDataLake is also responsible for conducting or commissioning necessary audits in the operation of mechanisms for ensuring data security.
5.5.4. Obligation to Fulfill Decisions by the Personal Data Protection Authority
OneDataLake must act in accordance with decisions given by the Personal Data Protection Board (KVKK) in order to ensure that personal data is processed in compliance with fundamental rights and freedoms.
5.5.5. Obligation to Respond to Data Subject Requests
As a data controller, OneDataLake must conclude requests of data subjects regarding their personal data within the shortest time and no later than thirty (30) days in accordance with Article 13 of the KVKK. Data subjects must submit their requests regarding their personal data in accordance with the Regulation on the Procedures and Principles of Application to the Data Controller.
According to Article 11 of the Personal Data Protection Law (KVKK), data subjects may apply to data controllers to request the following:
1. To learn whether their personal data is being processed,
2. If their personal data is being processed, to request information regarding this,
3. To learn the purpose of processing their personal data and whether they are being used appropriately for this purpose,
4. To know the third parties within the country or abroad to whom their personal data has been transferred,
5. If their personal data is incomplete or incorrectly processed, to request correction of this and to request notification of this correction to third parties to whom the personal data has been transferred,
6. To request the deletion or destruction of personal data in case the reasons requiring the processing of personal data have ceased to exist, despite being processed in accordance with the KVKK and other relevant laws, and to request notification of this deletion or destruction to third parties to whom the personal data has been transferred,
7. To object to the occurrence of a result against themselves as a result of the exclusively automated analysis of processed data,
8. In case of suffering damages due to the unlawful processing of personal data, to request compensation for the damages.
5.5.6. Obligation to Transfer and Obtain Personal Data in Compliance with the Law
OneDataLake must process personal data in accordance with the law and the principle of honesty, as stipulated by Article 4 of the KVKK. Within this scope, activities related to the acquisition and transfer of personal data must also be carried out in compliance with the law.
5.5.7. Obligation to Comply with Regulations Regarding the Protection of Personal Data
In accordance with Article 7 of the KVKK, even though personal data has been processed lawfully, OneDataLake must establish internal systems for the deletion, anonymization, or destruction of personal data when the reasons for processing cease to exist.
OneDataLake should establish certain systems within its organization to comply with the KVKK Law and the guiding OneDataLake KVKK Policy. In this context, the following are the primary obligations to be fulfilled by OneDataLake:
6.1. Fulfilling the Obligations Stated in the OneDataLake KVKK Policy
OneDataLake must act in accordance with the fundamental obligations stated under the OneDataLake KVKK Policy's Section 5.5.
6.2. Formulation of Policies on the Protection and Processing of Personal Data
Considering its internal operations and the regulations envisaged in the KVKK, OneDataLake must establish a Personal Data Protection and Processing Policy. The language of this policy should be clear and understandable to data subjects.
6.3. Preparation of Policies, Regulations, Procedures, and Guidelines by ONEDATALAKE COMPANIES Regarding the Protection and Processing of Personal Data
To ensure compliance with personal data protection laws, OneDataLake should prepare necessary documents for public disclosure or internal use, following the documentation model applied by the company. Any changes to the policies presented to the public must be easily accessible to data subjects.
6.4. Identification of the Unit Responsible for the Protection and Processing of Personal Data
To manage the OneDataLake KVKK Policy and related policies, a Personal Data Protection Unit should be established within each OneDataLake company or a person responsible for the protection and processing of personal data should be appointed. The formation and distribution of responsibilities of this unit are determined by the top management of OneDataLake. In addition to the minimum duties mentioned above, additional responsibilities may be assigned based on the needs and activities of OneDataLake.
This Policy document comes into effect from the moment it is approved by the OneDataLake Board of Directors. With the exception of the revocation of this Policy, the OneDataLake Board of Directors has authorized the Chairman of the Board to decide on changes to the Policy and how they will be implemented. Changes to this Policy can be made and implemented with the approval of the Chairman of the Board of Directors of OneDataLake. Application rules specifying how the matters stated within this Policy will be executed in specific contexts will be regulated in the form of regulations. Regulations will be published and enforced with the approval of the Chairman of the Board of Directors of OneDataLake. This Policy is reviewed annually, and if changes are necessary, they are submitted to the Chairman of the Board of Directors of OneDataLake for approval.