Processing Personal Data

MFA OCCUPATIONAL SAFETY MEDICAL A.S.
PERSONAL DATA PROTECTION and PROCESSING POLICY

1. Introduction

As a data controller, it is very important for MFA İş Güvenliği Medikal A.Ş. (MFA or the Company) to protect the personal data of its customers, employees and other natural persons with whom it has a relationship. This policy has been created by our company for the processing and protection of the personal data of our customers, potential customers, employees, employee candidates, visitors, employees of the organization we cooperate with and third parties in accordance with the KVK Regulations. Within the scope of this policy, necessary administrative and technical measures are taken by MFA for the processing and protection of personal data in accordance with the relevant laws and regulations.

2. PURPOSE OF THE POLICY

The purpose of this policy is to explain the personal data processing activities carried out by MFA in accordance with the PDP Regulations and the systems adopted for the protection of personal data. In this context, it is aimed to provide transparency by informing our customers, employees, employee candidates, visitors, customers whose personal data are received through our dealers, shareholders and employees of the organizations we cooperate with and third parties. MFA reserves the right to make changes in this policy, if required by the KVK Regulations or within the framework of changes in the purposes and collection methods of processing and transferring personal data, when MFA deems necessary.

The goals we want to achieve with this policy are:

- Processing personal data in accordance with the law and honesty rules,

- Keeping personal data accurate and updated when necessary,

- Processing personal data for specific, explicit and legitimate purposes,

- Processing personal data in connection with the purpose for which they are processed, limited and measured,

- Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,

- Informing and enlightening relevant persons,

- Creating the necessary infrastructure for those concerned to exercise their rights,

- Taking necessary measures for the protection of personal data,

- Acting in accordance with the relevant legislation and the regulations of the PDP Board in determining and implementing the purposes of processing personal data and transferring them to third parties,

- Specific regulation of the processing and protection of special categories of personal data.

3. SCOPE OF THE POLICY

This Policy is related to all personal data of our customers, employees, employee candidates, visitors, customers whose personal data have been received through our dealers, employees of the institutions we cooperate with and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

4. DEFINITIONS

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Anonymization: Making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

Application Form: The application form for the applications to be made by the relevant person (Personal Data Owner) to the data controller, prepared in accordance with the Law No. 6698 on the Protection of Personal Data and the Communiqué on the Procedures and Principles of Application to the Data Controller issued by the Personal Data Protection Authority, which includes the application to be made by personal data owners to exercise their rights.

Employee Candidate: Real persons who have applied for a job to the Company by any means or who have opened their resume and related information to the Company's review.

Employee/Intern: Natural persons who perform services at the Company under an employment contract.

Real Person Business Partner: Natural persons with whom the Company has any kind of business relationship.

Data Subject, Personal Data Owner or Data Subject: Company Stakeholders, Employees, Business Partners, Authorities, Employee Candidates, Visitors, Company Customers, Potential Customers, Third Parties and other persons whose personal data are processed by the Company.

Destruction: Termination of the processing activity by deleting, destroying or anonymizing personal data.

Personal Data Subject: The natural person whose personal data is processed by or on behalf of MFA.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on Personal Data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

KVK Regulations: Law No. 6698 on the Protection of Personal Data, regulations, communiqués and relevant legislation on the protection of personal data, decisions of the Personal Data Protection Board, court decisions, applicable international agreements and any other legislation on the protection of data.

Personal Data Protection Board: Personal Data Protection Board

KVKK: Law No. 6698 on the Protection of Personal Data.

Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Policy: Personal data processing and protection policy

Potential Customer: Real persons who have made a request or interest in using the Company's products and services, or who have been evaluated in accordance with the rules of commercial custom and honesty that they may have this interest, and who have the potential to turn into customers.

Stakeholder, Official, Employee of the Company's Business Partners: All real persons, including employees, Stakeholders and officials of real and legal persons (such as business partners, suppliers) with whom the Company has all kinds of business relations.

Company Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Company Stakeholder: Real persons who are stakeholders of the Company.

Company Official: Members of the Company's Board of Directors and other authorized natural persons.

Company: MFA İş Güvenliği Medikal A.Ş.

Third Person: Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy.

Data Processor: Natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System: The recording system where personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Visitor: All natural persons who enter the physical premises owned by the Company for various purposes or visit the websites for any purpose.

5. PROCESSING, CLARIFICATION AND INFORMATION OF PERSONAL DATA OF RELATED PERSONS

In accordance with Article 10 of the KVK Law, MFA informs personal data owners during the collection of personal data. In this context, MFA provides clarification on the identity of the data controller, the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the personal data collection method and legal reason, and the rights of the relevant person, according to the nature of the relevant person and the data processing process. Along with this Policy, the customer information text, cookie policy and application form are also published on MFA websites.

One of the conditions for processing personal data is the explicit consent of the owner, and in cases where explicit consent is required after informing personal data owners within the scope of fulfilling the obligation to inform, personal data is processed if the owners give explicit consent. Within the framework of the obligation to inform, personal data owners are informed of their rights before obtaining explicit consent.

In cases where it is envisaged to process personal data without explicit consent within the scope of KVK Regulations (KVKK articles 5.2 and 6.3), MFA may process personal data without obtaining the explicit consent of the personal data owner, and in case personal data is processed in this way, the Company processes personal data within the limits drawn by the KVK Regulations. The basis for personal data processing may be only one of the conditions listed below, or more than one of these conditions may be the basis for the same personal data processing activity.

- The personal data of the data owner may be processed in accordance with the law if it is clearly provided for by law.

- Personal data may be processed by MFA without explicit consent in order to protect the life or physical integrity of the personal data owner who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity, or of a person other than the personal data owner.

- Personal data belonging to the parties to the contract may be processed by MFA without the explicit consent of the personal data owners, provided that it is directly related to the establishment, implementation, performance or termination of a contract.

- As the data controller, MFA may process personal data without the explicit consent of the data owner, if processing is mandatory to fulfill its legal obligations.

- Personal data made public by the personal data owner may be processed by MFA without explicit consent.

- If processing personal data without explicit consent is the only possible way to establish, exercise or protect a right, personal data may be processed by MFA without explicit consent.

- Personal data may be processed by MFA without explicit consent if data processing is necessary for the legitimate interests of MFA, provided that the fundamental rights and freedoms of the personal data owner are not harmed.

MFA acts in accordance with the regulations stipulated in the processing of special categories of personal data in accordance with Article 6 of the KVKK. In accordance with Article 6 of the KVKK, special categories of personal data are processed in the following cases, if there is no explicit consent of the personal data owner, provided that adequate measures to be determined by the Board are taken:

- Special personal data, other than the health and sexual life of the personal data owner, in cases stipulated by law,

- Personal data of special nature regarding the health and sexual life of the personal data owner can only be processed by persons who are under the obligation of confidentiality or by authorized institutions and organizations, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.

- In this context, MFA evaluates whether personal data processing activities fall within the scope of one of these conditions and stops personal data processing activities that are not based on one of these conditions. When processing special personal data, precautions determined by the Board are taken.

- Your sensitive personal data is protected within the scope of a separate policy prepared in accordance with the Board decision.

5. CLASSIFICATION OF PERSONAL DATA

At MFA, in line with MFA's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, personal data in the following categories are processed in accordance with the general principles specified in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, and with all obligations regulated in the KVK Law, limited to the personal data owners within the scope of this Policy and by informing the relevant persons.

PERSONAL DATA CLASSIFICATION: EXPLANATION

Identity Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system, containing information regarding the identity of the person; information such as T.R. identity number, place of birth, date of birth, gender, identity card and passport number, tax number, SSI number.

Communication Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; information such as telephone number, home address, workplace address, personal e-mail address, computer number, system user name, fax number, IP number, access URL (web).

Personnel Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; all kinds of personal data processed to obtain information that will be the basis for the formation of personal rights of real persons who are in a working relationship as personnel in accordance with the service contract established with the Company (resume information, education information, salary and premium information, promotion/warning information, starting date, job position/s, name of the manager, job assignments, working hours, performance information, discharge certificate, annual leave information).

Financial Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship the Company has established with the Relevant Person, as well as bank account number, IBAN number, credit card information, income information, bank information, workplace credit card data (data such as employee expenses, salary information, social security data, credit card information, e-invoice information, if any).

Visual and Audio Data: Data belonging to an identified or identifiable natural person; data consisting of photographs, camera recordings, and voice recordings received through the call center.

Location Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; information determining the location of the Relevant Person while using Company vehicles within the framework of operations carried out by the Company's business units; GPS location data.

Family Members and Relatives Data: Data belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; contact information of family members (e.g. spouse, mother, father, child) and relatives of real persons who are in a working relationship as personnel in accordance with the service contract established with the Company, to be used when necessary.

Transaction Security Data: Data such as IP address, computer password, internet access records of the data subject.

Physical Space Security Data: Personal data regarding records and documents taken upon entering the Company's physical locations and during the stay in the physical location; camera recordings and records taken at security points, etc.

Education and Occupation Data: Information about the work history and educational background of employees, candidates, customers and potential customers.

Legal Transaction Data: Data processed within the scope of the determination and pursuit of the Company's legal receivables and rights, and the fulfillment of its debts and legal obligations.

Customer Transaction Data: Information such as records regarding the use of products and services and the customer's instructions and requests necessary for the use of products and services.

Marketing Data: Personal data processed for the marketing of products and services by customizing them in line with the usage habits, tastes and needs of the Relevant Person, and reports and evaluations created as a result of this processing.

Special Personal Data: The data specified in Article 6 of the Law, whose processing and protection are subject to more special conditions due to their nature (e.g. health data, criminal conviction data, etc.).

Other Data: Professional vehicle information, driver's license class (in case of vehicle allocation), business phone quota usage information, employee department information (such as retail, wholesale, chain, e-commerce), targeted sales figure information, emergency information form data, office login-exit information, psychotechnical test data, personality inventory test information, knowledge test data, personal data regarding records and documents taken upon entering the physical space and during the stay in the physical space, camera records.

6. DESTRUCTION OF PERSONAL DATA (DELETION, DESTRUCTION AND ANONYMIZATION)

In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the "Regulation on Deletion, Destruction and Anonymization of Personal Data" issued by the Board, if the reasons requiring processing are eliminated, personal data is deleted, destroyed or made anonymous by MFA, based on its own decision or upon the request of the personal data owner, even though it has been processed in accordance with the provisions of the relevant law. MFA has created a policy on this issue in accordance with the provisions of the regulation, and in accordance with this policy, it destroys the data according to its nature. In accordance with this regulation, periodic destruction dates have been determined by MFA, and the necessary calendar has been created for periodic destruction to be carried out at various intervals with the beginning of the obligation. The following techniques are applied by MFA to delete, destroy and anonymize personal data:

- Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, a system of physical destruction of personal data in such a way that it cannot be used later is implemented.

- Secure Deletion from Software: While data processed by fully or partially automatic means and stored in digital media is deleted/destroyed, methods are used to delete the data from the relevant software in a way that cannot be recovered again.

- Secure Deletion by an Expert: In some cases, MFA may contract with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in this field so that it cannot be recovered again.

- With data masking, personal data is made anonymous by removing the basic identifying information of personal data from the data set.

- With the aggregation method, many data are aggregated and personal data is made unable to be associated with any person.

- With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any individual.

- With the data mixing method, the ties between values and individuals are broken by mixing the values in the personal data set.

In accordance with Article 8 of the KVKK, anonymised personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of KVKK and the express consent of the personal data owner will not be required.

7. TRANSFER OF PERSONAL DATA

In line with its lawful personal data processing purposes and by taking the necessary security measures, MFA may transfer the personal data of the personal data subject, processed in accordance with the relevant laws and regulations, to third parties in the following cases: if there is a clear regulation in the law regarding the transfer of personal data; if it is necessary to transfer personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract; if personal data transfer is mandatory for the Company to fulfill its legal obligations; if personal data transfer is necessary for the establishment, exercise or protection of a right; if the transfer of personal data is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person.

8. RIGHTS OF PERSONAL DATA OWNER

- Learning whether personal data is processed or not,

- Requesting information if personal data has been processed,

- Learning the purpose of processing personal data and whether they are used for their intended purpose,

- Knowing the third parties to whom personal data is transferred domestically or abroad,

- Requesting correction of personal data in case of incomplete or incorrect processing and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,

- To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the KVK Regulations, and to request that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,

- Objecting to a result unfavorable to the person that arises from analyzing the processed data exclusively through automatic systems,

- Requesting the compensation of the damage in case of damage due to the processing of personal data in violation of the KVK Regulations.

9. CASES WHERE THE PERSONAL DATA OWNER CANNOT ASSERT HIS RIGHTS

- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,

- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,

- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public security, public order or economic security,

- Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.

- Processing personal data is necessary for the prevention of crime or criminal investigation,

- Processing of personal data made public by the personal data owner,

- Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law,

- Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.

10. PERSONAL DATA OWNER'S USE OF HIS RIGHTS

Personal data owners will be able to submit their requests regarding their rights specified in this Policy to MFA free of charge, by filling out and signing the Application Form, with information and documents that will identify them, and by the methods specified below or other methods determined by the Personal Data Protection Board.

After filling out the form at www.mfamask.com, a copy with a wet signature must be submitted in person or sent in writing via registered mail to the address Elvanpazarcık Beldesi, Hayat Mah., Baruthane Cad., No:21/1, Merkez, Zonguldak.

Filling out the form at www.mfamask.com and signing it with the "secure electronic signature" within the scope of the Electronic Signature Law No. 5070, then sending the form with the secure electronic signature via registered e-mail to infotr@mfamask.com.

In order for the application listed above to be accepted as a valid application, in accordance with the Communiqué on Application Procedures to the Data Controller, the relevant person must provide the following information:

a) Name, surname and, if the application is written, signature,

b) For citizens of the Republic of Türkiye, T.R. identification number; for foreigners, nationality and passport number or identification number, if any,

c) Residence or workplace address subject to notification,

d) E-mail address, telephone and fax number for notification, if any,

e) Subject of request.

Otherwise, the application will not be considered a valid application. In applications to be made without filling out the application form, the issues listed here must be submitted completely to MFA.

In order for third parties to request an application on behalf of personal data owners, the data owner must have a special power of attorney issued through a notary on behalf of the person making the application.

11. PURPOSES OF PROCESSING AND TRANSFER OF PERSONAL DATA

- Planning and implementing human resources policies in the best possible way,

- Correct planning, execution and management of commercial partnerships and strategies,

- Ensuring the legal, commercial and physical security of the Company and its business partners,

- Ensuring institutional functioning, planning and execution of management and communication activities,

- Ensuring that Personal Data Owners benefit from the products and services in the best possible way and recommending them by customizing them according to their demands, needs and wishes,

- Ensuring data security at the highest level,

- Creation of databases,

- Improving the services offered on the website and eliminating errors that occur on the website,

- Communicating with Personal Data Owners who submit their requests and complaints to the Company and ensuring request and complaint management,

- Management of relationships with business partners or suppliers,

- Execution of personnel recruitment processes,

- Planning and executing audit activities to ensure that the company's activities are carried out in accordance with the relevant legislation,

- Supporting the planning and execution processes of fringe rights and benefits to be provided to the company's senior managers,

- Providing support in carrying out company and partnership law transactions,

- Execution/monitoring of financial reporting and risk management transactions,

- Execution/follow-up of company legal affairs,

- Carrying out work to protect its reputation,

- Providing information to authorized institutions regarding the legislation,

- Creating and tracking visitor records.

12. PERSONS TO WHICH PERSONAL DATA WILL BE TRANSFERRED

Personal Data may be shared with our suppliers, business and solution partners, banks and third parties that perform technical, logistics and other similar transactions on our behalf, in order to ensure that the services offered to you are complete and perfect, and only to the extent appropriate to the nature of the service. These third parties consist of people who must have access to the relevant information in order to provide the relevant services completely and flawlessly.

Apart from these, your Personal Data may be transferred - limited only to the relevant person or institution - in cases where it is mandatory for the Company to fulfill its legal obligations, it is clearly prescribed by law or there is a judicial/administrative order given in accordance with the law.

13. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security to prevent the Personal Data it processes from being processed unlawfully, to prevent unlawful access to the data, and to ensure the preservation of the data, and carries out the necessary inspections in this context or has them carried out.

Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The Company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that Personal Data is processed in accordance with the law.

Technical Measures Taken to Ensure Lawful Processing of Personal Data

- Personal Data processing activities carried out within the company are audited by the established technical systems.

- Technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

- Staff who are knowledgeable in technical matters are employed.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data

- Employees are informed and trained about Personal Data protection law and the lawful processing of Personal Data.

- All activities carried out by the Company are analyzed in detail for all business units, and as a result of this analysis, the Personal Data processing activities specific to the activities carried out by the relevant business units are identified.

- For the Personal Data processing activities carried out by the Company's business units, the requirements to be fulfilled to ensure that these activities comply with the Personal Data processing conditions required by the Law are determined specifically for each business unit and the detailed activity it carries out.

- In order to meet the legal compliance requirements determined on a business unit basis, awareness is created and implementation rules are determined for the relevant business units; the necessary administrative measures to ensure the control of these issues and the continuity of the application are implemented through in-company policies and training.

- Provisions are placed in the contracts and documents governing the legal relationship between the Company and its employees, which impose an obligation not to process, disclose or use Personal Data, except for the instructions of the Company and the exceptions brought by law; employees' awareness on this issue is created, and inspections are carried out to ensure that they comply with the obligations arising from the Law.

Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and implementation costs in order to prevent imprudent or unauthorized disclosure, access, transfer or any other unlawful access of Personal Data.

Technical Measures Taken to Prevent Illegal Access to Personal Data

- Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.

- Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.

- Access authorizations are limited and authorizations are reviewed regularly.

- The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.

- Software and hardware including virus protection systems and firewalls are installed.

- Staff who are knowledgeable in technical matters are employed.

- Security scans are carried out regularly to detect security vulnerabilities in the applications where Personal Data is collected. The gaps found are closed.

Administrative Measures Taken to Prevent Unlawful Access to Personal Data

-Employees are trained on the technical measures to be taken to prevent unlawful access to Personal Data.

-Personal Data processing and authorization processes are designed and implemented within the Company in accordance with legal compliance requirements for processing Personal Data on a business unit basis.

-Employees are informed that they cannot disclose the Personal Data they have learned to anyone else, contrary to the provisions of the Law, or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.

-Provisions are added to the contracts concluded by the Company with persons to whom Personal Data is lawfully transferred, stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

Storing Personal Data in Secure Environments

The Company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, in order to store Personal Data in secure environments and prevent it from being destroyed, lost or changed for unlawful purposes.

Technical Precautions Taken to Store Personal Data in Secure Environments

-Systems compatible with technological developments are used to store Personal Data in secure environments.

-Staff specialized in technical matters are employed.

-Technical security systems are established for storage areas, security tests and research are carried out to detect security vulnerabilities on information systems, and current or potential risks identified as a result of the tests and research are eliminated. The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.

-Backup programs are used in accordance with the law to ensure that Personal Data is stored safely.

-Access to the environments where Personal Data is kept is restricted and only authorized persons are allowed to access these data, limited to the purpose of storing personal data. Access to data storage areas where Personal Data is located is logged and inappropriate access or access attempts are instantly notified to the relevant parties.

Administrative Measures Taken to Store Personal Data in Secure Environments

-Employees are trained to ensure that Personal Data is stored securely.

-Legal and technical consultancy services are received to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.

-In case the Company obtains an external service due to technical requirements for storing Personal Data, provisions are included in the contracts concluded with the relevant companies to which the Personal Data is transferred in accordance with the law, stating that the persons to whom Personal Data is transferred will take the necessary security measures to protect Personal Data and ensure that these measures are complied with in their own organizations.

Audit of Measures Taken for the Protection of Personal Data

The Company carries out, or has carried out, the necessary inspections within its own structure in accordance with Article 12 of the Law. These audit results are reported to the relevant department within the scope of the Company's internal functioning and the necessary activities are carried out to improve the measures taken.

Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the Law, the Company operates a system that ensures that, if the Personal Data it processes is obtained by others through illegal means, this situation is notified to the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the KVK Board's website or by another method.

Observing the Legal Rights of Personal Data Owners

The Company observes all legal rights of Personal Data Owners through the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information about the rights of Personal Data Owners is provided in the sixth section of this Policy.

Protection of Special Personal Data

The Law attaches special importance to certain Personal Data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data are: data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. The Company pays utmost attention to the protection of special personal data, which are designated as being of "special nature" by law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company to protect personal data are implemented with the utmost care in terms of Special Personal Data, and the necessary controls are provided within the Company in this regard.

14. ENFORCEMENT AND UPDATING OF THE POLICY

This Policy issued by MFA is the current version of the Data Processing Policy that came into force on 02 October 2021 and was published on 02 October 2021. This Policy is published on MFA's website (www.mfamask.com) and made available to relevant persons.

MFA İŞ GÜVENLİĞİ MEDİKAL A.Ş. (Data Controller)

Elvanpazarcık Beldesi, Hayat Mah., Baruthane Cad., No:21/1, Merkez, Zonguldak

Mersis Number: 0620138675600001

KVK APPLICATION FORM CLARIFICATION TEXT

CLARIFICATION TEXT ABOUT CUSTOMER PERSONAL DATA