Protection of Personal Data

Data Controller’s Identity

At Aydem Elektrik Perakende Satış A.Ş. (“Aydem” or the “Company”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Personal Data Protection Law No. 6698 (the “Law”) and the related regulations regarding the personal data we obtain from you as the data controller.

2.Processing of Personal Data and the Purposes for Processing

Your personal data is processed to ensure that our Company can offer the best services possible, although the purpose may vary depending on the services and commercial activities offered by Aydem. To this end:

Your personal data (identity, contact details, customer transaction data) and sensitive personal data (as per the Regulation on Electricity Market Consumer Services, such data can be indirectly obtained from your medical reports, and the religion and blood type details can be indirectly obtained from your identity card and/or driver’s license copy, if shared by you) are processed in a limited manner forcarrying out the subscription contract processes; following up the after-sales support services, customer relations management processes, customer satisfaction activities, legal/financial/accounting processes, and any requests/complaints; ensuring that the activities are in compliance with the Electricity Market Law and the secondary legislation, as well as other relevant legislations; conducting advertising/campaing/promotion/survey activities as part of the marketing analysis efforts and the marketing processes for the services offered; carrying out/auditing business activities; making audits; conducting activities to ensure business continuity; carrying out risk management processes; carrying out strategic planning activities; informing the authorized persons, entities and organizations if requested; carrying out communications activities; carrying out storage and archiving activities; carrying out information security processes and ensuring compliance with the policies and procedures of the Company and of the Aydem Holding group companies which the Company is affiliated with. Your personal data may also be transferred to physical archives and information systems to be stored in both digital and physical environments.

3.Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes

For the purposes set out in Article 2 of this Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to the Energy Market Regulatory Authority and other governmental bodies and organizations; independent audit companies; law offices and attorneys; agencies; banks; our business partners; systems of Turkey-based information technology companies that we receive services from and collaborate with, including our suppliers; our Company’s domestic shareholders and group companies to carry out the operational processes and to get support from them and to databases used jointly with these companies.

4.Method and Legal Basis for Collecting Personal Data

As you are a customer of our Company, your personal data may be collected from the verbal or written information you provided to our Company through automated or non-automated means, from governmental bodies and agencies, from social media platforms, from the applications and software and the closed circuit camera systems used for the Company’s activities; for and limited to the legal reasons stipulated in Article 5 of the Law including express stipulation by law, establishment and performance of contracts, legal liabilities of the data controller, presence of an express consent, and legitimate interests of the data controller.

5.Your Rights under Personal Data Protection

As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.

According to the Law, for your applications regarding your personal data, you can fill out the form on https://aydemperakende.com.tr/ and

• Bring it to the address Adalet Mah. Hasan Gönüllü Bulvarı No:15/1 Merkezefendi, DENİZLİ, ensuring that your identity is authenticated or
• Send it to aydem.perakende@hs02.kep.tr or ;
• Send it to kvk.aydem@aydemenerji.com.tr from your email address registered at our Company or
• Submit it via other methods stated in the Law and the relevant legislation, ensuring that your identity is authenticated.

As per Article 13 of the Law, our Company will conclude application requests as soon as possible and, in any case, within 30 (thirty) days at the latest depending on the nature of the request. If the process incurs any cost, the tariff determined by the Personal Data Protection Board shall apply. If the request is rejected, the reason(s) for rejection shall be justified in writing or in electronic environment.

1. Data Controller’s Identity

At Aydem Elektrik Perakende Satış A.Ş. (“Aydem” or the “Company”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Personal Data Protection Law No. 6698 (the “Law”) and the related regulations regarding the personal data we obtain from you as the data controller.

2. Processing of Personal Data and the Purposes for Processing

Your personal data is processed to ensure that our Company can offer the best services possible, although the purpose may vary depending on the services and commercial activities offered by Aydem. To this end:

Your personal data (identity, contact details, customer transaction data) and sensitive personal data (as per the Regulation on Electricity Market Consumer Services, such data can be indirectly obtained from your medical reports, and the religion and blood type details can be indirectly obtained from your identity card and/or driver’s license copy, if shared by you) are processed in a limited manner for carrying out the subscription contract processes; following up the after-sales support services, customer relations management processes, customer satisfaction activities, legal/financial/accounting processes, and any requests/complaints; ensuring that the activities are in compliance with the Electricity Market Law and the secondary legislation, as well as other relevant legislations; conducting advertising/campaing/promotion/survey activities as part of the marketing analysis efforts and the marketing processes for the services offered; carrying out/auditing business activities; making audits; conducting activities to ensure business continuity; carrying out risk management processes; carrying out strategic planning activities; informing the authorized persons, entities and organizations if requested; carrying out communications activities; carrying out storage and archiving activities; carrying out information security processes and ensuring compliance with the policies and procedures of the Company and of the Aydem Holding group companies which the Company is affiliated with. Your personal data may also be transferred to physical archives and information systems to be stored in both digital and physical environments.

3. Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes

For the purposes set out in Article 2 of this Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to the Energy Market Regulatory Authority and other governmental bodies and organizations; independent audit companies; law offices and attorneys; agencies; banks; our business partners; systems of Turkey-based information technology companies that we receive services from and collaborate with, including our suppliers; our Company’s domestic shareholders and group companies to carry out the operational processes and to get support from them and to databases used jointly with these companies.

4. Method and Legal Basis for Collecting Personal Data

As you are a customer of our Company, your personal data may be collected from the verbal or written information you provided to our Company through automated or non-automated means, from governmental bodies and agencies, from social media platforms, from the applications and software and the closed circuit camera systems used for the Company’s activities; for and limited to the legal reasons stipulated in Article 5 of the Law including express stipulation by law, establishment and performance of contracts, legal liabilities of the data controller, presence of an express consent, and legitimate interests of the data controller.

5. Your Rights under Personal Data Protection

As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.

According to the Law, for your applications regarding your personal data, you can fill out the form on https://aydemperakende.com.tr/ and

Bring it to the address Adalet Mah. Hasan Gönüllü Bulvarı No:15/1 Merkezefendi, DENİZLİ, ensuring that your identity is authenticated or

Send it to aydem.perakende@hs02.kep.tr or

Send it to kvk.aydem@aydemenerji.com.tr from your email address registered at our Company or

Submit it via other methods stated in the Law and the relevant legislation, ensuring that your identity is authenticated.As per Article 13 of the Law, our Company will conclude application requests as soon as possible and, in any case, within 30 (thirty) days at the latest depending on the nature of the request. If the process incurs any cost, the tariff determined by the Personal Data Protection Board shall apply. If the request is rejected, the reason(s) for rejection shall be justified in writing or in electronic environment.

1.Data Controller’s Identity

At Aydem Elektrik Perakende Satış A.Ş. (“Aydem” or the “Company”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Personal Data Protection Law No. 6698 (the “Law”) and the related regulations regarding the personal data we obtain from prospective employees as the data controller.

2. Processing of Personal Data and the Purposes for Processing

As you are a prospective employee, your personal data including your identity, contact details, professional experience, physical location security, family member details, visual data and your resumé that you provided to our Company, and your sensitive personal data including your medical and association membership data (if you have submitted) shall be processed, as part of the job application processes, to carry out the employee application processes and the selection, offer and recruitment processes; obtain camera recordings to ensure physical location security should you visit our Company; check references; ensure information and data security and to make sure that, if you are not recruited, we can assess your resumé for a potential future position or for an appropriate position at our group companies and that we can contact you in this regard. In addition, if you give your express consent, the said data shall be transferred to physical archives and information systems to be stored for 12 months in both digital and physical environments.

3. Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes

For the purposes set out in Article 2 of this Prospective Employee Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to references, to Aydem Holding group companies which the Company is affiliated with, to databases used jointly with these companies and, if required, to governmental bodies and organizations.

4. Method and Legal Basis for Collecting Personal Data

Your personal data is collected in physical or electronic environments from the verbal or written applications made using our Company’s website or email address or made in person, from consultancy firms and from the information provided during interviews, from information provided by references and through closed circuit camera systems, in line with the basic principles stipulated in the Law and for and limited to the legal reasons stipulated in Article 5 of the Law including establishment of contracts, legitimate interests of the data controller, and presence of an express consent.

5. Your Rights under Personal Data Protection

As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.

After filling out the Information Request Form on Personal Data Protection Law (KVKK), you can:

Bring it to the address Anadolu Cad. No:41 Megapol Tower K:19 Bayraklı, İZMİR, ensuring that your identity is authenticated or

Send it to gedizepsas@hs02.kep.tr or

Send it to kvk.gediz@aydemenerji.com.tr from your email address registered at our Company or

Send it via other methods stated in the Law and the relevant legislation, ensuring that your identity is authenticated.

PROLOGUE

Purpose

Protection of personal data is among the top priorities of Aydem Elektrik Perakende Satış A.Ş. (the “Company”), who makes its best efforts to act in line with all the applicable legislations in this regard. The Personal Data Protection Law No. 6698 (the “Law”) classifies persons’ data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data as “Sensitive Personal Data”, attaching special importance to such data, and obliges data controllers to protect such data with an enhanced security standard.

Each of the group companies within the organization of Aydem Holding is subject to the provisions of this Policy.

This Aydem Elektrik Perakende Satış A.Ş. Sensitive Personal Data Processing Policy (the “Policy”) sets out the principles adopted while our Company conducts Sensitive Personal Data processing operations and minimum data security measures to be taken by the Company while conducting Sensitive Personal Data processing operations.

Scope

This Policy relates to Sensitive Personal Data belonging to identified or identifiable natural persons as defined under the Law, which is processed within the Company through automated or, provided it is part of a data storage system, non-automated means.

MATTERS WITH REGARD TO PROCESSING OF SENSITIVE PERSONAL DATA

General Principles to be Observed while Processing Sensitive Personal Data

Our Company processes Sensitive Personal Data

In accordance with the law and the rules of honesty;

In a way that is accurate, and whenever required, up-to-date;

For specific, clear and legitimate purposes;

In a way that is related, limited and restricted to the purpose for which the same is processed;

For the duration set out in the relevant legislation or that is necessary for the purpose of processing.

Conditions of Processing Sensitive Personal Data

Sensitive Personal Data is covered in the law separately and with limits,

Sensitive Personal Data is processed by our Company in accordance with the principles set out in this Policy, taking all necessary administrative and technical measures, including minimum security measures specified or to be specified by the Personal Data Protection Board (the “Board”), in the presence of at least one of the following conditions.

a) The data subject provides express consent;

b) It is expressly set out in the law;

c) It is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person;

ç) It relates to the personal data made public by the data subject and is in line with the will of making public;

d) It is required for establishing, exercising or protecting a right;

e) It is required for the persons or authorized agencies and organizations who are under privacy obligation to protect public health and to carry out preventive medicine, medical diagnosis, treatment and care services, as well as to plan, manage and provide financing for health services;

f) It is required for fulfilling legal obligations in the areas of employment, work health and safety, social security, social services and social assistance;

g) It is intended for current or former members and regulars of foundations, associations and other non-profit organizations or entities that are incorporated for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and entities, provided this is in line with the regulation they are subject to and their purposes, limited to their line of operations and that it is not disclosed to third parties.

MATTERS REGARDING TRANSFER OF SENSITIVE PERSONAL DATA

CLARIFICATION OF DATA SUBJECTS AT THE TIME OF OBTAINING SENSITIVE PERSONAL DATA 

According to Article No. 10 of the Law, data controllers or the persons authorized by them have to provide clarification to data subjects at the time of obtaining personal data. While fulfilling its obligation to provide clarification to data subjects, our Company informs data subjects at least on the following matters:

Identity of the data controller and any representative thereof;

The purpose for which the personal data will be processed;

Parties to whom, and for which purposes, the personal data may be transferred;

Method and legal basis for collection of personal data;

The rights listed in the Article No. 11 of the Law and conferred to data subjects, and how these rights might be exercised.

Except in cases where alternative techniques and methods are adopted, disclosure forms are used which are offered to data subjects in the physical or electronic environment, in a way that it can be later proved, in order for the Company to fulfill its obligation of clarification. Company employees assigned to processes where Sensitive Personal Data is processed must ensure the necessary disclosure forms are provided to data subjects and data subjects are provided clarification prior to obtaining personal data.

STORAGE AND DESTRUCTION OF SENSITIVE PERSONAL DATA 

Pursuant to the obligation of deletion, destruction or anonymization of personal data as regulated in Article No. 7 of the Law, if the reasons requiring processing thereof are no longer present even though they were processed by our Company in accordance with the provisions of the Law and the legislation, all personal data including Sensitive Personal Data is deleted, destroyed or anonymized pursuant to the decision made by our Company ex officio or personal request of the Data Subject. Our Company reserves the right to refuse to fulfill the request of the data owner where it has the right and/or obligation to keep personal data pursuant to the relevant provisions of the legislation.

Details regarding storage and destruction of personal data can be found in the Personal Data Storage and Destruction Policy, which can be accessed in QDMS, the integrated management system providing the Company management standards.

ENSURING SECURITY AND CONFIDENTIALITY OF SENSITIVE PERSONAL DATA 

In this regard, our Company takes all necessary administrative and technical measures, the relevant measures are reviewed and updated according to current Board decisions, and if personal data is unlawfully disclosed, action is taken according to the measures set out in the Law.

The standard technical and administrative data security measures already taken by the Company in other processes shall continue to be taken to the extent it is appropriate with regard to processes where Sensitive Personal Data is processed. Detailed information regarding data security measures taken by the Company can be obtained from the Aydem Elektrik Perakende Satış A.Ş.  Data Security Policy, which can be accessed from QDMS, the integrated management system providing the Company management standards.

Administrative Measures Taken by Our Company to Ensure Sensitive Personal Data is Processed Lawfully and to Prevent Unlawful Access to Sensitive Personal Data

Risks that might occur in relation to Sensitive Personal Data in our Company were identified and measures to be taken against these risks were determined;

Our Company trains its employees in relation to processing and protection of Sensitive Personal Data, informs them and conducts works to create awareness in them.

Employees who have access to Sensitive Personal Data are required to sign the Employee Non-Disclosure Commitment in order to ensure security of Sensitive Personal Data.

Scope and duration of access of employees to Sensitive Personal Data are restricted.

Authorizations are periodically checked.

Access authorizations of employees who are reassigned or who quit are immediately revoked. The inventory entrusted to them in this regard is returned as well.

As highlighted in the guides and publications of the Authority, Sensitive Personal Data is minimized to the extent possible, pursuant to the principle of minimization of data, and Sensitive Personal Data that is not required or is not up-to-date or that does not serve a purpose is not collected, and if such data was collected during the period prior to the KVKK, the same is destroyed in accordance with the Personal Data Storage and Destruction Policy.

Technical Measures Taken by Our Company to Ensure Sensitive Personal Data is Processed Lawfully and to Prevent Unlawful Access to Sensitive Personal Data

If the environments where Sensitive Personal Data is processed, kept and/or accessed are electronic environments;

Our Company keeps Sensitive Personal Data using cryptographic methods.

Cryptographic keys are kept in secure and different environments.

Transaction records of all actions performed on Sensitive Personal Data are securely logged.

Security updates regarding media where Sensitive Personal Data is kept, are continuously followed, regular vulnerability scans are performed in our Systems, any weaknesses of the operating systems and software that we use are detected and the necessary updates are made. The strength of our cyber security is tested through periodic penetration tests and the necessary improvements are made. Regular checks are performed on patch management and software updates, proper operation of software and hardware and whether the security measures taken for the systems are adequate. Our brands, the Company’s domain addresses and our internet services are continuously monitored through cyber intelligence services.

If Sensitive Personal Data is accessed through software, then user authorizations are made for that software, necessary security tests are regularly performed or procured, and test results are recorded.

If remote access to Sensitive Personal Data is required, minimum two-step authentication system is provided.

If the environments where Sensitive Personal Data is processed, kept and/or accessed are physical environments;

It is ensured that adequate security measures (against situations such as electrical leakage, fire, overflooding or theft) are taken depending on the nature of the environment where Sensitive Personal Data is kept.

Physical security of these environments is ensured and unauthorized entries and exits are prevented.

Measures Taken by Our Company to Ensure Lawful Transfer of Sensitive Personal Data

If Sensitive Personal Data needs to be transferred by e-mail, our Company transfers it in encrypted form using its corporate e-mail address or Registered Electronic Mail (REM) account.

If it needs to be transferred via media such as Flash Disk, CD or DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a different environment.

If transfer is made between servers in different physical environments, data transfer is made between servers using VPN or the sFTP method.

If Sensitive Personal Data needs to be transferred in printed format, necessary measures are taken against risks such as the document being stolen, lost or seen by unauthorized persons, and the document is sent in a “classified documents” format.

Measures to be Taken if Sensitive Personal Data is Unlawfully Disclosed

PROTECTION OF YOUR SENSITIVE PERSONAL DATA

KVKK, Article No. 6 specifies that data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data are considered Sensitive Personal Data since they bear the risk of causing aggrievement of persons or discrimination if processed unlawfully, and subjects the processing of such data to a more sensitive protection.

Our Company provides clarification to Data Subjects at the time of obtaining Sensitive Personal Data in accordance with the KVKK, Article No. 10. Sensitive Personal Data is processed upon taking measures according to the KVKK and performing or procuring the necessary inspections.

With regard to processing Sensitive Personal Data, express consent of Data Subjects is not sought if any of the conditions specified in the KVKK, Article No. 6 is present. Regardless of the reason for processing, general principles of data processing are always considered and complied with.

Our Company takes special measures to ensure security of Sensitive Personal Data. Due to the principle of data minimization, Sensitive Personal Data is not collected unless it is required for the relevant business process and is only processed where necessary. Where Sensitive Personal Data is processed, technical and administrative measures deemed necessary for compliance with legal obligations and for compliance with the measures determined by the KVK Board are taken.

APPENDIX 1 - Definitions

Prologue

Pursuant to the Constitution of the Republic of Türkiye, article 20, everyone has the right to request protection of personal data relating to them. This right includes being informed of personal data relating to the person, requesting access to such data or correction or deletion thereof, and learning whether the data is used pursuant to the purposes of processing.

The Personal Data Protection Law No. 6698 (the “KVK Law”) regulates the protection of basic rights and freedoms of persons in the processing of personal data, the obligations of the natural persons and legal entities processing personal data, and the procedures and principles that they shall follow. The purpose of this Policy, which was prepared in this regard, is to ensure compliance to obligations regarding the regulations of the KVK Law.

The purpose of this Policy is to ensure protection of the personal data of guarantors, customers, visitors, suppliers and third parties through this Policy. Protection of personal data of our employees is handled under the Policy on the Protection and Processing of Employees’ Personal Data, which was drafted in parallel with the principles of this Policy.

In case of any contradiction between the KVK Law and other relevant legislation and the Policy on the Protection and Processing of Personal Data, the legislation in force shall prevail.

Purpose

The Aydem Elektrik Perakende Satış A.Ş. (the “Company”) Policy on the Protection and Processing of Personal Data (the “Policy”) was prepared in order to protect the basic rights and freedoms of persons in the processing of personal data, in particular privacy, and to establish the obligations of natural persons and legal entities processing personal data and the procedures and principles they shall follow.

The Policy aims to maintain and improve the operations carried out by the Company in line with the principles set out in the KVK Law.

Scope

The data owners whose personal data is processed under this Policy were categorized as follows:

Definitions

The definitions used in this Policy are as follows:

5. General Principles Regarding Processing of Personal Data

Pursuant to the KVK Law, article 3, any transaction performed on data such as obtaining, recording, storing, maintaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data through means that are entirely or partially automated or, provided they are part of a data storage system, non-automated, fall under the scope of personal data processing.

The following principles have to be observed in the processing of personal data:

Complying with the law and rules of honesty

Our Company carries out its personal data processing operations in accordance with the law and rules of honesty, in line with the KVK Law and the relevant legislation, in particular the Constitution.

Being accurate, and whenever required, up-to-date

All administrative and technical measures are taken by our Company to ensure the

personal data is accurate and current while carrying out the processing of personal data.

Processing for specific, clear and legitimate purposes

Our Company specifies its purpose of processing personal data clearly and precisely prior to

starting the processing of personal data.

Being related, limited and restricted to the purpose for which the data can be processed

Our Company processes personal data to the extent necessary for realizing the specified objectives. No data processing is performed on the assumption that they might be used later.

Keeping for the duration set out in the relevant legislation or that is necessary for the purpose of processing

Our Company keeps personal data for the limited duration which is set out in the KVK Law and the relevant legislation, or that which is required for the purpose of data processing.

6. Terms of Processing of Personal Data

Our Company may process personal data and sensitive personal data with the express consent of the

personal data owner, or without seeking express consent in cases that are set out in the KVK Law, articles 5 and 6.

6.1. Processing of Personal Data

Our Company carries out its personal data processing operations in accordance with the conditions of processing

data as set out in the KVK Law, article 5:

Being expressly set out in the law.

Being required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person.

Processing personal data of contractual parties is required, provided this is directly related to establishing or fulfilling the agreement.

Being required in order for our Company to fulfill its legal obligation.

Being made public by the owner of the personal data.

Data processing is required for establishing, exercising or protecting a right.

Data processing is required for the legitimate interests of our Company provided this does not bring harm to the fundamental rights and freedoms of the owner of the personal data.

6.2. Processing of Sensitive Personal Data

The Company attaches further significance to processing sensitive personal data that poses the risk of causing discrimination if processed unlawfully. In this regard, in the processing of sensitive personal data of the Employees by the Company, firstly it is determined whether the conditions of processing data are present, and once it is ensured that the lawfulness condition is satisfied, data processing is then performed.

Processing sensitive personal data is possible if

The data subject provides express consent;

It is expressly set out in the law;

It is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person;

ç) It relates to the personal data made public by the data subject and is in line with the will of making public;

It is required for establishing, exercising or protecting a right;

It is required for the persons or authorized agencies and organizations who are under privacy obligation to protect public health and to carry out preventive medicine, medical diagnosis, treatment and care services, as well as to plan, manage and provide financing for health services;

It is required for fulfilling legal obligations in the areas of employment, work health and safety, social security, social services and social assistance;

It is intended for current or former members and regulars of foundations, associations and other non-profit organizations or entities that are incorporated for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and entities, provided this is in line with the regulation they are subject to and their purposes, limited to their line of operations and that it is not disclosed to third parties.

6.3 Legal Grounds of Processing Your Personal Data

We process your personal data based on the legal grounds provided below, which are set out in the KVK Law article 5 and notably the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedural Law No. 213 and the legislation on electronic commerce:

We process your data based on your consent in situations where we need to obtain your express consent pursuant to the KVK Law and the relevant legislation (Please note that in this case you may withdraw your consent any time)

In cases permitted by the applicable legislation

When it is required to protect life-critical interests of any person

In situations where we need to make an agreement with you, or where actions need to be performed under the agreement and where we need to fulfill our obligations under an agreement

To fulfill our legal obligations,

If you made your personal data public

If data processing is required for establishing or protecting certain rights; to exercise our legal rights and to make defense against legal claims against us

When required for our legal interests provided this does not bring harm to your fundamental rights and freedoms

7. Ensuring Security and Confidentiality of Personal Data

Our Company takes all the necessary technical and administrative measures for ensuring appropriate security level to maintain personal data, and to prevent unlawful processing and unlawful access to the personal data that it processes according to the KVK Law, article 12.

7.1. Technical Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

Our Company took all technical and technological security measures to protect your personal data and secured your personal data against potential risks. The measures are as follows:

- Taking the technical measures to the extent permitted by technology

- Employing experts on technical matters

- Making inspections for the implementation of measures taken in regular intervals

- Creating the necessary software and infrastructure for ensuring security

- Limiting access to data processed within the organization of the company

- Using a backup program in line with the law to ensure secure storage of personal data

- Using software including virus protection systems

7.2. Administrative Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

- Training and creating awareness among the company’s employees with regard to the KVK Law;

- When personal data transfer is being performed, ensuring an entry is added in the agreements made with the persons to whom the personal data is transferred, that the party to whom personal data is transferred shall ensure data security;

- Identifying what actions need to be performed for compliance with the KVK Law and preparing internal policies for the implementation of said actions;

- As highlighted in the guides and publications of the Personal Data Protection Authority, personal data is minimized to the extent possible, pursuant to the principle of minimization of data, and personal data that is not required or is not up-to-date or that does not serve a purpose is not collected, and if such data was collected during the period prior to the KVK Law, data is destroyed in accordance with the Personal Data Storage and Destruction Policy.

- Access authorizations are limited, an authorization matrix is created and powers are regularly reviewed. Relevant authorizations of employees who are reassigned or who quit are revoked.

- The Company inspects the operation of technical and administrative measures taken under the scope of protection and ensuring security of personal data and carries out applications that will ensure continuity of the operation. The results of the inspections conducted in this regard are reported to the relevant department at the Company. Activities aimed at developing and improving the measures taken for the protection of data are carried out pursuant to the inspection results.

7.3. Measures to be Taken if Personal Data is Unlawfully Disclosed If processed personal data is unlawfully obtained by others, our Company shall communicate the matter to the relevant data owner and the Board as soon as possible.

8. Purposes of Processing of Personal Data and Retention Periods

8.1. Purposes of Processing of Personal Data

The Personal Data may be processed by the Company under the following purposes and may be stored for the duration required for these purposes and required under the relevant legal terms.

Purposes of Processing Personal Data

Carry out electricity retail sale operations

Carry out operations the Company is required to conduct under legal and administrative obligations;

Clarify the data owner with regard to changes in the rules and policies set out in the legislation or accepted within the Company;

Inquire, detect, report and prevent unlawful actions, and manage and carry out activities that are subject to the legal process;

Protect legitimate interests;

Negotiate, create and perform under agreements;

Make due diligence under the scope of the requests and questions and respond to the data subject;

Carry out promotional activities, ask for the opinion of data owners through surveys and polls and ensure customer / employee satisfaction;

Maintain workflow and coordination between units and increase efficiency;

Examine the suitability of candidates for the relevant position during job application, candidate assessment and recruitment processes and contact the candidates, as well as the persons relevant to the job application;

Make entries for visits and track cargo;

Take the necessary measures by ensuring security of the digital systems and physical environments belonging to or used by the Company and making the relevant evaluations;

Ensure the business units carry out the necessary works so the customers benefit from the products and services offered;

Plan and execute corporate sustainability operations;

Perform the corporate law actions;

Ensure legal and commercial security of persons with whom a business relationship is in place;

Carry out business operations for determining and implementing commercial and work strategies.

8.2. Personal Data Retention Periods

We keep your personal data only for the duration that is necessary for fulfilling the purpose of collecting them. We determine these durations separately for each business process and we destroy your personal data according to the KVK Law and the Personal Data Storage and Destruction Policy upon expiry of the relevant duration if there is no other reason requiring us to keep your personal data.

We consider the following criteria while determining the destruction time of your personal data:

The time period commonly accepted in the sector where the data controller operates, given the purpose of processing of the relevant data category;

The period for which the legal relationship will continue, where the legal relationship is created with the data subject and requires the processing of the personal data in the relevant data category;

The period for which the legitimate interest maintained by the data controller will be applicable in accordance with the law and rules of integrity with a view to the purpose of processing of the relevant data category;

The period for which the risks, costs and obligations arising from storing the relevant data category according to the purpose of processing will be legally applicable;

Whether the maximum duration to be determined is convenient for keeping the relevant data category accurate and, where necessary, current;

The period for which the data controller is required to keep the personal data falling under the relevant data category due to their legal obligation;

The timeout period granted by the data controller for exercising certain rights related to the personal data in the relevant data category.

9. Deletion, Destruction and Anonymization of Personal Data

Pursuant to the KVK Law, article 7, personal data is deleted, destroyed or anonymized by our Company automatically or upon request of the personal data owner once the reasons requiring processing thereof are no longer present even though the personal data was processed in accordance with the relevant legislation.

Procedures and principles regarding the matter shall be fulfilled according to the KVK Law and the secondary legislation based on that Law.

9.1. Methods of Deletion and Destruction of Personal Data

Our Company may delete or destroy personal data at its own discretion or upon request of the personal data owner once the reasons requiring processing thereof are no longer applicable even though data was processed in accordance with the provisions of the relevant law. The deletion or destruction methods most used by our Company are as follows:

Physical Destruction

Personal data may also be processed through non-automated means provided this is part of a data storage system. When deleting or destroying such data, the system of physically destroying personal data is used so that it cannot be used later.

Safely Deleting from Software

While deleting or destroying data that was processed through entirely or partially automated means and kept in digital media, certain methods are used where the data is deleted from the relevant software so that it can never be recovered.

Secure Deletion by an Expert

In some cases, our Company may engage an expert to delete the personal data on the Company’s behalf. In this case, the personal data is securely deleted or destroyed by the specialist in such way that it can never be recovered.

9.2. Methods of Anonymization of Personal Data

Making personal data such that it cannot be associated with an identified or identifiable

natural person in any way even by matching with other data.

Masking

Data masking refers to the method of removing the fundamental identifying information from within the dataset, thereby anonymizing the personal data.

For example: Removing information such as Turkish Id Number and name, which allows identification of the personal data owner, thereby transforming the dataset into one where identifying the personal data owner is impossible.

Consolidation

Using the data consolidation method, many pieces of data are consolidated, where personal data can no longer be associated with any person.

For example: Displaying that there are y customers at the age of x, without showing the age of customers individually.

Derived Data

Using the data derivation method, a more general content is created from the personal data content, ensuring the personal data cannot be associated with any person.

For example: Stating age rather than date of birth; stating the area of residence rather than full address.

d. Data Mixing

Using data mixing method allows mixing the values within the personal dataset, removing any connections between values and persons.

For example: Altering the properties of audio records so the voices cannot be associated with the data owner.

10. Third Persons the Personal Data is Transferred to and the Purposes of Transfer

The procedures and principles to apply for personal data transfers are set out in the KVK Law, articles 8 and 9, and personal data and sensitive personal data of the personal data owner may be transferred to third parties at home or abroad. Your personal data may be shared with the third persons offering services to the Company, contracted agencies, lawyers for the resolution of legal disputes, natural persons and legal entities with which we have a proxy relationship, our business partners and other third parties, including but not limited to cases required by the Law and other legislation, other regulations related to the laws, regulations of supervisory and regulatory authorities and organizations, and public authorities, in order to provide the services. But, in any case, personal data cannot be transferred without express consent of the personal data owner, excluding exceptional cases.

10.1. Domestic Transfer of Personal Data

In accordance with the KVK Law, article 8, domestic transfer of personal data shall be possible provided one of the conditions set out in this Policy, part 6 titled “Conditions of Processing Personal Data” is met.

10.2. Overseas Transfer of Personal Data

Pursuant to the KVK Law, article 9, the Company may transfer personal data abroad;

If a decision of adequacy was issued by the Board regarding the country, the sectors inside the country or international organizations to which the transfer is to be made or;

If the parties provide one of the following appropriate assurances, provided the data subject is able to exercise their rights and commence effective legal proceedings in the country to which the transfer is to be made:

a) An agreement is in place that is not in the nature of an international agreement between the overseas public bodies and organizations or international organizations and the public bodies and organizations or professional organizations in the nature of a public agency in Türkiye, and the Board allows the transfer.

b) Binding company rules are in place containing provisions on the protection of personal data, which are approved by the Board and which are binding on the companies within the group of initiatives conducting shared economic activity.

c) A standard agreement is in place, setting out matters such as data categories, purposes of data transfer, receivers and receiver groups, technical and administrative measures to be taken by the data receiver, and additional measures taken for sensitive personal data, as announced by the Board.

ç) A written letter of commitment is in place containing provisions that would provide adequate protection and the Board allows the transfer.

The standard agreement is reported by the data controller or data processor to the Authority within five business days from the signature thereof.

If there is no decision of adequacy and any of the appropriate assurances set out in the fourth paragraph cannot be provided, data controllers and data processors may transfer personal data abroad only if one of the following situations is present, provided this is incidental:

a) The data subject provides express consent for the transfer, provided they are informed regarding possible risks.

b) The transfer is required for fulfilling an agreement between the data subject and the data controller or implementing the pre-agreement measures taken upon request of the data subject.

c) The transfer is required for establishing or fulfilling the agreement between the data controller and another natural person or legal entity for the benefit of the data subject.

ç) The transfer is required for the best interests of the public.

d) The transfer of personal data is required for establishing, exercising or protecting a right.

e) Transfer of personal data is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person.

f) Making transfer from a registry that is open to the public or to persons with legitimate interests, provided the conditions for having access to the registry as set out in the relevant legislation are satisfied and the person with legitimate interests makes a request.

Provisions in other laws regarding overseas transfer of personal data are reserved.

10.3. Groups of Persons to Whom Our Company Transfers Personal Data

Our Company may transfer the personal data of personal data owners that fall under the scope of this Policy to the groups of persons specified below for the specified purposes in accordance with the KVK Law, articles 8 and 9:

11. Our Company’s Obligation of Clarification

Our Company must clarify personal data owners at the time of collecting personal data in accordance with the KVK Law, article 10. In this regard, our Company fulfills its obligation to make clarification on the following matters:

Our Company’s name in the capacity of data controller

The purpose for which the personal data will be processed

Parties to whom, and for which purposes, the personal data processed may be transferred

Method and legal basis for collection of personal data

Rights of the personal data owner

12. Rights of the Personal Data Owners and Exercising These Rights

In accordance with the KVK Law, article 13, evaluation of the rights of personal data owners and the required clarification to personal data owners are performed via the Company Personal Data Subject Application Form besides this Policy. Personal data owners may communicate their complaints or requests regarding processing operations for their personal data to us pursuant to the principles specified in the relevant form.

12.1. Right of Application

Pursuant to the KVK Law, article 11, anyone whose personal data is processed may consult our Company and make requests in relation to themselves on the following matters:

learning whether their personal data is processed or not;

demanding information as to whether their personal data has been processed;

finding out the purpose of processing their personal data and whether the data has been used for the intended purpose;

finding out the third parties to whom their personal data has been transferred at home or abroad;

requesting the rectification of the incomplete or inaccurate data, if any, and requesting reporting of the operations carried out as per this paragraph to third parties to whom their personal data has been transferred;

requesting the erasure, destruction or anonymization of their personal data under the conditions where the grounds for processing no longer exist, and requesting reporting of the operations carried out as per this paragraph to third parties to whom their personal data has been transferred;

objecting to the occurrence of a result against the data owner by analyzing the data processed solely through automated systems;

claiming compensation for the damage arising from the unlawful processing of their personal data.

12.2. Situations Outside the Scope of the Right of Application

Pursuant to the KVK Law, article 28, the personal data owners cannot claim their rights in the following situations:

Their personal data is processed by natural persons entirely under the scope of operations related to themselves or family members living in the same housing provided the data is not provided to third parties and data security obligations are fulfilled;

Their personal data is processed for official statistics, and upon anonymization, for purposes such as research, planning and statistics;

Their personal data is processed for art, history, literature or scientific purposes or under the scope of freedom of expression, provided this does not violate national defense, national security, public safety, public order, economic safety, privacy or personal rights or constitute a crime;

Their personal data is processed under the scope of preventive, protective and intelligence operations conducted by public bodies and organizations whose duties and powers are assigned by law for maintaining national defense, national security, public safety, public order or economic safety;

Their personal data is processed by judicial bodies or execution authorities with regard to investigations, proceedings, trials or executions.

Pursuant to the KVK Law, article 28, paragraph 2, personal data owners cannot claim their rights in the following situations (except for the right to request indemnification):

Personal data processing is required for the prevention of committing a crime or for investigating a crime.

Processing personal data that was made public by the data subject.

Processing personal data is required for the assigned and authorized public bodies and organizations and

professional organizations in the nature of public agencies to carry out their duties of inspection or regulation, and for disciplinary investigations and proceedings, based on the powers conferred by the law.

Processing personal data is required for protecting the economic and financial interests of the Government with regard to budget, taxes and financial matters.

12.3. Procedure for Replies

In accordance with the KVK Law, article 13, our Company shall finalize the application requests made by the personal data owner as soon as possible and in any case within 30 (thirty) days at the latest depending on the nature of the request, free of charge.

The application of the personal data owner may be declined in the following situations if

It prevents the rights and freedoms of other persons

It requires disproportionate effort

The information in question is publicly available

It endangers others’ confidentiality

One of the situations that are outside the scope according to the KVK Law is present

13. Personal Data Processing Operations Performed within the Company and Data Processing Operations Performed on the Website

13.1.Camera Surveillance inside the Company

Camera surveillance is implemented inside our Company to protect the interests of our Company and other persons with regard to ensuring their security.

A procedure was prepared with regard to areas with a camera, the field of view of the cameras and the durations of keeping records and is implemented in our Company.This procedure is considered prior to installing a camera and the camera is only installed after consideration thereof.

No surveillance is made in areas that might give rise to breach of privacy. Only a limited number of our Company employees, and if needed, the employees of the security company, which is in the position of a supplier, have access to security camera records. Those persons who have access to the records declare, through the non-disclosure commitment they sign, that they shall protect the confidentiality of the data they had access to.

13.2. Entrance-Exit of Customers Visiting the Company

Personal data processing is performed to keep track of entries and exits of our guests visiting our Company. While obtaining the full names of persons visiting our Company, such data is processed solely for this purpose and the relevant personal data is entered in the recording system in the physical environment.

13.3.Website Visitors

For the persons visiting our Company’s website, their internet movements within the website are recorded in order to allow the website to display content that is customized for the visitor and to display online ads (through technical means such as cookies) so that they can visit the website in line with their purpose of visiting. Detailed explanations regarding these activities of our Company can be found in the Privacy Policies texts on our website.

This Policy may be revised by the Company if deemed necessary. When a revision is made, the Policy’s updated version will be posted on the Company’s website.