1. DATA PRIVACY COMMITMENT
1.1 This Personal Data Protection Policy (“Policy”) determines the principles that must be followed within and/or by EMPCLINICS HİZMETLERİ TİCARET A.Ş. (the “Company”) while fulfilling its obligations to protect Personal Data and processing Personal Data in accordance with the provisions of the relevant legislation, especially the Personal Data Protection Law No. 6698.
1.2 The Company undertakes to act in accordance with this Policy and the procedures to be applied in accordance with the Policy, in terms of the Personal Data contained within it.
2. PURPOSE OF THE POLICY
The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.
3. SCOPE OF THE POLICY
3.1 This Policy covers all activities regarding Personal Data processed by the Company and applies to such activities.
3.2 This Policy does not apply to data that does not qualify as Personal Data.
3.3 This Policy may be amended from time to time with the approval of the Board of Directors, if required by the KVK Regulations or when deemed necessary by the Company or the Committee. In case of any incompatibility between KVK regulations and this Policy, KVK Regulations shall prevail.
4. DEFINITIONS
The definitions used in this Policy have the following meanings:
Explicit Consent: It refers to consent based on being informed about a specific issue and expressed with free will.
Anonymization: It refers to making Personal Data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Disclosure Obligation: It refers to the obligation of the Data Controller or the person authorized by him to provide information to the Data Owner within the scope of Article 10 of the KVKK during the acquisition of Personal Data.
Personal Data: It refers to any information regarding an identified or identifiable natural person (within the scope of this procedure, the expression "Personal Data" will also include "Personal Data of a Special Nature" defined below, to the extent appropriate).
Personal Data Processing: It refers to any operation performed on Personal Data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.
Committee: Refers to the Company's Personal Data Protection Committee.
Board: Refers to the Personal Data Protection Board.
Institution: Refers to the Personal Data Protection Authority.
KVKK: Refers to the Personal Data Protection Law No. 6698.
KVK Regulations: It refers to the Personal Data Protection Law No. 6698 and other relevant legislation for the protection of Personal Data, binding decisions, principle decisions, provisions, instructions and applicable international agreements for the protection of data, and all other kinds of decisions and legislation made by regulatory and supervisory authorities, courts and other official authorities.
KVK Policies: It refers to the policies issued by the Company regarding the protection of Personal Data.
KVK Procedures: It refers to the procedures that determine the obligations that the Company, its employees and the Committee must comply with within the scope of the KVK Policies.
Personal Data of Special Nature: It refers to data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Deletion and Destruction: It refers to the irreversible deletion or destruction of Personal Data.
Data Inventory: It refers to the inventory containing information such as the Personal Data Processing processes and methods for the Company's Personal Data processing activities, Personal Data Processing purposes, data category, and third parties to whom Personal Data is transferred.
Data Processor: It refers to the real or legal person who processes Personal Data on behalf of the Data Controller, with authorization from the Data Controller.
Data Owner: Refers to all natural persons whose Personal Data is processed by or on behalf of the Company.
Data Controller: Refers to the natural or legal person who processes personal data by specifying the purposes and ways of processing and is responsible for establishing and managing the data recording system.
Data Controller Contact Person: It refers to the real person notified by the Data Controller during registration in the registry for communication with the Authority regarding KVK Regulations.
5. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1 Processing of Personal Data in Accordance with Law and Integrity Rules
The Company processes Personal Data in accordance with the law and the rules of honesty and on the basis of proportionality.
5.2 Taking Necessary Precautions to Ensure Personal Data is Accurate and Up-to-Date Where Necessary
The Company takes all necessary measures to ensure that the Personal Data is complete, accurate and up-to-date, and updates the relevant Personal Data if the data owner requests changes to the Personal Data within the scope of KVKK Regulations.
5.3 Processing of Personal Data for Specific, Clear and Legitimate Purposes
Before processing Personal Data, the purpose for which Personal Data will be processed is determined by the Company. In this context, the Data Owner is informed within the scope of KVK Regulations and their Explicit Consent is obtained where necessary.
5.4 Personal Data Should Be Related to the Purpose for Processing, Limited and Proportionate
The Company processes Personal Data only in exceptional cases within the scope of KVK Regulations (KVKK Article 5.2 and Article 6.3) or for the purpose within the scope of Explicit Consent received from the Data Owner (KVKK Article 5.1 and Article 6.2) and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a manner suitable for achieving the specified purposes and avoids processing in cases that are unrelated or unnecessary to the achievement of the purpose.
5.5 Retention of Personal Data for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed
5.5.1 The Company retains Personal Data for as long as necessary for the purpose. If the Company wishes to retain Personal Data for a period longer than the period stipulated in the KVK Regulations or required for the purpose of Personal Data Processing, the Company acts in accordance with the obligations specified in the KVK Regulations.
5.5.2 Personal Data is Deleted, Destroyed or Anonymised after the period required for the purpose of processing Personal Data has expired. In this case, third parties to whom the Company transfers Personal Data are also enabled to Delete, Destroy or Anonymize Personal Data.
5.5.3 The Committee is responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Committee.
6. PROCESSING OF PERSONAL DATA
Personal Data can only be processed by the Company within the scope of the procedures and principles specified below.
6.1 Explicit Consent
6.1.1 Personal Data is processed after Data Owners have been informed within the framework of fulfilling the Disclosure Obligation and if Data Owners give Explicit Consent.
6.1.2 Data Owners are notified of their rights before Explicit Consent is obtained, within the framework of the Disclosure Obligation.
6.1.3 Explicit Consent of the Data Owner is obtained by methods in accordance with the KVK Regulations. Explicit Consent is verifiable and kept by the Company for the required period within the scope of KVK Regulations.
6.1.4 The Committee ensures that the Disclosure Obligation is fulfilled in terms of all Personal Data Processing processes and that Explicit Consent is obtained when necessary.
7.1 If it is necessary to transfer Special Personal Data via e-mail, an encrypted corporate e-mail address or Registered Electronic Mail (“KEP”) account will be used.
7.2 If it is necessary to physically transfer Special Personal Data on paper, the company will take the necessary precautions against risks such as theft, loss or viewing of the document by unauthorized persons and send the document in the format of "confidential documents".
7.3 In addition to the above regulations, the Committee and the Contact Person will act in accordance with the KVK Regulations, especially the Personal Data Security Guide, published by the Board regarding the security of Personal Data, including Special Data.
7.4 In any case that requires the processing of special personal data, the Committee is informed by the relevant employee.
7.5 If it is not clear whether a data is Personal Data of Special Nature or not, the opinion of the Committee is sought by the relevant department.
8. STORAGE PERIOD OF PERSONAL DATA
Personal Data is kept within the Company for the relevant legal retention periods and is kept for the period necessary to carry out the activities related to this data and the purposes specified in this Policy. Personal Data whose intended use has expired and whose legal retention period has expired is deleted, destroyed or anonymized by the Company in accordance with Article 7 of the KVKK.
9. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
9.1 When the legitimate purpose for processing Personal Data disappears, the relevant Personal Data is Deleted, Destroyed or Anonymised. Situations requiring deletion, destruction or anonymization of personal data are monitored by the Committee and departments.
9.2 The Committee is responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Committee.
9.3 The Company cannot store Personal Data considering the possibility of future use.
9.4 All Deletion, Destruction and Anonymization Activities that the Company will perform on Personal Data will be carried out in accordance with the principles specified in the Personal Data Storage and Destruction Policy.
10. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES
The Company may transfer Personal Data to a third natural or legal person in the country and/or abroad in accordance with KVK regulations, provided that it takes the necessary precautions in line with the purposes of Personal Data Processing. In this case, the Company ensures that third parties to whom it transfers Personal Data comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with third parties. Each employee is obliged to comply with the processes in this Policy in case of Personal Data transfer.
10.1 Transfer of Personal Data to Third Parties in Turkey
10.1.1 Personal Data may be transferred by the Company to third parties in Turkey without Explicit Consent in the exceptional cases specified in Article 5.2 of the KVKK and, provided that adequate measures are taken, in Article 6.3, or in other cases with the Explicit Consent of the Data Owner (Article 5.1 and Article 6.2 of the KVKK).
10.1.2 Company employees and the Committee are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.
10.2 Personal Data Transfer to Third Parties Abroad
10.2.1 Personal Data may be transferred by the Company to third parties abroad, provided that the Data Owner's Explicit Consent is obtained (KVKK Article 5.1 and Article 6.2).
10.2.2 In cases where Personal Data is transferred without Explicit Consent in accordance with the KVK Regulations, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:
10.2.3 The foreign country to which the Personal Data will be transferred must have the status of a country where adequate protection is provided by the Board,
10.2.4 If the foreign country where the transfer will take place is not included in the Board's safe countries list, the Company and the Data Controllers in the relevant country must obtain permission from the Board by making a written commitment that adequate protection will be provided.
10.2.5 Company employees, the Committee and its Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.
11. COMPANY'S OBLIGATION TO DISCLOSE
In accordance with Article 10 of the KVKK, the Company informs the Data Owners before the Processing of Personal Data. In this context, the Company fulfills its Disclosure Obligation when obtaining Personal Data. The notification to be made to Data Owners within the scope of the Disclosure Obligation includes the following elements, respectively:
11.1 Identity of the Data Controller (and his representative, if any),
11.2 For what purpose Personal Data will be processed,
11.3 To whom and for what purpose the processed Personal Data may be transferred,
11.4 Method and legal reason for collecting Personal Data,
11.5 The rights of Data Owners listed in Article 11 of the KVKK.
11.6 The Company provides the necessary information if the Data Owner requests information in accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK.
11.7 If requested by the Data Owners in accordance with the KVKK Regulations, the Company provides the Data Owner with the necessary information regarding the personal data it processes.
11.8 The employee and the Committee who follow the relevant process are jointly responsible for ensuring that the necessary Disclosure Obligation is fulfilled before the processing of Personal Data.
11.9 Third parties with the status of data processors undertake to comply with the above-mentioned obligations in a written contract before starting to process data.
12. RIGHTS OF DATA SUBJECTS (RELATED PERSONS)
12.1 The Company responds to the following requests of the Data Owners whose Personal Data it processes, in accordance with the KVK Regulations:
12.1.1 Learning whether Personal Data is Processed by the Company,
12.1.2 Requesting information regarding the processing of Personal Data,
12.1.3 Learning the purpose of processing Personal Data and whether they are used for their intended purpose,
12.1.4 Knowing the third parties to whom Personal Data is transferred domestically or abroad,
12.1.5 Requesting correction of Personal Data if it has been processed incompletely or incorrectly by the Company,
12.1.6 Requesting the deletion or destruction of Personal Data by the Company in case the reasons requiring the Processing of Personal Data are eliminated in order to be evaluated within the principles of purpose, duration and legitimacy,
12.1.7 In case of correction, deletion or destruction of Personal Data by the Company, requesting that these transactions be notified to third parties to whom Personal Data has been transferred,
12.1.8 If the processed Personal Data is analyzed exclusively through automatic systems and a result arises against the Data Owner, objecting to this result,
12.1.9 Requesting compensation for the damage if Personal Data is processed unlawfully and the Data Owner suffers damage due to this.
In cases where Data Owners want to exercise their rights and/or think that the Company does not act within the scope of this Policy when processing Personal Data, they can submit their requests by filling out the form on the company website or by preparing their own requests in a way that meets the conditions determined by the Authority. Requests can be sent to the e-mail address given below, which may change from time to time, by e-mail from the e-mail address previously notified to the Company and registered in the Company system (the e-mail address registered in the system should be checked); to the Company KEP address with a secure electronic signature or mobile signature; or to the postal address below, which may change from time to time, together with their identity documents and a petition with a wet signature, delivered by hand or through a notary public. Requests can also be sent by other methods that the Institution may determine in the future. Current application methods and application content must be confirmed against the legislation before application.
Data Controller: EMPCLINICS HİZMETLERİ TİCARET A.Ş.
Postal: Küçükbakkalköy, Ahmet Yesevi Cd No: 8/A, 34750 Ataşehir/İstanbul
If Data Owners submit their requests regarding their rights listed above to the Company in writing, the Company will finalize the request free of charge within thirty (30) days at the latest, depending on its nature. If an additional cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.
13. DATA MANAGEMENT AND SECURITY
13.1 The Company establishes a Committee to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures necessary for the implementation of this Policy, and to make recommendations regarding their operation.
13.2 All employees involved in the relevant process are jointly responsible for the protection of Personal Data in accordance with this Policy and KVK Procedures.
13.3 Personal Data processing activities by the Company are controlled by technical systems according to technological possibilities and implementation costs.
13.4 Personnel who are knowledgeable in technical matters regarding Personal Data Processing activities are employed.
13.5 Company employees are informed and trained regarding the protection and lawful processing of Personal Data.
13.6 Company employees can access Personal Data only within the authority defined for them and in accordance with the relevant KVK Procedure. Any access or operation carried out by the employee in a way that exceeds his or her authority is against the law and is a reason for termination of the employment contract with just cause.
13.7 If a company employee suspects that the security of Personal Data is not adequately ensured or detects such a security vulnerability,
13.8 A detailed KVK Procedure for the security of Personal Data is created by the Committee.
13.9 Each person who is allocated a Company device is responsible for the security of the devices allocated for his/her use.
13.10 Each Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.
13.11 In case of additional security measures requested or to be additionally requested for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with the additional security measures and ensure the continuity of these security measures.
13.12 In order to store Personal Data in secure environments, the Company installs software and hardware including virus protection systems and firewalls in accordance with technological developments.
13.13 Backup programs are used in the Company to prevent loss or damage to Personal Data and adequate security measures are taken.
13.14 Necessary measures will be taken to protect the documents containing Personal Data provided to the Company with encrypted systems. In this context, Personal Data will not be stored in common areas or on the desktop. Files, folders and similar documents containing Personal Data will not be moved to the desktop or a shared folder, and, without prior written approval from the Committee, information on Company computers will not be transferred to another device via USB or similar means or taken outside the Company.
13.15 The Committee, together with the Board of Directors, is obliged to take technical and administrative measures for the Protection of all Personal Data within the Company, to constantly follow the developments and administrative activities, to prepare and announce the necessary KVK Procedures within the Company, and to ensure and supervise compliance with them. In this context, the Committee organizes the necessary training to increase the awareness of employees.
13.16 If a department within the Company Processes Personal Data of Special Nature, this department will be informed by the Committee about the importance, security and confidentiality of the Personal Data they process and the relevant department will act in accordance with the instructions of the Committee. Access to Special Personal Data will be granted only to limited employees, and their list and follow-up will be done by the Committee.
13.17 All Personal Data processed within the Company is considered “Confidential Information” by the Company.
13.18 Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the employment relationship, and a commitment has been received from Company employees to comply with these rules.
14 DATA BREACH RESPONSE PLAN
14.1 The employee who notices the attitude and behavior contrary to the personal data protection law and relevant legislation immediately reports the situation to the COMPANY Personal Data Protection Committee.
14.2 If the processed personal data is obtained by others through illegal means, the institution will be notified within 72 hours.
14.3 Following the identification of the persons affected by the data breach in question, the relevant persons are notified as soon as possible, directly, if the contact address of the relevant person can be reached, or by appropriate methods such as publishing it on the data controller's own website, if not.
14.4 If the data controller cannot notify the Board within 72 hours with a justified reason, the reasons for the delay will be explained to the Board along with the notification to be made.
14.5 In the notification to be made to the Board, the "Personal Data Breach Notification Form" published at the institution's address: https://ihlalbildirim.kvkk.gov.tr is used.
14.6 Where it is not possible to provide the information contained in the form at the same time, this information will be provided gradually without delay.
14.7 The data controller shall ensure that information regarding data breaches, their effects and the measures taken are recorded and made available for review by the Board.
14.8 If the personal data held by the data processor is obtained by others through illegal means, the data processor notifies the Committee without any delay.
The relevant plan is reviewed by the committee at regular intervals.
15. EDUCATION
15.1 The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the Policy and the KVK Procedures and KVKK Regulations included in its annex. These trainings can be offered in person or online.
15.2 During the training, the definitions and protection practices of Special Personal Data are specifically mentioned.
15.3 If the Company employee accesses Personal Data physically or in a computer environment, the Company shall train the relevant employee regarding these accesses (for example, the computer program accessed).
16. AUDIT
The Company has the right to regularly and ex officio audit, without any prior notice, whether all employees, departments and contractors of the Company comply with this Policy and KVK Regulations, and carries out the necessary routine audits within this scope. The Committee creates the KVK Procedure for these audits, submits it for the approval of the management and ensures the implementation of the said procedure.
17. VIOLATIONS
17.1 Each employee of the Company reports to the Committee any work, transaction or action that he/she thinks is contrary to the procedures and principles specified in the KVK Regulations and this Policy. In this context, the Committee creates an action plan for the relevant violation in accordance with this Policy and KVK Procedures.
17.2 As a result of the information provided, the Committee prepares the notification to be made to the Data Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations. The Contact Person carries out the correspondence and communication with the Institution.
18. RESPONSIBILITIES
Responsibilities within the Company lie, respectively, with the employee, the department and the Committee. In this context, the Committee responsible for the implementation of the Policy is appointed by the Company Management by management decision or by the bodies authorized to sign and bind, and changes within this scope are also made in the same way.
19. CHANGES TO BE MADE IN THE POLICY
19.1 This Policy may be amended by the Company from time to time with the approval of the Management.
19.2 The Company shares the updated Policy text with its employees via e-mail so that the changes made to the Policy can be reviewed, or makes it accessible to employees and Data Owners via the web address below.
20. EFFECTIVE DATE OF THE POLICY
This version of the Policy came into force after being approved by the Company Management on 01/01/2023.