CUSTOMER PRIVACY NOTICE REGARDING THE PROCESSING OF PERSONAL DATA

Dear Customers,

This privacy notice has been prepared by Demir Otomat Elektrik Malz. Ve İnş. San. Tic. Ltd. Şti., acting as the data controller, within the scope of Article 10 of the Personal Data Protection Law No. 6698 (“KVKK”) and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, in order to inform you, our natural person customers and/or the authorized persons and employees of our legal entity customers, about the purposes of processing your personal data, legal grounds, collection methods, to whom it may be transferred, and your rights under the KVKK.

1. Which Personal Data Do We Process?

2. For What Purposes Do We Process Your Personal Data?

Your Personal Data listed above;

• To be able to provide you with our products and services,
• To be able to carry out communication activities with you,
• To be able to provide you with after-sales support services for goods/services,
• To be able to carry out customer relations and satisfaction management processes and activities aimed at customer satisfaction,
• To be able to follow up your requests and/or complaints,
• To be able to carry out risk management processes,
• To be able to carry out our logistics activities,
• To be able to carry out contract processes,
• To be able to perform the necessary work by our relevant business units in order to carry out commercial activities and to manage related business processes,
• To be able to plan and implement commercial and/or business strategies, and to carry out finance and accounting activities,
• To be able to ensure the safety of our company and physical premises security and to provide administrative and technical measures related thereto,
• To be able to carry out marketing analysis studies of our products/services,
• To be able to carry out advertising, campaign and promotion processes related to our products/services and to send commercial electronic messages,
• To be able to verify your identity information and documents when necessary; to be able to perform necessary procedures to prevent abuse, loss and fraud,
• To be able to retain your information that must be kept in accordance with relevant legislation; to perform copying and backup operations to prevent loss of information; to ensure consistency checks of your information; to take the necessary technical and administrative measures for the security of your information,
• To be able to fulfill our legal obligations required or made mandatory by legal regulations to regulatory and supervisory authorities, and to be able to conduct legal follow-ups and legal processes,

3. To Whom and For What Purposes Do We Transfer Your Personal Data?

In matters related to public security and in potential legal disputes, in order to provide information to public prosecutors’ offices, courts and relevant public officials upon request and as required by legislation; and when necessary, within the scope of the purposes stated above, your personal data may be transferred to authorized public institutions and organizations, law firms with which we cooperate for the follow-up of legal processes, financial advisors for the preparation of our company’s financial statements, banks for the performance of goods/services contracts, our group companies for the management of our company and the verification of our compliance with group company rules and policies, cargo companies for sending documents and products, private legal entities with whom we have an employment/contractual relationship for ………., audit firms for auditing our business activities, and companies from which we receive accounting support in order to carry out accounting activities.

4. What Are the Methods of Collecting Your Personal Data and the Legal Grounds Related Thereto?

Your personal data stated above are processed based on the legal grounds specified in Articles 5 and 6 of Law No. 6698: (i) being explicitly stipulated in laws (ii) being necessary for the data controller to fulfill its legal obligation (iii) being necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract (iv) being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject and (v) your identity and contact data will be processed based on your explicit consent for the purposes of sending you advertisements, campaigns and promotions and sending commercial electronic messages.

5. Do We Transfer Your Personal Data Abroad?

OPTION 1: We do not transfer your personal data abroad.

OPTION 2: ONLY IF MICROSOFT EXISTS (Legal grounds must again be determined, and the company should be asked which data are transferred.) Your identity, contact, etc. personal data are transferred abroad due to the servers used to ensure continuity of our business processes being located abroad. Your personal data are transferred in line with our legitimate interest by executing a standard contract and taking measures regarding the security of your data.

OPTION 3 EXCEPT MICROSOFT: (Note: If the company’s headquarters, group companies, affiliates, etc. are abroad and there is an overseas transfer (e.g., a shared software infrastructure is used with abroad, servers are in the cloud, overseas parties have access authorization to data in Turkey, etc.) OR if the company benefits from Microsoft (or similar cloud service providers) services, then overseas transfer exists. If none of the listed situations exist, it should be stated under the relevant heading as “we do not transfer your personal data abroad.” It should be asked whether there is a transfer of special category personal data. The company should be warned not to transfer special category data abroad. If the transfer of special category data is absolutely necessary, transfer based only on explicit consent should be recommended.

We may transfer your personal data abroad by taking appropriate technical and administrative measures. Accordingly; (The company should be asked which data are transferred.) Your identity, contact, etc. personal data are transferred abroad based on the legal grounds set out in Article 5 of the KVKK (Note: An appropriate legal ground must be selected.) (i) existence of the data subject’s explicit consent (ii) being explicitly stipulated in laws (iii) being necessary for the data controller to fulfill its legal obligation (iv) being necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract (v) being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, for the purposes of being able to work in an integrated manner with our headquarters or group companies located abroad, being audited, and ensuring business continuity, by executing a standard contract with our headquarters abroad.

Within the scope of the purposes stated in this Privacy Notice and in accordance with the General Principles listed in Article 4 of the Law;

• a) To be in compliance with the law and the rules of honesty,
• b) To be accurate and, where necessary, up to date,
• c) To be processed for specific, explicit and legitimate purposes,
• d) To be relevant, limited and proportionate to the purposes for which they are processed,
• e) To be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and to be processed, recorded, stored, kept, classified, and transferred to the places stated above when necessary through automated or non-automated means (e-mail, paper, forms, phone, etc.), provided that they are part of any data recording system.

6. What Are Your Rights Regarding the Processing of Personal Data and How Can You Exercise These Rights?

Article 20 of the Constitution states that everyone has the right to be informed about their personal data. Article 11 of the KVKK lists the rights of the personal data owner under the law.

You may submit your requests regarding your rights under the KVKK to Demir Otomat Elektrik Malz. Ve İnş. San. Tic. Ltd. Şti. in writing or via registered electronic mail (KEP), secure electronic signature, mobile signature, or by using the electronic mail address previously notified by the data subject to the data controller and registered in the data controller’s system, in accordance with Article 5 of the “Communiqué on the Procedures and Principles of Application to the Data Controller”.