Personal Data Processing and Protection Policy
INTRODUCTION
Our company, Miss Diamond, is a legal entity located at Abdurrahman Nafiz Gürman Mah. Ahmet Kutsi Tecer Cad. No: 55/E Merter-Istanbul. Miss Diamond is the data controller within the scope of the Law on the Protection of Personal Data No. 6698 (hereinafter referred to as "KVKK"). Personal data owners are real persons whose personal data is collected, processed, and transferred in accordance with the provisions of the Law No. 6698 and other legislation to which Miss Diamond is subject, for the purposes specified below.
Miss Diamond attaches great importance to the security of personal data. With this awareness, the personal data of personal data owners is processed and stored in accordance with the KVKK, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, which came into force after being published in the Official Gazette dated October 28, 2017, and the Regulation on the Data Controllers Registry, which came into force on January 1, 2018, and other relevant regulations.
PURPOSE AND SCOPE OF THE POLICY
- The Policy aims to ensure that the regulations brought by Miss Diamond within the framework of the basic principles to be explained below for compliance with the KVKK are effectively implemented by Miss Diamond's shareholders, officials, employees, and business partners.
- In line with the basic regulations stipulated by the Policy, all kinds of administrative and technical measures will be taken for the processing and protection of personal data within the operation of Miss Diamond, necessary internal procedures will be created, all necessary training will be provided to raise awareness, and appropriate and effective audit mechanisms will be established by taking all necessary measures for the compliance of Miss Diamond's shareholders, officials, employees, and business partners with the KVKK processes.
- The Policy regulates the basic principles to be observed in all these processes and the issues that Miss Diamond is obliged to fulfill in order to guide the internal operation in accordance with the regulations brought by the KVKK. Compliance activities that Miss Diamond will carry out regarding the protection of personal data will be regulated with internal procedures to be created within the framework of the KVKK and relevant legislation. All employees of Miss Diamond are obliged to act in accordance with the regulations brought by this Policy and all other relevant legislation provisions while performing their duties.
- In case of non-compliance with the Policy and the relevant legislation provisions, in addition to the criminal and legal liability stipulated by the legislation, sanctions that may go as far as the termination of the contract for just cause within the framework of the legislation regulating business life will be applied within Miss Diamond, depending on the nature of the event.
DEFINITIONS
The following terms in this Policy mean:
- Explicit consent: Consent that is based on information and is expressed with free will regarding a specific issue.
- Anonymization: The process of making personal data unable to be associated with an identified or identifiable real person, even by matching it with other data.
- Chairman: The Chairman of the Personal Data Protection Board.
- Data Subject: The real person whose personal data is processed.
- Personal Data: Any information related to an identified or identifiable real person.
- Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data completely or partially automatically or non-automatically, provided that it is part of a data recording system.
- Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users in any way.
- Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.
- Board: The Personal Data Protection Board.
- Institution: The Personal Data Protection Institution.
- Special Categories of Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
- Data Recording System: The recording system where personal data is processed by being structured according to certain criteria.
- Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Regulation: The Regulation on the Data Controllers Registry.
In accordance with Article 11, Paragraph 1 of the Regulation, responsible persons have been appointed by Miss Diamond regarding the KVKK procedure, and necessary measures have been taken.
GENERAL PRINCIPLES IN PERSONAL DATA PROCESSING
In line with Article 4 of the KVKK, Miss Diamond agrees to process the personal data covered by this Policy in accordance with the following principles:
Compliance with the law and the rule of honesty: Miss Diamond, in its capacity as a data controller and as a prudent merchant, agrees to carry out personal data processing activities in accordance with all current and future legislation, especially the Constitution and the KVKK, and in an honest manner as stipulated in Article 2 of the Civil Code.
Accuracy and timeliness: In personal data processing activities, Miss Diamond takes all necessary measures to ensure the accuracy and timeliness of personal data to the extent that technology allows. In line with the requests that the Data Subject will notify to Miss Diamond in its capacity as a data controller and the situations that Miss Diamond will personally deem necessary, the administrative and technical mechanisms established by Miss Diamond will be operated to correct and check the accuracy of inaccurate or outdated personal data.
Processing for specific, explicit, and legitimate purposes: Personal data is processed by Miss Diamond in a lawful manner, limited to the requirements of the relevant legislation and the services provided or to be provided, and the purpose of processing personal data is determined openly and clearly before the data processing begins.
Processing data in a way that is relevant to, limited by, and proportionate to the purpose for which it is processed: Personal data is processed by Miss Diamond in a way that is relevant to and limited by the purposes of processing and to the extent necessary for the realization of this purpose. In this context, it is a fundamental principle to avoid processing personal data that is not related to the purpose of processing and is not needed.
Processing limited to the period stipulated by the legislation or the purpose of processing: Personal data is stored for the period stipulated by the relevant legislation or for the period required by the purpose of processing the data. At the end of the period stipulated by the legislation or the period required by the purpose of processing the data, personal data is deleted, destroyed, or anonymized by Miss Diamond. The necessary administrative and technical measures will be taken to prevent the storage of data at the end of the required period.
CONDITIONS FOR PROCESSING PERSONAL DATA
The conditions for processing personal data are regulated by the KVKK, and personal data is processed by Miss Diamond in accordance with the said conditions specified below.
General conditions for processing personal data
Except for the exceptions listed in the Law, Miss Diamond processes personal data only by obtaining the explicit consent of the data owners. In the presence of the following cases listed in the Law, personal data can be processed even without the explicit consent of the data owner:
- It is explicitly stipulated in the laws.
- It is mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or of another person.
- It is necessary to process the personal data of the parties to the agreement, provided that it is directly related to the establishment or performance of an agreement.
- It is mandatory for the data controller to fulfill its legal obligation.
- The data has been made public by the data owner themselves.
- Processing of data is mandatory for the establishment, use, or protection of a right.
- Processing of data is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Conditions for processing special categories of personal data
Miss Diamond shows special sensitivity in processing special categories of personal data, whose protection is considered more critical in various respects for data owners. In this context, provided that sufficient measures determined by the Board are taken, such data is not processed without the explicit consent of the data owners. However, special categories of personal data other than data related to health and sexual life can also be processed without the explicit consent of the data owner in cases stipulated in the laws. In addition, data related to health and sexual life can be processed without explicit consent, provided that sufficient measures are taken and in the presence of the reasons listed below:
- Protection of public health,
- Preventive medicine,
- Medical diagnosis,
- Execution of treatment and care services,
- Planning and management of health services and financing.
METHODS FOR OBTAINING AND PROCESSING PERSONAL DATA
In this context, your personal data can be collected by Miss Diamond or real or legal persons who process data on behalf of Miss Diamond, in writing or electronically, including but not limited to the methods specified below:
- Notifications made during campaigns carried out through communication channels such as e-mail and phone, social media accounts,
- Employment and internship platforms,
- The institutions with which our company has a professional relationship themselves, signature circulars,
- Power of attorney, contracts,
- Various contracts you have signed with our company and all kinds of e-mails, requests, work orders, faxes, and letters you have sent to our company,
- Third-party company(s) that process data on behalf of our company or support our company at any stage of the membership program process,
- Our employees, our customer service channels including digital marketing and call center,
- Social media channels,
and is processed in this way in the data recording system and inventory. We would also like to point out that the legal reasons for data processing are as follows:
- in accordance with KVKK Article 5/2/a and Article 6/3, in case it is explicitly stipulated in the laws,
- in accordance with Article 5/2/c, for the establishment, performance, and termination of the contract with the data owner or the institution to which they are affiliated, if any,
- in accordance with Article 5/2/ç, for our Company to fulfill its legal obligations,
- in accordance with Article 5/2/d, if it has been made public by you,
- in accordance with Article 5/2/f, if it is mandatory for the legitimate interests of the data controller, such as the promotion of the institution, provided that it does not harm the fundamental rights and freedoms of the relevant persons.
In cases where there is no legal reason specified here and in the Law, your personal data will be processed with your explicit consent in accordance with Articles 5/1 and 6/2 if necessary.
- Personal Data Subject Groups
| Personal Data Subject Groups | Explanation |
| --- | --- |
| Miss Diamond Shareholders | Real persons who are shareholders of Miss Diamond |
| Miss Diamond Officials | Board members of Miss Diamond and other authorized real persons |
| Employees/Interns | Real persons who work or intern at Miss Diamond |
| Job Candidates | Real persons who have applied for a job in any way or have made their resumes and relevant information available for review by Miss Diamond, but who do not work or intern at Miss Diamond |
| Employees, Shareholders, and Officials of Institutions We Cooperate With (Miss Diamond's goods and service suppliers, business partners, etc.) | Real persons, including shareholders, employees, and officials of institutions, with whom Miss Diamond has any kind of business relationship, including but not limited to those with whom it establishes a business relationship for the purpose of carrying out various projects, receiving services, developing investments, and carrying out commercial activities, with or without a contractual relationship |
- Data Categorization
| Data Categorization | Explanation of Data Categorization |
| --- | --- |
| Identity Information | Data that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; data containing information about the person's identity; information such as name-surname, T.C. identity number, nationality information, mother's name-father's name, place of registration and other population information, place of birth, date of birth, gender, marital status, as well as documents such as driver's license, identity card, and passport, and tax number, SGK number, signature information, etc. |
| Contact Information | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; information such as phone number, address, e-mail address, fax number, etc. |
| Location Information | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; information about the location of the personal data owner (location of the place they are in, etc.) within the framework of the activities carried out by Miss Diamond in order to protect the legal and other interests of the personal data owner |
| Personnel Information and Professional Experience Information | All kinds of personal data processed for the purpose of obtaining information such as educational status, certificate and diploma information, foreign language information, training and skills, CV, courses taken, leave seniority base date, leave seniority additional day, leave group, exit/return date, day, reason for leave, address/phone number where they will be on leave, position name, department and unit, title, last date of employment, dates of entry and exit from work, insurance entry/retirement, social security number, flexible working hours status, travel status, number of working days, projects worked on, monthly total overtime information, severance pay base date, severance pay additional day, days spent on strike, employee internet access logs, entry and exit logs, which will form the basis for the personnel rights of real persons who have a working relationship with Miss Diamond and which are legally required to be included in the personnel file, and performance information necessary for the employee to advance in their position (Training and skills, information on which training they received on which date, e-mail, signed participation form, customer interview quality evaluation form, evaluation of monthly performance and target achievement status, activity) |
| Financial Information | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; financial personal data processed regarding information, documents, and records that vary according to the type of legal relationship that Miss Diamond has established with the personal data owner, as well as bank account number, bank account information (IBAN number, account holder, etc.), credit card information, etc., and financial and salary details, payrolls, bonus entitlements, bonus amounts, file and debt information regarding execution files, bank passbook, minimum living allowance information, private health insurance amount, etc. |
| Legal Action | Personal data that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; personal data obtained as a result of correspondence with judicial authorities, litigation and enforcement proceedings. |
| Customer Transaction | Personal data that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; personal data obtained for reasons such as invoice, check, promissory note, counter, receipt, request, and order forms. |
| Physical Space Security and Visual/Audio Records | Personal data that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; personal data obtained in accordance with the security cameras located at Miss Diamond. |
| Professional Experience | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; Employee, Job Candidate, Intern |
| Marketing | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; personal data obtained for reasons such as shopping history, surveys, campaigns, and contracts. |
| Health Information | Information that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; Employee, Intern |
| Transaction Security | Personal data that clearly belongs to an identified or identifiable real person; processed in a partially or completely automatic way or in a non-automatic way as part of a data recording system; personal data obtained for the purpose of ensuring the transaction security of the data owner within the scope of online platforms such as IP address information, website entry and exit information, password and password information, etc. |
PRINCIPLES OF PERSONAL DATA TRANSFER
Miss Diamond may transfer the personal data of data owners to third parties and institutions in accordance with Articles 8 and 9 of the KVKK, within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, and limited to the purposes specified in this Policy.
The scope of the aforementioned persons to whom data is transferred and the purposes of data transfer are specified below. These persons and institutions are:
- Miss Diamond business partners, affiliates, and subsidiaries,
- Miss Diamond suppliers,
- Miss Diamond department and officials,
- Miss Diamond Sanayi Ticaret Ltd. Şti. shareholders/partners,
- Banks,
- Public institutions and organizations legally authorized to receive information,
- Private law/public law legal entities legally authorized to receive information.
| RECIPIENT GROUPS TO WHICH DATA CAN BE TRANSFERRED | DEFINITION | PURPOSE OF TRANSFERRING THE PROCESSED DATA |
| --- | --- | --- |
| Business Partner/Affiliates/Subsidiaries | It defines the parties with which Miss Diamond establishes a business partnership for purposes such as carrying out various projects together, receiving services, etc., while carrying out its commercial activities. | Limited to ensuring the fulfillment of the purposes for which the business partnership was established. |
| Supplier | It defines the parties that provide services to Miss Diamond on a contractual basis or individually without a contractual relationship in accordance with Miss Diamond's orders and instructions while carrying out its commercial activities. | To ensure that the services obtained from the supplier and necessary for Miss Diamond to carry out its commercial activities are provided to Miss Diamond. |
| Banks | Private and public banks that work with Miss Diamond and with which studies are carried out in various areas, including the payment of monthly wages. | Limited to the information that is mandatory to be shared due to contracts, assignments, and relevant legal regulations regarding Miss Diamond's rights and receivables. |
| Company Officials | Miss Diamond board members and other authorized real persons | Limited to designing strategies for Miss Diamond's commercial activities, ensuring the highest level of management, and auditing purposes in accordance with the relevant legal provisions. |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to receive information and documents from Miss Diamond in accordance with the relevant legal provisions. | Limited to the purposes requested by the relevant public institutions and organizations within their legal authority. |
| Legally Authorized Private Law Persons | Private law persons legally authorized to receive information and documents from Miss Diamond in accordance with the relevant legal provisions. | Limited to the purpose requested by the relevant private law persons within their legal authority. |
In accordance with KVKK Article 5, our Company transfers the personal data of personal data owners without their explicit consent in the following cases:
- If the processing of personal data is directly related to and necessary for the establishment or performance of a contract.
- If the processing of personal data is mandatory for our company to fulfill its legal obligation.
- If the personal data has been made public by the data owner themselves, provided that it is limited to the purpose of making it public.
- If the processing of personal data is mandatory for the establishment, use, or protection of the rights of our company or the data owner or third parties.
- If the processing of personal data is mandatory for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data owners.
In order for special categories of data to be transferred, it is mandatory to obtain the explicit consent of the data owner, except for the exceptions specified in KVKK Article 6 and listed below.
The relevant exceptions are that the special categories of personal data related to the health and sexual life of the personal data owner can only be transferred without explicit consent by persons or authorized institutions and organizations who are under the obligation of confidentiality, in the form of the protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning, and management of health services and financing.
As a rule, no data transfer is made abroad by our company, and all necessary administrative and technical measures are taken to prevent the transfer of personal data abroad.
STORAGE OF PERSONAL DATA
The personal data we obtain is stored securely in physical or electronic media for an appropriate period in order for Miss Diamond's activities to continue. Within the scope of these activities, Miss Diamond acts in accordance with the obligations stipulated in all relevant legislation, especially the KVKK, regarding the protection of personal data. Except for cases where personal data is allowed or required to be stored for a longer period, if the purposes of processing the obtained personal data have ended, the data will be deleted, destroyed, or anonymized by Miss Diamond on its own initiative or upon the request of the owners.
In cases where the data controller has a legitimate interest, personal data may be stored within the general statute of limitations (ten years), provided that it does not harm the fundamental rights and freedoms of the data owners, even though the purpose of processing and the periods specified in the relevant laws have ended. After the said statute of limitations has expired, personal data is deleted, destroyed, or anonymized according to the procedure in the Destruction Policy (For detailed information, we strongly recommend that you review our Destruction Policy on the Deletion, Destruction, and Anonymization of Personal Data, which is available on our website at [email protected]).
MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK, Miss Diamond takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data, and to ensure the preservation of the data, and makes or has the necessary audits made in this context. In the event that the processed personal data is seized by third parties through illegal means, despite all technical and administrative measures being taken, Miss Diamond will notify the relevant units as soon as possible.
- Technical Measures
- Taking into account the intentional or unintentional threats that may be posed by the people working in the organization, the necessary security controls have been implemented with log reporting through software and hardware devices in all relevant areas to control access to information and prevent unauthorized access.
- Layered network security measures have been established in the company against threats that may come from external networks.
- Technical measures are taken in line with technological developments, and the measures taken are updated and renewed periodically.
- In line with the legal compliance requirements determined on a business unit basis, access and authorization processes for personal data are designed and implemented within Miss Diamond.
- Access authorizations are restricted.
- The technical measures taken are checked periodically, and the issues that pose a risk are re-evaluated and the necessary technological solution is produced.
- Software and hardware including virus protection systems and firewalls are installed.
- Firewalls, antivirus software, VPN software/hardware, content controllers, and central management software are used in the Company's computer systems.
- Personnel knowledgeable in technical matters are employed.
- Security scans are regularly performed to detect security vulnerabilities in applications where personal data is collected. It is ensured that the identified vulnerabilities are closed.
- Penetration testing services are obtained when needed to check for system vulnerabilities.
- Personal data is destroyed in such a way that it cannot be recovered and leaves no audit trail.
- Administrative Measures
- Provisions are added to the contracts concluded with the persons to whom personal data is legally transferred by Miss Diamond that the persons to whom the personal data is transferred will take the necessary security measures for the purpose of protecting personal data and will ensure that these measures are complied with in their own organizations.
- Records are added to every document containing personal data that regulates the relationship between Miss Diamond and its personnel that they must act in accordance with the obligations stipulated by the KVKK for the lawful processing of personal data, that personal data must not be disclosed, that personal data must not be used unlawfully, and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with Miss Diamond. The failure of the personnel to comply with these obligations requires the application of sanctions that may lead to the termination of the employment contract.
- Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
- In line with the legal compliance requirements of personal data processing on a business unit basis, personal data access and authorization processes are designed and implemented within Miss Diamond.
- Employees are informed that they cannot disclose the personal data they learn to others in violation of the provisions of the KVKK and cannot use it for purposes other than processing, and that this obligation will continue even after they leave their position, and the necessary commitments in this regard are obtained from them.
- In the event that processed personal data is obtained by others through unlawful means, Miss Diamond will notify the relevant person and the Board as soon as possible.
- Miss Diamond employs knowledgeable and experienced personnel regarding the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
- It performs and has the necessary audits performed in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the privacy and security vulnerabilities that arise as a result of the audits.
- In accordance with Article 12 of the KVKK, Miss Diamond is responsible for ensuring that the third parties to whom it transfers personal data fulfill their obligations to process and store the data in a lawful manner and to access the data in a lawful manner in accordance with this Policy and the provisions of the KVKK. For this reason, Miss Diamond must obtain commitments that include ensuring these conditions and giving it the authority to audit when transferring data to third parties. In addition, Miss Diamond must specially inform all its personnel about the responsibilities arising from the processes of transferring personal data to third parties.
- Auditing of the Measures Taken for the Protection of Personal Data
Within the scope of the KVKK, Miss Diamond has registered with the VERBIS system as a data controller. In accordance with Article 11, Paragraph 1 of the Regulation, "The data controller obligations of legal entities established in Turkey within the scope of the Law are fulfilled through the authorized organ or the person or persons specified in the relevant legislation to represent and bind the legal entity. The organ authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled for the implementation of the Law." In accordance with this regulation, KVKK officials have been designated by our company, and these officials carry out audits at certain periods and from time to time.
DATA CONTROLLER'S OBLIGATION TO INFORM
Within the scope of Article 10 of the KVKK, data owners must be informed before or at the latest during the acquisition of personal data. The information that must be conveyed to data owners within the framework of this obligation to inform is as follows:
- The identity of the data controller and its representative, if any,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data can be transferred,
- The method of collecting personal data and the legal reason,
- Other rights listed in Article 11 of the KVKK.
In this context, in accordance with Article 10 of the KVKK, our Company informs personal data owners of their rights and guides them on how to use these rights. In accordance with Article 13 of the KVKK, Miss Diamond maintains the necessary channels, internal operations, and administrative and technical arrangements for evaluating the rights of personal data owners and for making the necessary notifications to them.
In order to fulfill the obligation to inform, Miss Diamond has prepared disclosure statements to be presented to data owners within the scope of the aforementioned provision of the KVKK, separately for each process and for each person whose data is processed. For data processing activities and data categories that require the explicit consent of the data owner in order for Miss Diamond to carry out its commercial activities, explicit consent statements have also been prepared, to be presented after the disclosure statements. In the explicit consent statements prepared for data owners, in parallel with the European Union regulations that form the basis of the KVKK, data owners have been given the right to choose whether their personal data can be processed by Miss Diamond, and they have been informed about the possible consequences in the event that explicit consent cannot be obtained.
OTHER OBLIGATIONS OF THE DATA CONTROLLER
Obligation to Inform: A Disclosure Text has been prepared regarding the data processed by Miss Diamond, and the relevant persons have been informed about the process.
Obligations Regarding Data Security: Our Company undertakes to fulfill all of its obligations to prevent the unlawful processing of personal data, to prevent unlawful access to this data, and to ensure its lawful preservation. The Company has established a data recording system that determines the purposes and means of processing personal data.
Obligation to Audit: Our Company undertakes to carry out, or have carried out, the audits necessary to ensure the implementation of the provisions of the law, so that personal data is processed in accordance with the procedures and principles stipulated in the law.
Obligation to Keep Confidential: Our Company undertakes not to disclose the personal data it processes to others or to use it, except for data for which it has provided information that it has made an unlawful transfer and for which it has received explicit consent. This commitment continues even after the data controller or data processor it has assigned during the processing leaves their position.
Obligation to Notify in Case of a Violation: In the event that the data it processes is obtained by others through unlawful means, our Company will notify the relevant person and the Board as soon as possible.
Obligation to Respond to Applications Made by Data Subjects and to Implement Board Decisions: Miss Diamond will respond to requests from data owners for the implementation of the Law, which are submitted to it in writing or by other methods to be determined by the Board, free of charge, as soon as possible and within thirty days at the latest, according to their nature. However, if a fee is foreseen by the Personal Data Protection Board and if a separate cost arises regarding the finalization of the requests by Miss Diamond, Miss Diamond may request the fees in the tariff determined by the Personal Data Protection Board from the relevant person who made the request.
Obligation to Register with the Data Controllers Registry: Miss Diamond will complete its registration with the registry by the date and time to be announced by the Personal Data Protection Board.
RIGHTS OF THE DATA SUBJECT AND HOW TO USE THESE RIGHTS
- Rights of the Data Subject
We would like to state that, as the data owner, you have the following rights in accordance with Article 11 of the Law:
- To learn whether your personal data has been processed,
- To request information about your personal data if it has been processed,
- To learn the purpose of processing your personal data and whether it is used in accordance with the purpose,
- To know the third parties to whom your personal data has been transferred at home or abroad,
- To request the correction of your personal data if it is incomplete or incorrectly processed and to request the notification of the transaction made in this context to the third parties to whom your personal data has been transferred,
- To request the deletion or destruction of your personal data in the event that the reasons requiring its processing have ceased to exist, even though it has been processed in accordance with the Law and other relevant legal provisions, and to request the notification of the transaction made in this context to the third parties to whom your personal data has been transferred,
- To object to a result against you that arises from the analysis of the processed data exclusively through automatic systems,
- To demand compensation for the damage you have suffered in the event that your personal data is processed unlawfully.
If you apply to our company for your rights listed above, your applications will be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board. In necessary cases, detailed and additional information may be requested to better understand the request. The procedures and principles of the application are explained below.
In accordance with Article 28 of the KVKK, data owners cannot assert the rights listed in Article 11 in the following cases, as they are excluded from the scope of the KVKK:
- The processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
- The processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.
- The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations and professional organizations in the nature of public institutions that are authorized by law to ensure national defense, national security, public security, public order, or economic security.
- The processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution proceedings.
In accordance with Article 28/2 of the KVKK, in the cases listed below, personal data owners cannot assert the other rights listed in Article 11, except for the right to demand compensation for damages:
- If the processing of personal data is necessary to prevent the commission of a crime or for a criminal investigation.
- The processing of personal data made public by the personal data owner themselves.
- If the processing of personal data is necessary for the performance of auditing or regulatory duties and for a disciplinary investigation or prosecution by public institutions and organizations and professional organizations in the nature of public institutions that are authorized by law.
- If the processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.
- How the Data Subject Uses Their Rights
Data owners will be able to submit their requests regarding their rights listed above to Miss Diamond free of charge by filling out and signing the Application Form in EK-1 with information and documents that will confirm their identity and using the methods specified below or other methods determined by the Personal Data Protection Board:
- An e-mail to be sent to the e-mail address [email protected]
- The Application Form delivered in person or sent via a notary to the address Ehlibeyt Mah. 6.Sokak No:25-B Balgat Çankaya/ANKARA.
In order for third parties to make an application request on behalf of personal data owners, a special power of attorney must be issued by the data owner through a notary on behalf of the person who will make the application.
- The Data Subject's Right to Complain to the KVKK Board
In cases where the application is rejected, the answer is found to be insufficient, or the application is not answered within the period, the personal data owner can file a complaint with the KVKK Board within thirty days from the date they learn of Miss Diamond's answer and in any case within sixty days from the date of the application, in accordance with Article 14 of the KVKK.
MISS DIAMOND'S RESPONSE TO APPLICATIONS
- Procedure and Period for Miss Diamond to Respond to Applications
If the personal data owner submits their request to Miss Diamond in a manner consistent with the procedure regulated in this policy, Miss Diamond will conclude the relevant request free of charge within thirty days at the latest, depending on the content of the request. However, if a fee is foreseen by the KVKK Board, Miss Diamond will charge the applicant the fee in the tariff determined by the KVKK Board.
- Information Miss Diamond May Request from the Personal Data Owner Making the Application
Miss Diamond may request information from the person concerned in order to determine whether the applicant is the personal data owner. Miss Diamond may ask the personal data owner questions regarding their application in order to clarify the issues in the application.
- Miss Diamond's Right to Reject the Application of the Personal Data Owner
Miss Diamond may reject the application of the applicant by explaining the reason in the cases listed below:
- The processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.
- The processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.
- The processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations and professional organizations in the nature of public institutions that are authorized by law to ensure national defense, national security, public security, public order, or economic security.
- The processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution proceedings.
- If the processing of personal data is necessary to prevent the commission of a crime or for a criminal investigation.
- The processing of personal data made public by the personal data owner themselves.
- If the processing of personal data is necessary for the performance of auditing or regulatory duties and for a disciplinary investigation or prosecution by public institutions and organizations and professional organizations in the nature of public institutions that are authorized by law.
- If the processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.
- There is a possibility that the request of the personal data owner will interfere with the rights and freedoms of other people.
- The requests made require disproportionate effort.
- The requested information is public information.
REVISION AND ABOLITION
In the event that this Policy is revised or abolished, the revised version of the Policy or a new policy example will be announced in the relevant places.
EXECUTION
All department managers, including the IT Manager, are responsible for the execution of this Policy and for the follow-up and coordination of all business and transactions within the scope of the KVKK and the regulations of the Data Protection Board of the board of directors of Miss Diamond, which is the data controller and is obliged to fulfill the obligations of the data controller.