TABLE OF CONTENTS

1. INTRODUCTION 1…………………………………………………………………………………………………….. ……………………………………………………………………………………………………..
2. Purpose and Scope 1……………………………………………………………………………………………… ………………………………………………………………………………………………
3. Definitions 1…………………………………………………………………………………………………………. …………………………………………………………………………………………………………
4. DUTIES and RESPONSIBILITIES 2……………………………………………………………………………. …………………………………………………………………………….
5. Duties and Responsibilities of the Employee 2………………………………………………………….. ………………………………………………………….
6. Duties and Responsibilities of the Committee 3…………………………………………………………. …………………………………………………………

III. SENSITIVE PERSONAL DATA SECURITY 4……………………………………………………………. …………………………………………………………….

4. TAKING SAFETY MEASURES FOR THE EMPLOYEE 4………………………………………….. …………………………………………..
5. TAKING SECURITY MEASURES IN ELECTRONIC ENVIRONMENTS 4………………….. ………………….
6. TAKING SAFETY MEASURES IN PHYSICAL ENVIRONMENTS 5…………………………… ……………………………

VII. SHARING SENSITIVE PERSONAL DATA 5……………………………………………………………. …………………………………………………………….

VIII. ENFORCEMENT OF THE POLICY 6…………………………………………………………………….. ……………………………………………………………………..

I. INTRODUCTION

A.  Purpose and Scope 

The purpose of this Policy is to determine the principles in all kinds of data processing activities such as the transfer, storage, destruction and storage of sensitive personal data according to the procedures and principles specified in the LPPD and the decision of the Personal Data Protection Board dated 31.01.2018 and numbered 2018/10 regarding “Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data”.

The provisions of the policy, all information systems and sub-information, contracts, environmental and physical areas that may be involved in the processing of Sensitive Personal Data in the fields of activity and work of PROCAT, and the systems and regulations produced for all these and any process in which it processes personal data, such as Shareholder / Partner, Employee, Employee Candidate, Intern, Parent/Guardian / Representative, Supplier Employee, Supplier Official, Employee Relative Product or Service Receiver, Potential Product or Service Recipient, Authorized Public Institutions and Organizations, Employees and Authorities of the Institutions and Organizations with which it has a Trade and Business Relationship, Sensitive Personal Data of individuals.

B. Definitions

II. ROLES and RESPONSIBILITIES

A. Duties and Responsibilities of the Employee

In addition to their responsibilities specified in the Policy, the Processor of Sensitive Personal Data is also responsible for the following issues:

• Complying with other relevant PROCAT regulations,

• Fulfillment of duties and responsibilities in accordance with the rules in the Policy.

The Employee is obliged to ensure that the data processed by PROCAT and under his/her own responsibility are kept secure and that no sensitive personal data is disclosed to the third party unless the Confidentiality Undertaking and the relevant PROCAT regulations are complied with within the scope of the LPPD.

B. Duties and Responsibilities of the Committee

The Committee’s responsibilities are set out in paragraphs A and C of Article 2 of the Instruction:

• Reporting violations against this Policy to the Board of Directors,

• Supporting the Employee to implement the processes created within the scope of the Policy,

• If the Committee detects a data breach, it instructs the Contact Person to notify the PPD Board,

• Communicating Sensitive Personal Data processing issues and developments and other PROCAT regulations to the Employee in an appropriate manner,

• Regulation of Sensitive Personal Data processing processes in accordance with the Policy and coordination of its implementation by the relevant business units,

• Supervision of the units in charge of managing the Sensitive Personal Data protection system, ensuring and documenting compliance with the LPPD and other relevant legislation, and reporting these issues to the Board of Directors periodically for 6 months,

• Improving the administrative, technical and physical security controls of the systems containing Sensitive Personal Data and ensuring compliance with other PROCAT regulations created within the scope,

• Ensuring that the necessary measures and trainings are taken by working with the relevant units in establishing and maintaining a framework for the development, implementation and updating of the processing principles of Sensitive Personal Data,

• Taking part in the process of developing new products and services, determining the processing requirements, making opinions and suggestions about the subject before applying the new product or service to the production environment,

• Reporting and responding to complaints about violations related to the processing of Sensitive Personal Data and taking a basic role in coordinating solutions,

• Ensuring the implementation, creation and updating of the Policy,

• To protect the sensitive personal data in the systems or processed, to follow the technological developments in order to evaluate their current status and to implement the changes to be made,

• Ensuring that improvements and security assessments are made in systems with sensitive personal data by working with authorized business units.

III. SENSITIVE PERSONAL DATA SECURITY

Sensitive Personal Data should only be accessible by those who have access to the relevant data. Access shall be granted in accordance with the relevant PROCAT regulations.

Information security situations related to Sensitive Personal Data are evaluated by the Committee as soon as possible and reported to the Board of Directors. If the Committee detects a data breach, it instructs the Contact Person to notify the PPD Board,

IV. TAKING SAFETY MEASURES FOR THE EMPLOYEE

About the Employee in the business units that carry out business processes by processing Sensitive Personal Data in the Human Resources and Administrative Affairs Unit, Occupational Health and Safety Unit, Workplace Physician and Accounting Unit;

• Providing training on the security of personal data to the relevant units listed above once a year,

• Making confidentiality agreements,

• Clearly defining the scope and duration of authorization of users with access to Sensitive Personal Data and periodically performing authorization checks,

required.

The powers of the Employee who has changed his/her job or left the job in this field must be removed immediately and his/her existing accounts must be closed immediately. In this context, it should be ensured that the inventories (computer, hard disk, file, folder, etc.) containing personal data allocated to the Employee by the Data Controller are returned.

V. TAKING SECURITY MEASURES IN ELECTRONIC ENVIRONMENTS

If the media in which the said data is processed, stored and / or accessed is electronic media;

• Preservation of data using cryptographic methods,

• Keeping cryptographic keys in secure and different environments,

• Securely logging the transaction records of all movements made on the data,

• Continuously monitoring the security updates of the environments where the data are located, performing/having performed the necessary security tests regularly, recording the test results,

• If the data is accessed through a software, performing user authorizations for this software, performing/having performed security tests of these software regularly, recording the test results,

• Providing at least two-step authentication system if remote access to data is required,

is required.

VI. TAKING SECURITY MEASURES IN PHYSICAL ENVIRONMENTS

The environments in which the data is processed, stored and / or accessed, and the physical environment;

• Ensuring that adequate security measures (against electricity leakage, fire, flood, theft, etc.) are taken according to the nature of the environment in which the Sensitive Personal Data is located,

• Preventing unauthorized entry and exit by ensuring the physical security of these environments,

is required.

VII. SENSITIVE PERSONAL DATA SHARING

Sensitive Personal Data may only be shared with third parties in accordance with the law and equity within the scope of the Explicit Consent of the Relevant Person or the exceptions in paragraph 3 of Article 6 of the KVKK.

Accordingly, in order to share personal data, it is required to have one of the following conditions:

• Obtaining the explicit consent of the data owner,

• The processing of personal data for sensitive personal data other than health and sexual life is clearly stipulated in the laws,

• Sensitive personal data related to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In case of sharing Sensitive Personal Data, the following measures will be taken and transfer activities will be carried out in this context:

• If the data needs to be transferred via e-mail, transferring it with an encrypted corporate e-mail address or using a Registered Electronic Mail (REM) account,

• If it is necessary to transfer via media such as Portable Memory, CD, DVD, it should be encrypted with cryptographic methods and the cryptographic key should be kept in a different environment,

• If transferring between servers in different physical environments, transferring data between servers by setting up a VPN or using the sFTP method.

If the transfer of Personal Data via paper media is required, necessary measures must be taken against risks such as theft, loss or unauthorized viewing of the document; the document must be sent in a format that carries the phrase “Confidential” and in the format used for confidential documents.

In addition to the above-mentioned measures, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the PPD Board will be followed and taken into account and the relevant department and the Employee will be informed about the subject.

VIII. ENFORCEMENT OF THE POLICY

This Policy, issued by the Committee, entered into force on 26.06.2020 and necessary updates will be made in case of renewal of all or certain articles of the Policy.

The Committee shall carry out the implementation, updating and announcement of this Policy.