PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. PURPOSE OF THE POLICY

With the awareness of the importance of the confidentiality and security of personal data obtained by our Company within the scope of the Law No. 6698 on the Protection of Personal Data (KVKK) and other relevant legislation, it aims to fulfil the requirements for compliance with the relevant legislation in the capacity of data controller defined in the Law on the Protection of Personal Data and to establish a data protection and processing policy at international standards.

Our Company's Personal Data Protection Policy ("Policy") sets out the principles of lawfulness, honesty and openness adopted by our Company in the protection and processing of personal data. The Policy also provides information on the purposes for which our Company processes personal data, the method, legal reason and purpose of collecting personal data, to whom and for what purposes the data may be transferred, and the rights and remedies of those concerned.

2. PURPOSE, SCOPE, AND DEFINITIONS

2.1 PURPOSE

This Personal Data Processing and Protection Policy ("Policy") is the main policy text regulating the principles that AREL ENERJİ ÇEVRE YATIRIMLARI A.Ş. (AREL Energy) will comply with while fulfilling its obligations imposed by the Law No. 6698 on the Protection of Personal Data ("KVKK") and other relevant legislation.

2.2 SCOPE

The Policy covers Personal Data collected, processed or shared with AREL Energy during its activities, including AREL Energy employees, employee candidates, business partners, customers, potential customers, suppliers, service recipients, visitors and website visitors, and is binding on AREL Energy, its departments and employees.

2.3 DEFINITIONS

In the application of this Policy, the following definitions shall have the meanings given to them:

Recipient group: The category of natural or legal person to whom personal data is transferred by the data controller,

Relevant user: Persons who process personal data within the organisation of the data controller or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,

Destruction: Deletion, destruction or anonymisation of personal data,

Law: Law No. 6698 on the Protection of Personal Data,

Recording medium: Any medium in which personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,

Personal data: Any information relating to an identified or identifiable natural person,

Relevant Person (Personal data owner): The natural person whose personal data is processed,

Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,

Personal data processing inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing personal data, data category, transferred recipient group and data subject group, and detailing the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,

Board: Personal Data Protection Board,

Explicit Consent: the consent given with free will after being informed about a certain subject,

Sensitive personal data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Periodic destruction: The process of deletion, destruction or anonymisation to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear,

Policy This Policy, which data controllers use as a basis for the process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymisation,

Registry: The registry of data controllers kept by the Personal Data Protection Authority,

Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller,

Data recording system: The recording system in which personal data are structured and processed according to certain criteria,

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

For definitions not included in this Policy, the definitions in the Law apply.

3. PROCESSING OF PERSONAL DATA

3.1 PRINCIPLES

AREL Energy acts in accordance with the following principles in all kinds of activities related to the collection and processing of Personal Data:

3.1.1 Compliance with the law and honesty rules

Personal Data will be collected and processed in accordance with the law and good faith.

3.1.2 Accuracy and timeliness when necessary

If necessary for the purpose of collecting and processing Personal Data:

AREL Energy will take reasonable measures to keep Personal Data complete, accurate and up-to-date.

In the event that the Data Subjects provide information about changes to the Personal Data, AREL Energy, will update the Personal Data and take reasonable measures to update, correct or delete incomplete or inaccurate data.

3.1.3 Specificity, clarity, and fulfilment of legitimate purposes,

AREL Energy undertakes to collect and process Personal Data to the extent necessary and in connection with the business purpose for which it is collected. Except where legally permitted or required, Personal Data will not be collected and/or processed in advance for purposes expected to arise in the future. Except in cases where the processing of Personal Data is legally required or possible, it will be processed only for legitimate purposes clearly stated before the collection of the data and in accordance with the consent to be obtained or, where necessary, Explicit Consent.

Prior to any data collection activity by AREL Energy, in cases where it is necessary to obtain the Explicit Consent of the Data Subject in accordance with the data collection method and this Policy, the consent form or online environments where consent is obtained will be used.

In cases where Personal Data is processed by third parties who Process Data on behalf of AREL Energy, third parties must undertake in advance in writing, contractually or otherwise that they will comply with the obligations set out in this Policy.

3.1.4 Preservation for the period stipulated in the relevant legislation or required by the purpose for which they are processed

Personal Data is stored for the maximum retention period in accordance with the purposes of processing, this period may be kept longer in order to comply with the obligations set out in the legislation or to protect legitimate business interests.

After the legally, administratively, or commercially required periods expire, Personal Data that are not needed will be deleted, anonymised or destroyed in accordance with the legislation and AREL Energy Personal Data Retention and Destruction Policy ("Destruction Policy").

AREL Energy is responsible for the destruction of all data in accordance with the legislation in the event that the purpose of collecting this data disappears and the legal retention periods expire regarding the Personal Data in the physical and electronic data recording systems.

All transactions regarding the deletion, destruction and anonymisation of Personal Data will be recorded and such records will be kept for at least three (3) years, excluding other legal obligations.

3.2 DATA COLLECTION AND PROCESSING

AREL Energy will collect and process Personal Data in accordance with the following legal conditions.

METHOD OF COLLECTING PERSONAL DATA

Obtaining personal data of natural persons and shareholders of legal entities, members of the board of directors, authorized signatories, and employees during all kinds of commercial transactions, negotiations, preparation and delivery of projects and execution of the contract in order for our company to continue its commercial activities,

Obtaining general and special quality personal data obtained during interviews with employee candidates in order to meet the employment needs of our company,

Obtaining general and special categories of personal data during the signing of the employment contract with the employee and the performance of the employment contract,

Obtaining security camera records and filling out the visitor form in order to ensure safe entry and exit,

Obtained by visiting our Company's premises, facilities, centres, websites and/or other social and digital media in order to benefit from our products and services,

Your personal data may also be obtained by participating in activities such as fairs, events, seminars, organisations, project meetings and trainings organised by our Company.

Personal data may be collected verbally, in writing or electronically by automatic or non-automatic methods and similar means. Your collected personal data may be processed and transferred within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK in order to provide you with better service.

3.3 Consent

AREL Energy will process the collection and/or processing of Personal Data after informing the Data Subject in accordance with the legislation and the Policy and after obtaining his/her Explicit Consent in writing or electronically with his/her free will. In case of processing Personal Health Data, Explicit Consent is obtained in writing. Explicit Consent statements received will be documented and stored in physical or electronic media. Personal Data may be processed without the consent of the Data Subject in the presence of the following cases listed in the KVKK:

It is clearly stipulated in the laws.

It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the Personal Data of the parties to the contract.

It is mandatory for the Data Controller to fulfil its legal obligation.

It has been made public by the Data Subject himself/herself.

Data Processing is mandatory for the establishment, exercise or protection of a right.

Data processing is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

3.4 Special Categories of Personal Data

Sensitive Personal Data may only be processed with the explicit consent of the Data Subject or in cases explicitly stipulated by law, except for data relating to health and sexual life. Personal Data relating to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of confidentiality, without seeking the Explicit Consent of the person concerned. In the processing of Special Categories of Personal Data, the decisions of the Personal Data Protection Board shall be complied with.

4. TRANSFER OF PERSONAL DATA

4.1 Personal Data may be transferred to third parties in Türkiye only in the event that the Data Subject has given explicit consent to the data transfer or in the presence of one of the conditions listed in 3.3 where explicit consent is not required.

4.2 In the transfer of Personal Data to third parties abroad, in addition to the conditions listed in 4.1:

In addition to the conditions listed in 4.1, the foreign country to which the Personal Data is transferred must provide adequate protection or, if there is no adequate protection in the relevant foreign country, AREL Energy and the data controllers in the relevant foreign country must undertake in writing that adequate protection is provided, and the Board's authorisation must be obtained.

5. RIGHTS AND OBLIGATIONS

5.1 Rights of the Relevant Person

Natural persons whose Personal Data are collected or processed by AREL Energy have the right to apply to the Data Controller in accordance with the KVKK.

By using the right of application, the Data Subject may address the following requests in writing or by e-mail to AREL Energy or its representatives in line with the contact information provided in the last section of this Policy:

To learn whether Personal Data is processed or not,

To receive information if their Personal Data has been processed,

To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,

To know the third parties to whom Personal Data is transferred domestically or abroad,

To correct Personal Data in case of incomplete or incorrect processing,

To delete or destroy Personal Data within the framework of the Law,

To notify the third parties to whom the Personal Data is transferred of the above-mentioned transactions,

To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed Personal Data exclusively through automated systems,

To compensate the damage in case of damage due to unlawful processing of Personal Data

5.2. Obligations of the Data Controller

5.2.1 Disclosure Obligation

AREL Energy will make an informative, clear, and understandable notification to the relevant persons about the process of processing their Personal Data and the purposes of Data Processing during the acquisition of Personal Data, will ensure that these persons are informed about their rights regarding their Personal Data.

The notification to be made to the Relevant Persons includes at least the following elements:

Identity of the Data Controller or its representative, if any,

Purpose, method, and legal reason for Data Processing,

To whom and for what purpose Personal Data may be transferred,

The method and legal reason for collecting personal data,

Other rights listed in Article 11 of the KVKK,

AREL Energy will fulfil its disclosure obligation within the scope of KVKK through its website at www.arelenerji.com.

5.2.2 Obligations Regarding Data Security

Within the scope specified in the relevant legislation,

AREL Energy takes necessary measures to prevent the misuse, destruction, loss, unauthorised alteration or acquisition of data. In line with the Personal Data Protection Policy, it takes reasonable measures in accordance with the legislation to implement an effective measure system:

Preventing unauthorised persons from accessing the data processing system in order to use or process Personal Data (access control),

Ensuring that persons authorised to use a data processing system have access only to the data to which they are authorised to access and preventing unauthorised reading, copying, modification or deletion of Personal Data during processing and use and after recording (controlling access, principle of being informed as necessary),

Preventing the reading, copying, modification or deletion of Personal Data by unauthorised persons during the electronic transmission or transfer of Personal Data or during the process of saving it in the data storage medium and ensuring the determination and control of by whom Personal Data is transferred using data transmission tools (control of information transfer),

Ensuring the control and determination of whether Personal Data has been accessed, modified or deleted from the data processing system and by whom such operations have been performed (input control),

Ensuring that Personal Data processed on behalf of others are processed in accordance with the instructions of the Data Controller (business control),

Ensuring that measures are taken against accidental destruction or loss of Personal Data (data availability control),

Ensuring that Personal Data collected for different purposes can be processed separately.

In the event that the processed Personal Data is obtained by others illegally, AREL Energy shall notify the relevant person and the Board as soon as possible.

AREL Energy shall carry out or have the necessary audits carried out in order to ensure Personal Data security.

5.2.3 Registration to the Data Controllers Registry

According to the Regulation on the Data Controllers Registry, AREL Energy will fulfil the relevant obligation to be fulfilled in accordance with the Regulation by registering to the Data Controllers Registry to be established by the Personal Data Protection Authority. In this context, the following information will be made available to the public:

Name, address and, if received, KEP address of the Data Controller, Data Controller's representative and contact person, if any,

The purposes for which Personal Data may be processed,

The group or groups of persons subject to Personal Data and the categories of data belonging to these persons,

Recipients and recipient groups to whom Personal Data may be transferred,

Personal Data foreseen to be transferred to foreign countries,

The date of registration and the date of termination of registration,

Measures taken regarding Personal Data security,

The maximum period required for the purpose for which the Personal Data is processed.

5.2.4 Awareness and Training

AREL Energy is obliged to ensure that its employees, distribution channels and third parties with mutual responsibility framed by the Law are sufficiently informed and trained on the processing of personal data within the framework of this Policy, local legislation and directives.

AREL Energy takes measures to ensure that persons involved in the processing of Personal Data are familiarised with the local data protection legislation and the terms of the Policy regarding data protection; these measures include holding awareness meetings and providing training. Trainings or awareness meetings are organised in the following ways:

e-training,

face-to-face work,

internal newsletters,

other appropriate means to achieve and maintain a high level of awareness of data protection issues,

Such training and information activities are carried out in coordination with the HR Department.

6. Methods to be Applied for Deletion, Destruction, Anonymisation of Personal Data

AREL Energy will delete, destroy and/or anonymise the personal data within its structure by using the methods set out below.

6.1.1 Application Type Cloud Solutions as a Service (such as Office 365, etc.)

AREL Enerji will delete the data in the cloud system by issuing a delete command. While performing the aforementioned process, AREL Energy shall pay particular attention to the fact that the relevant user is not authorised to restore the deleted data on the cloud system.

6.1.2 Personal Data on Paper Media

AREL Energy will erase personal data on paper media using the blackout method. The blackout process is performed by cutting the personal data on the relevant document, where possible, and making it invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read with technological solutions.

6.1.3 Office Files on the Central Server

AREL Energy will delete the file with the delete command in the operating system or remove the access rights of the relevant user on the file or the directory where the file is located. AREL Energy shall pay attention that the relevant user is not also the system administrator while performing the aforementioned operation.

6.1.4 Personal Data on Portable Media

AREL Energy stores personal data in flash-based storage media in encrypted form and will delete them using software suitable for these media.

6.1.5 Databases

AREL Energy will delete the relevant rows containing personal data with database commands (DELETE etc.). While performing the aforementioned operation, it will pay attention that the relevant user is not also the database administrator.

7. Periods for Ex officio Deletion, Destruction or Anonymisation of Personal Data

AREL Energy deletes, destroys, or anonymises personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymise personal data arises.

The periodic destruction will be carried out by AREL Energy within 180 days following the date on which the obligation to delete, destroy or anonymise personal data arises. In mandatory cases, this period can be extended for a maximum of 30 days.

8. Amendments to the Policy and Effective Date

The provisions contained in this Policy may be amended by AREL Energy in accordance with the provisions of the Regulation to be issued in accordance with the KVKK and other legislation and for other reasons, including, but not limited to, other reasons, if deemed necessary by AREL Energy, in accordance with the provisions of the legislation, by publishing on the website. In the event that any of these provisions are changed, the relevant changes shall enter into force on the date of publication of the change on the website.

DATA CONTROLLER : AREL ENERJİ ÇEVRE YATIRIMLARI A.Ş.

ADDRESS : MUTLUKENT MAHALLESI 1977. SOKAK NO:17 06810 UMITKÖY / ÇANKAYA / ANKARA

E-mail address : info@arelenerji.com

KEP address :