Policy for Protection and Processing of Personal Data

4. BASIC PRINCIPLES REGARDING PROTECTION AND PROCESSING OF PERSONAL DATA

The basic principles followed in the processing of Personal Data are as follows:

a) Personal data is processed in accordance with law and rules of honesty.

b) Attention is paid to the proper processing of personal data and the data is updated when necessary.

c) Purposes for which personal data will be processed are determined and clear, and those purposes are legitimate. The relevant person is informed about the purposes for which personal data can be processed.

ç) Personal data processed is related to, limited to, and restrained for, the purpose for which it is processed.

d) Personal data is kept for the time period necessary for the purposes for which it is processed. In this context, personal data shall be stored during this time period, if required by the relevant legislation. If no time period has been set out in the relevant legislation regarding how long the personal data should be stored, the relevant data will be stored for the time period that requires storage in accordance with the practices of our Bank and its business life, in connection with the activity carried out, and then will be deleted, destroyed or anonymized based on its nature.

Regarding the processing of personal data, personal data may be processed without the express consent of the person concerned in the following cases:

a) If it is clearly provided for in the law;

b) If it is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;

b) If it is mandatory to protect life or body integrity of any person, who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid, or any other person;

ç) If it is mandatory for the data controller to fulfil its legal obligation;

d) If the personal data has been publicized by the person concerned;

e) If the processing is mandatory in order to establish, exercise or protect a right;

f) If the processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the person concerned are not damaged.

5. PURPOSE OF PERSONAL DATA PROCESSING

Taking into account the basic principles mentioned above, the personal data is processed in order for concluding the contract and fulfilling the requirements therein, preparing all records and documents that will serve a basis for the transactions provided for in the contract and the relevant legislation, our Bank communicating with the relevant persons, the provision of the services provided for in the Banking Law and other legislation, obtaining identity, address details and other necessary information to identify the information of the transaction owner or guests of our Bank, carrying out any intra-bank communication in accordance with the relevant procedure, complying with the regulations in the Banking Law, the Capital Markets Law and other relevant legislation, fulfilling information storage, reporting, disclosure and other obligations required by the BRSA, CMB, CBRT and other official organizations and providing the Bank's products and services.

6. PERSONS AND ORGANIZATIONS THAT PERSONAL DATA CAN BE SHARED WITH

Personal data can be transferred for the purposes specified in the Article above to the relevant Bank employees, persons or organizations permitted by the provisions of the Banking Law and other legislation, Takasbank, Investor Compensation Centre (YTM), Credit Bureau (KKB), BRSA, SPK, CBRT, courts, enforcement offices and other official institutions and organizations, the Bank's shareholders, direct / indirect domestic affiliates, and persons and program partner organizations from whom services are received, with whom cooperation is made and training programs are organized in order to carry out the Bank's activities, persons and organizations abroad to which the Bank is related, and any relevant persons and organizations as required by the foreign legislation that the Bank is obliged to comply with, within the scope of the Bank's activities.

7. RIGHTS OF PERSONS WHOSE PERSONAL DATA IS PROCESSED

Those whose personal data is processed by our Bank shall have the right a) to figure out whether their personal data is processed, b) if processed, to request for information related thereto, c) to know about the purpose of such processing and whether their personal data is used properly, ç) to know about third-parties to whom their personal data is transferred home and abroad, d) to request for correction if their personal data is processed in an incomplete and/or incorrect manner, e) to request for deletion and/or destruction of their personal data under the conditions provided for in Article 7 of the Personal Data Protection Law, f) to request for notification to third-parties to whom their personal data is transferred of processes carried out pursuant to paragraphs (d) and (e) above, g) to appeal to occurrence of any result against them due to analysis of their personal data exclusively by automated systems and ğ) demand compensation if they incur any loss due to processing of their personal data unlawfully, by applying to our Bank. Our Bank reserves its rights arising from the legislation related thereto. Except for demands which are unreasonably repetitive, require disproportionate technical efforts and jeopardizing the privacy of others, maximum effort is exercised to ensure that such rights are effectively provided.

Please click here to access the data subject application form.