Personal Data Processing and Data Security Policy

LOGIN

GENERAL DESCRIPTION

FOR THE PROTECTION OF PERSONAL DATA ISSUES CONCERNING THE PROCESSING OF PERSONAL DATA ISSUES COMPANY OF PERSONAL DATA PROCESSED BY CATEGORIZATION dressing OBJECTIVE THREE PEOPLE that TRANSMISSION OF PERSONAL DATA BY MYRAANG AND IMPORTED on OBJECTIVES BASED ON CONDITION PROCESSING The LAW OF PERSONAL DATA AND LIMITED TO TREATING THESE TERMS MYRAANG HEAD OFFICE AND STORE WITH THESE BUILDINGS WITHIN PERSONAL DATA PROCESSING ACTIVITIES TO USE PERSONAL DATA OWNERS 'RIGHTS AND USE OF THESE RIGHTS AND EVALUATION BY MYRAANG MYRAANG'S OTHER PERSONAL DATA PROTECTION AND PROCESSING OTHER INTERNAL POLICIES

1.

GENERAL DESCRIPTION

MYRAANG TEKSTİL SAN VE TİC.LTD.ŞTİ (bir MYRAANG öz and / or ası the Company in) is committed to the protection of personal data and we apply it to all natural and legal persons by making it a company policy. In this context, the Processing and Data Security Policy of this Personal Data (Ziyaret Policy Çalışan) and the Customers, Employees and Employees of the Associated Institutions, Supplier Authorities and Employees, Partners and Employees, Visitors, Website Users, Employee Candidates and other Third We aim to protect personal data of individuals.

As MYRAANG, we take the necessary administrative and technical measures to protect personal data processed in accordance with Law No. 6698 on the Protection of Personal Data.

(I) processing of personal data in accordance with the law and integrity rules; (iii) processing of personal data for specific, clear and legitimate purposes; (iv) personal data linked to the purpose for which they are processed; (v) maintaining personal data for the period required by the applicable legislation or for the purpose for which they are committed; (vi) disclosing and informing the personal data owners; (vii) creating the technical and administrative infrastructure required for the use of the rights of the personal data owners; (viii) To take the necessary technical and administrative measures to protect personal data, (ix) to act in accordance with the relevant legislation and the regulations of the Board in transferring the personal data to third parties in accordance with the requirements of the processing purpose, We msemekt. In this Policy, we make detailed explanations regarding these basic principles.

1.1. Purpose and Scope of Polı Poltı

The purpose of this Policy is to inform MYRAANG about the security measures and measures taken by MYRAANG for the protection of data processed and adopted by ISRAUH while processing personal data in accordance with the law and informing the persons whose personal data are processed by MYRAANG. In this context, this Policy covers the protection of the Personal Data of the Persons and Employees of Our Customers, the Authorities and Employees of the Organizations we are Cooperating with, Our Business Partners, Employees and Employees, Visitors, Website Users, Employee Candidates and other Third Constitution, and other laws. and to inform the public about the processing and protection of personal data collected by MYRAANG in a non-automated manner, as part of any data recording system.

1.2. Implementation of the Policy and Relevant Legislation

The relevant legislative regulations in force on the processing and protection of personal data will be prioritized. In the event of discrepancy between applicable legislation and the Policy, MYRAANG agrees to implement the applicable legislation.

2. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA2.1. Securing Personal Data

Under Article 12 of the Act, MYRAANG takes the necessary measures and measures to prevent unlawful processing of personal data, to protect personal data and to prevent unauthorized access to personal data and to carry out the necessary inspections.

In this context, the Personal Data Guide (Technical and Administrative Measures) issued by the Board; (i) Entitlement Matrix, (ii) Authorization Control, (iii) Access Logs (iv) User Account Management, (v) Network Security, (vi) Application Security, (vii) Encryption, (viii) Infiltration Test, (ix) Intrusion Detection and Prevention Systems, (x) Log Logs, (xi) Data Masking, (xii) Data Loss Prevention Software, (xiii) Backup, (xiv) Firewalls, (xv) Current Anti Virus Systems, (xvi) Deletion, Destroying and Anonymous (xvii) Key Management 

explained as technical measures that can be taken by the responsible. (I) Preparation of Personal Data Inventory (ii) Preparation of Personal Data Inventory, (ii) Preparation of Corporate Policies (Access, Information Security, Use, Retention and Disposal, etc.) in the Personal Data Guide (Technical and Administrative Measures); (iii) (Contract Manager - Data Officer, Data Officer - Data Processor) to be concluded, (iv) Signing the Privacy Undertakings, (v) internal or random tests, (vi) Risk Analysis, (vi) Risk Analysis, (vii) Work Contract and Discipline (Viii) Compliance of the Corporate Communications Principles with the Law (Crisis Management, Information Process for the Board and Related Persons, Reputation Management, etc.), (ix) Conducting Training and Awareness Activities Within the framework of Information Security and Law) and (x) Data Responsibility Registry Information System (VERBIS) explained as administrative measures.

MYRAANG has taken the following administrative and technical measures in the light of the Personal Data Guide (Technical and Administrative Measures) described above and published by the Board:

Current risks and threats are identified, training and awareness raising activities of MYRAANG Employees are conducted, Personal data security policies and procedures are determined, personal data processed by MYRAANG is reduced as much as possible and the Contractors and MYRAANG are contracted under the Law and administrative and technical measures are taken to ensure cyber security. (eg erasing unused software and services, creation of firewalls, patch management and software updates, access restrictions, creation of access authorization and control matrix, use of antivirus products, establishment of SSL connections, etc.) Personal data security is monitored (eg log records are kept , an official reporting procedure is established to report security issues, weakness scans and penetration tests are carried out), Personal data in the cloud environment encryption and encryption keys are used, and data backup strategies are being developed.2.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data

MYRAANG takes the necessary technical and administrative measures in order to ensure that the personal data is processed in accordance with the law and which are listed below. In this context;

Personal data processing activities carried out within MYRAANG are audited by established technical systems, technical measures are reported to the relevant person in case of need, technical personnel are informed on the technical issues, MYRAANG and MYRAANG Employees who manage the legal relationship between the contract and documents, except for the exceptions brought by law, personal data processing, non-disclosure MYRAANG Employees are informed and MYRAANG Employees are periodically informed and trained about the protection of personal data law and personal data in accordance with the law. data processing activities; In order to ensure compliance of these activities with the Law, the requirements to be fulfilled are determined on a case-by-case basis, policies are implemented to ensure legal compliance requirements, to create awareness within the Company, to ensure the continuity of practices and to perform regular audits, and periodically to access MYRAANG's corporate systems. trainings are provided to persons (including, but not limited to, other real persons, if necessary,), and the contracts and documents governing the legal relationship between MRRAANG and the Institutions, Suppliers, Business Partners, Visitors, Web Site Users, Employee Candidates and other Third Parties except for exceptions, records of personal data, non-disclosure, non-disclosure and non-use of records are placed Technical and Administrative Measures Taken to Prevent the Unlawful Access of Personal Data

MYRAANG takes the technical and financial means and the technical and administrative measures listed below, which are necessary to prevent unauthorized disclosure, access, transfer or any other unlawful access of personal data. According to this;

Technical measures are taken in line with the developments in technology and these measures are updated and renewed when necessary, and technical solutions related to access and authorization are put into effect in line with the legal compliance requirements determined on the basis of process and access rights are limited.

explained as technical measures that can be taken by the responsible. (I) Preparation of Personal Data Inventory (ii) Preparation of Personal Data Inventory, (ii) Preparation of Corporate Policies (Access, Information Security, Use, Retention and Disposal, etc.) in the Personal Data Guide (Technical and Administrative Measures); (iii) (Contract Manager - Data Officer, Data Officer - Data Processor) to be concluded, (iv) Signing the Privacy Undertakings, (v) internal or random tests, (vi) Risk Analysis, (vi) Risk Analysis, (vii) Work Contract and Discipline (Viii) Compliance of the Corporate Communications Principles with the Law (Crisis Management, Information Process for the Board and Related Persons, Reputation Management, etc.), (ix) Conducting Training and Awareness Activities Within the framework of Information Security and Law) and (x) Data Responsibility Registry Information System (VERBIS) explained as administrative measures.

MYRAANG has taken the following administrative and technical measures in the light of the Personal Data Guide (Technical and Administrative Measures) described above and published by the Board:

Current risks and threats are identified, training and awareness raising activities of MYRAANG Employees are conducted, Personal data security policies and procedures are determined, personal data processed by MYRAANG is reduced as much as possible and the Contractors and MYRAANG are contracted under the Law and administrative and technical measures are taken to ensure cyber security. (eg erasing unused software and services, creation of firewalls, patch management and software updates, access restrictions, creation of access authorization and control matrix, use of antivirus products, establishment of SSL connections, etc.) Personal data security is monitored (eg log records are kept , an official reporting procedure is established to report security issues, weakness scans and penetration tests are carried out), Personal data in the cloud environment encryption and encryption keys are used, and data backup strategies are being developed.2.1.1. Technical and Administrative Measures Taken to Ensure the Legal Processing of Personal Data

MYRAANG takes the necessary technical and administrative measures in order to ensure that the personal data is processed in accordance with the law and which are listed below. In this context;

Personal data processing activities carried out within MYRAANG are audited by established technical systems, technical measures are reported to the relevant person in case of need, technical personnel are informed on the technical issues, MYRAANG and MYRAANG Employees who manage the legal relationship between the contract and documents, except for the exceptions brought by law, personal data processing, non-disclosure MYRAANG Employees are informed and MYRAANG Employees are periodically informed and trained about the protection of personal data law and personal data in accordance with the law. data processing activities; In order to ensure compliance of these activities with the Law, the requirements to be fulfilled are determined on a case-by-case basis, policies are implemented to ensure legal compliance requirements, to create awareness within the Company, to ensure the continuity of practices and to perform regular audits, and periodically to access MYRAANG's corporate systems. trainings are provided to persons (including, but not limited to, other real persons, if necessary,), and the contracts and documents governing the legal relationship between MRRAANG and the Institutions, Suppliers, Business Partners, Visitors, Web Site Users, Employee Candidates and other Third Parties except for exceptions, records of personal data, non-disclosure, non-disclosure and non-use of records are placed Technical and Administrative Measures Taken to Prevent the Unlawful Access of Personal Data

MYRAANG takes the technical and financial means and the technical and administrative measures listed below, which are necessary to prevent unauthorized disclosure, access, transfer or any other unlawful access of personal data. According to this;

Technical measures are taken in line with the developments in technology and these measures are updated and renewed when necessary, and technical solutions related to access and authorization are put into effect in line with the legal compliance requirements determined on the basis of process and access rights are limited....

requesting the deletion or destruction of personal data and requesting notification to the third parties where the personal data is transferred, objecting to the emergence of a result against the individual by analyzing the processed data exclusively through automatic systems in the case of claiming the right to damage, has the rights.2.3. Protection of Personalized Personal Data

The law also imposes certain regulations on the processing and protection of such data due to the specific nature of certain personal data. According to the law, data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data personal data. In addition to being a Company operating in the retail sector and the nature of the work we do, we also pay special attention to the proper processing and protection of private personal data. In this context, technical and administrative measures are taken by MYRAANG for the protection of personal data and necessary audits are carried out periodically.

 

2.4.MYRAANG Increasing and Controlling of Our Customers, Our Company Officials, Authorized Persons of Employees and Employees, Supplier Authorities and Employees, Business Associates and Employees, Visitors, Website Users, Employee Candidates and Other Third Persons' Awareness on Protection and Processing of Personal Data

 

As MYRAANG, we are organizing trainings to MYRAANG Employees and Company Officials in order to prevent unlawful access to personal data and to prevent data access and to provide data protection. MYRAANG Employees, our company officials are periodically repeated training. These trainings are updating and updating our trainings in parallel with the updating of the legislation.

3. ISSUES RELATED TO THE PROCESS OF PERSONAL DATA3.1. Processing of Personal Data

MYRAANG, in accordance with Article 20 of the Constitution and Article 4 and Article 6 of the Law on the Protection of Personal Data; to comply with the rules of law and honesty; providing for specific, open and legitimate purposes; is engaged in personal data processing in a limited, limited and measured manner. MYRAANG maintains personal data in the light of the principles stipulated in the laws or as required by the purpose of personal data processing and / or for a period of time agreed on a sectoral basis.

Compliance with Law and Integrity Rule: MYRAANG; It acts in accordance with the principles brought by legal regulations in the processing of personal data and general trust and honesty rules. In this context, MYRAANG does not process or use personal data except that it is intended to Ol aim at processing personal data. “Ensuring that Personal Data are Correct and Correct if necessary: ​​MYRAANG; It ensures that the personal data it processes is accurate and up-to-date and accordingly takes the necessary measures as explained in this Policy. Processing with Specific, Clear and Legitimate Purposes: MYRAANG clearly and strictly determines the purpose of legitimate and lawful personal data processing. MYRAANG processes personal data that is linked to and is necessary for the commercial activity it is conducting. The purpose for which personal data is to be processed by MYRAANG is presented before the start of personal data processing. Preserving up to the time required by the legislation or for the purpose for which they are processed: MYRAANG maintains personal data only for the period specified in the relevant legislation or on a sectoral basis, or for the period required for the purpose for which they were processed. In this context, MYRAANG determines firstly whether there is a deadline for storing personal data in the relevant legislation, if it is specified for a period of time, and if it is not determined for a period of time, and / or for a period of time accepted and / or accepted on the sectoral basis. The policy is kept until the deadline set. Personal data is deleted by MYRAANG if the reasons for the expiration or processing of the term have expired, or is anonymized.

Protection of personal data is a constitutional right. Fundamental rights and freedoms, without touching their essence, may be restricted only by law, depending on the reasons set out in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in the cases provided for in the law or with the express consent of the person. MYRAANG, both in accordance with the third paragraph of Article 20 of the Constitution and Article 5 of the Act, operates on one or more of the conditions listed in the relevant article of the Law, and process the personal data only in the cases provided for in the Law or with the express consent of the person. In addition, MYRAANG, in accordance with Articles 8 and 9 of the Law, transmits personal data in accordance with the regulations stipulated in the Law and published by the Board. MYRAANG, in accordance with the 10th article of the Act, informs the personal data owners about the personal data processed and informs the personal data owners when they request information. In this context, MYRAANG, if any, has been illuminating the identity of its representative, the purpose for which the personal data is processed, the personal data to which it is processed and for what purpose, the method of collecting personal data and the legal reason and the rights of the personal data holder. In Article 11 of the Law, ib requesting information kişisel was counted among the rights of the personal data holder. In this context, MYRAANG provides the necessary information if the Personal Data Holder requests information in accordance with Article 11 of the Law.

3.2. Processing of Personalized Personal Data

As a company operating in the retail sector, due to the nature of the work we do, the Company is sensitive to the regulations envisaged by the Law in the legal processing of private data. In Article 6 of the Act, a number of personal data that are at risk of causing discrimination or discrimination of persons when they are unlawfully committed are designated as a special hukuk. These data; data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data. Specific personal data are published in the Official Gazette dated 13.03.2018 and numbered 30356, under the Personal Data Security Guidelines (Administrative and Technical) published by MYRAANG and the Board Decision No. 2018/10 dated 3.01.2018. Adequate Measures to be Obtained by Data Responsibles in the Processing of Qualified Personal Data Ver shall be processed in the following cases provided that the measures determined in the decision are taken:

If the personal data holder has clear consent or if the personal data owner does not have clear consent, the personal data of the private owner and the private personal data other than his or her sexual life, in the cases provided for by the law, the personal data of the personal data owner and his / her personal personal life related to his / her sexual life, but the protection of public health, In order to carry out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, it is processed by the persons or authorities authorized to keep secrets.3.3.

MYRAANG can transfer the personal data and personal data of the personal data holder to third parties by taking necessary security measures in accordance with the law for personal data processing purposes. MYRAANG acts in accordance with the provisions of Article 8 of the Law. Detailed information on this is provided in Chapter 6 of this Policy.

3.3.1. Transfer of Personal Data

MYRAANG can transfer personal data to third parties in a limited manner and limited to one or more of the personal data processing requirements specified in Article 5 of the Act in accordance with legitimate and lawful personal data processing purposes:

If there is clear consent of personal data in the Law, if there is clear consent of the personal data holder, if the personal data holder is compulsory for the protection of the life or the integrity of the body or if the personal data owner is unable to disclose his consent due to the actual impossibility or the legal validity of his consent is not granted; if the transfer of personal data of the parties to the contract is necessary if it is necessary to transfer the personal data of the contractual party directly with the execution or execution of the contract, if the personal data transfer is mandatory for MYRAANG to fulfill its legal obligation, provided that, without prejudice to the fundamental rights and freedoms of the Personal Data Holder, personal data is available for MYRAANG's legitimate interests, without prejudice to their rights and freedoms.

If necessary, it is required.3.3.2. Transfer of Personalized Personal Data

MYRAANG taking the necessary measures, taking the necessary security measures and taking adequate measures issued by the Board; in accordance with the legitimate and lawful personal data processing purposes, the personal data of the personal data holder can be transferred to third parties in the following cases.

If the personal data holder has the express consent or if the personal data holder does not have clear consent, the personal data of the personal data owner and the private personal data other than his or her sexual life (race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and clothing, special data related to the health and sexual life of the personal data owner, personal data protection, preventive medicine, medical diagnosis, personal data about the health and sexual life of the personal data owner, in case of law, data related to membership of association, foundation or union, criminal conviction and security measures. for the purpose of planning and managing health services and financing of treatment and care services, by persons or authorities authorized to keep a secret. Transferring Personal Data Abroad

MYRAANG can take the necessary security measures in accordance with the law for personal data processing purposes and transfer the personal data and personal data of the personal data holder to third parties. MYRAANG; Assembly by adequate protection where it has been declared to foreign countries ( "Adequate Protection with Foreign Countries") or in case of adequate protection of the absence of an adequate protection of those responsible for the data in and in the foreign countries, Turkey has pledged in writing and the Board where the permission to foreign countries ( "Adequate Personal Data can be transferred. MYRAANG acts in accordance with the provisions of Article 9 of the Law. MYRAANG has the express consent of the personal data holder for legitimate and lawful personal data processing purposes, or if the personal data holder does not have clear consent.

If there is clear consent of personal data in the Law, if there is clear consent of the personal data holder, if the personal data holder is compulsory for the protection of the life or the integrity of the body or if the personal data owner is unable to disclose his consent due to the actual impossibility or the legal validity of his consent is not granted; if personal data are required to be transferred to fulfill the legal obligation of the contract, if personal data are mandatory for MYRAANG to fulfill its legal obligation, if personal data is required by the personal data owner, or if personal data transfer is mandatory for MYRAANG's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Personal Data Holder.3.4.1. Transfer of Specially Qualified Personal Data

MYRAANG has the express consent of the personal data holder for legitimate and lawful personal data processing purposes or if the personal data holder does not have explicit consent. In the case of the presence of one of the following conditions, he / she can transfer the personal data of the personal data to the Foreign Countries which have sufficient protection or sufficient protection for adequate protection:

If the personal data holder has the express consent or if the personal data holder does not have clear consent, the personal data of the personal data owner and the private personal data other than his or her sexual life (race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and clothing, special data related to the health and sexual life of the personal data owner, personal data protection, preventive medicine, medical diagnosis, personal data about the health and sexual life of the personal data owner, in case of law, data related to membership of association, foundation or union, criminal conviction and security measures. for the purpose of planning and management of health services and financing of treatment and care services, by the persons or authorities authorized to keep secrets.

4. COLLECTION OF PERSONAL DATA PROCURED BY OUR COMPANY, PROCESSING PROCESSES

4.1. Categorization of Personal Data

At MYRAANG; In accordance with MYRAANG's legitimate and lawful personal data processing purposes, the general principles specified in the Law shall be based on one or more of the personal data processing requirements referred to in and in accordance with all obligations under this Law and With the subjects covered in the following articles (Customers, Authorized Persons and Employees of the Institutions we are cooperating with, Supplier Authorities and Employees, Partners and Employees, Visitors, Web Site Users, Employee Candidates and other Third Parties), personal data of the following categories are limited, Pursuant to the relevant persons are processed.

Personal Data or Customized Personal Data Description

Identity Information

Name-surname, T.C. documents such as identification number, nationality, mother's first and last name, father's name, surname, place of birth, date of birth, gender, and other documents such as driver's license, birth certificate and passport, as well as other documents including this information, tax number, SGK number, signature information. , vehicle plate, etc.

Communication information

Phone number, address, e-mail address, fax number, IP address, etc.

Customized Personal Data

Prescription information, medical report, assay and radiology results, medical report, blood type, genetic data, etc. With all kinds of health data such as religion, association data, etc.

Physical Space Safety Information

Personal data on records and documents received during the stay in the physical space where MYRAANG owns or is a tenant (MYRAANG Headquarters and / or MYRAANG Stores): camera records, records received at the security point, etc.

Financial Information

Personal data, information, documents and records related to the financial results generated by the type of legal relationship established with the suppliers, business partners and other third parties or other personal data owners, bank account number, IBAN number, credit card information, financial profile data, income data, etc.

Audio / Visual Information

All kinds of photo and camera recordings, sound recordings.

Personal Information

Information that will be the basis for the realization of personal rights of natural persons who are or will be working with MYRAANG (eg Employees of the Employees of the Employees and / or Employees of the Partnership Partners and / or Employee Candidates, but not MYRAANG Employees) (curriculum vitae, medical report, bank account, passport photo, copy of residence, copy of birth certificate, etc.)

Claims / Complaints Management Information

Data on the receipt and evaluation of any request or complaint directed to MYRAANG.

Process Security Information

Personal data processed to ensure the technical, administrative, legal and commercial security of both the data owner and the Company in conducting MYRAANG's commercial activities

Risk Management Information

Personal data processed through commercially available technical, managerial and managerial risks in accordance with generally accepted legal, commercial, and honesty rules in these areas.

Legal Compliance Compliance Information

MYRAANG's personal data on the identification, determination, follow-up and performance of legal obligations and obligations and on the compliance of statutory obligations and MYRAANG policies.

Audit and Inspection Information

MYRAANG's statutory obligations and personal data on compliance with Company policies

Reputation Management Information

Personal data associated with the person and collected to protect MYRAANG's commercial reputation (for example, shares made on MYRAANG)

4.2. Personal Data Processing Purposes

MYRAANG treats personal data limited to the purposes and conditions within the personal data processing requirements of paragraph 5 of Article 5 and paragraph 3 of Article 5 of the Law. These objectives and conditions;

Clearly stipulating MYRAANG's involvement in the processing of your personal data

MYRAANG's processing of your personal data is directly related to and necessary for the establishment or performance of a contract.

The processing of your personal data must be compulsory for MYRAANG to fulfill its legal obligation

Provided that your personal data is publicized by you; processing by MYRAANG in a limited way for your purposes

MYRAANG's processing of your personal data is mandatory for the establishment, use or protection of MYRAANG or the rights of you or third parties

Personal data processing is essential for MYRAANG's legitimate interests, without prejudice to your fundamental rights and freedoms.

Personal data processing by MYRAANG is compulsory for the protection of the personal data owner or someone else's life or body integrity, and in this case the personal data holder is unable to disclose his consent due to actual or legal invalidation.

Personal data owner's health and personal data other than sexual life to be foreseen in the laws of personal data and sexual life of the personal data in terms of personal data about the protection of public health protection, preventive medicine, medicine i) to conduct diagnosis, treatment and care services, to process and manage health services and financing, to be treated by persons or authorities authorized to keep secrets.

In this context, MYRAANG processes your personal data for the following purposes:

The company's internal operations,

conducting business activities and ensuring the security of Company operations,

conducting the activities necessary for the realization of efficiency, efficiency and appropriateness analysis of business activities,

Management of strategic planning activities and business partners / supplier relations,

Carrying out customer relations processes and customer satisfaction activities,

Carrying out marketing and sales activities,

Implementation and / or enhancement of loyalty to the products and / or services offered by the Company,

conducting market research activities for sales and marketing of products and services

Carrying out activities related to activities, carrying out production and / or operation processes,

Conducting financial / accounting activities with banking transactions,

Conducting activities that are legal, technical and administrative results and providing legal information to the authorized institutions, carrying out activities related to legal demands and legal affairs,

Ensuring business continuity and operating the processes required for corporate governance activities,

Carrying out activities related to sales processes of products and / or services and after-sales support services,

To keep the data accurate and up-to-date, to carry out the necessary operations to carry out the Company's activities in accordance with the company procedures and / or relevant legislation,

Ensuring the security of company premises and / or facilities, creation and monitoring of visitor records, planning and execution of logistics activities,

Conducting activities related to information security processes and information technology infrastructure,

Planning and execution of emergency management processes, carrying out occupational health and / or safety processes,

Planning human resources processes,

Carrying out activities related to sales processes of products and / or services and after-sales support services,

Keeping the data accurate and updated,

Planning the building or construction works, carrying out activities related to the Group companies, providing the employees with access to information,

Planning and execution of intra-company assignment-promotion and resignation processes, planning and execution of personnel exit operations, planning and execution of talent-career development activities, recruitment / employment, execution of personnel procurement processes,

Planning and execution of side benefits and benefits for employees, wage management activities, planning of employee wage increases,

Monitoring and / or auditing of employees' business activities, planning and monitoring of employee performance evaluation processes, planning and execution of employee satisfaction and / or loyalty processes,

To evaluate the quality, experience and relevance of the Employee Candidate to the open position,

To contact the third parties and conduct research on the candidate,

To contact the Employee Candidate about the application and recruitment process,

To communicate with the Employee Candidate if the position is opened later,

To meet the requirements of the relevant legislation and / or the demands of the competent authorities and institutions.

Processing activity performed for the aforementioned purposes,

If you do not meet any of the conditions specified in the law, MYRAANG will provide your express consent with regard to the relevant processing.

In this context, (i) digital application form of Employee Candidates (i) written or electronically, (ii) e-mail, cargo, reference etc. to MYRAANG. (iii) through employment and / or consultancy companies; (iv) during video conferencing or face-to-face interviews; and (v) through recruitment tests, which are conducted by experts with experience, and who identify the skills and personality traits whose results have been examined. (vi) during the recruitment process;

Employee Candidates may, if they wish, be able to submit their requests related to the rights arising from the Data Holder and the rights arising from the Law by the method described in Article 10 of this Policy.

5. THIRD PERSONS AND TRANSMISSION PURPOSES FROM PERSONAL DATA BY MYRAANG

In accordance with Articles 8 and 9 of MYRAANG Law, the personal data of policy-managed data holders can be transferred to the following categories of persons:

MYRAANG business partners, MYRAANG suppliers, MYRAANG affiliates (MYRAANG TEXTILE INDUSTRY AND TRADE), Legally authorized public institutions and authorized private law persons, in accordance with the data transfer requirements, other third parties come to.

The scope of the aforementioned persons and the purposes of transferring data are as follows:

DATA TRANSMISSION PERSONS DEFINITION DATA TRANSFER PURPOSE

Business partner

The parties to which MYRAANG establishes a business partnership for the purposes of conducting business activities

In order to ensure the fulfillment of the objectives of the

Suppliers

Within the scope of the conduct of MYRAANG's commercial activities, the parties providing services to MYRAANG in accordance with MYRAANG's orders and instructions and contract-based

In order to ensure that the Company provides outsourced services from the supplier and that the services required to perform the Company's commercial activities are provided to the Company,

Associates

Companies in which the Company is a shareholder

Limited to ensuring the conduct of commercial activities requiring participation of the Company's subsidiaries.

Legally Authorized Public Institutions and Organizations

Pursuant to the provisions of the relevant legislation, the public institutions and organizations authorized to obtain information and documents of the Company

Limited to the purpose requested by the relevant public institutions and organizations within the legal capacity of

Legally Authorized Private Legal Persons

According to the provisions of the relevant legislation, private law persons authorized to obtain information and documents from the Company

Limited to the purpose requested by the relevant private law

Transactions carried out by MYRAANG act in accordance with the matters set out in sections 2 and 3 of the Policy.

6. BASED ON THE PROCESSING PROCESS OF PERSONAL DATA AND PROCESSING WITH THESE TERMS6.1. Processing of Personal Data and Specific Personal Data6.1.1. Processing of Personal Data

Although the legal basis for processing personal data varies by MYRAANG, all kinds of personal data processing activities are carried out in accordance with the general principles set out in Article 4 of the Act. The basis of personal data processing may be only one of the following conditions, and more than one of these conditions may be the basis of the same personal data processing activity.

      I. Finding the Personal Data Holder's Clear Consent: One of the conditions of processing personal data is the express consent of the personal data holder. The express consent of the personal data holder must be explained on a specific subject, informed and free. Open consent can be taken orally or in writing. In the presence of one of the conditions listed in (ii), (iii), (iv), (v), (vi), (vii), (vii) below, the express consent is not sought, in the presence of one or more of the conditions MYRAANG express consent it is not.

     ii. Obligation of Laws: The personal data of the owner of the data may be processed in accordance with the law if it is expressly foreseen by law. MYRAANG illuminates the personal data holder about the personal data it processes in accordance with Article 10 of the Act. For example, MYRAANG invoices have personal information (name and surname and personal tax ID number) in accordance with Article 230 of the Tax Procedural Code.

     iii. Failure to Obtain Clear Consent for Actual Impossibility: The life of the person or another person who is unable to disclose his consent due to actual impossibility or whose consent cannot be validated, or v. In order to maintain the integrity of the body, the personal data of the data owner can be processed if it is necessary to process personal data. For example, if the MYRAANG visitor suddenly becomes unconscious, his or her unconsciousness and the MYRAANG employee revealing the identity of the visitor to the healthcare provider cannot obtain the express consent of the person concerned.

     iv. Direct Interest in the Establishment or Execution of the Agreement: It is possible to process personal data if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract. For example, in the lease contract concluded for the workplace where MYRAANG is a tenant, the bank account number of the lessor is the personal data processed to make the payment for the performance of the contract.

     v.MYRAANG 's Obligation to Obtain Legal Liability: In the event that personal data processing is mandatory for MYRAANG data officer to fulfill its legal obligations, the personal data of the data owner can be processed. For example, it is a legal obligation to submit the information requested by the court to the court.

     vi. Personalization of Personal Data Owner's Personal Data: The personal data of the data owner can be processed if the personal data is publicized by him / her. For example, the personal data of the data owner is disclosed on their website and publicized their personal data.

     vii. A Right n Mandatory Data Processing for Facility or Protection: The personal data of the personal data owner can be processed if data processing is required for the establishment, use or protection of a right. For example, MYRAANG can process data from the old MYRAANG employee to store the file and use it as soon as necessary (for example, if it is returned to work or filing a claim).

     vii.MYRAANG's Compliance with Data Processing for Legitimate Benefit: The data owner's personal data can be processed if data processing is required for MYRAANG's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the personal data holder. Example: Recording security camera in MYRAANG building is a condition where data processing is required for MYRAANG's legitimate interest.

6.1.2. Processing of Personalized Personal Data

By MYRAANG; if the personal data owner does not have the express consent of the personal data holder, however, it is also specified in the 35 Adequate Measures to be Obtained by Data Responsibles to Process Specially Qualified Personal Data tarihli published in the Official Gazette dated 13.03.2018 and numbered 30356 in accordance with the Board Decision dated 01.2018 and numbered 2018/10. provided that the measures are taken:

The personal data of the personal data owner and the private personal data other than sexual life, in the cases stipulated by the law, personal data about the health and sexual life of the personal data of the personal data only protection of public health, preventive medicine, medical diagnosis, treatment and care services, health services for the purpose of planning and managing its financing, by persons or authorities authorized to keep a secret. MYRAANG HEAD OFFICE AND STORES AND PERSONAL DATA PROCESSING ACTIVITIES IN THIS BUILDINGS7.1. Personal Data Processing Activities at MYRAANG Headquarters and Stores

In order to provide security by MYRAANG, MYRAANG Head Office and Stores (asıyla Buildings ”) surveillance camera is used for monitoring personal data processing to monitor guest input and output.

MYRAANG is conducting camera monitoring at and at the entrances of the buildings and aims to protect the interests of the Company and other persons. In this context, MYRAANG complies with the Law and other relevant legislation. In other words, the monitoring activity with the camera complies with the Law on Private Security Services and the relevant legislation, and the regulations in accordance with the Law are carried out by MYRAANG for the purpose of surveillance with camera. According to this; Under the 10th article of the Act, the personal data holder is illuminated. As part of its obligation to illuminate, MYRAANG publishes this Policy on its website and notices on the areas of monitoring are posted.

MYRAANG, in accordance with the 4th article of the Law, processes personal data in a limited and measured manner, linked to the purposes for which it was committed, and carries out its activities with a video camera. In this respect, MYRAANG defines surveillance areas, number of surveillance cameras and storage times of video recordings without limiting the security purpose. It should also be noted that video recording activities are carried out so as not to interfere with one's privacy.

MYRAANG takes the necessary technical and administrative measures to ensure the security of personal data obtained by MYRAANG as a result of the monitoring activity carried out by video recording. In this context, a limited number of MYRAANG employees have access to the related video recordings and confidentiality commitments are also received from these employees.

7.2. Web Site Visitors

MYRAANG owns MYRAANG 's operations (site visit, membership transactions, shopping process) on the web sites required for the security measures according to information and the nature of the process MYRAANG' s contract by contracting the software on the website, installation, hosting and maintenance services the third person responsible for the management and operating services of the trading system and all e-commerce activities carried out with this system and also for collecting personal data directly on the website as a data specialist by providing consignment services to visitors and customers. The person is contracted by the company and the Internet infrastructure, technological facilities and cost elements within the scope of the appropriate technical and administrative methods were taken. To make visits to people visiting these sites in accordance with their visit purposes and to show them customized content and to be able to engage in online advertising activities (KuraThe internet transactions within the site and / or application are processed by the third party by technical methods and MYRAANG has no legal responsibility. The detailed information about the activities carried out on the website and the protection and processing of personal data is explained in the ası Privacy Policy unan text of the website.

8. USE OF RIGHTS AND RIGHTS OF PERSONAL DATA OWNERS AND EVALUATION BY MYRAANG8.1. Data Owner Rights

Pursuant to Article 10 of the Act, the rights of the personal data holder are as follows:

Learning whether personal data has been processed, Requesting information about personal data if it is processed, Learning the purpose of processing personal data and using them for their intended purpose, Knowing the third parties in which personal data is transferred domestically or abroad, Asking them to be corrected if personal data is incomplete or incorrectly processed and requesting that third parties to be notified of the transaction carried out in this scope, in accordance with the provisions of the Law and other relevant laws, request the deletion or destruction of the personal data in case the reasons for the processing are removed and the notification of the transaction to the third parties to which the personal data is transferred. By analyzing the processed data exclusively through automated systems, the result of the individual against himself / herself to appeal the loss, in case of loss due to unlawful processing of personal data to request the removal of the damage.8.2. Personal Data Holder's Rights

Since personal data holders are excluded from the scope of the Law in accordance with Article 28 of the Act, personal data holders shall be bound by this Policy in this respect. they cannot claim their rights. Namely:

Pursuant to Article 28, paragraph 2 of the Law; In the cases listed below, the personal data holders shall have the right to request that the claim be remedied. Other rights which are mentioned in

Provided that personal data is rendered anonymous with official statistics for purposes such as research, planning and statistics. Provided that personal data does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime. art, history, literature or scientific purposes or freedom of expression within the scope of freedom of expression. National security, public security, public order or economic security to provide national security, task and authority given by the public institutions and organizations carried out by the preventive, protective and intelligence the processing of personal data by the judicial authorities or by the enforcement authorities in relation to the investigation, prosecution, prosecution or execution of proceedings. Prevention of crime or investigation of crime of personal data processing. It is necessary for personal data processing to be performed by the personal data owner. It shall be necessary for the conduct of inspection or regulation duties of authorized and authorized public institutions and organizations and public institutions, and for the conduct of disciplinary investigation or prosecution based on the authority given by the personal data owner. .It is necessary for personal data processing to protect the economic and financial interests of the State in relation to budget, tax and financial issues.8.3. Use of Personal Data Rights

Personal Data Holders of this Policy 8.1. and to submit their requests to MYRAANG free of charge by completing and signing the Data Owner Application Forum with the information and documents to determine their identity and other methods determined by the Board:

In addition, in order for third parties to request an application on behalf of the Personal Data Owners, there must be a special power of attorney issued by a notary public on behalf of the person who will apply by the data owner. Personal Data Holders are obliged to submit their applications in Turkish and you will be asked to:

       1. After completing the form on www.myraang.com, signed by the notary of the central district Kazım Orbay Cad. No: 33/2 Şişli, İstanbul Address or

       2. After the form on www.myraang.com is filled in and signed with your ag secure electronic signature within the scope of Electronic Signature Law No. 5070, it is sent via e-mail to rsctagidavetekstil@hs03.kep.tr

Name, surname and the signature written application, to the citizens of the Republic of Turkey T. C. identification number, nationality for foreigners, passport number or identity if any The information about the settlement or the address of the place of business, the e-mail address, the telephone and fax number, if any, the subject of the request, if any, further information and documents on the subject. Personal Data Holder's Right to Complain to the Board

Personal Data Holder, in accordance with Article 14 of the Act, is rejected within the period of the application or the response is insufficient or if the application is not answered within the response period by MYRAANG; Thirty (30) from the date of learning of MYRAANG 's reply and in any event within sixty (60) days from the date of application.

8.5. MYRAANG's Response to Applications

MYRAANG should be applied only if MYRAANG is deemed to be data responsible under the Act. This may be the case where MYRAANG collects personal data directly from the person concerned, or where data sharing between the relevant MYRAANG Affiliates and MYRAANG is considered data transfer from the data responsible under the Act to the data responsible. Apart from these, applications related to personal data processing activities in which MYRAANG Affiliates are deemed to be data responsible should be made to the relevant MYRAANG Affiliate, not MYRAANG. The Personal Data Holder may use this Policy 8.3. In accordance with the procedure described in Article 31, MYRAANG shall submit the request free of charge to any request within thirty (30) days at the latest. However, if a fee is foreseen by the Board, MYRAANG will charge the tariff determined by the Board from the applicant. Pursuant to Article 7 of the ib Communiqué on Procedures and Principles of Application to the Data Officer cevap published in the Official Gazette dated March 10, 2018 and numbered 30356, if the request of the Personal Data Holder is answered in writing, the corresponding answer is 10 (ten) pages or more for each page. 1 Turkish Lira will be charged. If the application is answered in a recording medium such as a CD or flash memory, the charge that MYRAANG will charge will not exceed the cost of the recording medium. MYRAANG may request information from the relevant person to determine whether the applicant has a personal data or not, and may raise questions about his application. MYRAANG may reject the application of the applicant by explaining the reasons:

1. Processing of personal data by anonymization with official statistics for purposes such as research, planning and statistics. The processing of personal data within the scope of art, history, literature or scientific or freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. The processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations with the purpose of ensuring national defense, national security, public security, public order or economic security. Processing of personal data by judicial authorities or enforcement authorities in relation to the investigation, prosecution, prosecution or execution of proceedings. Personal data processing is necessary for the prevention of crime or investigation of crime. Personal data processing by the personal data owner itself. Personal data processing shall be required by the competent and authorized public institutions and organizations as well as the public institutions, by the professional organizations, in order to carry out inspection or regulation tasks and to disciplinary investigation or prosecution. Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. The possibility of personal data holder blocking other people's rights and freedoms10. There have been demands that require disproportionate effort11. The information requested is public information. MYRAANG'S OTHER PUBLIC POLICIES ON PROTECTION AND PROCEDURE OF PERSONAL DATA

MYRAANG forms sub-policies for internal use in the protection and processing of personal data related to the principles laid down by this Policy.

9.1. MYRAANG Protection and Processing of Vacuum Data

A management team has been set up by MYRAANG in order to comply with the regulations and to ensure the effectiveness of the Personal Data Protection and Processing Policy. In this context, the Company has appointed a Data Protection Board consisting of 3 persons, including a representative of data representative, a contact person and an information technology expert, to ensure the implementation and management of other policies within MYRAANG under this Policy and this Policy and related Article 11. . The duties of the Data Protection Board are as follows:

Protection of personal data (i) to prepare and enforce the basic policies and amendments to the Company's management and, where necessary, to amend them.

To decide on how to implement and control the policies regarding the protection and processing of personal data and to present the company in this regard and to provide coordination for the approval of the Company Management.

To determine the issues to be taken in order to ensure compliance with the law and the relevant legislation and to submit it to the approval of the Company Management, to supervise its implementation and to provide coordination to the Company Management.

To raise awareness of the protection and processing of personal data in MYRAANG and in cooperation with MYRAANG.

To ensure that MYRAANG measures necessary risks in the personal data processing activities; to submit proposals for improvement to the approval of the Company Management.

To provide training to ensure that personal data owners are informed about their personal data processing activities and legal rights regarding the protection of personal data and the implementation and dissemination of policies.

To forward the applications of the personal data owners to the Company Management to decide.

To follow the developments and regulations on the protection of personal data; to inform the management of the Company about their suggestions on what to do within MYRAANG in accordance with these developments and regulations.

To carry out the relations with the Board and the Institution under the coordination of the Company Management.

It is the other duty of the Company Management to protect the personal data.

ABBREVIATIONS AND DEFINITIONS

Law: Law No. 6698 of 24 March 2016 on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.

The Board shall mean the Personal Data Protection Board.

Institution: refers to the Personal Data Protection Agency.

Company: MYRAANG TEKSTIL SAN VE TIC.LTD.STI.

Personal data: Any information relating to an identifiable or identifiable real person. Therefore, the processing of information on legal persons is not within the scope of the Law.

Personal data owner: Personal data is the real person being processed.

Special personal data: race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume, association foundation or union membership, health, sexual life, criminal convictions and security measures and biometric and genetic data. .

Processing of personal data: Obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, retrieving, making available, whether personal data is fully or partially automated or part of any data recording system, any kind of operation performed on data such as classification or prevention of use.

Open consent: Consent on a particular subject, informed and free.

Anonymity: Changing personal data so that it loses the quality of personal data and cannot be recovered. (For example, masking, consolidation, data distortion, etc. with the techniques of personal data can not be associated with a real person.)

Disposal: The deletion, destruction or anonymity of personal data.

Data handler: A natural or legal person who processes personal data on his behalf based on the authority of the data responsible. (For example, a cloud computing company holding MYRAANG's data, etc.)

Data Officer: The person who manages the data recording system in which the data is kept in a systematic manner, which determines the purpose and means of processing the personal data.

Contact person: with built-in legal entities in Turkey Law of non-resident legal entities data chief representative in Turkey and to be issued based on this Act with respect to its obligations under secondary legislation, is the fact that people reported during registration in the Register by the responsible data for communication with the Agency.

Third Party: Personal data is any natural person committed under the Policy.

Data Holder Application Form: Application form available on the MYRAANG website for applications to the Data Officer by the personal data owner or his representative pursuant to the Law containing the application to be taken by the personal data owners to use their rights.

MYRAANG Group of Companies: MYRAANG TEKSTIL SAN VE TIC.LTD.STI is directly or indirectly affiliated to MYRAANG TEKSTIL SAN VE TIC.LTD.STI.

Employee Candidates: are natural persons who have applied for a job in MYRAANG or have submitted CV and related information to MYRAANG.

Collaborators and Employees of our Institution: MYRAANG's all kinds of business the real persons, including the shareholders, the authorities and the employees of the institutions (including, but not limited to, hospitals, ministries).

Supplier: Legal or natural persons providing services to MYRAANG on contract basis in accordance with MYRAANG 's orders and instructions when conducting MYRAANG' s commercial activities.

Supplier Authorities and Employees: Real persons, including shareholders, officials and employees of suppliers.

Partners: The parties to which MYRAANG establishes business partnerships for the purposes of conducting business activities.

Partners and Employees: Real persons, including shareholders, officials and employees of the business partners.

Visitor: Real persons who have been physically found at MYRAANG's workplaces for various purposes or who visit their website.

Website User: Real persons who visit MYRAANG's websites.

MYRAANG Headquarters: Hürriyet Mah. Maple sk.no:3/3 KAĞITHANE / ISTANBUL / TURKEY address is MYRAANG in the workplace.

MYRAANG Stores: The stores are located in Turkey.

Company Officer: MYRAANG board member and other authorized natural persons.

SSL: refers to the secure input layer. It is the certificate that enables the security and integrity of the field data between the server and the client.

Secure Electronic Signature: This is an electronic signature which is exclusively signed by the signatory, which is created by the secure electronic signature creation tool, which provides the identification of the signatory based on the qualified electronic certificate, and determines whether any changes have been made in the signed electronic data.