
Personal Data Protection

Personal Data Protection, Privacy, Retention, and Destruction Policy

1. Purpose and Scope

This policy outlines the principles of lawful processing, protection, confidentiality, retention, and destruction of personal data belonging to Ekspo Faktoring's customers and their guarantors, suppliers, employees, visitors, and any other individuals who engage with the Company through job applications or other means or channels.

It applies to all types of data—whether physical or digital—stored or processed by the Company.

2. Definitions

Personal Data

Any information related to an identified or identifiable natural person. This includes data that directly or indirectly reveals a person’s physical, economic, cultural, social, or psychological identity, or that can be associated with identifiers like ID, tax, or insurance numbers.

Sensitive Personal Data

Information on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, association or union membership, health, sexual life, criminal conviction, security measures, as well as biometric and genetic data.

Explicit Consent

Freely given, specific, and informed consent of the data subject to the processing of personal data.

Anonymization

Rendering personal data unidentifiable in such a way that it cannot be associated with an individual, even when combined with other data.

Processing of Personal Data

Any operation performed on personal data, whether by automatic or non-automatic means, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or blocking its use.

Data Subject

The individual whose personal data is being processed.

Data Recording System

A system where personal data is processed according to specific criteria.

Data Controller

A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on their authorization.

KVKK

The Law on the Protection of Personal Data (No. 6698), published in the Official Gazette on April 7, 2016.

Board

The Personal Data Protection Board.

Authority

The Personal Data Protection Authority.

Destruction

The process of deleting, destroying, or anonymizing personal data.

Data Storage Medium

Any environment—automated or non-automated—where personal data is processed as part of a data recording system.

Personal Data Processing Inventory

A detailed record prepared by the Company showing the processing activities performed in connection with its business processes, including the purposes of processing, data categories, recipient groups, data subject groups, maximum retention periods, international transfers, and security measures.

Periodic Destruction

The deletion, destruction, or anonymization of personal data by the Company at specified intervals when the legal grounds for processing are no longer valid.

Registry

The Data Controllers Registry maintained by the Board in accordance with the Regulation on the Data Controllers Registry published in the Official Gazette on December 30, 2017.

Policy

Ekspo Faktoring Inc.'s Policy on the Protection, Privacy, Retention, and Destruction of Personal Data.

Regulation

The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

KVKK Committee

A working group consisting of the Internal Control Manager, IT Manager and Responsible Officer, and all department managers or supervisors.

3. Processing and Confidentiality of Personal Data

3.1. General Principles for Processing Personal Data

In accordance with Article 4/2 of the Personal Data Protection Law (KVKK) and the purposes listed in the "Purposes of Processing Personal Data" section of this Policy, the Company processes personal data under the following principles:

  • Lawfulness and fairness
  • Accuracy and, where necessary, keeping data up to date
  • Processing for specified, explicit, and legitimate purposes
  • Data minimization—processing only as much as necessary
  • Retention for the period required by law or the purpose of processing

3.2. Data Processed by the Company

Personal data is processed either with the explicit consent of the data subject or under conditions defined in Articles 5 and 6 of the KVKK. Data may vary based on the nature of the relationship and communication method and includes:

  • Identifying details (e.g., name, profession, title, marital status, citizenship, military status, legal records, tax status, health records)
  • Identity verification documents (e.g., ID cards, passports, licenses)
  • Contact information and communication logs (e.g., phone calls, emails)
  • Corporate documentation containing personal data (e.g., tax certificates, trade registry, power of attorney)
  • Financial data related to pricing, collection, and payment activities

3.3. Purposes of Processing

Personal data may be processed and retained for the following purposes:

  • To deliver Company products and services
  • Planning and executing corporate sustainability initiatives
  • Ensuring legal and commercial security
  • Defining and executing business strategies

3.4. Transfer of Personal Data

Within the scope of the purposes exemplified in the section titled "Purposes of Processing Personal Data" in this Policy and pursuant to Articles 8 and 9 of the Personal Data Protection Law (KVKK), the Company may transfer personal data domestically and internationally. In this context, personal data may be processed and stored on servers and electronic platforms used for such purposes. Personal data is not transferred without the explicit consent of the data subject unless one of the exceptions set out in Articles 8(2) and 9 of the KVKK applies.

The nature of the transfers and the parties with whom data is shared depend on the type and nature of the relationship between the data subject and the Company, the purpose of the transfer, and the relevant legal basis. These parties typically include:

  • Third parties located in Turkey or abroad from whom services are procured,
  • Direct and indirect shareholders, affiliates, and subsidiaries,
  • Individuals and institutions providing services and/or consultancy,
  • Business partners with whom contracts have been signed.

3.5. Collection of Personal Data

In order to fulfill the purposes exemplified in the section titled “Purposes of Processing Personal Data” of this Policy, the Company may collect personal data within the framework of the conditions stipulated under Articles 5 and 6 of the Personal Data Protection Law (KVKK). Such data may be obtained directly from employees, customers, suppliers, business partners, public institutions, and other physical environments, as well as through websites, mobile applications, social media platforms, other publicly available channels, or through trainings, events, and similar organizations.

3.6. Retention Period of Personal Data

Personal data is retained by the Company for the duration of the relevant legal retention periods, and for as long as necessary to fulfill the purposes of the activities associated with such data and the objectives specified in this Policy. Once the purpose of use has been fulfilled and the legal retention period has expired, the personal data is deleted, destroyed, or anonymized by the Company in accordance with Article 7 of the Personal Data Protection Law (KVKK).

3.7. Data Subject Rights under KVKK

Article 11 of the Personal Data Protection Law (KVKK) sets out the rights of individuals whose personal data is processed. Accordingly, data subjects have the following rights vis-à-vis the Company:

  • To learn whether personal data is being processed,
  • If personal data has been processed, to request information regarding such processing,
  • To learn the purpose of the processing and whether the data is used in accordance with its intended purpose,
  • To know the third parties to whom personal data has been transferred, either domestically or abroad,
  • To request the correction of personal data if it has been processed incompletely or inaccurately,
  • To request the deletion or destruction of personal data if the reasons for its processing no longer exist,
  • To request that the actions taken in connection with correction or deletion be notified to third parties to whom the personal data has been transferred,
  • To object to a result that arises to their detriment from the analysis of processed data exclusively by automated systems,
  • To request compensation for damages in the event of unlawful processing of personal data.

Requests from data subjects to exercise any of the above rights will be answered by the Company as soon as possible and within 30 days at the latest. Requests may be submitted in person, together with documents verifying the applicant's identity, to Ekspo Faktoring A.Ş. at the address Maslak Mahallesi, Maslak Meydan Sokak No:5/B, Spring Giz Plaza, Sarıyer, Istanbul; through a notary public to the same address; or with a secure electronic signature to the registered e-mail (KEP) address ekspofaktoring@hs02.kep.tr. If processing the request incurs a cost, the Company may charge the fee permitted under the applicable regulations.

3.8. Transfer of Personal Data Abroad

Personal data may be transferred abroad in accordance with applicable legislation for the purposes of processing, storage, administration, or other uses specified in this Policy, including the purposes exemplified in the section “Purposes of Processing Personal Data.” In such transfers, all necessary precautions are taken to ensure the protection of personal data.

3.9. Security of Personal Data

The Company places great importance on maintaining the confidentiality and security of personal data. Accordingly, necessary technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss, or disclosure. These measures include system access controls, data access controls, secure transfer controls, business continuity controls, and other required corporate safeguards.

4. Cookies and Similar Technologies

4.1. General

Small data files sent to users’ devices by web servers through the web browser being used are referred to as cookies. Websites use these cookies to recognize users, and the lifespan of cookies may vary depending on browser settings.

These cookies are created through systems managed by the Company; however, certain service providers authorized by the Company may also place similar technologies on users’ devices to collect information such as IP address, unique identifiers, and device identifiers. Furthermore, third-party links found within the Company’s systems are subject to the privacy policies of those third parties. The Company is not responsible for the privacy practices of these third parties. Therefore, it is recommended to review the privacy policy of the relevant site when visiting a site through such a link.

4.2. Types of Cookies

Cookies, primarily intended to facilitate user experience, can be categorized into four main groups:

Session Cookies: These cookies enable the use of various features such as transferring information between web pages and systemically remembering data entered by the user. They are essential for the proper functioning of the Company’s website.

Performance Cookies: These cookies collect information about the frequency of page visits, possible error messages, the total time users spend on specific pages, and usage patterns. They are used to improve the performance of the Company’s website.

Functional Cookies: These cookies remember previously selected options to provide convenience to the user. They aim to deliver enhanced online features within the scope of the Company’s website.

Advertising and Third-Party Cookies: These are cookies belonging to third-party providers and allow the use of certain functions on the Company’s website as well as enabling ad tracking.

4.3. Purposes of Cookie Usage

The purposes of using cookies by the Company are as follows:

Operational Uses: The Company may use cookies that enable the functionality of this website or detect irregular behavior for the purpose of managing and securing its systems.

Functionality Uses: To facilitate system usage and provide user-specific features, the Company may use cookies that remember user information and past selections.

Performance Uses: The Company may use cookies to enhance and measure system performance, evaluating and analyzing user interactions and behavior in response to communications.

Advertising Uses: The Company may use cookies through its own or third-party systems to deliver advertisements and similar content aligned with users’ interests and to measure the effectiveness or analyze the click-through rate of such advertisements.

4.4 Disabling Cookies

Most browsers accept cookies by default, and users can change this setting in their browser preferences. Accordingly, users can delete existing cookies and refuse future cookies. However, disabling cookies may prevent the use of certain features within the Company's systems. The way cookie settings are changed depends on the browser in use, and instructions can be obtained from the relevant browser vendor.

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

5.1. The following principles shall apply to the storage and destruction of personal data:

a) The general principles outlined in Article 4 of the Personal Data Protection Law (KVKK) shall be adhered to.

b) The Company acknowledges that merely preparing this Policy does not by itself imply that personal data has been destroyed in compliance with the Law, the Regulation, and the relevant legislation.

c) The Company agrees, declares, and undertakes to store, delete, destroy, or anonymize personal data in accordance with the security measures set forth in Article 12 of the KVKK, relevant legislative provisions, decisions of the Board, and this Policy.

d) The Company undertakes to ensure compliance with this Policy and the tools, programs, and processes to be implemented in connection with the Policy during the destruction of personal data processed wholly or partially by automated means, or by non-automated means which form part of a data recording system.

e) The Company shall take all necessary technical and administrative measures to securely store personal data and to prevent unlawful processing and access.

f) The Company defines the titles, departments, and job descriptions of the individuals involved in personal data storage and destruction processes.

5.2. Recording Media

With this Policy, the Company agrees to include the following environments that contain personal data, as well as any additional environments that may arise, within the scope of this Policy:

a) Computers/servers used on behalf of the Company,

b) Network devices,

c) Shared/non-shared disk drives used for data storage on the network,

d) All storage areas within mobile phones,

e) Paper,

f) Microfiche,

g) Peripheral devices such as printers and fingerprint readers,

h) Magnetic tapes,

i) Optical disks,

j) Flash memories.

5.3. Circumstances Requiring the Disposal of Personal Data

Processing in breach of the rules set out below is treated as a potential security breach, and the related reports and notifications may be shared with Company management, the Board, and the affected data subjects where required.

The Company undertakes not to process personal data contrary to the provisions of the Law. Accordingly, the Company shall:

a) Not retain personal data of individuals whose explicit consent has not been obtained, unless one of the exceptions stipulated in Articles 5 and 6 of the KVKK applies.

b) Dispose of personal data processed under those exceptions or under explicit consent once the purpose of processing no longer exists and/or the legal retention periods have expired.

5.4. Expiration of Personal Data Processing Conditions

The Company is responsible for maintaining the currency of data processing conditions and shares this responsibility with all relevant employees involved in personal data processing.

Employees shall cease data processing activities once the conditions for processing no longer apply. The identification of such situations is carried out by the KVKK Committee upon the recommendation of the relevant business unit, and the disposal is executed in accordance with this Policy.

The Company recognizes the expiration of data processing conditions in the following circumstances, which are also defined within the Regulation:

a) Amendment or repeal of the legal provisions forming the basis for personal data processing;

b) Absence, invalidity, automatic termination, cancellation, or withdrawal from a contract between the parties;

c) The disappearance of the purpose requiring the processing of personal data;

d) Processing of personal data in violation of the law or the principle of good faith;

e) Acceptance by the Company of the data subject’s request, made in accordance with Article 11(e) and (f) of the KVKK, to cease personal data processing;

f) In cases where the Company rejects the data subject's request for disposal, the response is deemed insufficient, or no response is given within the legally stipulated time; upon complaint to the Board, the request is approved by the Board;

g) Expiration of the maximum retention period for personal data without the existence of any valid justification for continued storage.

6. DISPOSAL OF PERSONAL DATA

The disposal of personal data may be carried out through one of three methods detailed below: deletion, destruction, or anonymization. Within the Company, the relevant departments, information system and application owners where the personal data resides, the KVKK Committee, and any other concerned parties or units will decide in writing which disposal method is to be applied, based on the reason for the disposal.

In accordance with this written decision, one of the disposal methods described in this Policy will be applied in line with the “Guideline on Deletion, Destruction or Anonymization of Personal Data” published by the Board.

The responsibility for tracking the disposal of personal data lies with the respective business unit owning the data. The data-owning business unit is responsible for overseeing the disposal process and may receive support from other departments within the Company.

6.1. Deletion of Personal Data

Deletion of personal data processed wholly or partially by automated means refers to rendering such data completely inaccessible and unusable for the relevant users. For personal data processed by non-automated means as part of a data recording system, the data subject to deletion is identified by taking the applicable legal retention periods into account. The Company keeps its access and authorization systems aligned with its current information systems and applications through role and authority matrices, and identifies the relevant users together with their access rights and their ability to retrieve and reuse the data. When the Company deletes personal data, it ensures, by implementing the necessary technical measures, that the data can no longer be accessed or reused by those users.

6.2. Destruction of Personal Data

Destruction of personal data means rendering the data completely inaccessible, irretrievable, and unusable by anyone. This process is applied particularly when the Company processes data in physical storage media, and the Company is obliged to ensure that such data cannot be recovered. For paper and microfiche formats, the destruction is carried out by shredding the material into unrecognizable and irretrievable small pieces using paper shredders or similar machines. The Company may also outsource this destruction service to third parties.

6.3. Anonymization of Personal Data

Anonymization refers to making personal data unidentifiable and unrelatable to an individual, even when combined with other data, especially when the data is processed by wholly or partially automated means. The Company ensures that the data loses its ability to single out a person within a group or mass by removing or modifying all direct and/or indirect identifiers in the dataset. During this process, the Company may employ techniques such as one-way functions or encryption. Such techniques anonymize data only if neither the key nor the original input can be recovered: a plain hash of a low-entropy identifier such as a national ID or personnel number can be reversed by enumerating the identifier space, and a keyed or encrypted value remains pseudonymous, not anonymous, for as long as any copy of the key exists.
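The following Go program, added here as an illustration and not part of the Company's policy or systems, shows why the caveat above matters. It uses a constructed identifier space of five-digit personnel numbers (the real eleven-digit national ID space is larger but still enumerable on ordinary hardware; the small space only keeps the run short). A plain SHA-256 "one-way function" over such an identifier is recovered in full by enumeration, whereas an HMAC under a random secret key resists the same attack; the HMAC output becomes anonymous only once every copy of that key is destroyed. All names and sample values are invented for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// idDigits defines the constructed identifier space: five-digit personnel
// numbers 00000-99999. Kept small so the enumeration finishes instantly.
const idDigits = 5

// plainHash is the naive "one-way function": SHA-256 of the bare identifier.
func plainHash(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// reversePlainHash recovers an identifier from its plain hash by hashing every
// value in the identifier space and comparing. Returns (id, true) when found.
func reversePlainHash(target string) (string, bool) {
	limit := 1
	for i := 0; i < idDigits; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		cand := fmt.Sprintf("%0*d", idDigits, n)
		if plainHash(cand) == target {
			return cand, true
		}
	}
	return "", false
}

// keyedPseudonym replaces the identifier with HMAC-SHA256 under a secret key.
// The enumeration in reversePlainHash no longer works without the key. While the
// key exists this is pseudonymization; it becomes anonymization only after every
// copy of the key has been destroyed.
func keyedPseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// newKey returns a fresh 256-bit key from the OS CSPRNG.
func newKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func main() {
	const id = "04217" // constructed sample personnel number

	h := plainHash(id)
	recovered, ok := reversePlainHash(h)
	fmt.Printf("plain hash %s... reversed by enumeration: %q (found=%v)\n", h[:16], recovered, ok)

	key := newKey()
	p := keyedPseudonym(key, id)
	_, ok = reversePlainHash(p)
	fmt.Printf("keyed pseudonym %s... reversed by enumeration: found=%v\n", p[:16], ok)
}
```

Run it with `go run .`: the plain hash is reversed to the original personnel number, the keyed value is not. The lesson for the anonymization step is that the identifier space, not the hash function, decides whether a hashed identifier is recoverable.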

7. METHODS AND PROCEDURES FOR DESTRUCTION OF PERSONAL DATA

To destroy personal data, the Company defines all applicable methods within this Policy and its annexes. The data owner business unit is responsible for selecting and implementing the appropriate method based on the specific situation described in this Policy. According to a written decision issued by the Company, the most suitable of the following methods will be used to carry out the destruction:

7.1. Overwriting

This involves making previously stored data unreadable by writing random binary data (consisting of 0s and 1s) over magnetic or rewritable optical media at least 7 times using specialized software.

7.2. Degaussing

A method of rendering data unreadable by exposing magnetic media to a high-powered magnetic field, which physically disrupts the recorded data. Degaussing is effective only on magnetic media such as hard disk platters and tapes; it has no effect on flash memory or optical disks.

7.3. Physical Destruction

This method involves physically destroying optical or magnetic media through melting, pulverizing, grinding, or similar means. It is used where degaussing or overwriting is unsuccessful or inapplicable, for example for flash-based media such as SSDs and USB sticks, where degaussing has no effect and software overwriting cannot be verified to reach every storage cell.

7.4. Cloud Destruction

For personal data stored in cloud systems, destruction is achieved by instructing the contracted service provider to delete the encryption keys under which the data is stored and by ensuring that all copies of those keys, including backups, are irreversibly destroyed. This presupposes that the data was encrypted at rest under keys dedicated to it; without such encryption, deleting keys destroys nothing.
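The following Go program, added as an illustration and not code from the Company or any provider, shows the mechanism behind key-deletion ("crypto-shredding") destruction: each data subject's records are sealed with AES-256-GCM under a per-subject data key held in a key store that stands in for the provider's key-management service. Shredding the key for one subject makes that subject's ciphertext irrecoverable while other subjects' records remain readable, and the ciphertext can then be left in backups without exposing personal data. The key store, subject identifiers, and record contents are all invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyStore stands in for the provider's key-management service. Each data
// subject gets its own 256-bit data key, so destroying one key renders exactly
// that subject's records unreadable and nothing else.
type keyStore struct {
	keys map[string][]byte
}

func newKeyStore() *keyStore { return &keyStore{keys: map[string][]byte{}} }

// keyFor returns the subject's data key, generating one on first use.
func (ks *keyStore) keyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// shred zeroes the key material and removes the entry. In a real deployment
// this is the request to the provider to destroy the key and every backup of it.
func (ks *keyStore) shred(subject string) {
	if k, ok := ks.keys[subject]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, subject)
	}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals a record under the subject's data key. Output is
// nonce || ciphertext || tag; the subject ID is bound as associated data.
func encryptRecord(ks *keyStore, subject string, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(subject)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

var errKeyDestroyed = errors.New("data key destroyed: record is irrecoverable")

// decryptRecord looks the key up without creating one, so a shredded subject
// fails with errKeyDestroyed even though the ciphertext is still stored.
func decryptRecord(ks *keyStore, subject string, sealed []byte) ([]byte, error) {
	key, ok := ks.keys[subject]
	if !ok {
		return nil, errKeyDestroyed
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(subject))
}

func main() {
	ks := newKeyStore()
	// Constructed sample records; no real personal data.
	c1, _ := encryptRecord(ks, "customer-0001", []byte("name=Sample One;record=contract-17"))
	c2, _ := encryptRecord(ks, "customer-0002", []byte("name=Sample Two;record=contract-42"))

	ks.shred("customer-0001") // retention period for customer-0001 has expired

	_, err := decryptRecord(ks, "customer-0001", c1)
	fmt.Println("customer-0001:", err)
	p2, _ := decryptRecord(ks, "customer-0002", c2)
	fmt.Println("customer-0002:", string(p2))
}
```

Two properties make this a valid destruction method rather than a bookkeeping trick: the key must never have been derivable from anything that survives (so a random per-subject key, not one derived from the subject's own data), and the provider must confirm that backup copies of the key are gone as well, since one surviving key copy reverses the destruction.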

7.5. Destruction of Personal Data in Peripheral Systems

For devices such as printers, fingerprint scanners, and door access turnstiles containing personal data, destruction must be carried out either by overwriting, degaussing, or physical destruction of internal units if available—or the entire device if not. These types of destruction must occur before the devices are subjected to backup, maintenance, or similar operations.

8. DUTIES AND RESPONSIBILITIES

8.1. Employees

  • Act in compliance with the data retention and destruction policy,
  • Fulfill their duties and responsibilities in accordance with the instructions stated in the data retention and destruction policy,
  • Provide feedback to relevant parties regarding the policy when necessary.

8.2. Senior Management

  • Ensure that all managers in their respective departments act in accordance with the policy,
  • Encourage employees to report violations of the data retention and destruction policy,
  • Ensure that all employees participate in training programs on data deletion and destruction policies,
  • Establish, approve, and implement a data retention and destruction plan in compliance with applicable laws and regulations,
  • Determine, in collaboration with relevant department heads and/or process owners, which data should be retained, which should be destroyed, and the timing of such actions, based on current laws and regulations,
  • Delegate responsibility for data retention and destruction by identifying the relevant data owner business units.

8.3. KVKK Committee

  • Update the Policy on the Protection, Privacy, Retention, and Destruction of Personal Data,
  • Design retention and destruction processes according to this policy and coordinate the implementation with relevant business units,
  • Inform senior management and relevant business units about data retention and destruction policies,
  • Support employees in implementing the processes defined within this Policy,
  • Report violations related to this Policy and the relevant legislation on data retention and destruction to senior management every six months.

9. GENERAL PRINCIPLES AND RULES

Data is collected, processed, and securely retained with due diligence for a lawful and legitimate purpose. Once the purpose of data processing ceases or is fulfilled, the data is deleted, destroyed, or anonymized using an appropriate method consistent with this Policy.

Confidentiality

It is essential that all data processing activities within the Company are conducted in complete confidentiality. In this context, the Company prevents unauthorized access to data to the extent possible, applies all available technical and administrative measures, and conducts regular audits accordingly.

Compliance with Law and Principles of Integrity

The Company collects and processes data in accordance with the limits set by the law and the principles of integrity.

Accuracy and Being Up-to-Date When Necessary

Data is stored in a complete and accurate manner and updated when necessary. The Company makes the necessary arrangements to correct, amend, update, or delete data if it is found to be inaccurate or outdated.

10. COMPLIANCE REQUIREMENTS

10.1. Data Inventory

The Company has documented its data processing activities in a Personal Data Processing Inventory, linking them to business processes, the purposes of processing, the data categories used, the recipient groups to whom the data is transferred, and the data subject categories. The inventory also records the maximum retention period necessary for each purpose, transfers to foreign countries, and the security measures taken. The Company undertakes to keep this inventory up to date in accordance with the principles outlined in this Policy.

10.2. Maximum Retention Periods

The Company has determined that data categories processed based on business processes should be retained for a maximum of 10 years in line with legal requirements and business objectives. The Company commits to processing data in accordance with retention periods defined in this Policy and to destroy the data periodically as outlined in the "Periodic Destruction" section once the retention period ends. All actions related to deletion, destruction, or anonymization of data are recorded and such records are kept for at least three years, excluding other legal obligations.

10.3. Measures Taken for Secure Storage and Destruction of Data

The Company is obligated to take and enforce both technical and administrative measures to ensure the secure storage of data, to prevent unlawful access or processing, and to ensure lawful destruction.

Administrative Measures Taken:

  • Publishing the Policy on the Protection, Confidentiality, Retention, and Destruction of Personal Data on the Company’s website;
  • Conducting awareness trainings within the Company regarding data protection, retention, and deletion;
  • Analyzing internal activities and processes to determine compliance actions;
  • Creating a Data Inventory.

Technical Measures Taken:

  • Implementing access control systems for data storage environments;
  • Deploying corporate access control and authorization solutions to prevent unauthorized access;
  • Keeping the Data Inventory updated and enforcing its implementation.

10.4. Periodic Destruction

The Company commits to reviewing the data it holds in both digital and physical formats at intervals not exceeding six months, counted from the first day of each year, and to delete, destroy, or anonymize at each such interval the data whose purpose of processing has ended.

PERSONAL DATA TRANSFER POLICY

11. PURPOSE
This Personal Data Transfer Policy ("Policy") is established pursuant to Articles 8 and 9 of Law No. 6698 on the Protection of Personal Data (KVKK) and the related regulation yet to be issued. It outlines the principles to be followed by the natural or legal persons responsible for domestic and international transfers of personal data, as well as the rules to be observed by the Company and within the Company.

12. SCOPE
This Policy covers all departments and employees of the Company. It applies to all types of communications used by Company units that involve personal data. The Company will update this Policy to comply with newly enacted or amended legislation. If the Company determines that there is a legal barrier to implementing any part of this Policy, it will redefine the necessary steps—consulting the Board if deemed necessary.

13. DEFINITIONS

The following terms used in this Policy and the related regulation are defined as follows:

Personal Data

Any information relating to an identified or identifiable individual, including details that reveal one’s physical, economic, cultural, social, or psychological identity or that can be linked to identifiers like ID, tax, or insurance numbers.

Sensitive Personal Data

Data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Explicit Consent

Freely given, specific, informed consent.

Anonymization

Rendering personal data impossible to link to an identified or identifiable person, even when combined with other data.

Processing of Personal Data

Any operation performed on personal data, whether or not by automated means, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or blocking its use.

Data Subject

The natural person whose personal data is processed.

Data Recording System

A system in which personal data is processed and structured according to specific criteria.

Data Controller

The person or entity that determines the purposes and means of processing personal data, and who is responsible for establishing and managing the data recording system.

Data Processor

A natural or legal person that processes personal data on behalf of the data controller based on the authority granted by them.

Recipient

A natural or legal person to whom personal data is transferred by the data controller.

Board

The Personal Data Protection Board.

Authority

The Personal Data Protection Authority.

Policy

The Personal Data Transfer Policy of Ekspo Faktoring A.Ş.

Regulation

The regulation expected to be issued regarding the transfer of personal data and identifying safe countries for international transfers.

KVKK Committee

A working group consisting of the Internal Control Manager, IT Manager and Officers, and all department Managers or Supervisors.

14. TRANSFER OF PERSONAL DATA IN PHYSICAL ENVIRONMENTS

Personal data in physical environments refers to all personal data stored in non-electronic formats where data can be read manually. This section of the Personal Data Transfer Policy outlines the requirements for the physical transfer of personal data. Unless otherwise specified, Company employees must comply with this Policy when transferring personal data in physical form. If an employee performs such a transfer or witnesses one being performed outside this Policy, they are obligated to notify the KVKK Committee.

Employees or business units performing such transfers must be able to demonstrate that the explicit consent of the data subject was obtained before acquiring the personal data. In cases where data is transferred without explicit consent, responsibility does not solely fall on the acquirer. The individual or unit performing the transfer holds a comparable level of responsibility to that of the data processor. Transfers without explicit consent are only valid if the exceptions outlined in Article 8(2) of the KVKK apply. If the employee is unsure whether an exception is applicable, they must consult the KVKK Committee before proceeding.

Physical documents containing personal data must be rendered unreadable during transit, so that not even the person carrying them can view the personal data en route. The transfer must remain traceable for the whole period between dispatch and delivery, including any interval in which the documents await handling; this traceability is provided by sealing the envelope, box, or package. If sealing is not possible, the transfer may proceed only with the knowledge and approval of the KVKK Committee.

The sender must confirm with the recipient that the personal data has been received at the end of the expected transfer period. The recipient is also responsible for informing the sender that the data remained unprocessed during transfer (i.e., the seal was intact). If there is any suspicion of tampering, the recipient must notify both the sender and the KVKK Committee.

Domestic transfers of personal data in physical form should, whenever possible, be made directly from sender to recipient. Indirect or hand-to-hand transfers should be reserved for unavoidable circumstances. International transfers of personal data in physical form may only be made to countries designated as secure in the Regulation. If the target country is not listed as a secure country, prior consultation with the KVKK Committee is required before initiating the transfer.

15. TRANSFER OF PERSONAL DATA IN ELECTRONIC ENVIRONMENTS

Personal data in electronic environments refers to all personal data that can be made readable using an electronic device. This section of the Policy outlines the requirements for transferring personal data electronically. Unless otherwise specified, Company employees must adhere to this Policy when conducting electronic transfers of personal data.

If an employee performs or witnesses a data transfer outside the scope of this Policy, they are obligated to report it to the KVKK Committee. Employees or business units conducting the transfer must be able to prove that the data subject's explicit consent was obtained. Responsibility for the unauthorized transfer of data lies not only with the data acquirer but equally with the individual or unit performing the transfer. Transfers without explicit consent are only valid under the exceptions stated in Article 8(2) of the KVKK. If uncertain, the employee must consult the KVKK Committee before proceeding.

Before electronic transfer, it must be ensured that the recipient is authorized to process the data. Electronic transfers of personal data may only be carried out using the methods listed below and under the specified conditions. If these methods are insufficient, the KVKK Committee must be informed.

a. Email
When transferring personal data via email, the manager of the relevant business unit must be among the recipients of the email. Even if the manager is aware of the content, the employee will be considered non-compliant with the Policy if the manager is not included in the recipient list. The email should clearly indicate that the content and/or attachments include personal data. This data must be encrypted, and the password should be shared through a separate communication channel. If encryption is not applied, the employee must inform their unit manager, who must then seek approval from the KVKK Committee.

b. Portable Media
Portable media includes all physical formats capable of storing electronic data such as external hard drives, CDs, DVDs, USB drives, USB external disks, and memory cards. Encryption is mandatory when transferring personal data via portable media. Unencrypted portable media transfers are not allowed. The password must be shared through a separate communication channel. The employee conducting the transfer is also responsible for the subsequent destruction of the data on the device. Until the personal data is destroyed, the portable media must not be reused. The physical transfer must be made directly from the sender to the recipient, with minimal intermediaries. The Company’s contracted courier service must be used for the transfer.

c. Cloud Sharing
Cloud sharing refers to the upload of personal data to an online storage system by the sender, with the recipient accessing it thereafter. Before any cloud-based transfer, the employee must consult the IT Department and the manager of the data owner’s business unit to ensure the safest method is used. All cloud transfers must be encrypted, and the password must be shared via a separate communication channel. Cloud sharing must only be done using Company hardware and network infrastructure. Employees are not permitted to use personal devices or external networks.

d. Network Sharing
Personal data can be shared within or between business units via the Company’s shared network environments. All such transfers must be encrypted using cryptographic protocols, with passwords delivered through separate communication channels. If encryption is deemed impractical, the KVKK Committee must be informed and its approval obtained before the transfer. The shared area must be restricted so that only the intended recipient or unit can access it, and the sender is responsible for ensuring this access control. After the sharing is complete, the recipient must destroy the data and notify the sender, who must then confirm that the data no longer resides on the shared drive.

16. AMENDMENTS TO THE POLICY
Following the issuance of the Regulation by the Board, the Company will make changes to this Policy. After any official amendment to the Regulation, the Company may update this Policy to ensure compliance with such changes. The Company will notify its employees of any modifications to the Policy by highlighting the updates and sharing the revised Policy via email, and it will also be made accessible to employees at the following web address:

Relevant web address: http://www.ekspofaktoring.com

17. DUTIES AND RESPONSIBILITIES

17.1. Employees

  • Comply with the data transfer policy,
  • Fulfill their duties and responsibilities in accordance with the instructions outlined in the data transfer policy,
  • Provide feedback about the policy to relevant parties where deemed necessary.

17.2. Senior Management

  • Ensure that all managers within their departments act in accordance with the policy,
  • Encourage employees to report any breaches of the data transfer policy,
  • Ensure all employees participate in training regarding the data transfer policy,
  • Ensure the creation, approval, and implementation of a data transfer plan in compliance with applicable laws and regulations.

17.3. KVKK Committee

  • Update the Personal Data Transfer Policy,
  • Design and coordinate the implementation of transfer processes in collaboration with relevant business units in accordance with this policy,
  • Inform senior management and data owner business units about data transfer issues,
  • Support employees in implementing the processes established within the scope of this Policy.