PERSONAL DATA PROTECTION, PROCESSING, DESTRUCTION, AND COOKIE POLICY

1. PURPOSE AND SCOPE

As YEŞİL HOLDİNG A.Ş. (“YEŞİL HOLDİNG”), we process the personal data of real individuals—including our customers, suppliers, and employees—in accordance with the applicable legislation, primarily the Personal Data Protection Law No. 6698 (“KVKK”), and ensure that those whose data is processed can exercise their legal rights upon request.
We process, store, and transfer all personal data obtained during our activities—whether from our employees, suppliers, customers, or users visiting our website—in accordance with the “Personal Data Protection, Processing, Destruction, and Cookie Policy (Policy).”
We take all necessary administrative and technical protection measures by keeping up with legal regulations and current technologies to safeguard personal data.
This Policy explains the methods we follow for processing, storing, transferring, and deleting or anonymizing personal data shared during our commercial activities in accordance with the KVKK.

2. CLASSIFICATION AND PROCESSING OF PERSONAL DATA

2.1. Personal Data

Personal data refers to any information related to a real person whose identity is known or can be determined, such as name and surname, date of birth, Turkish Identity Number, phone number, e-mail address, address, etc.
The protection of personal data applies only to real individuals; information pertaining to legal entities that does not include personal data is excluded from personal data protection. Therefore, this Policy does not apply to data related to legal entities.

2.2. Sensitive Personal Data

Sensitive personal data includes information regarding a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, memberships in associations, foundations or trade unions, health, sexual life, criminal convictions, etc.

2.3. Processing of Data

We process personal data in accordance with the following principles:
- Processing in accordance with law and principles of good faith
- Ensuring that personal data is accurate and, where necessary, kept up to date
- Processing for specific, explicit, and legitimate purposes
- Ensuring that processing is limited and proportionate to the purpose for which the data is processed
- Retaining personal data for the period prescribed by legal regulations and for our legitimate commercial interests

2.4. Our Purposes for Processing Personal Data

We process personal data for the following purposes:
- Conducting our operations,
- Managing the procurement processes for goods/services,
- Managing the sales processes for goods/services,
- Carrying out activities aimed at customer satisfaction,
- Providing support services within the framework of contractual agreements and service standards,
- Ensuring the fulfillment of our legal obligations as required or mandated by legal regulations,
- Conducting market research and statistical studies,
- Evaluating job applications,
- Maintaining communication with individuals who have a business relationship with the Company,
- Preparing legal reports,
- Billing,
- Ensuring corporate communication,
- Providing personalized job advertisement and employment-related information,
- Sending notifications via email.

2.5. Processing of Sensitive Personal Data

Sensitive personal data is processed by us with the administrative and technical measures prescribed by law and as outlined by the Data Protection Board, either with explicit consent or in cases mandated by legislation.
Since such data can be processed by individuals or authorized institutions under an obligation of confidentiality for the purposes of providing medical diagnosis and treatment services, as well as for planning and managing health services and financing, these data are not processed by us except for data pertaining to our employees.

2.6. Processing of Personal Data for Human Resources and Employment Purposes

During the process of your application as a candidate for employment at our institution, the personal data contained in your resume, diploma, and other documents that you share with us is processed, stored, and transferred for the purpose of evaluating your job application. The processing, transferring, and storage of personal data you share as a job candidate is subject to this Policy.
Personal data pertaining to employees is collected, processed, and stored in accordance with this Policy.

2.7. Exceptional Cases Where Explicit Consent Is Not Sought for Processing Personal Data

We may process personal data without explicit consent in the following exceptional cases as provided by law:
- When explicitly provided for in the laws;
- When it is necessary to process personal data of the parties to a contract that is directly related to the formation or performance of the contract;
- When processing data is necessary for the establishment, exercise, or protection of a right;
- When it is necessary to process your data for our legitimate interests as the data controller, provided that such processing does not harm fundamental rights and freedoms.

2.8. Our Cookie Policy and the Processing of Personal Data Collected via Cookies

As YEŞİL HOLDİNG, we may use certain technologies such as cookies, pixels, and gifs to enhance your experience during your visits to our online platforms, in accordance with the applicable regulations. Through these cookies, we may collect, process, transfer, and store your personal data.

The main reasons for our use of cookies are as follows:

- To analyze our websites and improve their performance.
- To enhance the functionality of our websites and provide ease of use.

Cookies do not contain personal data such as names, gender, or addresses of visitors. For more detailed information about cookies, please visit www.aboutcookies.org and www.allaboutcookies.org.

You can block cookies through your browser; however, if you do so, you may not be able to use some features on our Site. It is recommended that you check your browser settings to see if it allows you to manage cookies.

Your visit to our Sites and your decision not to block these cookies via your browser constitutes your consent to the use of cookies and the processing of your personal data in accordance with this Policy.


3. TRANSFER OF PERSONAL DATA

As a company, we act in accordance with the decisions and regulations issued by the Data Protection Board as set forth in the KVKK regarding the transfer of personal data.
Except for the exceptional cases provided in the legislation, personal data and sensitive personal data will not be transferred by us to any other natural or legal persons without the explicit consent of the data subject.
In exceptional cases provided for in the KVKK and other relevant legislation, data may be transferred without the explicit consent of the data subject to an administrative or judicial institution or board authorized within the limits prescribed by law.
Personal data;
• To our suppliers,
• To group companies,
• To public institutions and organizations authorized by law,
• To private law entities authorized by law,
• To our shareholders,

can be transferred in accordance with the principles and rules stated above.

4. STORAGE AND DESTRUCTION OF PERSONAL DATA

We retain personal data for the period required by the purpose of processing, subject to the retention periods stipulated by law.
When we process personal data for multiple purposes, if the purposes for processing cease to exist or if the data subject requests deletion and there is no legal impediment, we delete and/or destroy your personal data within the first 3 months following the date on which the obligation or request arises or is confirmed. We comply with the legislative provisions and the decisions of the Data Protection Board regarding destruction or deletion.

5. MEASURES TAKEN AND SECURITY PROVIDED FOR THE TRANSFER AND STORAGE OF PERSONAL DATA

- We employ staff with technical expertise.
- We implement administrative and technical measures according to our technological capabilities and implementation costs, and we establish security systems in accordance with technological developments.
- We update and renew technical measures periodically.
- Within our company, access to information and documents is granted on an authorized basis, and such access is securely restricted.
- We establish data recording systems used within our company in accordance with the legislation and conduct periodic audits of them.
- We train and inform our employees regarding access and authorization to personal data.
- In cases where we collaborate with third parties from whom we receive support or products, we enter into agreements regarding the protection of personal information with them.
- In the event of unauthorized disclosure or a data breach of personal data, we report the situation to the Data Protection Board and take measures in accordance with the investigations prescribed by law.


6. NOTIFICATION AND INFORMATION OF THE DATA SUBJECT

Within the scope of our duty to inform, we notify the Data Subject and make the necessary technical and administrative arrangements for the Data Subject to exercise their rights regarding their personal data.
The Data Subject has the following rights regarding their personal data:
- To learn whether personal data is being processed,
- To request information if personal data is being processed,
- To learn the purpose of processing and whether the data is being used in accordance with that purpose,
- To know the third parties to whom such personal data has been transferred,
- To request correction if the personal data has been processed incompletely or incorrectly,
- To request deletion or destruction of personal data if the reasons for processing cease to exist,
- To request that any corrections, deletions, or destructions be communicated to the third parties to whom the personal data has been transferred,

These are your rights. You can find the necessary application method and detailed information on the response process to your request in the Disclosure Text published on our website. 
Additionally,
- If the application is not based on a legitimate reason,
- If the application contains a request contrary to the relevant legislation,
- If the application does not comply with the application procedure,

your request may be rejected with justification.


7. PUBLICATION, STORAGE, AND UPDATE PERIOD OF THE DOCUMENT

This Policy is stored in both printed and electronic forms and will be updated as needed.

8. EFFECTIVENESS

This Policy is considered effective upon its publication on the Company's website.


9. ROLES AND RESPONSIBILITIES

The YEŞİL HOLDİNG Data Protection Board is responsible for the preparation, development, updating, and publication of this Policy on the website.