KVKK

YEŞİL PAZAR RETAILING INFORMATION AND E-COMMERCE SERVICES INC.

PERSONAL DATA PROTECTION LAW NO. 6698

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. PURPOSE


According to Article 20/3 of the Constitution of the Republic of Turkey, “everyone has the right to request the protection of personal data concerning them. This right includes being informed about personal data concerning them, accessing these data, requesting their correction or deletion, and learning whether they are being used in accordance with their intended purposes. Personal data may only be processed in cases prescribed by law or with the individual's explicit consent.” Accordingly, Law No. 6698 on the Protection of Personal Data (“PDP Law”) was published in the Official Gazette No. 29677 dated April 7, 2016, and entered into force with the aim of protecting the fundamental rights and freedoms of individuals, particularly the right to privacy, in the processing of personal data and regulating the obligations of natural and legal persons processing personal data and the procedures and principles they must comply with.

YEŞİL PAZAR MAĞAZACILIK BİLİŞİM VE E TİCARET HİZMETLERİ A.Ş. (“Company”) carries out the processing, storage and transfer of all personal data obtained from persons contacted during the activities, including but not limited to customers, visitors, suppliers, employees, users of the website and network connections, in accordance with the Personal Data Protection and Processing Policy (“Policy”) .

This Policy aims to inform you about the Personal Data Protection Law No. 6698 (“Law”) and all administrative, technical and managerial measures we have taken regarding the processing and protection of personal data, to ensure full compliance of our Company with the relevant legislation and to protect all rights of personal data owners arising from the legislation regarding personal data.

2. GENERAL PRINCIPLES TO BE FOLLOWED IN THE PROCESSING OF PERSONAL DATA

 

The Company will process personal data in accordance with the law, in particular the Constitution of the Republic of Türkiye, the Personal Data Protection Law and all regulations to be issued by the Personal Data Protection Authority.

In this context, the Company will ensure and maintain legal compliance by acting in accordance with the following principles in the processing of personal data:

The Company processes Personal Data in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts in accordance with the following principles when processing Personal Data:

  • Personal Data is processed in accordance with the relevant legal rules and the requirements of the principle of honesty .
  • Personal Data is ensured to be accurate and up-to-date . In this context, issues such as identifying the sources from which data is obtained, verifying its accuracy, and assessing whether it needs to be updated are carefully considered.
  • Personal Data is processed for specific, explicit, and legitimate purposes . A legitimate purpose means that the Personal Data processed by the Company is necessary for and related to the business it conducts or the service it offers.
  • Personal Data is used to achieve the Company's designated purposes. Personal Data that is not relevant or needed for the purpose is avoided. Processing is limited to only what is necessary to achieve the purpose. Personal Data processed within this scope is relevant, limited, and proportionate to the purpose for which it is processed .
  • If relevant legislation specifies a data retention period, the Company complies with this period; otherwise, the Company retains Personal Data only for the period necessary for the purpose for which it is processed . If there is no longer a valid reason for the retention of Personal Data, the data in question will be deleted, destroyed, or anonymized.

3. GENERAL CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data can only be processed in cases stipulated in the Law or with the express consent of the individual, as specified in the third paragraph of Article 20 of the Constitution of the Republic of Turkey.

According to Article 5 of the Personal Data Protection Law, personal data cannot be processed without the express consent of the relevant person. The express consent of the relevant person must be specific, informed, and expressed freely.

Personal data can also be processed without explicit consent if one of the conditions listed in the second paragraph of Article 5 of the Personal Data Protection Law is met.

Accordingly;

  • If Explicitly Provided by Law

If it is clearly stipulated in the Personal Data Protection Law and relevant legislation, as well as other laws and legislation, the company will process personal data even without explicit consent.

  • In case it is necessary for a person who is unable to express his consent due to physical impossibility or whose consent is not recognized as legally valid to protect his own life or the bodily integrity of another person;

In cases where the person concerned is unable to give explicit consent or where the consent is not legally valid, and also if it is necessary to protect the life or physical integrity of the person concerned or another person, personal data may be processed by the Company without explicit consent.

  • If the Processing of Personal Data of the Parties to a Contract is Necessary, Provided That It is Directly Related to the Establishment or Execution of a Contract

If it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract, personal data may be processed by the Company without explicit consent.

  • If it is mandatory for the data controller to fulfill its legal obligations

According to the Personal Data Protection Law, the Company is the data controller and may process personal data that is required to fulfill its legal obligations without explicit consent.

  • In Case It Is Made Public by the Relevant Person Himself

Personal data that the data owner has made public by any means may be processed without explicit consent if it is necessary for the Company's purposes and activities.

  • In Case Data Processing Is Mandatory for the Establishment, Exercise or Protection of a Right

If the processing of personal data is necessary for the establishment, exercise or protection of a right, personal data may be processed without the consent of the person concerned.

  • In case data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

If the processing of personal data is necessary to protect the Company's legitimate interests, the Company may process personal data without consent, provided that it does not harm the fundamental rights and freedoms of the individual.

Personal data processed by the Company is processed based on one and/or more of the conditions listed in the second paragraph of Article 5 of the Personal Data Protection Law mentioned above and limited to these conditions.

If the Company needs to process personal data other than those listed above, the data will be processed by obtaining explicit consent from the relevant person.

4. CONDITIONS FOR PROCESSING SPECIAL NATURE PERSONAL DATA

Sensitive personal data under the law is given special importance due to the risk of causing victimization or discrimination when processed unlawfully. This "special" personal data, as listed in the law, is processed by us. These data include race, religion, and blood type information from old ID cards due to the requirement to obtain photocopies of employees' ID cards; health data due to the legal obligation to obtain a copy of an employee's ID card from an on-site physician and Occupational Health and Safety practices; and data related to criminal convictions and security measures based on criminal records recorded in personnel files. We do not process special personal data for individuals to whom we provide services or sell goods, nor for our website members.

Special personal data is processed by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and in the presence of the following conditions:

  • Sensitive personal data, excluding those related to health and sexual life, may be processed without the explicit consent of our employees if it is expressly provided for by law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, our employees' explicit consent will be obtained.
  • Sensitive personal data, excluding those related to health and sexual life, may be processed by individuals or authorized institutions and organizations under a confidentiality obligation, without explicit consent, for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing. Otherwise, the explicit consent of our employees will be obtained.

5. METHODS OF COLLECTING AND PROCESSING PERSONAL DATA AND LEGAL REASONS

When you contact our Company, your personal data is collected and processed electronically and/or physically by our Company's Management, through printed and online forms, telephone, fax, email, cargo, etc., in accordance with the reasons stipulated in this policy. Furthermore, your personal data is processed within the framework of the provisions set forth in Articles 5 and 6 of the Law and, where applicable, based on the legal basis of explicit consent.

PERSONAL DATA CATEGORIES

EXPLANATION

Identity Data

Collected from employees and interns;

  • Name-Surname,
  • Turkish Identity Number,
  • Tax Number,
  • Mother's Name - Father's Name,
  • Civil status,
  • ID Card Serial Number,
  • National ID Card Serial Number,
  • Birthplace,
  • Date of birth,

Documents such as driver's licenses and copies of ID cards containing information such as gender, religion, and nationality.

  • Signature/Initial Information.
  • Photograph

Collected from people who purchase products or services;

• Name-Surname,

• TR Identity Number,

Contact Data

Collected from employees, interns and people who purchase products or services;

  • Phone Number,
  • Fax,
  • Full Address Information,
  • Registered Electronic Mail (KEP) Information

· Email Address Information. (Including Extension Number and Corporate Email Address)

Financial Data

Collected from customers, visitors, suppliers, subcontractors, employees of subcontractors/suppliers, shareholders, companies we cooperate with, business partners and other third parties;

  • Financial Performance Information,
  • Asset Information,
  • Income Information,
  • Expenditure Amount,
  • Payment Information,
  • Invoice Date,
  • Bank Account Information.

Personnel Data

Collected from employees and interns;

  • Payroll Information,

· Disciplinary Investigation, (minute information)

· Professional Competence Certificate

Occupational Health and Safety Training Information

  • Service List,

· Employment Certificate Records,

· CV Information,

Health information (Blood type, last medication information (due to the primary employer's request), etc.)

· Criminal Conviction and Security Measures information

  • Military Service Information

· Information on entering and exiting the country (due to the pandemic)

All kinds of personal data that form the basis for the formation of personal rights of natural persons and include their professional experiences.

Special categories of personal data

Collected from employees;

  • Religious Knowledge (Resulting from Old Identities),

Health Information (blood type, last medication information) (Sourced by the workplace physician, Occupational Health and Safety, and Identity Information)

· Criminal Conviction and Security Measures information

Legal Transaction Data

Personal data processed within the scope of determining and pursuing legal receivables and rights, fulfilling debts, complying with legal obligations and Company policies, and file and debt information related to enforcement proceedings (information included in documents such as court and administrative authority decisions).

Audio/Visual Data

Passport photos, photo samples from ID cards, which are not included in the scope of physical location security information and collected from employees (excluding records included in the scope of Physical Location Security Information)

Control

And

Inspection Information

It means personal data processed during internal or external audit activities within the scope of our company's legal obligations and compliance with company policies.

Product or Service Receiving Transaction Data

Data such as records regarding the use of products and services purchased by product or service recipients and instructions and requests required for the use of products and services by product or service recipients.

  • Invoice, bill, check information,
  • Order and Request Information,

Application and Complaint Forms,

Other Data

Collected from product or service recipients and other third parties;

  • Invoice Date,
  • Document Date,

· Information such as Document Registration Number.

6. GROUPS OF PERSONS SUBJECT TO PERSONAL DATA

The classification of data owners whose personal data is processed is as follows.

PERSONAL DATA SUBJECT GROUP

EXPLANATION

Customer

Real persons who come to the Company, our branches and stores for shopping and visiting purposes and who benefit from or do not benefit from the services.

Users visiting the company's website

Visitor

Natural persons who come to the Company, our branches and stores for business and visit purposes

Users visiting the company's website

Supplier

A manufacturer that provides products or services to the Company.

Third Party

Beneficiaries and/or employee relatives, visitors, etc., even if they are not directly related to the Company's activities.

Person Purchasing Product or Service

People who benefit from the products or services offered by the company

7. PURPOSES OF PROCESSING PERSONAL DATA

The Company processes personal data in accordance with the provisions of the Personal Data Protection Law and other relevant legislation and this Company Policy, for the purposes and conditions specified below, but not limited to these.

· Planning and/or executing the recruitment and/or personnel processes of employees

· Conducting the application processes of employee candidates

· Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students

· Managing employee benefits and benefits processes

Fulfilling the obligations of employees arising from employment contracts and legal regulations

Managing activities in accordance with legislation

· Conducting assignment processes

· Planning and/or execution of personnel appointment/promotion processes

Planning and/or execution of activities that must be carried out within the framework of occupational health and/or safety

· Monitoring and/or auditing employees' work activities

Planning and/or monitoring employees' paid/unpaid leave

· Planning and/or executing employee wages

· Planning and/or execution of employee exit procedures

Planning and/or execution of necessary operational activities related to disciplinary/ethical processes

· Conducting Audit and Ethical Activities

· Employee assignment processes, product delivery or service relationship management

Fulfilling the obligations of employees arising from employment contracts and/or legislation

· Carrying out activities to ensure business continuity

· Planning and/or execution of employee payroll processes

· Determining and calculating the incentives we can benefit from within the scope of relevant legislation

Ensuring the security of company premises and/or facilities

· Following up on legal affairs, contract processes and/or legal claims, using information regarding transaction history as evidence in case of dispute after the termination of the legal relationship.

Planning and/or executing the activities of providing and recording the information or documents and requests requested from official institutions and/or organizations.

Ensuring the security of company assets and/or resources

· Creating and/or managing information technologies infrastructure

· Execution of access authorizations

Ensuring physical space security

Ensuring the Security of Movable Goods and Resources

· Execution of Supply Chain Management Processes

Providing Information to Authorized Persons, Institutions and Organizations

· Follow-up of contract processes and/or legal requests

· Carrying out activities aimed at customer satisfaction

· Execution of customer relations management processes

Evaluating customer requests and/or complaints collected through digital and/or other media,

· Organizing corporate communications and other events, fairs, campaigns and invitations within this scope and providing information about them

Managing the marketing processes of products/services through sales and marketing analysis studies,

· Creating and monitoring visitor records

· Carrying out strategic planning activities

· Conducting marketing analysis studies

· Execution of the wage policy

· Conducting loyalty processes to companies / products / services

· Follow-up of requests / complaints

Planning and execution of goods/service purchasing processes,

· Managing Goods/Services Production and Operation Processes

· Carrying out goods/service sales processes, carrying out after-sales support services,

· Monitoring of financial and/or accounting affairs,

· Planning and/or execution of corporate governance activities,

· Planning and/or execution of stock and/or shipment operations of our company's products,

· Planning and execution of corporate communication activities,

· Planning and/or implementation of operational and/or productivity processes,

· Conducting Internal Audit/Investigation/Intelligence Activities

Planning and/or execution of the company's financial risk processes,

Carrying out storage and archive activities,

· Execution of Management Activities

· Execution and Supervision of Business Activities

· Receiving and evaluating suggestions for improving business processes

· Carrying out Business Continuity Activities

Customizing the products and services offered in line with demands; updating and developing them in line with customer needs and legal and technical developments,

· Announcing new or existing products, services and campaigns, carrying out sales and marketing activities, conducting market research,

Payment and collection of product, service and service fees, and selection of the collection method,

Fulfilling the information obligation arising from the Law No. 6563 on the Regulation of Electronic Commerce and other relevant legislation,

· To deliver advertisements for products and services suitable for the purpose of processing data and to the Data Subject on Yesilpazar.com.tr, and to provide information about products, services, promotions and campaigns,

· Communication with Yeşil Pazar AŞ for satisfaction measurement surveys,

· Creating participant registration in events/trainings/competitions organized by Yeşil Pazar AŞ, issuing certificates/participation documents, determining the award/present recipients and delivering the awards/presents,

· Providing the results arising from the legal transaction in case of merger, division or transfer of all or part of Yeşil Pazar AŞ with another company,

· Ensuring the security of Yesilpazar.com.tr and Applications,

· Creating a personal data inventory,

8. TRANSFER OF PERSONAL DATA

Our Company may, when necessary, transfer the personal data it collects to third parties, taking the necessary security measures in line with its personal data processing purposes. In this regard, our Company acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law.

Even without the explicit consent of personal data owners, if one or more of the conditions specified below are met, personal data may be transferred to third parties by our Company by complying with the requirements and taking all necessary security measures, including the methods prescribed by the Board.

• The relevant activities regarding the transfer of personal data are clearly prescribed by law,

The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,

The transfer of personal data is necessary for our Company to fulfill its legal obligations,

Transfer of personal data by our Company for limited purposes, provided that they are made public by the data owners,

The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the data owner or third parties,

It is necessary to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of personal data owners.

· If it is necessary for a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, to protect his own life or the physical integrity of another person.

Personal data is not transferred abroad within the scope of our Company's activities . If a transfer abroad is necessary within the scope of subsequent activities, in addition to the conditions set forth above, our Company will transfer personal data to foreign countries declared by the Board to have adequate protection (Foreign Country with Adequate Protection) or, if insufficient protection is not available, to foreign countries where the data controllers in Turkey and the relevant foreign country have undertaken, in writing, to provide adequate protection and where the Board has granted its permission (Foreign Country with a Data Controller Undertaking Adequate Protection) .

Sensitive personal data may be transferred by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and in the presence of the following conditions:

· Sensitive personal data, excluding those related to health and sexual life, may be transferred without the explicit consent of our employees if it is expressly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, our employees' explicit consent will be obtained.

Sensitive personal data related to health and sexual life may be transferred without explicit consent by persons under a confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing. Otherwise, the explicit consent of our employees will be obtained.

9. STORAGE OF PERSONAL DATA

Our company retains personal data for the period necessary for the purpose for which it is processed and for the minimum period stipulated in applicable legislation. If applicable legislation specifies a retention period for personal data, we comply with this period. If no legal period exists, personal data is retained for the period necessary for the purpose for which it is processed.

Furthermore, even if the purpose of processing personal data has expired and the periods stipulated in relevant laws and regulations have expired, processed personal data may be retained solely as evidence in potential legal disputes or to establish a defense against any rights and claims that may be asserted related to personal data. These retention periods will be determined by taking into account any similar rights and claims previously made against the Company, even if the statute of limitations for any rights and claims that may be asserted related to personal data has expired. Personal data stored in this context will only be used when necessary in legal disputes and will not be accessed for any other purpose.

10. PROCEDURES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Personal data processed by the Company in accordance with the relevant Laws and Regulations, particularly the Constitution of the Republic of Turkey, are deleted, destroyed or anonymized in accordance with the provisions of Article 7 of the Personal Data Protection Law, if the reasons requiring processing are eliminated or the stipulated periods expire, by a decision taken by the Company or upon the request of the relevant person.

During the deletion and destruction of personal data by the Company, personal data is destroyed physically, deleted from software using secure methods, and, if necessary, safely deleted and destroyed by experts in a way that makes it impossible to recover.

11. RECEIPT GROUPS TO WHICH DATA TRANSFER CAN BE MADE AND THE PURPOSES OF TRANSFER

Personal data processed by the Company is transferred to the third parties listed below, limited to the purposes of processing and in accordance with the regulations stipulated in Articles 8 and 9 of the Personal Data Protection Law.

Persons to Whom Data Can Be Transferred

Definition

Purpose of Data Transfer

Natural Persons or Private Law Legal Entities

It refers to institutions or organizations that are established in accordance with certain conditions determined by law in accordance with the relevant legislation and continue their activities within the framework determined by law.

• Companies we work with within the scope of our business partnerships that we receive and provide services to

• Personal data is shared with the law firm we have a contract with within the scope of carrying out legal activities.

Personal data is shared in a limited manner regarding the issues that fall within the scope of the activities carried out by the relevant private institutions and organizations and for the purpose of ensuring the rights and benefits provided to real persons.

Authorized Public Institutions and Organizations

It means public institutions and organizations authorized to receive information and documents from our Company in accordance with the relevant legislation.

Courts, Tax Offices, General Directorate of Social Security, Notaries, Occupational Health and Safety Centers, etc.

Personal data is transferred limited to the purposes requested by the relevant public institutions and organizations within their legal authority.

12. ENLIGHTENMENT OF PEOPLE

An "Information Text Regarding the Personal Data Protection Law" has been prepared to inform individuals whose personal data is processed by the Company regarding the law and company policies. These individuals are provided with the necessary information in the manner and within the timeframes stipulated in the Law. To this end, all company employees have been informed within the scope of the Law and additional information texts have been drawn up in their employment contracts.

The Information Text provides information and clarification regarding the data controller Company name, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the data owner's rights under Article 11 of the Personal Data Protection Law.

13. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary administrative and technical measures to ensure the security level of personal data to prevent unlawful processing and access, and to ensure the preservation of data. It conducts or has the necessary audits carried out in this context. If, despite all administrative and technical measures being taken, personal data is obtained by third parties through unlawful means, the Company shall notify the relevant authorities as soon as possible.

v ADMINISTRATIVE MEASURES

The Company designs processes for accessing and authorizing personal data within the Company in accordance with legal compliance requirements for personal data processing. It identifies a limited number of individuals responsible for processing personal data and develops practices to prevent the dissemination of data within the Company. To this end, the Company revokes or limits access rights for employees who need to access personal data. The Company implements necessary physical security measures to ensure that only authorized employees have access to personal data.

The Company takes care to ensure that the persons responsible for processing data are knowledgeable and experienced in the processing of personal data, and provides the necessary training to its personnel within the scope of personal data protection legislation and data security.

The company has prepared and implements policies regarding access, information security, use, storage and destruction.

The Company has added to the documents regulating the relationship between its employees and containing personal data that the obligations stipulated under the Law must be mutually complied with for the lawful processing of personal data, that personal data must not be disclosed or used unlawfully, and that confidentiality obligations regarding personal data continue after the termination of the employment contract. Failure of the employee to comply with these obligations will result in the termination of the employment contract and the imposition of sanctions such as recourse to the relevant person for the sanctions imposed by the Personal Data Protection Authority due to non-compliance.

Personal data processed by employees related to their work activities may also be processed in accordance with the conditions set forth in Article 5 of the Personal Data Protection Law and the personal data processing principles set forth in Article 4, as well as for other lawful purposes. All information regarding these matters is provided through Employee Information Texts attached to contracts executed with employees, copies of which are provided to employees. If updates are made regarding data processing, employees are informed by the Company through appropriate procedures.

Before a complaint procedure or disciplinary process is initiated against an employee based on the data obtained as a result of the processing of personal data related to the work activities of the employees, the Company grants employees the right to see the obtained data, to make a statement about this data and to defend themselves.

The contracts concluded between the Company and the persons to whom personal data is lawfully transferred include provisions and commitments that the persons to whom personal data is transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.

In case the processed personal data is obtained by others through unlawful means, the Company notifies the relevant person and the Board as soon as possible.

The Company conducts and commissions necessary audits to ensure the implementation of the Law within the Company. It addresses any confidentiality and security vulnerabilities identified as a result of these audits.

v TECHNICAL MEASURES

Employees are informed about the technical measures to be taken to prevent unlawful access to personal data.

  • Measures are taken in accordance with technological developments, and the measures taken are periodically updated and renewed.

Network and application security are ensured. A closed network system is used for the transfer of personal data via the network.

• Security measures are taken within the scope of information technology systems procurement, development and maintenance.

· In case personal data of employees is removed from the workplace, necessary security measures are taken and relevant employees are informed about these measures.

Access rights are limited and reviewed regularly.

The technical measures taken are checked periodically, and if they pose a risk, they are re-evaluated and the necessary technological solutions are produced.

Software and hardware including virus protection systems and firewalls are installed.

· Applications that collect personal data are regularly scanned to identify security vulnerabilities. Any vulnerabilities found are resolved.

Personal data is backed up and the security of personal data is ensured.

Cybersecurity measures have been taken and their implementation is continuously monitored.

· Sensitive personal data transferred on portable memory, CD or DVD media is encrypted.

Encryption is used for data protection.

· Confidentiality Commitments are made.

· Up-to-date anti-virus systems are used.

Personal data is destroyed in a way that is irreversible and leaves no audit trail.

14. RIGHTS OF THOSE WHOSE PERSONAL DATA IS PROCESSED AND THE EXERCISE OF THESE RIGHTS

Within the scope of Article 11 of the Personal Data Protection Law, persons whose personal data are recorded within the company have the following rights, provided that they prove their identity.

a. To learn whether your personal data is being processed,

b. To request information about the processing of personal data,

c. To learn the purpose of processing personal data and whether it is used in accordance with its purpose,

d. To know the third parties to whom personal data is transferred, either domestically or abroad,

e. If your personal data has been processed incompletely or incorrectly, to request correction of it, or to request its deletion or destruction within the framework of the conditions stipulated in Article 7 of the KVKK,

f. To request notification of the transactions made pursuant to clauses (d) and (e) above to third parties to whom personal data has been transferred,

g. To object to any adverse consequences arising from the analysis of your personal data exclusively by automated systems,

h. In case you suffer damages due to the unlawful processing of your personal data, you have the right to demand compensation for the damages.

In accordance with the first paragraph of Article 13 of the Personal Data Protection Law, a petition containing the necessary identification information for the rights mentioned above and explanations regarding the right requested to be exercised among the rights specified in Article 11 of the Personal Data Protection Law, along with identification documents (photocopy of identity card), can be delivered personally, sent by post or sent via e-mail.

* Personal data rights may only be exercised regarding personal data belonging to individuals. Requests for data belonging to individuals other than the person sending the email and attaching a photocopy of their ID will not be considered. Forms without a photocopy of their ID will not be considered.

* Application methods and addresses are clearly stated in the table below.

APPLICATION METHOD

APPLICATION ADDRESS

EXPLANATION

Personally

MACUN MAH. 190. STREET GIMAT 13. BLOCK NO 345 Y.NEIGHBORHOOD ANKARA

The applicant can apply in person by coming to the application address below with a document proving his/her identity.

By Notification Through Notary

The notification envelope must include the phrase "Request for Information within the Scope of the Personal Data Protection Law".

By registered letter with return receipt

Documents confirming your identity must be attached, and the notification envelope must include the phrase "Request for Information within the Scope of the Personal Data Protection Law."

Via Email

satis@yesilpazar.com.tr

The applicant must include the phrase "Personal Data Protection Law Information Request" in the subject section of the e-mail.

Requests included in the application will be resolved free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request, and the outcome will be notified to you in writing or electronically. If the application or request is deemed justified, the Company will act promptly. If the application or request is rejected, the relevant person will be notified in writing or electronically, with the reason for rejection as stated in the application and request petition. If the Company rejects the application or request, finds the response inadequate, or fails to provide a timely response, the relevant person has the right to file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of receiving the response to the application or request, and in any case, within 60 (sixty) days from the date of application.

15. EXCEPTIONAL CASES

For the situations listed below, which are excluded from the scope of the Personal Data Protection Law, Data Owners cannot assert their rights stipulated in the law and this policy. Therefore, our company is not obligated to fulfill requests submitted in this context.

Processing of personal data for purposes such as research, planning and statistics by making them anonymous through official statistics.

Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

Processing of personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial or execution proceedings.

According to the law, in the following cases, Personal Data Owners cannot assert their rights other than the right to demand compensation for damages:

· Personal data processing is necessary for the prevention of crime or criminal investigation.

Processing of personal data made public by the personal data owner.

· Personal data processing is necessary for the performance of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with public institution status, based on the authority granted by law.

· Personal data processing is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

The accuracy and up-to-date maintenance of data shared with our Company is important for the exercise of rights under the Personal Data Protection Law and other relevant legislation, and any liability arising from providing incorrect information belongs entirely to the Personal Data Owner.

Trade Name

YESIL PAZAR MERCHANTMENT INFORMATION AND E-COMMERCE SERVICES JOINT STOCK COMPANY

Address

Gimat 13. Block No 345 Yenimahalle / ANKARA

Central Registry Number

0950097881400001

Phone Number

0850 333 25 80

Fax Number

-

Email and KEP Addresses

satis@yesilpazar.com.tr – yesilpazar@hsol.kep.tr