KVKK

YEŞİL PAZAR PLANT PRODUCTS INDUSTRY AND TRADE INC.

LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. OBJECTIVE


According to Article 20/3 of the Constitution of the Republic of Turkey, “everyone has the right to request the protection of personal data concerning themselves. This right includes the right to be informed about personal data concerning oneself, to access this data, to request its correction or deletion, and to learn whether it is being used in accordance with its intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the individual.” In line with this, the Law No. 6698 on the Protection of Personal Data (“KVKK Law”) was enacted on April 7, 2016, in the Official Gazette No. 29677, with the aim of protecting the fundamental rights and freedoms of individuals, primarily the right to privacy, and regulating the obligations of natural and legal persons processing personal data, as well as the procedures and principles they must comply with.

YEŞİL PAZAR BİTKİSEL ÜRÜNLER SANAYİ VE TİCARET ANONİM ŞİRKETİ (“the Company”) processes, stores, and transfers all personal data obtained from customers, visitors, suppliers, employees, users of its website and network connections, and other persons it comes into contact with during its operations, in accordance with its Personal Data Protection and Processing Policy (“the Policy”).

This Policy aims to inform you about all the administrative, technical, and managerial measures we have taken regarding the processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data ("the Law"), to ensure the full compliance of our Company with the relevant legislation, and to protect all the rights of personal data owners arising from the legislation regarding personal data.

2. GENERAL PRINCIPLES TO BE FOLLOWED IN THE PROCESSING OF PERSONAL DATA

 

The company will process personal data lawfully, in accordance with the Constitution of the Republic of Turkey, the Personal Data Protection Law, and any regulations that may be issued by the Personal Data Protection Authority.

In this context, the Company will ensure and maintain lawfulness in the processing of personal data by acting in accordance with the principles stated below:

Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company adheres to the following principles when processing Personal Data:

  • Personal data is processed in accordance with relevant legal regulations and the principles of good faith.
  • Personal data is kept accurate and up-to-date. This includes carefully considering factors such as identifying the sources from which the data is obtained, verifying its accuracy, and evaluating whether it needs to be updated.
  • Personal data is processed for specific, explicit, and legitimate purposes. Legitimacy means that the personal data processed by the Company is related to and necessary for the business it conducts or the services it provides.
  • Personal data is processed by the Company only if it is relevant to the purposes defined by the Company, and the processing of personal data that is not related to or needed for the achievement of the purpose is avoided. The processing of data is limited only to what is necessary for the achievement of the purpose. In this context, the personal data processed is relevant, limited, and proportionate to the purpose for which it is processed.
  • If the relevant legislation specifies a retention period for data, these periods will be complied with; otherwise, Personal Data will only be retained for as long as necessary for the purpose for which it was processed. If there is no longer a valid reason for further retention of the Personal Data, that data will be deleted, destroyed, or anonymized.

3. GENERAL CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data may be processed only in cases prescribed by law or with the explicit consent of the individual, as stipulated in the third paragraph of Article 20 of the Constitution of the Republic of Turkey.

According to Article 5 of the Personal Data Protection Law, personal data cannot be processed without the explicit consent of the data subject. This explicit consent must be given freely, be based on informed knowledge, and relate to a specific matter.

Personal data may also be processed without explicit consent if one of the conditions listed in the second paragraph of Article 5 of the Personal Data Protection Law is met.

Accordingly;

  • If explicitly provided for in the laws

If explicitly provided for in the Personal Data Protection Law (KVK Law) and related legislation, as well as other laws and regulations, the company will process personal data even without explicit consent.

  • In cases where a person is unable to express their consent due to factual impossibility or where their consent is not legally valid, and it is necessary for the protection of their own life or the physical integrity of another person;

Personal data may be processed by the Company without explicit consent in cases where the data subject is unable to give explicit consent, or where their consent cannot be legally validated, or if it is necessary to protect the life or physical integrity of the data subject or another person.

  • If the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

Personal data may be processed by the Company without explicit consent if the processing of personal data belonging to the parties of a contract is necessary for the establishment or performance of that contract, provided that it is directly related to the contract.

  • If necessary for the Data Controller to fulfill its legal obligations

In accordance with the Personal Data Protection Law, the Company is the data controller and may process personal data without explicit consent in order to fulfill its legal obligations.

  • If the person concerned has made it public themselves

Personal data that the data subject has made public in any way may be processed without explicit consent if it is necessary for the Company's purposes and activities.

  • Data processing is necessary for the establishment, exercise, or protection of a right.

Personal data may be processed without the consent of the data subject if the processing of such data is necessary for the establishment, exercise, or protection of a right.

  • Data processing is permitted if it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

If the processing of personal data is necessary to protect the legitimate interests of the Company, and provided that it does not harm the fundamental rights and freedoms of the individual, the Company may process personal data without consent.

Personal data processed by the company is processed based on, and limited to, one or more of the conditions listed in the second paragraph of Article 5 of the Personal Data Protection Law mentioned above.

If the company determines that it needs to process personal data other than those listed above, the data will be processed only after obtaining the explicit consent of the data subject.

4. CONDITIONS FOR PROCESSING SPECIAL CATEGORY PERSONAL DATA

Personal data that is considered sensitive under the law is given special importance due to the risk of causing harm or discrimination to individuals if processed unlawfully. These "special categories" of personal data, processed by us from among the data listed in the law, include: information on race, religion, and blood type from old identity cards due to the mandatory requirement to obtain photocopies of employees' identity cards; health data resulting from legal requirements regarding workplace physicians and occupational health and safety practices; and data related to criminal convictions and security measures from criminal records included in personnel files. However, no special categories of personal data are processed for individuals to whom services are provided or goods are sold, or for members of our website.

Special categories of personal data are processed by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Board, and only if the following conditions are met:

  • Personal data of a special nature, other than health and sexual life data, may be processed without the explicit consent of our employees if it is explicitly provided for in the laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of our employees will be obtained.
  • Personal data of a special nature, excluding health and sexual life data, may be processed without explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of our employees will be obtained.

5. METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA AND LEGAL GROUNDS

Your personal data is collected and processed by our Company's Management through printed and online forms, telephone, fax, e-mail, courier, etc., electronically and/or physically, in accordance with the reasons stipulated in this policy when you contact our Company. Furthermore, your personal data is processed within the framework of the provisions regulated in Articles 5 and 6 of the Law and, where applicable, based on the legal grounds of explicit consent.

PERSONAL DATA CATEGORIES

EXPLANATION

Identity Data

Collected from employees and interns;

  • First and Last Name,
  • Turkish National Identity Number,
  • Tax Number,
  • Mother's Name - Father's Name,
  • Civil status,
  • Identity Card Serial Number,
  • Birthplace,
  • Date of birth,
  • Documents containing information such as gender, religion, and nationality, such as driver's licenses and copies of identity cards.
  • Signature/Initialing Information.
  • Photograph

Collected from individuals who purchase products or services;

  • First and Last Name,
  • Turkish Republic Identity Number,

Communication Data

Collected from employees, interns, and individuals who purchase products or services;

  • Phone Number,
  • Fax,
  • Full Address Information,
  • Registered Electronic Mail (KEP) Information
  • Email Address Information. (Including Extension Number and Corporate Email Address)

Financial Data

Data collected from customers, visitors, suppliers, subcontractors, employees of subcontractors/suppliers, shareholders, companies we cooperate with, business partners, and other third parties;

  • Financial Performance Information,
  • Asset Information,
  • Income Information,
  • Expenditure Amount,
  • Payment Information,
  • Invoice Date,
  • Bank Account Information.

Personal Data

Collected from employees and interns;

  • Payroll Information,
  • Disciplinary Investigation (minutes information)
  • Professional Qualification Certificate
  • Occupational Health and Safety Training Information
  • Service Record
  • Employment Entry Document Records,
  • Resume Information,
  • Health information (blood type, information on recently used medications (at the request of the primary employer), etc.)
  • Information on Criminal Conviction and Security Measures
  • Military Information
  • Information on entry into and exit from the country (due to the pandemic)

Personal data of all kinds, including professional experience, that forms the basis for the personal rights of natural persons.

Special categories of personal data

Collected from employees;

  • Religion Information (from old identity cards),
  • Health Information (blood type, information on recently used medications) (Related to workplace physician, occupational health and safety, and identification information)
  • Information on Criminal Conviction and Security Measures

Legal Transaction Data

Personal data processed for the purpose of determining and tracking legal receivables and rights, fulfilling debts, complying with legal obligations and company policies, and file and debt information related to enforcement proceedings (information contained in documents such as court and administrative authority decisions).

Visual/Auditory Data

Photographs collected from employees that are not included in the scope of Physical Security Information, such as passport-sized photographs and copies of identity cards (excluding records included in the Physical Security Information).

Control and Inspection Information

Personal data processed during internal or external audit activities within the scope of our company's legal obligations and compliance with company policies.

Product or Service Area Transaction Data

Data such as records of the use of products and services purchased by individuals, as well as instructions and requests related to the use of those products or services.

  • Invoice, promissory note, check information,
  • Order and Request Information,
  • Application and Complaint Forms,

Other Data

Collected from those who purchase products or services and other third parties;

  • Invoice Date,
  • Document Date,
  • Information such as Document Registration Number.

6. GROUPS OF INDIVIDUALS WHOSE PERSONAL DATA IS SUBJECT TO INFORMATION

The classification of data subjects whose personal data is processed is as follows:

PERSONAL DATA SUBJECT GROUP

EXPLANATION

Customer

Natural persons who visit the Company, its branches and stores for shopping and other purposes, whether or not they utilize its services.

Users who visit the company's website

Visitor

Individuals who visit the Company, its branches and stores for business or leisure purposes.

Users who visit the company's website

Supplier

A manufacturer that supplies products or services to the company.

Third Party

Even if not directly related to the Company's operations, beneficiaries and/or relatives of employees, visitors, etc.

Person Receiving Product or Service

People who benefit from the products or services offered by the company

7. PURPOSES OF PROCESSING PERSONAL DATA

The company processes personal data in accordance with the provisions of the Personal Data Protection Law (KVKK) and other relevant legislation, as well as this Company Policy, for the purposes and under the conditions stated below, but not limited to these.

• Planning and/or execution of employee onboarding and/or personnel processes

• Managing the application processes for job candidates

• Conducting the Selection and Placement Processes for Job Applicants / Interns / Students

• Managing employee benefits and advantages processes

• Fulfilling obligations arising from employment contracts and legal regulations for employees.

• Managing activities in accordance with legislation

• Execution of assignment processes

• Planning and/or execution of personnel assignment/promotion processes

• Planning and/or execution of activities that must be carried out within the framework of occupational health and/or safety.

• Monitoring and/or supervising employees' work activities

• Planning and/or monitoring paid/unpaid leave for employees

• Planning and/or execution of employee wages

• Planning and/or executing employee exit procedures

• Planning and/or execution of necessary operational activities related to disciplinary/ethical processes

• Conducting Audits and Ethics Activities

• Employee assignment processes, product delivery, or execution of service relationships

• Fulfilling obligations arising from employment contracts and/or legislation for employees.

• Conducting activities to ensure business continuity

• Planning and/or execution of employee payroll processes

• Identifying and calculating the incentives we can benefit from under the relevant legislation.

• Ensuring the security of company premises and/or facilities

• Monitoring legal matters, contract processes and/or legal claims, and using information regarding transaction history as evidence in disputes after the termination of a legal relationship.

• Planning and/or execution of activities related to providing and recording information or documents requested from official institutions and/or organizations.

• Ensuring the security of company assets and/or resources

• Establishment and/or management of information technology infrastructure

• Execution of access permissions

• Ensuring physical security of the premises

• Ensuring the Security of Movable Property and Resources

• Execution of Supply Chain Management Processes

• Providing Information to Authorized Persons, Institutions and Organizations

• Monitoring contract processes and/or legal claims

• Conducting activities aimed at customer satisfaction

• Execution of customer relationship management processes

• Evaluating customer requests and/or complaints collected through digital and/or other channels,

• Corporate communication and, within this scope, organizing and providing information about events, fairs, campaigns, and invitations.

• Conducting sales and marketing analysis studies and managing the marketing processes of products/services,

• Creating and tracking visitor records

• Conducting strategic planning activities

• Conducting marketing analysis studies

• Implementation of wage policy

• Managing processes related to company/product/service loyalty

• Tracking requests/complaints

• Planning and executing goods/services purchasing processes,

• Managing the Production and Operation Processes of Goods/Services

• Managing the sales processes for goods/services, and providing after-sales support services for goods and services.

• Monitoring financial and/or accounting tasks,

• Planning and/or execution of corporate governance activities,

• Planning and/or execution of inventory and/or shipment operations for our company's products,

• Planning and execution of corporate communication activities,

• Planning and/or implementation of operational and/or productivity processes,

• Conducting Internal Audit/Investigation/Intelligence Activities

• Planning and/or execution of the company's financial risk processes,

• Carrying out storage and archiving activities,

• Execution of Administrative Activities

• Execution and Supervision of Business Activities

• Receiving and evaluating suggestions for improving business processes

• Implementing Business Continuity Activities

• Customizing the products and services offered to meet demands; updating and improving them due to customer needs, legal and technical developments,

• Announcing new or existing products, services and campaigns, conducting sales and marketing activities, performing market research,

• Payment and collection of fees for products, services, and services, and selection of payment methods.

• Fulfilling the information obligations arising from the Law No. 6563 on the Regulation of Electronic Commerce and other related legislation,

• Sending advertisements for products and services that are in line with the purpose of data processing and available on Yesilpazar.com.tr to the Data Subject, and providing information about products, services, promotions and campaigns,

• Contacting Yeşil Pazar AŞ for satisfaction surveys,

• Creating participant registrations, issuing certificates/participation documents, determining award/gift recipients and delivering awards/gifts in events/trainings/competitions organized by Yeşil Pazar AŞ,

• Ensuring the consequences arising from any merger, division, or transfer of all or part of Yeşil Pazar AŞ to another company.

• Ensuring the security of Yesilpazar.com.tr and its applications,

• Creation of a personal data inventory,

8. TRANSFER OF PERSONAL DATA

Our company may transfer the personal data it collects to third parties when necessary, taking the necessary security measures for the purposes of personal data processing. In this regard, our company acts in accordance with the regulations stipulated in Articles 8 and 9 of the Law.

Even without the explicit consent of the personal data owners, if one or more of the conditions specified below are met, our Company may transfer personal data to third parties by acting in accordance with the requirements and taking all necessary security measures, including the methods foreseen by the Board.

• The relevant activities regarding the transfer of personal data must be explicitly stipulated in the laws,

• The transfer of personal data by the Company must be directly related to and necessary for the establishment or performance of a contract,

• The transfer of personal data is necessary for our Company to fulfill its legal obligations,

• Personal data may be transferred by our Company only for the purpose of making it public, provided that the data has already been made public by the data subjects.

• The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company, the data subject or third parties,

• Personal data transfer activities must be necessary for the legitimate interests of the Company, provided that this does not harm the fundamental rights and freedoms of the data subjects.

• When a person is unable to express their consent due to factual impossibility or when their consent is not legally valid, and it is necessary to protect their own life or the physical integrity of another person.

Personal data is not transferred abroad as part of our company's operations. If personal data is transferred abroad at a later date, then, in addition to the conditions stated above, it is transferred to foreign countries declared by the Board to have adequate protection (Foreign Country with Adequate Protection) or, if adequate protection is not available, to foreign countries where the data controllers in Turkey and in the relevant foreign country have provided a written guarantee of adequate protection and the Board has given its permission (Foreign Country with a Data Controller Guaranteeing Adequate Protection).

Special categories of personal data may be transferred by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Board, and only if the following conditions are met:

• Personal data of a special nature, excluding health and sexual life data, may be transferred without the explicit consent of our employees if this is explicitly provided for in the laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of our employees will be obtained.

• Special categories of personal data relating to health and sexual life may be transferred without seeking explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of our employees will be obtained.

9. STORAGE OF PERSONAL DATA

Our company retains personal data for as long as necessary for the purpose for which it was processed, and for the minimum period stipulated in the relevant legislation. If a retention period for personal data is specified in the relevant legislation, we comply with that period. If no legal period exists, personal data is retained for as long as necessary for the purpose for which it was processed.

Furthermore, even if the purpose for processing personal data has ended and the periods stipulated in the relevant laws and regulations have expired, processed personal data may only be stored for the purpose of serving as evidence in possible legal disputes or establishing a defense regarding any rights and claims that may be asserted in relation to the personal data. In determining these storage periods, even if the statute of limitations for any rights and claims that may be asserted in relation to the personal data has expired, similar rights and claims previously made against the Company will also be taken into consideration. Personal data stored within this scope will only be used when necessary for legal disputes; access to this data will not be granted for any other purpose.

10. PROCEDURES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Personal data processed by the company in accordance with the relevant laws and regulations, primarily the Constitution of the Republic of Turkey, shall be deleted, destroyed, or anonymized in accordance with Article 7 of the Personal Data Protection Law, upon a decision by the company or upon the request of the data subject, when the reasons requiring processing cease to exist or the prescribed periods expire.

During the process of deleting and destroying personal data, the company ensures that personal data is physically destroyed, securely deleted from software, and, if necessary, expertly erased in a way that makes it impossible to recover.

11. RECIPIENT GROUPS TO WHOM DATA CAN BE TRANSFERRED AND THE PURPOSES OF TRANSFER

Personal data processed by the company is transferred to the third parties listed below, limited to the purposes of processing and in accordance with the regulations stipulated in Articles 8 and 9 of the Law on the Protection of Personal Data.

People to whom data can be transferred: Natural Persons or Private Law Legal Entities

Definition: According to the relevant legislation, this refers to institutions or organizations established in accordance with specific legal conditions and operating within the framework defined by law.

• Companies we work with/receive services from within the scope of our business partnerships

• Personal data is shared with the law firm we have an agreement with for the purpose of conducting legal activities.

Purpose of Data Transfer: Personal data is shared only to a limited extent regarding matters falling within the scope of activities carried out by relevant private institutions and organizations, and for the purpose of securing the rights and benefits provided to natural persons.

People to whom data can be transferred: Authorized Public Institutions and Organizations

Definition: This refers to public institutions and organizations authorized to obtain information and documents from our company in accordance with the relevant legislation.

Courts, Tax Offices, General Directorate of Social Security, Notaries, Occupational Health and Safety Centers, etc.

Purpose of Data Transfer: Personal data is transferred only for the purpose requested by the relevant public institutions and organizations within their legal authority.

12. INFORMING THE PERSONS

In order to inform individuals whose personal data is processed by the company about the law and company policies, an "Information Text Regarding the Law on the Protection of Personal Data" has been prepared, and the necessary information is provided to the relevant individuals in accordance with the law and within the timeframes stipulated. Accordingly, all employees of the company have been informed about the law, and additional information texts have been added to their employment contracts.

The Privacy Notice includes information regarding the data controller company's name, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the data subject's rights under Article 11 of the Personal Data Protection Law.

13. MEASURES TAKEN REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the Company takes the necessary administrative and technical measures to ensure the security level of the relevant personal data to prevent unlawful processing and access, and to ensure the preservation of the data, and conducts or has conducted the necessary audits within this scope. Even though all administrative and technical measures have been taken, in the event that personal data is obtained by third parties through unlawful means, the Company will notify the relevant units of this situation as soon as possible.

ADMINISTRATIVE MEASURES

• In accordance with legal compliance requirements for personal data processing, the company designs access and authorization processes for personal data within the company, designates a limited number of individuals responsible for processing personal data, and develops practices to prevent the dissemination of data within the company. Accordingly, the company removes or restricts the access rights of employees whose access to personal data is unnecessary. The company takes the necessary physical security measures to ensure that only employees with access authorization can access personal data.

• The company takes care to ensure that those responsible for processing data are knowledgeable and experienced in the processing of personal data, and provides its personnel with the necessary training in personal data protection legislation and data security.

• The company has established and implements policies regarding access, information security, usage, storage, and disposal.

• The company has added amendments to documents regulating the relationship with its employees and containing personal data, stating that mutual compliance with the obligations stipulated in the Law for the lawful processing of personal data is required, that personal data should not be disclosed or used unlawfully, and that confidentiality obligations regarding personal data continue even after the termination of the employment contract. Failure of the employee to comply with these obligations will result in the termination of the employment contract and the application of sanctions by the Personal Data Protection Authority, which may be recouped from the individual concerned.

• Personal data of employees processed in relation to their work activities may be processed in accordance with the conditions specified in Article 5 and the principles of personal data processing stipulated in Article 4 of the Personal Data Protection Law, and for other lawful purposes. All information regarding these matters is provided through Employee Information Texts attached to the contracts concluded with the employees, and copies are given to the employees. Employees are also informed by the Company through appropriate methods if any updates are made regarding the processing of data.

• Before initiating a complaint procedure or disciplinary process against an employee based on personal data obtained as a result of processing employees' work-related activities, the company grants employees the right to view the data obtained, to comment on this data, and to defend themselves.

• Contracts concluded between the company and the individuals to whom personal data is lawfully transferred include provisions and commitments from the individuals to whom personal data is transferred, stating that they will take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.

• If personal data processed by the company is obtained by others through unlawful means, the company notifies the relevant party and the Board as soon as possible.

• The company conducts and commissions necessary audits to ensure compliance with the law within the company. It addresses any confidentiality and security vulnerabilities identified as a result of these audits.

TECHNICAL MEASURES

• Employees are informed about the technical measures to be taken to prevent unlawful access to personal data.

• Measures are being taken in line with technological developments, and these measures are periodically updated and renewed.

• Network security and application security are ensured. A closed-system network is used for the transmission of personal data over the network.

• Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.

• Necessary security measures are taken in anticipation of the possibility of employees' personal data being removed from the workplace, and relevant employees are informed about these measures.

• Access rights are restricted and regularly reviewed.

• The technical measures taken are checked periodically, and if they pose a risk, they are re-evaluated and the necessary technological solution is developed.

• Software and hardware, including antivirus systems and firewalls, are being installed.

• Applications that collect personal data undergo regular security scans to identify vulnerabilities. Any vulnerabilities found are then addressed.

• Personal data is backed up, and the security of personal data is ensured.

• Cybersecurity measures have been put in place and their implementation is continuously monitored.

• Special categories of personal data transferred via portable memory devices, CDs, and DVDs are transmitted in encrypted form.

• Encryption is used for data protection.

• Confidentiality agreements are in place.

• Up-to-date antivirus systems are used.

• Personal data is destroyed irreversibly and in a way that leaves no audit trail.

14. RIGHTS OF THOSE WHOSE PERSONAL DATA IS PROCESSED AND THE EXERCISE OF THESE RIGHTS

In accordance with Article 11 of the Law on the Protection of Personal Data, individuals whose personal data is recorded within the company have the following rights, provided they can prove their identity.

a. To learn whether your personal data is being processed,

b. To request information about the processing of your personal data, if applicable,

c. To learn the purpose of processing your personal data and whether it is being used in accordance with that purpose,

d. To know the third parties to whom your personal data is transferred, domestically or internationally,

e. To request the correction of personal data if it has been processed incompletely or incorrectly, and to request its deletion or destruction within the framework of the conditions stipulated in Article 7 of the KVKK (Law on the Protection of Personal Data),

f. To request that third parties to whom personal data has been transferred be notified of the actions taken in accordance with paragraphs (d) and (e) above,

g. To object to an outcome that is detrimental to you due to the analysis of your personal data exclusively by automated systems,

h. To claim compensation for damages if you suffer harm as a result of the unlawful processing of your personal data.

In accordance with Article 13, paragraph 1 of the Personal Data Protection Law (KVKK Law), requests to exercise the rights listed above can be submitted in person, by post, or by email, together with a request form containing the necessary identification information and a statement of the right requested under Article 11 of the KVKK Law, and identification documents (photocopy of ID).

* Rights regarding personal data can only be exercised in relation to data belonging to the individual themselves. Requests regarding data of individuals other than the person sending the email and attaching a photocopy of their ID will not be considered. Forms without an attached photocopy of an ID will not be considered.

* Application methods and addresses are clearly indicated in the table below.

| APPLICATION METHOD | APPLICATION ADDRESS | EXPLANATION |
|---|---|---|
| Personally | MACUN MAH. 190.CADDE GİMAT 13.BLOK NO 345 Y.MAHALLE ANKARA | Applicants may submit their applications in person at the following address, presenting proof of identity. |
| Notification via a Notary Public | | The notification envelope must contain the phrase "Information Request under the Law on the Protection of Personal Data". |
| By Registered Mail with Return Receipt | | Identifying documents must be attached, and the notification envelope must state "Information Request under the Law on the Protection of Personal Data". |
| Via Email | sales@yesilpazar.com.tr | The applicant must include the phrase "Information Request Regarding the Personal Data Protection Law" in the subject line of the email. |

The requests included in the application will be processed free of charge as soon as possible, and no later than 30 (thirty) days, depending on the nature of the request, and the result will be notified to you in writing or electronically. If the application and request are deemed justified by the company, the necessary action will be taken without delay. If the application and request are rejected, the reason for the rejection will be notified to the relevant person in writing or electronically, as stated in the application and request. In cases where the application and request are rejected by the company, the response is deemed insufficient, or no response is given within the specified time, the relevant person has the right to file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date they learned of the response to their application and request, and in any case within 60 (sixty) days from the date of application.

15. EXCEPTIONAL CIRCUMSTANCES

Data subjects cannot exercise their rights under the Personal Data Protection Law and this policy for the cases listed below, which are outside the scope of the Personal Data Protection Law. Therefore, our company is not obligated to fulfill requests submitted within this scope.

• Processing personal data for purposes such as research, planning, and statistics through official statistics and by anonymizing it.

• Processing of personal data for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.

• Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public safety, public order, or economic security.

• Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.

According to the law, the Data Subject cannot exercise any of their rights, except for the right to claim compensation for damages, in the following cases:

• The processing of personal data is necessary for the prevention of crime or for criminal investigation.

• Processing of personal data that has been made public by the data subject.

• Personal data processing is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, based on the authority granted by law.

• The processing of personal data is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax, and financial matters.

The accuracy and up-to-date maintenance of the data shared with our company is important for the exercise of rights under the Personal Data Protection Law and other relevant legislation, and the responsibility for any consequences arising from providing incorrect information rests entirely with the Personal Data Subject.

Trade Name: YEŞİL PAZAR PLANT PRODUCTS INDUSTRY AND TRADE INC.

Address: Gimat 13th Block No 345 Yenimahalle / ANKARA

Mersis No: 0950097881400001

Phone Number: 0850 333 25 80

Fax No.: -

Email and Registered Electronic Mail Addresses: satis@yesilpazar.com.tr – yesilpazar@hsol.kep.tr