Pdpl - Instıtunıonal

PDPL

The protection of personal data is one of the top priorities of our company, USLU SOLAR.

Our company makes every effort to comply with all applicable legislation in this regard. Our company establishes the necessary arrangements for the lawful protection and processing of personal data and sets up the necessary system to raise awareness among our employees and business partners.

Below are the information texts regarding the personal data processing activities carried out by our company and the policies our company implements under Law No. 6698, as well as the application form you can submit to our company under this law.

Personal Data Protection Law and Processing Policy

INTRODUCTION
The protection of personal data is among the most important priorities of USLU SOLAR ("USLU SOLAR" or "the Company"). Uslu Solar makes every effort to comply with all applicable legislation in this regard. This Uslu Solar Inc. Personal Data Protection and Processing Policy (" Policy ") outlines the principles adopted by our Company in conducting personal data processing activities and the fundamental principles adopted to ensure compliance with the regulations in the Law No. 6698 on the Protection of Personal Data (" Law " or " KVKK ").

1.2 Purpose
This Policy has been prepared to manage the compliance activities to be carried out by Uslu Solar in order to comply with the KVKK regarding the protection of personal data.
In line with the principles set forth in this Policy, Uslu Solar will make the necessary arrangements for the lawful protection and processing of personal data and will establish the necessary system to raise awareness among its employees and business partners on this matter.

1.3 Scope
This Policy covers the personal data of individuals whose personal data is processed by our company, including our employees, job applicants, company officials, company shareholders, customers, visitors, employees, shareholders and officials of institutions with whom we cooperate, and third parties, whether processed wholly or partially automatically or as part of any data recording system. This policy pertains to all personal data processed through non-automatic means.

1.4. Implementation and Validity of the Policy
The relevant legal regulations in force regarding the processing and protection of personal data shall primarily apply. In case of any inconsistency between the current legislation and this Policy, our Company accepts that the current legislation shall prevail.
This Policy is effective from April 1, 2020.
PROCEDURES REGARDING THE PROCESSING OF PERSONAL DATA
This policy serves as a guide for Uslu Solar on how to implement the rules stipulated in the
Personal Data Protection Law (KVKK) and related legislation. In accordance with Article 20 of the Constitution and Article 4 of the KVKK, our company processes personal data in a manner that is lawful and fair; accurate and up-to-date; with specific, clear, and legitimate purposes; and relevant, limited, and proportionate to those purposes.
PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH LEGISLATION
3.1. Processing in Accordance with the Law and the Rule of Fairness
Uslu Solar acts in accordance with the principles established by legal regulations and the general rule of trust and fairness in the processing of personal data. Within this framework, personal data is processed only to the extent required by and limited to the business activities of our Company.

3.2. Ensuring the Accuracy and Timeliness of Personal Data
Uslu Solar ensures the accuracy and timeliness of the personal data it processes, taking into account the fundamental rights of personal data owners and its legitimate interests. It takes the necessary measures in this regard.

3.3. Processing for Specific, Clear and Legitimate Purposes
Our Company clearly and precisely defines the legitimate and lawful purpose of personal data processing. Our Company processes personal data only to the extent necessary and connected with the services it provides.

3.4. Being Relevant, Limited, and Proportional to the Purpose for Which They Are Processed:
Our company processes personal data in a manner suitable for achieving the stated purposes and avoids processing personal data that is not related to or needed for the achievement of the purpose.

3.5. Retention for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed:
Our company retains personal data only for the period specified in the relevant legislation or for the period necessary for the purpose for which they are processed. In this context, our company first determines whether a retention period for personal data is stipulated in the relevant legislation; if a period is specified, it acts in accordance with that period; if no period is specified, it retains personal data for the period necessary for the purpose for which they are processed. Upon the expiration of the period or the cessation of the reasons requiring processing, personal data is deleted, destroyed, or anonymized by our company. Personal data is not retained by our company for the possibility of future use.
CONDITIONS FOR PROCESSING PERSONAL DATA
As a rule, personal data must be processed based on one or more of the conditions for processing personal data specified in Article 5 of the KVKK (Law on Protection of Personal Data). In this context, Uslu Solar evaluates whether its personal data processing activities fall within the scope of one of these conditions, and any personal data processing activities that do not rely on one of these conditions are stopped. The KVKK stipulates that special measures may be introduced for the processing of special categories of personal data. In this context, measures determined by the Board are taken when processing special categories of personal data.
Apart from the explicit consent of the personal data owner, the basis for a personal data processing activity may be only one of the conditions listed below, or more than one condition may serve as the basis for the same personal data processing activity:

Existence of Explicit Consent of the Personal Data Owner
One of the conditions for processing personal data is the explicit consent of the data owner. The explicit consent of the personal data owner must be given freely, based on informed knowledge, and relating to a specific matter. In the presence of the personal data processing conditions listed below, personal data may be processed without the need for the explicit consent of the data owner.

Explicit Provision in Law
: The processing of a data subject's personal data can only be considered fulfilled if it is explicitly provided for in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data.

Inability to Obtain Explicit Consent Due to Factual Impossibility:
If a person is unable to express their consent due to factual impossibility, or if their consent cannot be considered valid, and the processing of their personal data is necessary to protect the life or physical integrity of that person or another person, then the data subject's personal data may be processed.

Direct Relevance to the Establishment or Performance of
a Contract: This condition may be considered fulfilled if the processing of personal data is directly related to the establishment or performance of a contract to which the data subject is a party.

Fulfillment of the Company's Legal Obligations
: If the processing is necessary for our company to fulfill its legal obligations, then the data subject's personal data may be processed only for the purpose of

public
disclosure.

Data Processing is Necessary for the Establishment or Protection of a Right:
Personal data of a data subject may be processed if the processing of data is necessary for the establishment, exercise, or protection of a right.

Necessity of Data
Processing for the Legitimate Interests of Our Company: Personal data of the data subject may be processed if it is necessary for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject.

4.2. Processing of Special Categories of Personal Data :
Article 6 of the KVKK (Law on Protection of Personal Data) defines "special categories" of personal data as data that, if processed unlawfully, carries the risk of causing harm or discrimination to individuals; such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Our company acts in accordance with the regulations stipulated in the Law when processing special categories of personal data. Special categories of personal data are processed by our company in accordance with the principles stated in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Board, and only if the following conditions exist:

Special categories of personal data, other than health and sexual life data,
may be processed without the explicit consent of the data subject if this is explicitly provided for in the laws, in other words, if there is an explicit provision in the law governing the relevant activity regarding the processing of personal data. Otherwise, the explicit consent of the data subject will be obtained in order to process such special categories of personal data.

Personal data of a special category relating to health and sexual life
may be processed without explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the data subject will be obtained in order to process such special categories of personal data.

INFORMING THE DATA SUBJECT
In accordance with Article 10 of the Personal Data Protection Law (KVKK), Uslu Solar informs data subjects about how their data will be processed during the collection of personal data. Within the scope of the relevant legislation, Uslu Solar has identified all processes through which it obtains personal data, and information texts have been prepared by our company for each of these processes. Through these texts, data subjects are informed by our company about:
(i) the identity of our company as the data controller,
(ii) the purpose for which their personal data will be processed,
(iii) to whom and for what purpose their personal data may be transferred,
(iv) the method and legal grounds for our personal data collection,
(v) their rights as data subjects
.
TRANSFER OF PERSONAL DATA
Even without the explicit consent of the personal data owner, Uslu Solar may transfer personal data to third parties if one or more of the following conditions are met, provided that due diligence is exercised and all necessary security measures are taken, including methods prescribed by the Board:

The relevant activities regarding the transfer of personal data must be explicitly provided for in the laws,
The transfer of personal data by the Company must be directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is necessary for our Company to fulfill its legal obligations,
Personal data may be transferred by our Company only for the purpose of making it public, provided that the data subject has already made the data public.
The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company, the data subject or third parties,
Personal data transfer may be necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
Consent must be given in cases where the person is unable to express their consent due to factual impossibility or where their consent is not legally valid, and it is necessary to protect their own life or the life or physical integrity of another person.

Your personal data shared with our company may be transferred to foreign countries declared by the Board to have adequate protection, provided that any of the above conditions exist. If adequate protection is not available, data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have provided a written guarantee of adequate protection and the Board has given its permission, in accordance with the data transfer conditions stipulated in the legislation.

6.2. Transfer of Special Categories of Personal Data
Special categories of personal data may be transferred by our company in accordance with the principles stated in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Board, and provided that the following conditions exist:

Special categories of personal data, excluding health and sexual life data,
may be transferred without the explicit consent of the data subject if this is explicitly provided for in the laws, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject must be obtained.

Special categories of personal data relating to health and sexual life
may be transferred without explicit consent by persons or authorized institutions and organizations bound by an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the data subject will be obtained. If special categories of personal data are to be transferred abroad, in addition to the conditions mentioned above, the data will be transferred to foreign countries with adequate protection or to foreign countries where a data controller guarantees adequate protection.

6.3. Third Parties to Whom Personal Data is Transferred by Uslu Solar and the Purposes of Transfer
Our company may transfer the personal data and special categories of personal data of the data subject to third parties (third-party companies, official and private authorities, third-party individuals) in accordance with the purposes of processing personal data in compliance with the law and by taking the necessary security measures. Our company acts in accordance with the regulations stipulated in Article 8 of the Law.
In accordance with Articles 8 and 9 of the KVKK (Law on Protection of Personal Data), our company may transfer the personal data of data subjects managed by this Policy to the following categories of persons:

Uslu Solar business partners,
Uslu Solar suppliers,
legally authorized public institutions and organizations,
and legally authorized private legal entities.

People to whom data can be transferred	Definition	Purpose of Data Transfer
Business Partner	This document describes the parties with whom our company forms business partnerships for purposes such as carrying out various projects and obtaining services while conducting its commercial activities.	limited to ensuring the fulfillment of the purposes for which the business partnership was established.
Supplier	This document identifies the parties that provide services to our company on a contractual basis, in accordance with Uslu Solar's orders and instructions, while conducting our company's commercial activities.	Limited to ensuring that Uslu Solar procures services from suppliers on an outsourcing basis and that these services are necessary for Uslu Solar to carry out its commercial activities, the company may provide these services to our company.
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to obtain information and documents from Uslu Solar in accordance with the relevant legislation.	Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Law Entities	Private legal entities authorized to obtain information and documents from Uslu Solar in accordance with the relevant legislation.	limited to the purpose requested within the legal authority of the relevant private legal entities.

CATEGORIZATION AND PURPOSES OF PROCESSING PERSONAL DATA PROCESSED
BY OUR COMPANY In accordance with Article 10 of the Law and secondary legislation, and after informing the relevant individuals, our company processes personal data in line with the purposes of our company's personal data processing, based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, and in accordance with the general principles specified in the Law, primarily the principles specified in Article 4 of the Law regarding the processing of personal data. Within the framework of the purposes and conditions stated in this Policy, the categories of personal data processed and detailed information about these categories are as follows:

PERSONAL DATA CATEGORIZATION	DESCRIPTION OF PERSONAL DATA CATEGORIZATION
Identity Information	These are data containing information about a person's identity; name and surname, Turkish Republic identity number, nationality, place of birth, date of birth, gender, workplace information, registration number, tax number, title, biography, etc., as well as documents such as driver's license, professional ID, national identity card, and passport.
Contact Information	Information such as phone number, address, email address, fax number, etc.
Transaction Security Information	Your personal data (e.g., log records, IP information, authentication information) is processed to ensure our technical, administrative, legal, and commercial security during the conduct of our operations.
Transaction Information	Data such as survey information, declaration information, shopping information, call center records, membership information, and cookie records processed by our company within the scope of activities carried out by our company, in relation to the services provided, or to protect the legal and other interests of the Company and the personal data owner.
Family Members and Close Relatives Information	Information about the personal data owner's family members (e.g., spouse, mother, father, child), relatives, and other persons who can be contacted in emergency situations, processed within the scope of the activities carried out by our company, in relation to the services provided, or to protect the legal and other interests of the Company and the personal data owner.
Physical Space Security Information	Personal data relating to records and documents collected upon entry to and during stay within a physical space; camera recordings, vehicle information records, and records taken at security checkpoints, etc.
Financial Information	Personal data processed by our company, including information, documents, and records showing all financial results created according to the type of legal relationship established with the personal data owner, as well as data such as bank account number, IBAN number, income information, and debt/receivable information.
Visual/Auditory Information	Photographs and video recordings (excluding recordings covered under Physical Space Security Information) and audio recordings.
Corporate Memory Information	Memories, interviews, and other information processed within the scope of activities carried out by Uslu Solar to create our company's corporate memory.
Special Category Personal Data	Data relating to a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Legal Procedures and Compliance Information	Personal data processed for the purpose of identifying and monitoring our legal receivables and rights, fulfilling our obligations, complying with our legal responsibilities and company policies.
Audit and Inspection Information	Personal data processed in relation to our company's operational, financial, fraud and compliance audit activities.
Request/Complaint Management Information	Personal data relating to the receipt and evaluation of all requests or complaints directed to our company.

THE PURPOSES FOR PROCESSING THESE PERSONAL DATA ARE AS FOLLOWS:

MAIN OBJECTIVES (PRIMARY)	SUB-OBJECTIVES (SECONDARY)
Planning and Execution of the Company's Human Resources Policies and Processes	Execution of Personnel Recruitment Processes
Carrying out the necessary work and managing the related business processes by our relevant business units in order to perform the commercial activities conducted by the company.	Event Management
	Planning and Execution of Corporate Communication Activities
	Planning, Auditing, and Execution of Information Security Processes
	Establishment and Management of Information Technology Infrastructure
	Tracking Financial and/or Accounting Operations
	Planning and Execution of Corporate Sustainability Activities
	Planning and/or Execution of Activities for Conducting Effectiveness/Efficiency and/or Appropriateness Analyses of Business Activities
	Planning and Execution of Corporate Governance Activities
Planning and execution of the Company's Commercial and/or Business Strategies	Managing Relationships with Business Partners and/or Suppliers
	Execution of Strategic Planning Activities
Planning and Implementation of Company Human Resources Policies and Processes	Employee Request and Complaint Management
	Planning analysis and improvement activities related to company compensation management.
	Planning and supporting processes for providing employee benefits and fringe benefits to company employees.
	Providing support in planning activities related to employee wage management.
	Planning and supporting processes related to the training and career development of company employees.
	Planning and managing processes aimed at increasing employee satisfaction and commitment within the company.
	Planning and/or execution of intern and/or student recruitment, placement, and operational processes.
Managing the company's strategic human resources planning, succession planning processes, and employee performance evaluations; providing support in organizational development activities.	Managing processes related to employee performance evaluations.
	Providing support for the company's growth and succession planning activities.
	Providing support in managing the appointment and promotion processes of personnel and managers within the company.
Protecting the Trust that Uslu Solar's Reputation Has Generated in Business Life and Among Consumers	Implementing Activities to Protect the Company's Values and Reputation
	Tracking Company Customer Requests and/or Complaints
	Planning and/or Execution of Corporate Social Responsibility and/or Civil Society Activities
	Planning and Execution of Processes Aimed at Encouraging Employee Engagement and Satisfaction
Ensuring the legal, technical and commercial-business security of the Company and related persons with whom the Company has a business relationship.	Legal Affairs Monitoring
	Creating and Tracking Visitor Records
	Planning and executing the necessary operational activities to ensure that company operations are conducted in accordance with company procedures and/or relevant legislation.
	Ensuring the Security of Company Assets and/or Resources
	Ensuring the Security of Company Operations
	Providing Information to Authorized Institutions as Required by Legislation
	Performing Company and Partnership Law Transactions
	Providing support to the company in carrying out transactions under Corporate and Partnership Law.
	Ensuring that the data is accurate and up-to-date.
	Ensuring the Security of Company Premises and/or Facilities
	Planning and Execution of Company Audit Activities
Planning and Execution of Audit Activities for Uslu Solar	Providing support to the company in its fraud reporting and investigation processes.
	Planning and execution of audit activities to ensure that the company's operations are conducted in compliance with legislation.

PROVISIONS REGARDING THE PROTECTION OF PERSONAL DATA
8.1. Ensuring the Security of Personal Data
In accordance with Article 12 of the Law, our Company takes the necessary measures, according to the nature of the data to be protected, to prevent the unlawful disclosure, access, transfer, or other security deficiencies that may occur with personal data. In this context, our Company takes administrative measures and conducts or commissions audits to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Committee ("Committee").

8.2. Protection of Special Categories of Personal Data
The Law attaches special importance to certain personal data due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Uslu Solar is meticulous in protecting special categories of personal data, which are defined as "special categories" by law and processed lawfully. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully applied with regard to special categories of personal data, and necessary audits are conducted within Uslu Solar.

8.3. Increasing and Monitoring Awareness of Business Units Regarding the Protection and Processing of Personal Data
Uslu Solar ensures that necessary training is provided to business units to increase awareness regarding preventing the unlawful processing of personal data, unlawful access to personal data, and ensuring the preservation of personal data. Uslu Solar establishes the necessary systems to raise awareness among its employees regarding the protection of personal data and works with consultants when needed. Accordingly, our Company evaluates participation in relevant trainings, seminars, and information sessions, and updates and renews its training in parallel with the updating of relevant legislation.

9. STORAGE AND DESTRUCTION OF PERSONAL DATA
Our company retains personal data for the period necessary for the purpose for which it is processed and in accordance with the minimum periods stipulated in the legal regulations governing the relevant activity. In this context, our company first determines whether a retention period for personal data is stipulated in the relevant legislation, and if a period is determined, it acts accordingly. If no legal period exists, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the determined retention periods, personal data is destroyed in accordance with periodic destruction schedules or data owner requests, and using the determined destruction methods (deletion and/or destruction and/or anonymization).
In this regard, our company has prepared a Personal Data Retention and Destruction Policy, and detailed information on this subject can be found in the Uslu Solar Personal Data Retention and Destruction Policy.

10. RIGHTS OF PERSONAL DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS
Personal data subjects have the following rights:

To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.
To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
Even if personal data has been processed in accordance with the Personal Data Protection Law and other relevant laws, the data subject has the right to request the deletion or destruction of their personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom the personal data has been transferred.
The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.

10.2. Exercise of
Data Subject Rights In accordance with your legal rights listed in Article 10 of this Policy and provided for in the relevant laws and other legislation, you can submit your requests in writing to the address given above, either in person or via a notary public. Alternatively, in accordance with Article 5 of the "Notification on the Procedures and Principles for Applications to the Data Controller," you can send your requests to kvkk@uslusolar.com using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address you previously provided to our Company and which is registered in our systems .
It is not possible for third parties to make requests on behalf of data subjects. For a person other than the data subject to make a request, there must be a special power of attorney issued by the data subject to the person making the request.
Data subjects may use the "Application Form for Applications to be Made by the Data Subject to the Data Controller Pursuant to Law No. 6698 on the Protection of Personal Data" prepared by our Company to exercise their rights. The method of application is also explained in detail in this form.

11.3. Right of the Data Subject to File a Complaint with the Personal Data Protection Board
In cases where the application is rejected, the answer given is deemed insufficient, or no answer is given to the application within the specified time, the data subject may file a complaint with the Personal Data Protection Board within thirty days from the date they learn of our Company's answer, and in any case within sixty days from the date of application, in accordance with Article 14 of the Personal Data Protection Law.

11.4. Our Company's Response to Applications
As data subjects, if you submit your requests regarding your rights to our company using the methods regulated in the Personal Data Protection and Processing Policy, our company will process the request free of charge within a maximum of thirty days, depending on the nature of the request. However, a fee may be charged by the Personal Data Protection Board. If deemed necessary, our company will charge the fee specified in the tariff determined by the Personal Data Protection Board.

Personal Data Storage and Destruction Policy

PURPOSE
This Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the storage and destruction activities carried out by USLU SOLAR (“USLU SOLAR” or “the Company”) as the data controller.

As part of its legal and social responsibility, USLU SOLAR undertakes to comply with national personal data protection, processing, storage and destruction regulations within the scope of the Law No. 6698 on the Protection of Personal Data (“the Law”).
In this context, your personal data held by USLU SOLAR for any reason, including that of our employees, job applicants, customers, service providers, visitors, are stored and destroyed in accordance with the USLU SOLAR Personal Data Processing and Protection Policy and within the framework of this policy; in accordance with the Turkish Constitution, international agreements, the Law and other relevant legislation.

2. SCOPE OF THE DATA PROTECTION, STORAGE AND DESTRUCTION POLICY
This Policy applies to USLU SOLAR INC.
This Policy applies to all personal data of USLU SOLAR employees, job applicants, customers, service providers, visitors and other third parties, and to all record media and activities related to the processing of personal data owned or managed by our Company. The Policy may be

updated from time to time. Therefore, we kindly request that you regularly visit www.uslusolar.com to access the most current version of the Policy.

3. DEFINITIONS

Kanun/KVKK	Law No. 6698 on the Protection of Personal Data
Board/Institution	Personal Data Protection Board/Personal Data Protection Authority
Personal Data	Any information relating to an identified or identifiable natural person.
Contact Person	The natural person whose personal data is processed
Buyer Group	The category of natural or legal persons to whom personal data is transferred by the Data Controller.
Service Provider	A natural or legal person who provides services to our company within the framework of a specific contract.
Explicit consent	Informed and freely given consent regarding a specific matter.
Anonymizing	Making personal data impossible to link to an identified or identifiable natural person, even when combined with other data.
Deletion of Personal Data	Deletion of personal data; making personal data completely inaccessible and unusable for the Relevant Users.
Destruction of Personal Data	The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Processing of personal data	Personal data processing includes any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.
Data processor	A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
Data controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Special Category Personal Data (Sensitive Data)	Data relating to a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Obligation to Provide Information	When collecting personal data, the data controller or the person authorized by them shall inform the data subjects about: the identity of the data controller and, if applicable, their representative; the purpose for which the personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal basis for collecting personal data; and their other rights listed in Article 11 of the Law.
Data Controllers Registry Information System	The information system created and managed by the Presidency, accessible via the internet, which data controllers will use for applications to the Registry and other related transactions concerning the Registry.
Data Recording System	A data processing system where personal data is structured and processed according to specific criteria.
Personal Data Processing Inventory	An inventory created by data controllers detailing their personal data processing activities based on their business processes; associating these activities with the purposes of personal data processing, data category, recipient group to whom the data is transferred, and data subject group; and specifying the maximum period for which the personal data is necessary for the purposes for which it is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security.
Politics	Personal Data Storage and Destruction Policy
Regulations	Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017 and numbered 30224.
Destruction	Deletion, destruction, or anonymization of personal data.
Periodic Destruction	If all the conditions for processing personal data stipulated in the law cease to exist, the personal data will be deleted, destroyed, or anonymized automatically at recurring intervals as specified in the personal data retention and destruction policy.
Recording Medium	Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system.

RESPONSIBILITY AND PERSONAL DATA PROTECTION COMMITTEE
USLU SOLAR has established a Personal Data Committee ("Committee") within the company. The Committee is authorized and responsible for taking/having taken the necessary actions and supervising the processes to ensure that the data of the relevant individuals are stored and processed in accordance with the law, the Personal Data Processing and Protection Policy, and this Policy.

All USLU SOLAR employees support the Committee in the proper implementation of the technical and administrative measures taken by the Committee within the scope of the Policy.

The Committee consists of three people: a manager, an administrative expert, and a technical expert. The titles and job descriptions of the USLU SOLAR employees serving on the Committee are as follows:

UNIT	TITLE	JOB DESCRIPTION
General manager	Personal Data Protection Committee Manager	The company is responsible for directing all planning, analysis, research, and risk assessment studies in projects carried out during the compliance process; managing the processes that must be carried out in accordance with the Law, the Personal Data Processing and Protection Policy, and the Personal Data Storage and Destruction Policy; and making decisions on requests received from relevant individuals.
IT Manager Lawyer	Personal Data Protection Law Specialist (Technical and Administrative)	The Data Protection Committee is responsible for reviewing and evaluating the requests of the data subjects and reporting them to the Data Protection Committee Manager; carrying out the processes related to the data subject requests evaluated and decided upon by the Data Protection Committee Manager in accordance with the decision of the Data Protection Committee Manager; supervising the storage and destruction processes and reporting these audits to the Data Protection Committee Manager; and managing the storage and destruction processes.

Personal data held by USLU SOLAR is securely stored in accordance with the law on the following recording media, depending on the nature of the data and our legal obligations .

Electronic Environments

Non-Electronic Environments

Servers (Backup, email, database, web, file sharing, etc.)
Software (office software, portal,)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Video Recording
Personal computers (Desktop, laptop)
Cloud System (Microsoft Computer Software Services Ltd.)
Mobile devices (phones, tablets, etc.)
Optical discs (CDs, DVDs, etc.)
Removable memory devices (USB, memory card, etc.)
Printer, scanner, photocopier

Paper
Manual data recording systems (survey forms, visitor logbook)
Written, printed, and visual media

ENSURING THE SECURITY OF RECORDING MEDIA
USLU SOLAR takes all necessary technical and administrative measures to ensure the secure storage of your personal data, to prevent its unlawful processing and access, and to ensure the lawful destruction of your personal data.

6.1. Technical Measures
USLU SOLAR takes the following technical measures in the media where your personal data is stored, to the extent that they are appropriate to the nature of the data and the media in which it is kept:

System security is being improved.
Users' access to information systems is being restricted, and an access and authorization matrix is being created.
Measures are being taken to ensure the physical security of the organization's information systems equipment, software, and data.
To ensure the security of information systems against environmental threats, both hardware (access control systems allowing only authorized personnel to enter the server room, 24/7 monitoring systems, fire extinguishing systems) and software (firewalls, intrusion prevention systems, network access control, malware blocking systems, etc.) measures are taken.
According to Article 12 of the Law, all digital media in which personal data is stored shall be protected using encrypted or cryptographic methods to meet information security requirements.
Risks related to preventing the unlawful processing of personal data are identified, appropriate technical measures are taken to address these risks, and technical checks are carried out on the implemented measures.
USLU SOLAR takes the necessary measures to ensure that deleted personal data is inaccessible and unusable for the relevant users.
The Company has established a suitable system and infrastructure to notify the data subject and the Board in the event that personal data is obtained unlawfully by others.
Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up-to-date.
Passwords are used in electronic environments where personal data is processed.
Secure record-keeping (logging) systems are (partially) used in electronic environments where personal data is processed.
Data backup programs are used to ensure the secure storage of personal data.
Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
Security measures are taken in the physical environments where sensitive personal data is processed, stored and/or accessed.
Personal data is destroyed in a way that makes it irreversible and leaves no audit trace.

6.2. Administrative Measures
The administrative measures taken by USLU SOLAR regarding your processed personal data are listed below:

In order to ensure effective compliance with legislation on the protection of personal data, a Personal Data Protection Committee has been established by the Board of Directors, with ultimate responsibility resting with the Board of Directors.
An Information Security Policy has been prepared.
Compliance with GDPR obligations is periodically audited by the Internal Audit unit.
Access restrictions have been stipulated.
Data minimization has been achieved.
Data retention periods have been determined.
USLU SOLAR raises awareness among its employees through meetings and training sessions that have been/will be held.
USLU SOLAR provides its employees with training on the points to be considered during the compliance process with the Law.
USLU SOLAR's business and operational processes have been brought into compliance with the law.
The data inventory identifies the conditions under which data processing takes place.
Data protection clauses have been added to all contracts with our employees and all third parties.
Employees involved in processing sensitive personal data have received training on the security of sensitive personal data, confidentiality agreements have been signed, and the access rights of users authorized to access the data have been defined.
The USLU SOLAR website provides guidance and an application form for individuals to submit requests regarding their personal data.

EXPLANATIONS REGARDING REASONS REQUIRING STORAGE AND DESTRUCTION
Personal data belonging to employees, job applicants, visitors, and third parties with whom our company has a relationship as suppliers/service providers are stored and destroyed by USLU SOLAR in accordance with the Law, Regulations, USLU SOLAR Personal Data Protection and Processing Policy, and this Policy.
USLU SOLAR retains your personal data only for the period stipulated in the relevant legislation or for the period necessary for the purpose for which it is processed. In this context, it is first determined whether a retention period for personal data is stipulated in the relevant legislation; if a period is determined, this period is complied with; if no period is determined, personal data is stored for the period necessary for the purpose for which it is processed.

Upon the expiration of the period or the cessation of the reasons requiring processing, and unless there is a legal reason allowing for longer processing, your personal data is deleted, destroyed, or anonymized in accordance with the USLU SOLAR Policy.
All transactions carried out by our Company regarding the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for a period of at least 3 (three) years, excluding other legal obligations.

7.1. Reasons Requiring Retention

It is directly related to the formation and performance of contracts.
For the purpose of establishing, exercising or protecting a right,
Due to the necessity of preserving it for the legitimate interests of USLU SOLAR, provided that it does not harm the fundamental rights and freedoms of individuals,
In order for USLU SOLAR to fulfill its legal obligations ,
Because the storage of personal data is explicitly stipulated in the legislation;

Law No. 6698 on the Protection of Personal Data
Turkish Code of Obligations No. 6098
Social Security and General Health Insurance Law No. 5510
Occupational Health and Safety Law No. 6331
Law No. 4982 on the Right to Information
Labor Law No. 4857
Turkish Commercial Code No. 6102 and other secondary regulations in force pursuant to these laws.

Regarding storage activities that require the explicit consent of data subjects, data is stored because of the explicit consent of the data subjects.

7.2. Reasons Requiring Deletion
In accordance with the regulation, personal data belonging to data owners will be deleted, destroyed, or anonymized by USLU SOLAR ex officio or upon request in the following cases:

Amendments or repeals of relevant legal provisions forming the basis for the processing or storage of personal data,
The purpose requiring the processing or storage of personal data ceases to exist,
The cessation of the conditions requiring the processing of personal data as stipulated in Articles 5 and 6 of the Law,
In cases where the processing of personal data is carried out solely based on explicit consent, the withdrawal of consent by the data subject is prohibited.
The data controller's acceptance of the data subject's application for the deletion, destruction, or anonymization of their personal data within the framework of the rights stipulated in subparagraphs 2 (e) and (f) of Article 11 of the Law,
If the data controller rejects a request from the data subject for the deletion, destruction, or anonymization of their personal data, if the response given is deemed insufficient, or if the data controller fails to respond within the time limit stipulated in the Law; a complaint may be filed with the Board, and if this request is deemed appropriate by the Board,
Even though the maximum period requiring the retention of personal data has expired, there are no circumstances that would justify retaining personal data for a longer period.

METHODS OF
DESTROYING PERSONAL DATA At the end of the retention period stipulated in the relevant legislation or the retention period necessary for the purpose for which they were processed, personal data is destroyed by USLU SOLAR, either automatically or upon the request of the data subject, in accordance with the provisions of the relevant legislation and using the techniques specified below. 8.1. Deletion of Personal Data Deletion of personal data is the process of rendering personal data completely inaccessible and unusable. The deletion methods applied by USLU SOLAR, according to the storage media, are as follows:

Methods for Deleting Personal Data Stored in Physical Format
Blackout	Personal data in printed form is deleted using the redaction method. Redaction involves cutting out the personal data on the relevant document where possible, or, where this is not possible, rendering it invisible by using permanent ink that cannot be reversed or read using technological solutions. Personal data stored in physical form, for which the required retention period has expired, is rendered inaccessible and unusable by all employees except the unit manager responsible for the document archive. Additionally, it is blacked out by drawing over/painting over/erasing it to make it illegible.
Methods for Deleting Personal Data Stored Electronically
Safely Deleting from Software	When deleting data that is processed entirely or partially automatically and stored in digital environments, methods are used to delete the data from the relevant software in such a way that it becomes completely inaccessible and unusable for the relevant users. In a cloud system, data can be deleted by issuing a delete command; by removing the relevant user's access rights to the file or directory located on the central server; by deleting the relevant rows in databases using database commands; or by deleting data on portable media, i.e., flash drives, using appropriate software.

8.2. Destruction of Personal Data
The destruction of personal data is the process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way. The deletion methods applied by USLU SOLAR, according to the storage medium, are as follows:

Methods for Deleting Personal Data Stored in Physical Format
Physical Elimination	Personal data stored on paper is irreversibly destroyed in paper shredding machines.
Methods for Deleting Personal Data Stored Electronically
Physical Elimination	Data destruction is the process of physically destroying optical and magnetic media containing personal data, such as by melting, burning, or pulverizing them. Processes such as melting, burning, pulverizing, or grinding optical or magnetic media render the data inaccessible.

8.3. Anonymization of Personal Data
Anonymization is the process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. USLU SOLAR does not use any methods of anonymizing personal data.

9. STORAGE AND DESTRUCTION PERIODS
9.1. Storage Periods

PERIOD	STORAGE TIME
Planning and Execution of Corporate Communication Activities	Ten years following the termination of the employment relationship
Responding to court/enforcement information requests regarding personnel.	Ten years following the termination of the employment relationship
Preparation of contracts	Ten years following the termination of the employment relationship
Information contained in the job applicant's resume and job application form.	1 Year (Provided the Applicant's Explicit Consent)
Personnel data used in recruitment documents and submitted to the Social Security Institution for notifications regarding length of service and wages.	Ten years following the termination of the employment relationship
Personnel data other than those used for notifications to the Social Security Institution regarding length of service and wages, along with recruitment documents.	Ten years following the termination of the employment relationship
Occupational health and safety practices	Ten years following the termination of the employment relationship
Identity information, contact information, financial information, voice recordings of telephone calls, and Partner/Solution Partner/Consultant employee data related to the conduct of the commercial relationship between the Business Partner/Solution Partner/Consultant and USLU SOLAR.	The Partner/Solution Partner/Consultant's business/commercial relationship with USLU SOLAR shall be valid for a period of 10 years, both during and after the termination of the relationship.
Customer data includes name, surname, Turkish National Identity Number (TCKN), contact information, payment information and methods, browsing activity data, voice recordings of phone calls, product/service preferences, transaction history, and information about special occasions.	The customer has the right to a 10-year warranty from the date of delivery of each product/service purchased.
Identity information, contact information, financial information, voice recordings of telephone calls, and employee data of the institutions/companies with which USLU SOLAR collaborates, regarding the conduct of the commercial relationship between USLU SOLAR and these institutions/companies.	The institutions/firms with which USLU SOLAR collaborates shall have a warranty/commercial relationship with USLU SOLAR for the duration of that relationship and for 10 years after its termination.
Log/Recording/Tracking Systems	Ten years following the termination of the employment relationship
Payment transactions	Ten years following the termination of the employment relationship
Personnel Financing Processes	Ten years following the termination of the employment relationship
Visitor information including name, surname, Turkish National Identity Number, vehicle license plate number, camera recordings, and voice recordings of telephone calls are collected upon entry to the physical premises belonging to USLU SOLAR.	1 Year
Security Camera Footage from USLU SOLAR Buildings	15 Days

9.2. Destruction Periods
USLU SOLAR fulfills its obligation to delete, destroy, or anonymize personal data for which it is responsible pursuant to the Law, relevant legislation, USLU SOLAR Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy, during the first periodic destruction process following the date of its occurrence (at the latest within 180 days following the retention period). If the data

subject requests the deletion or destruction of their personal data by applying to USLU SOLAR pursuant to Article 13 of the Law; and if

all conditions for processing personal data have ceased to exist; USLU SOLAR will delete, destroy, or anonymize the personal data in question within 30 (thirty) days from the date of receipt of the request, explaining the reason and using an appropriate destruction method. For USLU SOLAR to be considered to have received the request, the data subject must have made the request in accordance with the Personal Data Processing and Protection Policy. USLU SOLAR will inform the data subject of the actions taken.

If all conditions for processing personal data have not ceased to exist, this request may be rejected by USLU SOLAR, with an explanation of the reasons, in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the data subject in writing or electronically within thirty days at the latest .

10. PERIODIC DESTRUCTION
Article 11, Paragraph 2 of the Regulation states: "The time interval for periodic destruction shall be determined by the data controller in the personal data retention and destruction policy. This period shall in no case exceed six months."
In accordance with the Regulation, USLU SOLAR has determined the periodic destruction period as 6 months. Accordingly, USLU SOLAR's periodic destruction processes will begin for the first time on June 30, 2020, and will be repeated every 6 (six) months. Periodic destruction will be carried out in June and December of each year.

11. PUBLICATION AND UPDATING OF THE POLICY
This Policy, prepared by USLU SOLAR, entered into force on April 1, 2020.
This Policy is also published on the Company's website at www.uslusolar.com and is accessible to personal data owners upon request. In case of any inconsistency between this Policy and the provisions of the Personal Data Protection Law (KVKK) and other relevant legislation, the provisions of the KVKK and other relevant legislation shall prevail.
This Policy will be updated as needed. In case of any changes to the Policy, the effective date and relevant articles will be updated accordingly.

Employee Information Notice

In accordance with the Law No. 6698 on the Protection of Personal Data (“the Law”), your personal data may be processed by Uslu Solar (“Uslu Solar” or “the Company”) as the data controller, within the scope described below.

1. IDENTITY OF THE DATA CONTROLLER
Uslu Solar, with respect to the personal data obtained from you, our employees, holds the title of “Data Controller” in accordance with the Law No. 6698 on the Protection of Personal Data and related regulations, and you can reach us through the contact information provided below.
Address: Organized Industrial Zone, Vali Erdoğan Cebeci Boulevard No: 40, Tekkeköy / SAMSUN
Phone : 0362 266 21
Email : kvkk@uslusolar.com

2. YOUR PERSONAL DATA PROCESSED
As an employee of our company; the personal data that you share with us during job applications, recruitment and subsequent work processes, or that may be subject to processing if necessary, are as follows:

Identity Data	Name, surname, date of birth, country of birth, city of birth, gender, marital status, nationality, Turkish Republic identity card information (excluding religious information), copy of national identity card (with the religious information section removed if present),
Communication Data	Phone number, full address, email address, internal company contact information (internal phone number, corporate email address)
Training Data	Educational Background, School and Department Graduated From, Foreign Language Proficiency, Training and Courses Attended, Computer Programming Ability
Work Experience Data	Work Experience (Company Title - Phone Number - Dates of Employment - Job Title - Salary), Internship Information, Reference Information
Financial Data and Personal Data	Financial and salary details, bank account information, payrolls, bonus entitlements, bonus amounts, file and debt information regarding enforcement proceedings, minimum living allowance information, wage slip, Social Security Institution (SGK) monthly premium and service certificate, SGK employment entry-exit declarations, and İşkur (Turkish Employment Agency) registration certificate.
Family and Relative Data	Marriage certificate, Spouse and Children's Names, Surnames, Turkish Republic Identity Numbers, Gender, Date of Birth, Relative's Name, Surname and Phone Number,
Health Data	Disability status/description/percentage, health data, blood type, medical reports, pre-employment medical report, chest X-ray, hearing test, eye test, pre-employment and periodic medical examination forms signed by the workplace physician, pregnancy status, pregnancy report, health and maternity leave information.
Data on Criminal Conviction and Security Measures	Criminal Record Check (If Explicit Consent is Given)
Visual Data	Photographs and camera recordings of the actual person.
Permission Data	Leave seniority base date, additional leave seniority days, leave group, departure/return date, days, reason for leave, health and maternity leave information.
Other	Enforcement File Information, Smoking Usage Information

PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your personal data may be processed by Uslu Solar for the following purposes only ("Purposes"): establishment of employment contracts, performance of employment contracts, fulfillment of obligations under the Labor Law, Occupational Health and Safety Law, Social Security and General Health Insurance Law and related legislation, ensuring security within the company, fulfillment of requirements arising from the performance of customer contracts, management of the company, conduct of business and implementation of company policies :

Establishment of the employment contract
Recording the documents collected from employees during the job application and interview process.
Creating personnel files,
Notifications to SGK (Social Security Institution), İŞKUR (Turkish Employment Agency), police stations, and information regarding incentives and legal obligations.
Ensuring the opening of mandatory individual retirement insurance accounts,
Ensuring that employees' entry and exit times are controlled.
Monitoring of working hours
Payment of wage garnishment deductions for employees in enforcement files.
Making legal notifications of workplace accidents.
Implementation of occupational health and safety processes.
Pre-employment medical examination,
Managing the processes related to obtaining a health report from the workplace physician.
With your consent, position changes will be made according to your assessed health condition, and in this way, job positions suitable for your health will be provided to you.
In order to ensure that our company fulfills its obligations arising from other legislation, and for the purpose of making notifications to public institutions, we request that you be grouped according to your characteristics.
Enforcement of court orders
Ensuring workplace safety
In customer complaints, the goal is to differentiate between justified and unjustified claims, increase customer satisfaction, understand customer needs, and improve customer-related processes.
Customer service quality evaluation and employee training.
Monitoring and reporting on the performance of company employees.
Making expense payments to employees
Ensuring communication with employees.
It must be confirmed that the employee to whom a vehicle is assigned or who is allowed to use it is competent to drive and has not lost their driver's license for any reason.
Providing a vehicle for the employee and arranging parking.
Business card printing service
Ensuring that packages arriving via cargo and courier services are delivered to the relevant employee.
Monitoring the use of company vehicles for employee safety and work efficiency.
Provision of transportation and travel arrangements.
Creating an employee's work email address by entering employee data into the email service provider.
Monitoring of working hours
Ensuring communication for celebratory purposes.
Planning training sessions, reporting on training activities, preparing training certificates, tracking employees who have participated in training sessions, and monitoring employee development progress as a result of the training they have received.
Ensuring quality control.
Employee leave approval, viewing remaining leave, and making leave arrangements.
Processing the termination of employees' employment.
Ensuring payroll processing is carried out.
Making salary payments to employees
Ensuring the legal and commercial security of our company and those with whom we have business relationships; defining and implementing our company's business processes and strategies.
Creating emergency lists and conducting emergency operations,
Creating emergency situation analysis reports, conducting workplace accident investigations,
In accordance with the objectives stated in your contract with our company, maintaining and improving effective employee management,
Making overseas assignments,
With your consent, we will process your photos and videos for event management, in-house training, promotional and corporate communication purposes.

TO WHOM AND FOR WHAT PURPOSE MAY THE PROCESSED PERSONAL DATA BE TRANSFERRED?
Your personal data may be transferred in accordance with the provisions regarding the transfer of personal data and its transfer abroad, as set forth in Articles 8 and 9 of the Law, and limited to the purposes stated in Article 3 of this Disclosure Statement;

For the purpose of conducting electronic correspondence (E-mail Services), this data is processed within the E-mail Program. This data is stored in the application's own data storage environment and is transferred to Microsoft Exchange (Microsoft Computer Software Services Ltd.) due to its processing in the Microsoft Exchange database.
Information regarding the identification and calculation of incentives we can benefit from under the Social Security and General Health Insurance Law can be shared with the consulting firms we work with.
Your health data may be shared with our occupational health physician so that they can provide treatment and conduct health checks.
Certain aspects of your personal data may be shared with auditing firms and information security firms for the purpose of conducting quality, confidentiality, and standards audits.
Your personal and identity information may be transferred to our Financial Advisor for the purpose of enabling them to carry out accounting and financial activities.
Your personal data may be transferred to our lawyers so that we can exercise our right of defense, and to relevant public institutions and organizations within the scope of our obligation to fulfill legal requests such as court orders or requests for evidence, provided that it is in accordance with the law and procedure.
Your Name, Surname, Turkish Republic Identity Number, and Salary Information; your salary payments can be transferred to banks.
Necessary personal data from your records may be transferred to private pension companies in order to fulfill the Company's mandatory individual pension obligations.
Your personal data will be limited to that which is necessary for the conclusion of the contract and, where necessary;

For the purpose of providing rental vehicles, with car rental companies,
In order to provide telephone lines, we are collaborating with GSM operators,
If a meal voucher is issued, it can be transferred to catering companies.
We are working with a company regarding personnel transportation services.
The information regarding business card printing can be forwarded to the company we work with.

Emergency medical interventions and the fulfillment of occupational health and safety obligations can be facilitated by transferring this information to occupational health and safety companies, hospitals, and healthcare organizations.
Software, IT support, enterprise resource planning, reporting, marketing, etc., can be transferred to our suppliers and solution partners for the purpose of performing these functions.
This information may be shared with our relevant business partners and suppliers for the purpose of providing promotions and gifts.
Provided that the employee gives their explicit consent, information about the employee can be shared with institutions and companies requesting references.
They may be transferred to public institutions and organizations in order to fulfill legal requirements and/or comply with requests from official authorities.

The transfer of your personal data to third parties by our company is carried out in accordance with the provisions of Articles 8 and 9 of the Law regarding the transfer of personal data and its transfer abroad, and all necessary technical and legal measures are taken to prevent violations of rights during the transfer of data to third parties.

Personal data transfer is carried out with the explicit consent of our employees in cases where explicit consent is required by law (except in cases where explicit consent is not required by law) and within the framework of the conditions determined by law.
The third parties to whom the data is transferred undertake to provide adequate protection to our company.

5. METHOD AND LEGAL BASIS OF COLLECTING YOUR PERSONAL DATA We collect
your personal data;

You, our employee, can provide this information through your resume, which you personally choose to share with us via the job application form or during your application process, or through other documents you share in relation to your application.
Through the security cameras we have installed in the workplace building,
To fulfill our legal obligations, we collect legal documents and notifications transmitted to us through authorized institutions and organizations.

Your personal data is collected and processed based on the legal grounds specified in Articles 5 and 6 of the Law, namely: "explicitly provided for in the laws" , "necessity for the data controller to fulfill its legal obligations " , " necessity for the establishment, exercise or protection of a right" , "necessity for the processing of personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract" , "necessity for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject", or explicit consent.

6. DATA SECURITY MEASURES
Personal data of our employees are protected and stored in accordance with the administrative and technical measures specified in the Uslu Solar Personal Data Protection Policy.
Personal data of employees kept in physical form are filed in a way that third parties cannot see them and are stored in a locked cabinet; only a limited number of Uslu Solar employees have access to records kept in physical or digital form. All personnel authorized to access the personal data of our employees declare, through a confidentiality agreement, that they will protect the confidentiality of the accessed data.

7. Retention Periods of Your Personal Data
Your personal data is collected in physical and digital environments and is kept in physical or digital environments for the duration of your employment contract and for a period of 10 (ten) years after the termination of your employment contract, in accordance with the purposes stated in Article 3 of this Disclosure Statement.

8. Rights of the Personal Data Subject as Listed in Article 11 of Law No. 6698
We inform you that as a personal data subject, you have the following rights pursuant to Article 11 of the Law:

To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.
To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
Even if personal data has been processed in accordance with Law No. 6698 and other relevant laws, you have the right to request the deletion or destruction of your personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom your personal data has been transferred.
The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
Individuals who suffer damages as a result of the unlawful processing of their personal data have the right to claim compensation for those damages.

In accordance with your legal rights listed above and stipulated in the relevant laws and other regulations, you can submit your requests in writing to the address provided above, either in person or via a notary public. Alternatively, in accordance with Article 5 of the "Notification on the Procedures and Principles for Applications to the Data Controller," you can send your requests to kvkk@uslusolar.com using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the email address you previously provided to our company and which is registered in our systems . As
data subjects, if you submit your requests regarding your rights to our company using the methods stipulated in the Personal Data Protection and Processing Policy, our company will process your request free of charge within a maximum of thirty days, depending on the nature of the request.

However, if the Personal Data Protection Board prescribes a fee, our company will charge the fee specified in the tariff determined by the Personal Data Protection Board.

Job Applicant Information Text

In accordance with the Law No. 6698 on the Protection of Personal Data (“the Law”), your personal data may be processed by Uslu Solar (“Uslu Solar” or “the Company”) as the data controller, within the scope described below.

1. IDENTITY OF THE DATA CONTROLLER
Uslu Solar, in accordance with the KVKK and related regulations, holds the title of “Data Controller” with respect to the personal data obtained from you, our job applicants, and you can reach us through the contact information below.
Address: Organized Industrial Zone, Vali Erdoğan Cebeci Boulevard No: 40, Tekkeköy / SAMSUN
Phone : 0362 266 21
Email : kvkk@uslusolar.com

2. YOUR PERSONAL DATA PROCESSED
The personal data that may be processed by us, if you share it with us or if necessary, is as follows:

Identity Data	Name, Surname, Place and Date of Birth, Marital Status,
Communication Data	Phone number, Address information
Education Data	Educational Background, School and Department Graduated From, Foreign Language Proficiency, Training and Courses Attended, Computer Programming Ability, Knowledge of Usable Technical Devices
Work Experience Data	Work Experience (Company Title - Phone Number - Dates of Employment - Job Title - Salary), Requested Salary, References, Driver's License Information, SRC Certificate
Health Data	Information on whether they have a physical disability, and whether they have experienced a serious health problem.
Military Service Data	Military Status Information
ReferenceVerisi	Reference Information: Identity Number, Workplace, Profession, and Phone Number

PURPOSES OF PROCESSING YOUR PERSONAL DATA
Your personal data may be processed by Uslu Çelik Servis Merkezi for the purposes of evaluating and finalizing your job application, planning and executing human resources policies and processes, and limited to the following purposes (“Purposes”):

We will process your applications submitted to our company and assess your suitability for the job.
Assessment of suitability for the requested position,
Managing job application and employment processes,
Ensuring communication,
If the job interview is unsuccessful, the candidate will be considered for suitable positions that may arise in the future.
Ensuring Reference Checks are Performed.
Planning and implementing our company's Human Resources and Accounting policies and processes.

TO WHOM AND FOR WHAT PURPOSES PERSONAL DATA MAY BE TRANSFERRED
Your collected personal data is processed for the purposes stated above and is not transferred to third parties.

5. METHOD AND LEGAL BASIS FOR COLLECTING YOUR PERSONAL DATA
Your personal data is collected physically during interviews by filling out job application forms, and electronically via the internet and e-mail. Your personal data is collected and processed based on the legal grounds specified in Articles 5 and 6 of the Law; namely, that it is directly related to the establishment or performance of a contract, that the processing of personal data belonging to the parties of the contract is necessary, that the processing of data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, and with explicit consent.

6. DATA SECURITY MEASURES
Information received from job applicants through physical application forms is filed in a locked cabinet, preventing third parties from seeing it. Information received electronically via the internet and email is protected and stored in accordance with the administrative and technical measures specified in our company's Personal Data Protection Policy. Only a limited number of Uslu Çelik Servis Merkezi employees have access to these records, both physically and electronically. All personnel with access to job application forms declare, through a confidentiality agreement, that they will protect the confidentiality of the accessed data.

7. RETENTION PERIOD OF YOUR PERSONAL DATA
Your personal data is collected in physical and electronic environments and, in accordance with the purposes stated in Article 3 of this Disclosure Statement, is stored in physical and electronic environments for a period of 1 (one) year, provided you have given your EXPLICIT CONSENT.

8. RIGHTS OF THE DATA SUBJECT UNDER ARTICLE 11 OF LAW NO. 6698
We inform you that as a data subject, you have the following rights pursuant to Article 11 of the Law:

To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.
To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
Even if personal data has been processed in accordance with Law No. 6698 and other relevant laws, you have the right to request the deletion or destruction of your personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom your personal data has been transferred.
The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
Individuals who suffer damages as a result of the unlawful processing of their personal data have the right to claim compensation for those damages.

In accordance with your legal rights listed above and stipulated in the relevant laws and other regulations, you can submit your requests in writing to the address given above, either in person or via a notary public. Alternatively, in accordance with Article 5 of the "Notification on the Procedures and Principles for Applications to the Data Controller," you can send your requests to kvkk@uslusolar.com using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the email address you previously provided to our company and which is registered in our systems . As
data subjects, if you submit your requests regarding your rights to our company using the methods stipulated in the Personal Data Protection and Processing Policy, our company will process the request free of charge within a maximum of thirty days, depending on the nature of the request. However, if a fee is prescribed by the Personal Data Protection Board, our company will charge the fee specified in the tariff determined by the Personal Data Protection Board.

Security Camera Recording Systems Information Text
This Privacy Notice has been prepared in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”) to inform data subjects about the procedures and principles regarding the processing of personal data collected through the Closed-Circuit Recording Systems of Security Cameras used in Uslu Solar (“Uslu Solar” or “the Company”) locations.

1. IDENTITY OF THE DATA CONTROLLER
Uslu Solar is the “Data Controller” in accordance with the KVKK and related regulations with respect to the personal data obtained from you, and you can reach us through the contact information given below.
Address: Organized Industrial Zone, Vali Erdoğan Cebeci Boulevard No: 40, Tekkeköy / SAMSUN
Phone : 0362 266 21
Email : kvkk@uslusolar.com

2. YOUR PERSONAL DATA PROCESSED
Visual data recording is done with the security cameras located in the locations belonging to our Company, but audio data (voice) recording is not done.

3. PERSONAL Purposes of Processing Your Data

Personal data collected through security cameras may be processed for the following purposes (“Purposes”) within the framework of the personal data processing conditions specified in Articles 5 and 6 of the Law:
- Ensuring the legal, technical, and commercial-business security of individuals and entities with whom our company has a business relationship.
- Within the scope of ensuring the security of our company buildings, our mission is to assist in ensuring and protecting the safety of our employees, customers, and assets, and to identify and obtain evidence of any potential legal violations.
- Conducting/supervising business activities,
- Execution of goods production and operation processes,
- Conducting internal audit/investigation activities.
- Tracking requests/complaints,
- Execution of customer relationship management processes,
1. TO WHOM AND FOR WHAT PURPOSE THE PROCESSED PERSONAL DATA MAY BE TRANSFERRED
  
  Your collected personal data may be transferred to judicial authorities or relevant law enforcement agencies in accordance with the conditions and purposes of personal data processing specified in Articles 8 and 9 of the Law, for the resolution of legal disputes or upon request as required by relevant legislation.
  
  5. METHOD AND LEGAL BASIS FOR COLLECTING YOUR PERSONAL DATA
  Your personal data collected through security cameras is processed automatically based on the legal grounds stated in Article 5 of the Law: “being necessary for the data controller to fulfill its legal obligations” and “ being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject” .
  
  6. Retention Periods of Your Personal Data
  : Your personal data is collected electronically through closed-circuit camera systems located at our company's premises and is stored digitally for a period of 15 (fifteen) days, in accordance with the purposes stated in Article 3 of this Disclosure Statement.
  
  7. ACCESS AUTHORIZATION AND DATA SECURITY MEASURES:
  Only a limited number of Uslu Solar employees have access to the records recorded and stored digitally. All personnel with access authorization to our company's security camera recordings and live camera images declare, through a confidentiality agreement, that they will protect the confidentiality of the accessed data.
  No privacy violations are committed in any way, and security purposes (such as access to restrooms) are not exceeded. In these data processing operations, the data subjects are informed by the data controller or the person authorized by them in accordance with Article 10 of the Law (a notice regarding monitoring and recording is posted at the entrances of the areas where monitoring is carried out).
  In accordance with Article 12 of the Law, all necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera surveillance activities. Access to/viewing of these recordings is only carried out by a limited number of company employees who have undertaken a confidentiality commitment, and the relevant data is recorded in a digital data recording system. In accordance with Article 12 of the Law, all necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera surveillance activities.
  
  8. RIGHTS OF THE PERSONAL DATA SUBJECT UNDER ARTICLE 11 OF LAW NO. 6698
  We inform you that as a personal data subject, you have the following rights pursuant to Article 11 of the Law:
- To find out whether your personal data is being processed,
- The right to request information regarding the processing of personal data.
- To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
- Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
- The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
- Even if personal data has been processed in accordance with Law No. 6698 and other relevant laws, you have the right to request the deletion or destruction of your personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom your personal data has been transferred.
- The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
- Individuals who suffer damages as a result of the unlawful processing of their personal data have the right to claim compensation for those damages.
In accordance with your legal rights listed above and stipulated in the relevant laws and other regulations, you can submit your requests in writing to the address given above, either in person or via a notary public. Alternatively, in accordance with Article 5 of the "Notification on the Procedures and Principles for Applications to the Data Controller," you can send your requests to kvkk@uslusolar.com using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the email address you previously provided to our company and which is registered in our systems . As
data subjects, if you submit your requests regarding your rights to our company using the methods stipulated in the Personal Data Protection and Processing Policy, our company will process the request free of charge within a maximum of thirty days, depending on the nature of the request. However, if a fee is prescribed by the Personal Data Protection Board, our company will charge the fee specified in the tariff determined by the Personal Data Protection Board.

Application Form

Regarding Applications to be Made by the Personal Data Subject to the Data Controller within the Scope of Law No. 6698 on the Protection of Personal Data

Personal data subjects, defined as data subjects in the Law No. 6698 on the Protection of Personal Data ("the Law") (hereinafter referred to as "the Applicant"), are granted the right to make certain requests regarding the processing of their personal data in Article 11 of the Law.

In accordance with the first paragraph of Article 13 of the Law, applications regarding these rights must be submitted to our Company (Uslu Solar), which is the data controller, in writing or through other methods determined by the Personal Data Protection Board ("Board").

In this context, applications to our Company in writing can be submitted by printing out this form and:
(a)  applying in person by the Applicant,
(b)  through a Notary Public,
(c)  by sending it to the Company's registered electronic mail address after signing it with a "secure electronic signature" as defined in the Electronic Signature Law No. 5070,
(d) by filling out the application form and sending it electronically to kvkk@uslusolar.com using a mobile signature or the electronic mail address previously notified to the data controller by the data subject and registered in the data controller's system.

Below is information regarding the specific channels through which written applications can be submitted to us.

Application Method	Address where the application will be submitted	Information to be Included in Application Submission
In-person application (Applicant must come in person and present identification documents)	Organized Industrial Zone, Vali Erdoğan Cebeci Boulevard No: 40, Tekkeköy / SAMSUN	The envelope should be labeled "Information Request under the Law on the Protection of Personal Data".
Notification via notary public	Organized Industrial Zone, Vali Erdoğan Cebeci Boulevard No: 40, Tekkeköy / SAMSUN	The envelope containing the notification should be marked "Information Request under the Law on the Protection of Personal Data".
Using a secure electronic signature.	kvkk@uslusolar.com	The subject line of the email should read "Information Request Regarding the Personal Data Protection Law".

Furthermore, after the other methods to be determined by the Board are announced, our Company will also announce how applications will be received through these methods. Applications submitted to us will be answered within thirty (30) days from the date the request is received by us through one of the methods described above, depending on the nature of the request, in accordance with the second paragraph of Article 13 of the Personal Data Protection Law. Our responses will be delivered to the applicant in writing or electronically, in accordance with the provisions of Article 13 of the relevant Personal Data Protection Law.

Professional Solutions with Our Expert Team Operating on the principle of renewable and sustainable energy, Uslu Solar continuously improves itself and offers all its customers valuable and high-quality solutions that generate long-term profits.

67+ Annual Industry Experience

50k Piece Solar Panel Manufacturing

35k m² Closed Production Factory

150+ Worker Full Capacity Production