Personal Data Storage and Destruction Policy - LAV Horeca
Personal Data Storage and Destruction Policy

I. Policy Purpose and Scope

Gürok Turizm ve Madencilik A.Ş. (hereinafter referred to as "Gürok"), a joint-stock company within the scope of the Turkish Commercial Code No. 6102, aims to fully comply with all legal regulations regarding the protection and lawful processing of personal data in its capacity as data controller.

The purpose of this Personal Data Storage and Destruction Policy ("Policy"), prepared within the scope of Article 16 of the Law on the Protection of Personal Data No. 6698 and Article 5 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, is to determine the required storage periods and the minimum standards to be applied in the destruction of the personal data of persons who receive products or services, employees, candidate employees and other third parties whose personal data are processed by Gürok.

This Policy constitutes the basis for the process of determining the maximum period necessary for the purpose of processing of personal data processed by the data controller Gürok and for the deletion, destruction and anonymization process.

This Policy applies to all units, processes and business relationships of Gürok with other third parties. It applies to all Company managers, employees, consultants and service providers who may collect, process or access data (including personal data and/or special personal data).

This Policy applies to all personal data and information collected by the Company. The electronic and non-electronic recording media and/or documents that contain personal data and are regulated by this Policy are as follows:

o Servers (domain, backup, email, database, web, file sharing, etc.)

o Software (office software, portal etc.)

o Information security devices (firewall, intrusion detection and prevention, log file, anti-virus, etc.)

o Personal computers (desktop, laptop)

o Mobile devices (phone, tablet, etc.)

o Optical discs (CD, DVD, Blu -Ray etc.)

o Removable memories (USB, Memory Card, Portable Memory, etc.)

o Printer, scanner, photocopier.

o Information and documents in printed media,

o Video and audio recordings,

o Data generated by physical access control systems.

II. Relevant Legislation and Other Documents

o Personal Data Protection Law No. 6698

o Regulation on the Deletion, Destruction or Anonymization of Personal Data dated 28 October 2017

o Regulation on Data Controllers Registry dated 30 December 2017

o Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation dated 10 March 2018

o Turkish Code of Obligations No. 6098

o Labor Law No. 4857

o Social Insurance and General Health Insurance Law No. 5510

o Occupational Health and Safety Law No. 6361

o Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications

o The Gürok Personal Data Protection and Processing Policy

o The Gürok Special Personal Data Processing Policy

o The Gürok Clean Desk & Clean Screen Policy

o The Gürok KVKK Related Person Application Procedure

o The Gürok Employee Communication & IT Tools Usage and Audit Procedure

III. Definitions

The terms used in this Policy have the meanings given below.

Buyer Group: Category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent on a specific subject that is based on information and expressed with free will.

Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

Relevant Person: The natural person whose personal data is processed.

Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of data.

Destruction: Deletion, destruction or anonymization of personal data.

Law or KVKK: Personal Data Protection Law No. 6698.

Recording Environment: Any environment where personal data is processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: The inventory in which data controllers record the personal data processing activities they carry out in connection with their business processes, relating them to the purposes of processing, the data category, the recipient group to which the data is transferred and the data subject group, and in which they detail the maximum period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means, or by non-automatic means provided that it is part of any data recording system.

The Board: Personal Data Protection Board.

The Authority: Personal Data Protection Authority.

Special Personal Data: Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction: The process of deleting, destroying or anonymizing personal data, specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals, where all the processing conditions for personal data specified in the Law have been eliminated.

Company or Gürok: Gürok Turizm ve Madencilik Anonim Şirketi (Gürok Tourism and Mining Joint Stock Company).

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System (VERBIS): The information system created and managed by the Authority, accessible via the internet, to be used by data controllers in applying to the Registry and in other transactions related to the Registry.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data dated 28 October 2017.

IV. General Storage Principles

Storage Period

The Company defines and updates the period definition for documents and electronic records that must be kept during the personal data retention period in the Storage and Destruction Periods Table in Annex-1 .

Unless otherwise stated in this Policy and its annexes, personal data included in the data categories in the Company Personal Data Processing Inventory are stored, as a rule, for the periods specified in Annex-1, starting from the date the relevant personal data is obtained.

Exceptionally, data retention periods may be extended in the following cases:

o In case of request in investigations or inquiries conducted by official authorities and/or in cases required by the Company's legal obligations or legal rights;

o In cases where it is necessary to exercise rights under the current legislation in litigation or other legal processes.

When determining the maximum retention period required for the purpose for which personal data is processed, the Company takes the following into consideration:

o The period accepted by general practice in the sector in which the Company operates, within the scope of the purpose of processing the relevant data category;

o The period during which the legal relationship established with the relevant person, which necessitates the processing of personal data in the relevant data category, will continue;

o The period during which the Company's legitimate interest will remain valid in accordance with the law and the rules of good faith, depending on the purpose of processing the relevant data category;

o The period during which the risks, costs and responsibilities arising from the storage of the relevant data category will legally continue, depending on the purpose of processing;

o Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up to date when necessary;

o The period during which the Company is obliged to store personal data in the relevant data category in accordance with its legal obligations;

o The limitation period determined by the Company for asserting a right related to personal data in the relevant data category.

While determining and implementing the maximum periods required for the purpose for which personal data is processed, the Company monitors whether the said periods are consistent with the information in the Company Personal Data Processing Inventory and whether the maximum periods are exceeded. For the personal data processed by the Company within the scope of its activities:

o The retention periods for each item of personal data processed in connection with the Company's processes are stated in the Personal Data Processing Inventory;

o Retention periods based on data categories are recorded in VERBIS;

o Process-based retention periods are specified in the Personal Data Storage and Destruction Policy.

If necessary, updates are made to the storage periods in question. Personal data whose storage periods have expired are automatically deleted, destroyed or anonymized.

Storage Rules and Precautions

In the process of storing personal data, the possibility of deterioration of the data medium (paper, digital, etc.) used for storing or archiving the relevant personal data is taken into account. Where personal data is stored in electronic form, access between network components is limited during the storage period and is granted only to authorized persons.

Personal data stored in devices or on paper in the Company are protected against threats such as theft or loss of these devices and papers by taking physical security measures. Similarly, physical environments where personal data is located are protected against external risks (fire, flood, etc.) with appropriate methods. Entrances to / exits from these environments are controlled.

The same level of precautions is taken for paper media, electronic media and devices located outside the Company that contain personal data belonging to the Company.

The measures taken by the Company to ensure the security of personal data processed are listed below:

o The Company takes the necessary precautions by revealing risks, threats, vulnerabilities and gaps, if any, regarding information systems through penetration tests.

o Risks and threats that may affect the continuity of information systems are constantly monitored by the Company.

o Access to information systems and authorization of users are managed through an access and authorization matrix and security definitions.

o Necessary measures are taken for the physical security of the company's IT systems equipment, software and data.

o In order to ensure the security of information systems against environmental threats, hardware (access control system that ensures only authorized personnel enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, systems that block malware, etc.) measures are taken.

o Risks to prevent unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical controls are carried out regarding the measures taken.

o Reporting and analysis studies regarding access to personal data are carried out by creating access procedures within the company.

o Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.

o The Company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.

o In case personal data is obtained by others unlawfully, the procedure in ANNEX-2 has been prepared by the Company to notify the relevant person and the Board and a system and infrastructure has been established accordingly.

o Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.

o Strong passwords are used in electronic environments where personal data is processed.

o Secure record keeping (logging) systems are used in electronic environments where personal data is processed.

o Data backup programs are used to ensure the safe storage of personal data.

o Access to personal data stored in electronic or non-electronic media is limited according to access principles.

o A separate policy called “Processing of Special Personal Data Policy” has been determined for the security of special personal data .

V. Information Security Measures

The following policies and procedures regarding information security measures, precautions and steps to be taken have been prepared within the Company and have been approved and put into effect by the Company's Board of Directors:

Policies:

1- Information Security Policy

2- Access Control Policy

3- Network Policy

4- Cryptographic Controls and Key Management Policy

5- Secure System Development Policy

6- Remote Working Policy

7- Equipment and Media Security Policy

8- Acceptable Use Policy

9- Information Exchange Policy

10- Password Management Policy

11- Physical and Environmental Security Policy

12- Privilege Rights Management Policy

Procedures

1- Asset Management Procedure

2- Incident Violation Management Procedure

3- IT Project Management Procedure

4- Social Media Usage Procedure

Forms and Other Documents

1- Data Destruction Form

2- Access Authority Matrix

3- Company Computer Allocation and Usage Instructions

4- Company Line and Telephone Allocation and Usage Instructions

VI. Destruction of Personal Data

General Conditions for Destruction of Personal Data

If the reasons requiring the processing of personal data are eliminated, personal data will be deleted, destroyed or made anonymous by the Company, either ex officio or upon the request of the relevant person. Accordingly;

o Amendment or repeal of relevant legislative provisions that form the basis for processing personal data,

o The contract between the Company and the relevant person was never established, is invalid, has automatically ended, has been terminated or has been withdrawn,

o The purpose requiring the processing of personal data disappears,

o Processing personal data is against the law or the rule of honesty,

o In cases where personal data is processed solely on the basis of explicit consent, the relevant person withdraws his/her consent,

o The Company accepts the application of the relevant person regarding the processing of personal data within the framework of his/her rights in subparagraphs (e) and (f) of Article 11 of the Law,

o In cases where the Company rejects an application by the relevant person requesting the deletion or destruction of his/her personal data, the response given is found insufficient, or the Company does not respond within the period stipulated in the Law, a complaint is made to the Board and the request is approved by the Board,

o Although the maximum period for which personal data must be stored has passed, there are no circumstances that would justify storing personal data for a longer period,

o The conditions requiring the processing of personal data in Articles 5 and 6 of the Law are eliminated,

In such cases, personal data must be deleted, destroyed or made anonymous.

Personal Data Destruction Techniques

Deletion of personal data is the process of rendering the personal data in question inaccessible and non-reusable by the relevant users in any way. The Company ensures that deleted personal data is inaccessible and non-reusable by the relevant users.

The following process is applied when deleting personal data by the Company:

o Determining the personal data that will be subject to deletion;

o Identifying the relevant users for each personal data using an access authorization and control matrix or similar system;

o Determining the authorizations and methods of the relevant users, such as access, retrieval and re-use;

o Closing and eliminating the access, retrieval and re-use authorizations and methods of the relevant users within the scope of personal data.

Depending on the recording medium, personal data is subject to deletion as follows:

o For personal data on the servers whose storage period has expired, the system administrator will delete the data by revoking the access authorization of the relevant users.

o Personal data in electronic media, whose storage period has expired, are rendered inaccessible and non-reusable by any means for employees (related users), except for the database administrator.

o Personal data kept in a physical environment, for which the period requiring storage has expired, is rendered inaccessible and non-reusable by any employee other than the unit manager responsible for the document archive. In addition, it is redacted by drawing over, painting over or erasing it so that it cannot be read.

o Personal data on removable media whose storage period has expired are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.

Destruction is the process of rendering all physical recording media suitable for storing information irretrievable and unusable.

Depending on the recording medium, personal data is subject to destruction as follows:

o Personal data on paper whose storage period has expired are destroyed irreversibly in paper shredders.

o Personal data on optical and magnetic media that have expired are physically destroyed by melting, burning or pulverizing them. In addition, magnetic media is subjected to a high magnetic field by passing it through a special device, rendering the data on it unreadable.

Anonymization of personal data is the process of making personal data incapable of being associated with an identified or identifiable natural person, even if it is matched with other data. In this context, if it is possible to understand who the data belongs to after tracking and matching it with other data, it cannot be considered that the data has been made anonymous.

Since anonymized data will no longer have the characteristics of personal data, it will not be subject to the provisions of the Law. Since data sets have the characteristics of personal data until the moment they are subject to anonymization processes, any operation performed on these data is considered as processing of personal data.

All operations regarding the deletion, destruction and anonymization of personal data are recorded and the records in question are kept for at least three years, excluding other legal obligations.

Periodic Destruction

Gürok carries out periodic destruction every 6 (six) months, counted from the first day of the relevant calendar year, in accordance with Article 11 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Within the scope of this Policy, personal data will be deleted, destroyed or anonymized in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

If the relevant person applies to the Company pursuant to Article 13 of the KVKK and requests the deletion or destruction of his/her personal data:

o If all the conditions for processing personal data have been eliminated; the Company deletes, destroys or anonymizes the personal data subject to the request. The Company finalizes the request of the relevant person within thirty days at the latest and informs the relevant person.

o If all the conditions for processing personal data have been eliminated and the personal data in question has been transferred to third parties, the Company notifies the third party of this situation; and ensures that the necessary procedures are carried out within the scope of this Policy and relevant legislation with the third party.

o If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company, explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection will be notified to the relevant person in writing or electronically within thirty days at the latest.

VII. Policy Officers

The Company designates responsible units for the implementation of this Policy. In this context, all units and employees of the Company actively support the responsible units in the due implementation of the technical and administrative measures taken within the scope of the Policy; in the training, awareness raising, monitoring and continuous supervision of unit employees; and in taking the technical and administrative measures needed to ensure data security in all environments where personal data is processed, in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data and ensure the lawful storage of personal data.

Specifically, the Human Resources Unit is responsible for ensuring that employees comply with the Policy, and the Information Technologies Unit is responsible for providing the technical solutions needed to implement the Policy; both units are also authorized and tasked with developing, executing, publishing and updating the Policy in the relevant media.

VIII. Compliance with the Policy

All Company employees are obliged to fully and duly comply with the provisions of the Policy during the processing and storage of personal data, and the said policy constitutes an integral part of the employees' employment contracts.

In the event of a violation of this Policy, the Company's management body will investigate the suspected violation and take the necessary measures. Failure to comply with this Policy may result in various negative consequences, including but not limited to loss of customer trust, litigation, loss of prestige, financial loss, damage to the Company's reputation or personal harm. Therefore, any failure to comply with this Policy may result in disciplinary proceedings against, or termination of the employment or contract of, Company employees or other relevant persons. Such a violation may also lead to legal action being taken against the persons involved.

IX. Entry into Force

This Policy, prepared by Gürok with the aim of full compliance with the current legislation on the processing of personal data, has been approved and entered into force by the decision of the Board of Directors of Gürok Turizm ve Madencilik Anonim Şirketi dated … / … /2019.

The Policy is published in two different media: printed paper and electronic media. It is disclosed to employees through an electronic medium dedicated to internal communication, and the printed paper copy is kept in the Human Resources Department. The Policy is reviewed as needed and updated by the relevant departments when necessary.

Annex-1: Storage and Destruction Periods Table

Each entry below gives the related process and data category, its storage period and an explanation.

Personal health data of employees
Storage period: 5 years from the date of termination of the employment relationship
Explanation: It is kept for 5 years during the employment contract and after its termination, in case of detection and notification of possible occupational diseases/accidents.

Recruitment files and personnel data of employees
Storage period: 20 years from the date of termination of the employment relationship
Explanation: The data used to establish the contract is kept for the duration of the service contract and for 20 years after its termination, in case of a possible service/wage determination request or a receivable claim from the Social Security Institution.

Employee candidate application forms, resumes
Storage period: 1 year from the date of application
Explanation: CVs and application forms are kept for a period of time before they become outdated, up to a maximum of 2 years.

Personal data obtained within the scope of occupational health and safety practices
Storage period: 15 years from the date of termination of the employment relationship
Explanation: It is kept for 15 years from the date of termination of the employment relationship in case of any health-related claim within the scope of the responsibilities imposed on the parties by the employment contract.

Potential customer information
Storage period: 2 years from the date of receipt of the information
Explanation: In order to establish a sales contract, the data obtained from prospective customers is kept for 2 years.

Data obtained during customer request and complaint management
Storage period: 1 year from the date of first registration
Explanation: Personal data collected for the purpose of ensuring the continuity of the service, improving its quality and evaluating the recipient's requests is stored for 1 year from the date of first registration.

Records of financial/payment transactions
Storage period: 10 years from the date of termination of the employment relationship
Explanation: Data collected to pay wages to employees under the obligations imposed on the parties by the contract is stored for 10 years.

Information shared with companies/institutions that Gürok Turizm ve Madencilik Anonim Şirketi cooperates with
Storage period: During the employment contract and 10 years from its end
Explanation: The data transferred during the employment contract is stored for the duration of the relevant employment and for 10 years after its completion, which is the contractual statute of limitations.

Personal data of contractor/subcontractor employees
Storage period: 10 years from the termination of the relevant contract
Explanation: Personal data of employees of companies that have a contractor/subcontractor relationship with the Company is kept for 10 years in accordance with the contractual relationship.

Personal data within the scope of the sales contract
Storage period: 10 years from the end of the employment relationship
Explanation: It is kept for the duration of the contractual limitation period in case of disputes that may arise from the contract.

Personal data within the scope of contracts signed with third parties
Storage period: 10 years from the end of the contract
Explanation: It is stored for the 10-year statute of limitations period arising from the contractual relationship.

Security camera recordings
Storage period: 180 days
Explanation: In order to ensure workplace safety, it is kept for six months, taking into account the complaint period.

Registration of visitors and meeting participants
Storage period: 2 years following the end of the event
Explanation: The data received is kept for 2 years, which is the statute of limitations for torts, against any negative situations that may occur within the Company for security reasons.

Data obtained within the scope of vehicle allocation to employees
Storage period: 5 years following the termination of the employment contract
Explanation: Personal data collected to supply vehicles to employees in order to fulfill obligations arising from the employment relationship is stored for 5 years, which is the statute of limitations for wage receivables.

Data on wireless internet service usage
Storage period: 2 years from the date of first registration
Explanation: The data obtained to provide internet access service is stored for 2 years as required by law.

Data kept within the scope of log record tracking systems
Storage period: 2 years from the date of registration
Explanation: Personal data obtained in order to provide internet access service in a secure environment is stored for 2 years in accordance with the law.

Data received from guests of Gül Palas and Ali Bey Hotels & Resorts for hotel reservations/registrations
Storage period: 10 years from the end of the service relationship
Explanation: Identity and contact information obtained within the scope of accommodation services is kept for 10 years, which is the contractual statute of limitations.

Data received from guests of Gül Palas and Ali Bey Hotels & Resorts for hotel organizations
Storage period: 10 years from the end of the service relationship
Explanation: In order to meet the demands of hotel guests with the services provided, the data received within the scope of the contract is kept for 10 years.

Annex-2: Personal Data Breach Notification Procedure

The phrase "as soon as possible" in the provision of paragraph (5) of Article 12 of the Law ("In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible…") is interpreted as 72 hours.

In this context, Gürok will notify the Board without delay and within 72 hours at the latest from the date it learns of the breach in question. Once Gürok has determined the persons affected by the data breach, the relevant persons will be notified within the shortest reasonable period by appropriate means: directly, if the contact address of the relevant person can be reached, or by publishing the notification on the data controller's own website if it cannot be reached.

If Gürok fails to notify the Board within 72 hours for a justified reason, the reasons for the delay will be explained to the Board along with the notification.

The "Personal Data Breach Notification Form" on the Board's website will be used for notification to the Board. In cases where it is not possible to provide all the information on the form at the same time, this information will be provided to the Board in stages without any delay.

Data breaches experienced by Gürok will be recorded and made available for review by the Board.

If personal data processed by a data processor on behalf of Gürok is obtained by others through illegal means, arrangements are made for the data processor to notify Gürok without any delay.

In the event of a data breach, the Information Technologies unit informs the company units affected by the breach and prepares a report on the possible consequences. It prepares a response plan regarding the precautions to be taken and the steps to be taken and puts it into action.