KVKK Information Text

KVKK CLARIFICATION TEXT

CUSTOMER INFORMATION NOTICE ON THE PROTECTION OF PERSONAL DATA

Data Controller: FORECO MÜHENDİSLİK SAN. VE TİCARET LİMİTED ŞİRKETİ
Address: 23 NİSAN MAHALLESİ ATA BULVARI GİZEMLER PLAZA 3 NO.5 İÇ KAPI 4, NİLÜFER, BURSA, TÜRKİYE
Phone: +90 224 502 71 33
Website: www.foreco.com.tr
E-mail: info@foreco.com.tr
Mersis No: 0388161990300001

This Clarification Text has been prepared and published by FORECO MÜHENDİSLİK SAN. VE TİCARET LİMİTED ŞİRKETİ (“Company”), in accordance with Article 10 of the Personal Data Protection Law No. 6698 (“KVKK”) and the Communiqué on the Principles and Procedures to be Followed in the Fulfillment of the Obligation to Inform (“Communiqué”), to inform our customers regarding the procedures and principles to be followed in the protection of personal data in relation to the Company.

According to Article 10 of KVKK: “At the time personal data is obtained, the data controller or the person authorized by it shall provide the data subject with information regarding: the identity of the data controller and its representative, if any; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal grounds of collection of personal data; and the rights specified in Article 11.”

DEFINITIONS UNDER THE LAW

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, wholly or partly by automated means or otherwise, as part of a data recording system, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system. In this context, the data controller is FORECO MÜHENDİSLİK SAN. VE TİCARET LİMİTED ŞİRKETİ, located at the address stated above.

Data Recording System (VERBIS): The system in which personal data is processed and structured according to specific criteria.

Explicit Consent: Freely given, specific, informed, and unambiguous consent of the data subject.

Board: Refers to the Personal Data Protection Board.

CUSTOMER PERSONAL DATA

The personal data of customers may be processed by our Company for the purposes and under the conditions set forth in this Clarification Text. Personal data subject to processing includes:

Identity Data: Name, surname, parents’ names, date of birth, Turkish ID number, gender, marital status, ID card serial number, job title and position, company information, company title, address, tax ID number, contact details, and authorized personnel information.

Contact Data: Phone number, e-mail address, postal address, internal corporate communication details (corporate phone, extension, corporate e-mail, registered e-mail address).

Financial Data: Bank IBAN, fees and details, debt information.

Visual and Audio Data: Photographs, camera recordings of individuals.

Other Data: Invoice, promissory note, and cheque details, order history, IP address, website log-in and log-out information, handwriting and signature, request and complaint details.

PURPOSES OF PERSONAL DATA PROCESSING


In accordance with Article 10 of KVKK and Article 5 of the Communiqué, and in line with the data processing conditions specified in Article 4 of KVKK, customer personal data may be processed for the following purposes:

- Fulfilling obligations arising from service agreements;
- Ensuring legal and commercial security of individuals in contact with our Company;
- Informing about changes in service terms;
- Resolving customer complaints and processing access or correction requests;
- Preparing all records and documents in physical or electronic format forming the basis of processing;
- Managing contractual processes under the Code of Obligations, Commercial Code, and other legislation;
- Carrying out sponsorship activities;
- Complying with legal obligations and exercising rights granted under applicable legislation;
- Providing information to authorized persons, institutions, and organizations;
- Managing emergency processes;
- Conducting communication, accounting, and finance operations;
- Organizing and managing events;
- Ensuring information security processes;
- Managing storage and archiving;
- Ensuring physical space security.


METHOD AND LEGAL BASIS OF COLLECTING PERSONAL DATA


Personal data may be collected directly from the data subject during the establishment of a legal relationship, from third parties, or from legal authorities. Data may be collected verbally, in writing, or electronically through contracts, emails, application forms, and communication with our Company.

Under Article 5 of KVKK, personal data cannot be processed without explicit consent, except for specific cases stipulated in the law, such as:
- Where clearly provided by law;
- Where necessary for the establishment or performance of a contract;
- Where required to fulfill legal obligations;
- Where made public by the data subject;
- Where necessary for the establishment, exercise, or defense of a legal right;
- Where processing is necessary for legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

Our Company processes personal data in accordance with the legal grounds stated above, KVKK Articles 5 and 6, and other applicable regulations, to fulfill the purposes outlined in this Clarification Text.

TRANSFER OF PERSONAL DATA

Personal data of customers may be shared with:
- Suppliers,
- Shareholders,
- Authorized dealers,
- Private legal entities providing services (audit, event, legal, etc.),
- Independent audit firms,
- Financial institutions,
- Direct and indirect affiliates,
- Domestic and international business partners,
- Storage, archiving, IT support providers (server, hosting, software, cloud computing) located within or outside Türkiye,
- Legally authorized public institutions,

provided that sufficient and effective security measures are taken as per Articles 8 and 9 of KVKK and relevant regulations.

DATA RETENTION PERIOD

Your personal data processed for the purposes stated in this Clarification Text shall be retained as long as necessary to fulfill such purposes. When the purpose no longer exists and/or the statute of limitations required by law expires, your data shall be deleted, destroyed, or anonymized in accordance with our Personal Data Retention and Disposal Policy under Article 7 of KVKK.

HOW WE PROTECT DATA

FORECO MÜHENDİSLİK SAN. VE TİCARET LTD. ŞTİ. implements necessary technical and administrative measures to ensure the security of collected personal data. Measures comply with the Personal Data Security Guide published by the KVKK Board, ISO/IEC 27001 Information Security, ISO/IEC 27017 Cloud Security, ISO/IEC 27701 Privacy Information Management standards, and the EU GDPR to prevent unauthorized access, misuse, disclosure, or alteration.

DATA SUBJECT RIGHTS

Data subjects are entitled to the following rights:
- To learn whether their personal data is processed;
- To request information if their data has been processed;
- To learn the purpose of processing and whether it is used accordingly;
- To know the third parties to whom data is transferred domestically or abroad;
- To request correction if data is incomplete or incorrect;
- To request deletion or destruction of data under KVKK and other applicable laws;
- To request notification of rectification, deletion, or destruction to third parties;
- To object to any adverse outcome through automated systems;
- To seek compensation in case of unlawful data processing.

EXCEPTIONS TO APPLICATION RIGHTS

Under Article 28/2 of KVKK, data subjects may not exercise the rights specified in Article 11, except for the right to claim damages, in the following cases:
- If personal data is processed for the prevention of a crime or for criminal investigation;
- If the data has been made public by the data subject themselves.

Data subjects may apply to exercise their rights in accordance with the procedures set forth in the Communiqué on Application Procedures to Data Controllers. Applications may be submitted by filling out the form available at www.foreco.com.tr and using one of the following methods:

1. Written Application:
Personally signed application or via notary to:
Address: 23 NİSAN MAHALLESİ ATA BULVARI GİZEMLER PLAZA 3 NO.5 İÇ KAPI 4 NİLÜFER BURSA TÜRKİYE
Envelope must state: “Information Request within the Scope of the Law on the Protection of Personal Data”

2. Registered Email Application (from registered address in Company systems):
To: info@foreco.com.tr
Subject line: “Information Request Regarding Personal Data Protection Law”

3. Application via Email Not Registered in Company Systems (with mobile or e-signature):
To: info@foreco.com.tr
Subject line: “Information Request Regarding Personal Data Protection Law”

Responses will be provided in writing or electronically within 30 days in accordance with Article 13 of KVKK. If the request is accepted, it will be fulfilled without delay.

FEES

If the response to your application is provided in writing, no fee shall be charged for up to ten pages. A processing fee of 1 TRY per page may be charged for requests exceeding ten pages. If the response is provided on a CD or flash drive, the cost of such medium may be charged.