1. Purpose

ARTIM METAL INDUSTRY AND TRADE INC. (hereinafter referred to as "ARTIM METAL") prioritizes the processing of personal data of real persons, including our customers, suppliers, and employees, in accordance with the Constitution of the Republic of Turkey, international conventions on human rights to which our country is a party, and primarily the Law No. 6698 on the Protection of Personal Data ("KVKK"), as well as ensuring that the rights of individuals whose data is processed are effectively exercised.

Accordingly, including but not limited to, all personal data obtained automatically or through non-automatic means as part of any data recording system during our activities—pertaining to our employees, suppliers, customers, users visiting our website, and all real persons we interact with—are processed, stored, and transferred in accordance with the ARTIM METAL Personal Data Protection and Processing Policy (hereinafter referred to as the "Policy").

The protection of personal data and the safeguarding of the fundamental rights and freedoms of individuals whose personal data is collected constitute the core principle of our policy. Therefore, we conduct all our activities while respecting the privacy of personal life, confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies. We take all administrative and technical measures required by the legislation and current technology to protect personal data, tailored to the nature of the data.

This Policy outlines the methods we follow for the processing, storage, transfer, and deletion of personal data shared during our commercial or social responsibility activities, in line with the principles set forth in the KVKK.

2. Scope

All personal data processed by the Company, including that of our customers, business contacts, business partners, employees, suppliers, potential customers, and other third parties, fall within the scope of this Policy.

Our Policy is applied to all activities related to the processing of personal data owned or managed by the Company and has been prepared by taking into account the KVKK, other relevant legislation on personal data, and international standards in this field.

3. Definitions and Abbreviations

This section briefly explains the specific terms, expressions, concepts, and abbreviations used in the Policy.

• Company: ARTIM METAL INDUSTRY AND TRADE INC.
• Explicit Consent: Consent given for a specific matter, based on information and free will, expressed clearly without any doubt, and limited to that specific transaction.
• Employee: Company personnel.
• Personal Data Subject (Data Subject): The real person whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable real person.
• Sensitive Personal Data: Data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
• Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing its use, whether fully or partially automated or non-automated as part of any data recording system.
• Data Processor: A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
• Data Controller: A real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
• KVK Board: Personal Data Protection Board.
• KVK Authority: Personal Data Protection Authority.
• KVKK: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, numbered 29677.
• Policy: ARTIM METAL INDUSTRY AND TRADE INC. Personal Data Protection, Processing, and Privacy Policy.

4. Duties and Responsibilities

Personal Data Protection Committee

The Personal Data Protection Committee, established within ARTIM METAL and consisting of representatives from Human Resources, Accounting, IT, Quality, Sales Departments, and Senior Management, is responsible for drafting and keeping this Policy up to date. In the event of detecting any behavior contrary to the principles set out in this Policy, the Personal Data Protection Committee evaluates the situation in accordance with the Personal Data Breach Incident Management Procedure.

5. Legal Obligations

Our legal obligations as a data controller under the KVKK regarding the protection and processing of personal data are listed below:

5.1 Our Obligation to Inform

As a data controller, when collecting personal data, we are obliged to inform the Data Subject about:

• The purposes for which your personal data will be processed,
• Our identity and, if applicable, the identity of our representative,
• To whom and for what purposes your processed personal data may be transferred,
• Our method and legal basis for collecting the data,
• Rights arising from the law.

As a company, we ensure that this Policy, which is publicly available, is clear, understandable, and easily accessible.

5.2 Our Obligation to Ensure Data Security

As a data controller, we take the administrative and technical measures stipulated by the legislation to ensure the security of personal data under our responsibility. Our obligations and measures regarding data security are detailed in Sections 9 and 10 of this Policy.

6. Classification of Personal Data

6.1 Personal Data

Personal data refers to any information relating to an identified or identifiable real person. The protection of personal data applies only to real persons, and information pertaining to legal entities that does not contain information about real persons is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2 Sensitive Personal Data

Data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data, are considered sensitive personal data.

7. Processing of Personal Data

7.1 Principles for Processing Personal Data

We process personal data in accordance with the principles listed below:

7.1.1 Processing in Compliance with Law and Good Faith

We process personal data in accordance with the principles of good faith, transparency, and our obligation to inform.

7.1.2 Ensuring Personal Data is Accurate and Up-to-Date When Necessary

We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also provide the Personal Data Subject with the opportunity to update their data and request corrections for any errors in the processed data.

7.1.3 Processing for Specific, Explicit, and Legitimate Purposes

As a company, we process personal data within the scope and content clearly defined for legitimate purposes determined in line with the legislation and the ordinary course of commercial life to carry out our activities.

7.1.4 Personal Data Being Relevant, Limited, and Proportionate to the Purpose of Processing

We process personal data in a manner that is relevant, limited, and proportionate to the clearly defined purpose. We avoid processing personal data that is irrelevant or unnecessary for the purpose. Therefore, unless required by law, we do not process sensitive personal data or, when necessary, we obtain explicit consent.

7.1.5 Retention of Personal Data for the Period Stipulated by Legal Regulations or Required for the Purpose of Processing

Many regulations in the legislation mandate the retention of personal data for a specific period. Therefore, we retain the personal data we process for the duration stipulated by the relevant legislation or as necessary for the purposes of processing. Upon the expiration of the retention period specified in the legislation or when the purpose of processing no longer exists, we delete or destroy the personal data. The principles and procedures regarding retention periods are detailed in Section 9.1 of this Policy.

7.2 Obtaining Explicit Consent for Processing Data of the Data Subject

We obtain the explicit consent of the Data Subject, except in cases specified in the Law where explicit consent is not required.

7.3 Purposes of Processing Personal Data

As a company, we process personal data for purposes including, but not limited to, the following:

• Conducting our activities,
• Determining, planning, and executing human resources policies,
• Providing support services to customers within the scope of contracts and service standards,
• Identifying the preferences and needs of our customers to shape and update the services provided accordingly,
• Ensuring compliance with legal obligations as required or mandated by legal regulations,
• Conducting market research and statistical studies,
• Organizing surveys, competitions, campaigns, promotions, and sponsorships,
• Evaluating job applications,
• Maintaining communication with individuals in business relationships with the Company,
• Monitoring marketing processes,
• Managing compliance,
• Managing vendor/supplier relationships,
• Planning and executing advertising and promotional activities,
• Legal reporting,
• Invoicing,
• Planning commercial and business strategies,
• Managing relationships with business partners/suppliers.

7.4 Processing of Sensitive Personal Data

Sensitive personal data is processed by us in cases where it is required by law, with the administrative and technical measures stipulated by the KVK Board, and with explicit consent or when mandated by legislation.

Sensitive personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations under an obligation of confidentiality for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as planning and managing healthcare services and their financing. Therefore, we do not process such data except for that of our employees. Such data pertaining to our employees may be processed by persons specified in the law.

7.5 Processing of Personal Data Collected Through Cookies on Our Website

We use cookies to improve the functionality and usage of our website and to make the time you spend on our site more efficient and enjoyable. Additionally, we use certain cookies to remember your preferences on our website, thereby providing you with an enhanced and personalized experience.

7.6 Processing of Personal Data for Human Resources and Employment Purposes

During the application process as a job candidate, we process, store, and transfer the personal data you share with us in documents such as resumes and diplomas for the purpose of evaluating your job application. The processing, transfer, and storage of personal data shared by job candidates are governed by this Policy and the Personal Data Protection Policy for Candidate Employees.

7.7 Exceptional Cases Where Explicit Consent is Not Required for Processing Personal Data

We may process personal data without obtaining explicit consent in the following exceptional cases arising from the law:

• Where explicitly stipulated by laws,
• Where it is necessary to process personal data of the parties to a contract, provided it is directly related to the establishment or performance of the contract,
• Where it is mandatory for the establishment, exercise, or protection of a right,
• Where it is mandatory for our legitimate interests as the data controller, provided it does not harm fundamental rights and freedoms,
• Where it is mandatory to fulfill any legal obligation as the data controller,
• Where it is necessary to protect the life or physical integrity of the person or another individual who is unable to express consent due to actual impossibility or whose consent is not legally valid,
• Where the data has been made public by the Data Subject themselves.

8. Transfer of Personal Data

8.1 Transfer of Personal Data Within the Country

As a company, we act in accordance with the provisions of the KVKK and the decisions and regulations of the KVK Board regarding the transfer of personal data.

Except in exceptional cases provided by the legislation, personal data and sensitive personal data are not transferred to other real or legal persons by us without the explicit consent of the Data Subject or, if the Data Subject is under 18 years of age, without the explicit consent of their guardian or legal representative.

In exceptional cases stipulated by the KVKK and other legislation, data may be transferred to administrative or judicial institutions or organizations authorized by law without the explicit consent of the Data Subject or their guardian or legal representative, within the limits and manner prescribed by the legislation.

8.2 Transfer of Personal Data Abroad

Personal data may be transferred to countries deemed to have adequate protection under the conditions specified in the Law, provided the explicit consent of the Data Subject is obtained. In cases where adequate protection is not available, transfers may be made to foreign countries where the data controllers in Turkey and the relevant foreign country provide a written commitment to adequate protection and the KVK Board grants permission, in accordance with the data transfer conditions stipulated by the legislation.

8.3 Institutions and Organizations to Which Personal Data is Transferred

Personal data may be transferred, including but not limited to:

• Our suppliers,
• Our business partners and business contacts,
• Our company’s affiliates and group companies,
• Legally authorized public institutions and organizations,
• Legally authorized private legal entities,
• Individuals or third parties from whom services are received, or consultants, organizations, or authorities with whom we collaborate,
• Our shareholders,

in accordance with the principles and rules explained above and the conditions and purposes specified in Articles 8 and 9 of the Law.

8.4 Measures Taken to Ensure Lawful Transfer of Personal Data

8.4.1 Technical Measures

• We establish the internal technical organization to process and store personal data in compliance with the legislation,
• We create the technical infrastructure to ensure the security of the databases where your personal data is stored,
• We monitor and audit the processes of the established technical infrastructure,
• We establish procedures for reporting the technical measures and audit processes we implement,
• We periodically update and renew technical measures,
• We re-evaluate risky situations and produce necessary technological solutions,
• We use virus protection systems, firewalls, and similar software or hardware security products and establish security systems in line with technological developments,
• We employ staff specialized in technical matters.

8.4.2 Administrative Measures

• We establish access policies and procedures for personal data, including for our company and affiliate employees,
• We inform and train our employees on the lawful protection and processing of personal data,
• In contracts with our employees and/or in the Policies we establish, we document the measures to be taken in cases where personal data is processed unlawfully by our employees,
• We supervise the personal data processing activities of the data processors we work with or their partners.

9. Retention of Personal Data

9.1 Retention of Personal Data for the Period Stipulated by Relevant Legislation or Required for the Purpose of Processing

We retain personal data for the duration stipulated by the relevant legislation, provided such periods are reserved, or for as long as necessary for the purpose of processing the personal data.

In cases where we process personal data for multiple purposes, the data is deleted or destroyed upon the disappearance of the processing purposes or upon the request of the Data Subject or, if the Data Subject is under 18 years of age, their guardian or legal representative, provided there is no legal impediment under the legislation. The provisions of the legislation and the decisions of the KVK Board are complied with regarding deletion or destruction.

9.2 Measures Taken Regarding the Retention of Personal Data

9.2.1 Technical Measures

• We establish technical infrastructures and related audit mechanisms for the deletion and destruction of personal data,
• We take necessary measures to ensure the secure retention of personal data,
• We employ staff with technical expertise,
• We develop business continuity and emergency plans to address potential risks and establish systems for their implementation,
• We establish security systems for data retention areas in line with technological developments.

9.2.2 Administrative Measures

• We inform our employees about technical and administrative risks related to the retention of personal data to raise awareness,
• In cases where we collaborate with third parties for the retention of personal data, we include provisions in contracts with these companies to ensure that the persons to whom the personal data is transferred take the necessary security measures for the protection and secure retention of the transferred personal data.

10. Security of Personal Data

10.1 Our Obligations Regarding the Security of Personal Data

We take administrative and technical measures based on technological capabilities and implementation costs to ensure:

• The prevention of unlawful processing of personal data,
• The prevention of unlawful access to personal data,
• The lawful retention of personal data.

10.2 Measures Taken to Prevent Unlawful Processing of Personal Data

• We conduct and have conducted necessary audits within our company,
• We train and inform our employees about the lawful processing of personal data,
• We evaluate the activities carried out by our company in detail across all business units and process personal data specifically for the commercial activities conducted by the relevant units based on this evaluation,
• In cases where we collaborate with third parties for the processing of personal data, we include provisions in contracts with these companies to ensure that the persons processing personal data take the necessary security measures,
• In the event of unlawful disclosure or data leakage of personal data, we notify the KVK Board and conduct the investigations and take the measures stipulated by the legislation.

10.2.1 Technical and Administrative Measures to Prevent Unlawful Access to Personal Data

• We employ staff with technical expertise,
• We periodically update and renew technical measures,
• We establish access authorization procedures within our company,
• We establish procedures for reporting the technical measures and audit processes we implement,
• We create and periodically audit the data recording systems used within our company in compliance with the legislation,
• We develop emergency assistance plans for potential risks and establish systems for their implementation,
• We train and inform our employees on access to personal data and authorization matters,
• In cases where we collaborate with third parties for activities such as the processing and retention of personal data, we include provisions in contracts with these companies to ensure that the persons accessing personal data take the necessary security measures,
• We establish security systems in line with technological developments to prevent unlawful access to personal data.

10.2.2 Measures Taken in Case of Unlawful Disclosure of Personal Data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update these measures in accordance with the relevant procedures. If we detect that personal data has been disclosed without authorization, we establish systems and infrastructures to notify the Data Subject or, if the Data Subject is under 18 years of age, their guardian or legal representative, and the KVK Board.

Despite all administrative and technical measures taken, if an unlawful disclosure occurs, the KVK Board may, if deemed necessary, announce this situation on its website or through another method.

11. Rights of the Personal Data Subject

We inform the Personal Data Subject within the scope of our obligation to inform and establish systems and infrastructures for this purpose. We make the necessary technical and administrative arrangements to enable the Personal Data Subject to exercise their rights regarding their personal data.

The Personal Data Subject has the following rights regarding their personal data:

• To learn whether their personal data is being processed,
• To request information if their personal data has been processed,
• To learn the purpose of processing their personal data and whether it is used in accordance with that purpose,
• To know the third parties to whom their personal data is transferred domestically or abroad,
• To request the correction of their personal data if it is incomplete or incorrectly processed,
• To request the deletion or destruction of their personal data if the reasons requiring its processing no longer exist,
• To request that the correction, deletion, or destruction operations mentioned above be notified to third parties to whom the personal data has been transferred,
• To object to any result arising against them due to the analysis of processed data exclusively through automated systems,
• To demand compensation for damages in case of harm due to the unlawful processing of their personal data.

11.1 Exercising Rights Regarding Personal Data

The Personal Data Subject may submit their request regarding their personal data using the method determined by the KVK Board, if specified, or by sending it to elk.kisiselverilerim@artimmetal.com using the “KVKK Application Form” available on our website, in writing with a wet signature, or to our registered electronic mail address artimmetal@hs01.kep.tr with a secure electronic signature.

For the Personal Data Subject to exercise the rights mentioned above, the application must include explanations regarding the right they wish to exercise; the request must be clear and understandable, pertain to the applicant personally or, if acting on behalf of someone else, the applicant must be specifically authorized and this authority must be documented, and the application must include identity and address information along with identity-verifying documents.

11.2 Evaluation of the Application

11.2.1 Response Time for the Application

Requests regarding personal data are finalized as soon as possible and, in any case, within a maximum of 30 (thirty) days, free of charge or, if the conditions in the tariff to be published by the KVK Board regarding fees are met, for the fee specified in that tariff.

Additional information and documents may be requested during the application or its evaluation.

11.2.2 Our Right to Reject the Application

Applications regarding personal data may be rejected with justification in the following cases:

• Processing of personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics,
• Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate privacy or personal rights or constitute a crime,
• Processing of personal data made public by the Personal Data Subject,
• The application not being based on a justified reason,
• The application containing a request contrary to the relevant legislation,
• Failure to comply with the application procedure.

11.3 Procedure for Evaluating the Application

For the response period specified in Section 11.2.1 of this Policy to commence, the requests must be submitted in writing with a wet signature or electronically signed via KEP or using other methods determined by the KVK Board, along with identity-verifying information and documents.

If the request is accepted, the relevant action is taken, and notification is provided in writing or electronically. If the request is rejected, the reason is explained and notified to the applicant in writing or electronically.

11.4 Right to File a Complaint with the Personal Data Protection Board

In cases where the application is rejected, our response is deemed insufficient, or no response is provided within the specified period, the applicant has the right to file a complaint with the KVK Board within 30 (thirty) days from the date they learn of the response and, in any case, within 60 (sixty) days from the application date.

12. Privacy Policy

This Privacy Policy covers our policy regarding your personal data while providing services related to our company’s website. In accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”), as the Data Controller, we inform you that the personal data you provide to us, which we request in a manner connected, limited, and proportionate to the purpose and duration of processing, will be recorded, stored, retained, reorganized, shared with institutions legally authorized to request such personal data, and, under the conditions and circumstances stipulated by the KVKK, transferred to third parties domestically or abroad, assigned, classified, and processed in other ways specified in the KVKK.

13. Processing of Personal Data at Company Entrances/Exits and Within the Company

For the purposes of ensuring security and maintaining operations, our company conducts surveillance activities with security cameras in our buildings (inside and outside) and tracks guest entries and exits, processing personal data in compliance with the Constitution, the KVKK, and other relevant legislation.

14. Deletion and Anonymization of Personal Data

In accordance with Article 7 of the KVKK and other relevant legal provisions, personal data processed, despite the reasons requiring its processing no longer existing, is deleted or destroyed by the data controller either on its own initiative or upon the request of the Personal Data Subject.

15. Publication and Storage of the Document

This Policy is stored in two different formats: printed paper and electronic media.

16. Update Period

This Policy is reviewed at intervals determined by the Company and updated as necessary in accordance with laws, regulations, and internal company principles.

17. Entry into Force

This Policy is deemed to have entered into force upon its publication in the Company’s Document Management System (QDMS) and on the company website.