OUR POLICIES

We build a trust-based future with our corporate principles

As TP-OTC, in all areas where we operate, we adopt transparency, sustainability, occupational health and safety, and quality standards as our foundation.

Personal Data Protection and Processing Policy

CHAPTER ONE
Introduction, Objective, Scope and Definitions

1. Introduction

Turkish Petroleum Off-Shore Technology Center Anonim Şirketi (“TP-OTC”) attaches great importance to the protection and processing of personal data, in accordance with the right to privacy and fundamental rights and freedoms guaranteed by the Constitution of the Republic of Türkiye.

2. Objective and Scope

The main purpose of TP-OTC's Personal Data Protection and Processing Policy ("Policy") is to provide explanations regarding the protection and processing of personal data carried out by TP-OTC in accordance with the Personal Data Protection Law No. 6698 ("Law") and in line with the principles adopted, and to remind individuals whose personal data is processed of the rights granted by the Law and provide necessary information within this scope.

In relation to the issues specified in this Policy, necessary procedures are organised within TP-OTC and clarification texts are created in accordance with the Personal Data Processing Inventory, personal data protection and confidentiality agreements are made with TP-OTC employees and third parties, job descriptions are revised, necessary administrative and technical measures are taken for data security, and necessary audits are carried out within this scope.

This Policy covers all personal data of our current employees, employee candidates, visitors, and third parties with whom we cooperate that is processed through automatic or non-automatic means, and it applies to the individuals specified.

3. Definitions

Explicit Consent: Consent relating to a certain subject which is based on information and taken at one's free will.

Data Subject: The real person whose personal data is being processed.

Law: Personal Data Protection Law No. 6698.

Personal Data: Any kind of information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: The inventory created by data controllers in accordance with their business processes, by associating personal data processing activities with the purposes and legal bases of processing, data categories, recipient groups to whom the personal data is transferred, data subject groups, and by disclosing the maximum retention period necessary for the purposes for which personal data is processed, as well as the personal data envisaged to be transferred to foreign countries and the measures taken for data security.

Anonymization of Personal Data: The process by which personal data is rendered so that it cannot be associated with a specific or determinable real person, even by matching it with other data.

Processing of Personal Data: Any operation carried out on personal data, either fully or partially, by automated means or non-automated means, which form part of any data recording system, including collection, recording, storage, retention, alteration, reorganization, disclosure, transferring, taking over, making retrievable, classifying, or preventing the use thereof, provided that it shall not be a process that changes the identity of personal data.

Deletion of Personal Data: Making personal data inaccessible and unavailable to relevant users.

Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, irreversible and non-reusable by anyone in any way.

Board: The Personal Data Protection Board.

Institution: Personal Data Protection Agency.

Special Categories of Personal Data: Data on individuals' race, ethnicity, political opinion, philosophical belief, religion, sect, appearance, membership of associations, foundations or trade-unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Policy: TP-OTC Protection and Processing of Personal Data Policy.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

CHAPTER TWO
General Principles

4. Implementation of the Policy and Relevant Legislation

The relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of any inconsistency between the current legislation and the Policy, TP-OTC acknowledges that the current legislation will prevail in its implementation.

5. For What Purposes Do We Process Your Personal Data

  • Execution of Emergency Management processes

  • Execution of Information Security Processes

  • Execution of Employee Candidate / Intern / Scholarship Processes

  • Execution of Employee Candidate Application Processes

  • Fulfillment of the Obligations Arising From the Work Flow and Legislation

  • Determining Equipment to be Provided to Employees

  • Execution of Training Activities

  • Execution of Access Authorisations

  • Execution of Finance and Accounting Transactions

  • Ensuring Physical Space Security

  • Monitoring and Managing Legal Affairs

  • Execution of Internal Audit / Investigation / Intelligence Activities

  • Execution of Communication Activities

  • Planning of the Human Resources Processes

  • Execution of Occupational Health and Safety Activities

  • Execution of Performance Evaluation Processes

  • Execution of Storage and Archive Activities

  • Execution of Travel Organizations

  • Execution of Contract Processes

  • Execution of Insurance Processes

  • Foreign Personnel Work and Residence Permit Procedures

  • Informing Authorized Persons, Institutions and Organizations

  • Creating and Monitoring Visitor Records

  • Other Activities That Will Be Included In Our Personal Data Processing Purposes

6. Issues Regarding the Protection of Personal Data

In accordance with Article 12 of the Law, TP-OTC is obliged to take necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unauthorized access to data, and to ensure the security of data at an appropriate level, and to conduct the necessary audits.

TP-OTC, in this context, takes and oversees the necessary technical and administrative measures to ensure the required security level in accordance with the guidelines published by the Personal Data Protection Board ("Board").

6.1 Technical and Administrative Measures

The main technical and administrative measures taken by TP-OTC to ensure the lawful processing of personal data, prevent unauthorized access, and secure data in safe environments are outlined below.

  • Network security and application security are ensured.

  • Closed system networks are used for transferring personal data over the network.

  • Security measures are taken within the scope of information technology system procurement, development, and maintenance.

  • Necessary authorizations and role distributions exist for access to our information systems.

  • Employees are required to sign confidentiality agreements, and disciplinary processes are applied for violations.

  • Access logs are regularly maintained.

  • Access is recorded, and unauthorized accesses are controlled.

  • Data masking measures are implemented when necessary.

  • Employees who have changed duties or left their jobs are de-authorised.

  • Current antivirus systems are used.

  • Security vulnerabilities are monitored and appropriate patches are installed.

  • Firewalls are used.

  • Signed contracts contain data security provisions.

  • Necessary physical security measures for IT equipment, software, and data are taken.

  • Security measures are implemented for entries and exits to physical environments containing personal data.

  • Personal data is backed up and securely stored.

  • Encrypted external backup systems with no external access are used.

  • User account management and authorization control systems are implemented.

  • Log records are maintained in a way that prevents user intervention.

  • Special category data is protected using secure encryption/cryptographic keys.

  • Intrusion detection and prevention systems are used.

  • Server cabinets are kept locked.

  • Cybersecurity measures are continuously monitored.

  • Servers are protected by redundant firewalls, antivirus and two-factor authentication.

  • Regular penetration tests are conducted and vulnerabilities are addressed.

  • Computer systems operate with redundancy measures.

  • Data loss prevention software is used.

7. Matters Regarding the Processing of Personal Data

TP-OTC processes personal data in accordance with Article 20 of the Constitution and Article 4 of the Law, in compliance with the principles of lawfulness, accuracy, legitimacy, relevance, proportionality, and storage limitation.

7.1 Processing in Compliance with Lawfulness and Fairness

TP-OTC processes data according to legal principles and good faith, ensuring proportionality.

7.2 Ensuring that Personal Data is Accurate and Up-to-date

TP-OTC takes necessary measures to keep data accurate and up-to-date.

7.3 Processing for Specified, Explicit and Legitimate Purposes

TP-OTC determines lawful processing purposes clearly and processes only necessary data.

7.4 Relevant, Limited and Proportionate Processing

Unnecessary or irrelevant personal data is not processed.

7.5 Storage for Required Period

Personal data is retained only as long as necessary under legislation or for the processing purpose, then deleted, destroyed, or anonymized.

8. Method of Personal Data Collection

Data is collected through email, fax, career platforms, social media, forms, consultants, CCTV and other channels, and may be processed without explicit consent if the conditions of Article 5/2 and Article 6/3 apply.

9. Transfer of Personal Data

TP-OTC may transfer data to third parties in compliance with Article 8, to group companies, shareholders, business partners, auditors, and institutions both domestically and abroad, ensuring necessary safeguards.

10. Deletion, Destruction and Anonymisation of Personal Data

At the end of legal retention periods, personal data is deleted, destroyed, or anonymized automatically or upon request.

11. Rights of Personal Data Subject

11.1 Rights of Data Subject

  • To find out whether their personal data has been processed

  • To request information on processed data

  • To learn the purpose of processing and use in line with the purpose

  • To know domestic or international third-party recipients

  • To request correction of incomplete or inaccurate data

  • To request deletion or destruction of data

  • To request notification to third parties of correction/deletion

  • To object to unfavorable outcomes from automated processing

  • To request compensation for damages

11.2 Situations where Rights Cannot Be Exercised

  • Processing by natural persons for personal/family activities without disclosure

  • Official statistics once anonymized

  • Artistic, historical, scientific, or expression-related processing within legal limits

  • Preventive/protective intelligence activities by competent authorities

  • Judicial or enforcement authority processing

11.3 Application Procedure and Response Time

Applications must be submitted with the Data Subject Application Form. TP-OTC responds within 30 days.

11.4 Additional Information Requests

TP-OTC may request additional information to confirm identity or clarify the application.

11.5 TP-OTC's Right to Refuse the Personal Data Subject's Application

TP-OTC reserves the right to reject the data subject's application in the presence of any of the following situations:

  • Processing of personal data for research, planning, or statistical purposes by rendering them anonymous through official statistics.

  • Processing of personal data for artistic, historical, literary, or scientific purposes, or for the freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy, personal rights, or constitute a crime.

  • Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by authorized public institutions and organizations for purposes such as national defense, national security, public security, public order, or economic security.

  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or enforcement proceedings.

  • The necessity of processing personal data for the prevention or investigation of a crime.

  • Processing of personal data that has been made public by the data subject.

  • Processing of personal data by authorized public institutions, regulatory public bodies, or professional organizations with public authority for the purpose of performing supervisory or regulatory duties or conducting disciplinary investigations or prosecutions.

  • Processing of personal data being necessary for the economic and financial interests of the State in matters related to budget, taxation, or finance.

  • Cases where the data subject's request may impede the rights and freedoms of other individuals.

  • Requests requiring disproportionate effort.

  • Situations where the requested information is publicly available.

  • Existence of any condition excluded from the scope under the Law.

CHAPTER THREE
Final Provisions

12. Other Provisions

This Policy is published on TP-OTC's website at www.tp-otc.com and is thereby disclosed to the public.

This Policy may be updated where required, such as following amendments to the Law, decisions issued by the Board, or changes and developments in the industry. You may send any questions or opinions regarding this Policy to kvkk@tp-otc.com.

13. Validity

This Policy becomes valid on the date it is approved by the TP-OTC Board of Directors.

14. Enforcement

The provisions of this Policy are executed by the TP-OTC Board of Directors.