“LAW ON THE PROTECTION OF PERSONAL DATA” Declaration Definitions Personal Data: All the information relating to an identified or identifiable natural person, Law on the Protection of Personal Data (“KVKK”): the Law on Personal Data Protection Nr.6698 enacted on 7th April 2016 after published on the Official Gazette, Data Processor: The natural or legal person who processes personal data on behalf of the controller upon his authorization Data Controller: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system. Data Subject: The natural person, whose personal data is processed. NORM HOLDING A.Ş. (“Company”) has the principles of protecting the fundamental rights and freedoms, protecting the privacy of private life, ensuring and protecting the information security, and respect for the ethical values. For this reason, in order to fulfill our responsibility of clarification arising from the Article 10 of the Law on Personal Data Protection (KVKK), below is the declaration; Data Controller For your personal data, the “Data Controller” is “NORM HOLDING A.Ş.” registered with registration number “198267” in İzmir Trade Registry and having MERSIS number of 0631078677800001. The address of registered office is “10007 SOKAK NO:1/3 A.O.S.B. ÇİĞLİ/İZMİR”. Parties the Data Are Collected From Within the scope of the Law on the Protection of Personal Data, the parties that are listed below and we are in business relationship with are as follows; Our employees and employee candidates Family members and relatives of our employees and employee candidates Our clients and/or patients Our suppliers Our consultants Our business partners Our shareholders Our company managers Our company deputies Person(s) and their employees with whom we have a contract Party/parties of legal transactions Survey participants Our visitors Data Collected and Processed by Our Company Within the scope of Articles 5 and 6 of the Law on Personal Data Protection, our Company collects and processes the data specified below; Family and social life data, Educational data, Employment data, Data on the request/complaint management, Data on the legal procedures, Data on the compliance with ethical values and law, Financial data, Audit data, Data on electronic media usage, Data on the goods and services procured, Business activity data, Data on trade and other license and permits, Data on the physical site security, Visual and auditory data (photo, camera, voice records), Telecommunication records, Data on the use of e-mail and information systems, Entry records, Medical reports and health information, Biometric data, and Criminal record data Our Company’s Objectives for Data Collection Within the scope of Articles 5 and 6 of the Law on Personal Data Protection, our Company collects and processes personal data within the scope of and limited to the following objectives; Fulfilling business activities of our Company. Fulfilling the business transactions related with business activities, Managing and maintaining the relationships with business partners and/or suppliers, Technically managing the websites of our Company, Customer and/or Patient management and to follow up the complaints, Monitoring the product surveys and our questions sent to our Company, Conducting the operations required for having you benefit from our products and services, Planning and conducting the sales, marketing, and after-sale processes of products and/or services, Providing information about the contents of products and services, Upon obtaining the legal approval, sending commercial electronic messages, Conducting contests, activities, and other organizations, Maintaining the legal and business relationships with persons having business relationship with our Company and ensuring the security of these relationships, Administrative operations performed by our Company and aiming the communication, Employee management and administration, Ensuring the physical security and control of locations owned by the Company, Planning the logistic activities, Managing the PR projects, Conducting the legal operations and procedures, as well as the compliance with ethical values and law, Following the contractual processes and/or legal requests, Planning and conducting the Human Resources and Personnel Recruitment processes and monitoring and conducting the training activities, Planning and/or conducting the occupational health and/or safety processes, Planning and conducting the corporate communication and corporate management activities, Conducting the information security management services, Monitoring and auditing the finance and/or accounting activities, and determining the financial risks of customers, Setting and implementing the commercial and business strategies of our Company, Establishing and following the visitor records, Other objectives and purposes that shall be reported to the person while collecting the information, Fulfilling the legal obligations required or obliged by the legal regulations, Transfer of Data Collected and Processed within the Scope of Our Company’s Objectives Your data collected by our Company within the scope of personal data processing objectives and conditions specified in Articles 8 and 9 of the Law on Personal Data Protection may be shared with our associates, shareholders (only anonymously), and legally authorized institutions and persons and other persons within the limit of objectives specified above. Method and Legal Reason of Data Collection by Our Company In accordance with the principle of proportionality and limited to the legally specified and legitimate purposes specified above, the personal data are verbally, written, and/or electronically collected, used, recorded, stored, and processed by our Company by clearly and understandably informing the personal data owners in written or orally through written, oral, and/or electronic notifications and by obtaining their explicit consent (if necessary). We undertake that your personal data will never be processed, transferred to 3rd parties within or outside our country, and never be stored for the purposes other than those specified in this declaration. Retention Period for the Data Collected by Our Company Your personal data are stored for a period specified in relevant regulations or, if not specified in the relevant regulations, as long as needed for the processes of our Company and the practice in business life or required by the data processing objectives specified above. At the end that period, your personal data will be erased, destructed or anonymized according to the Article 7 of the Law on Personal Data Protection. Security of Your Data Collected and Processed by Our Company In order to protect your personal data from any damage, loss and/or unauthorized access while processed and stored, the technical and administrative measures specified by Information Security Management System (ISO 27001 Standard and Code of Good Conduct 27018, 27701) encouraged by our administration, the requirements specified for Personal Data Protection Management System (Bureau Veritas – Technical Standard of Data Protection), and necessities specified in Personal Data Security Guideline of the Personal Data Protection Board are continuously followed and enhanced within the principle of continuous improvement. The Rights of Person, Whose Personal Data Have Been Collected and Processed According to the Article 11 of the Law on Personal Data Protection, each person has the right to apply to the Data Controller and a) to learn whether his personal data are processed or not, b) to request information if his/her personal data are processed, c) to learn the purpose of his data processing and whether this data is used for intended purposes d) to know the third parties to whom his personal data is transferred at home or abroad e) to request the rectification of the incomplete or inaccurate data, if any f) to request the erasure or destruction of his personal data under the conditions laid down in Article 7, g) to request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his personal data has been transferred, h) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavourable consequence for the data subject ı) to request compensation for the damage arising from the unlawful processing of his personal data. Methods for Application within the Scope of Data Subject’s Rights According to the Paragraph 1 of Article 13 of Law on Protection of Personal Data, your request to exercise your rights upon the “Notification on the Principles and Procedures of Application to the Data Controller” published on 10th March 2018 with Nr.30356 shall be made using the methods and information specified below. Necessary information for application; Applicant’s Name and Surname. TR ID Number if the applicant is a citizen of Turkish Republic or Passport Number or ID Number with nationality if the applicant is not a citizen of Turkish Republic. Applicant’s business or residential address. Applicant’s electronic mail address, phone number, or fax number. Applicant’s subject of application. Applicant’s information and documents related with the subject of application. Application Methods; Applicant may apply in person to the address of NORM HOLDING A.Ş. by filling the «Application Form» and putting the form in a sealed envelope by writing “Information Request upon the Law on the Protection of Personal Data”. Applicant may send a notice via a notary to the address NORM HOLDING A.Ş. but the note of “Information Request upon the Law on the Protection of Personal Data” shall be placed on the notice envelope. The application using “Secure Electronic Signature” defined in the Law on Electronic Signature Nr.5070 can be made in person by the applicant to the registered e-mail address of NORM HOLDING A.Ş normholding@hs02.kep.tr by stating the subject “Information Request upon the Law on the Protection of Personal Data”. *Address of “NORM HOLDING A.Ş”: 10007 SOKAK NO:1/3 A.O.S.B. ÇİĞLİ/İZMİR Registered electronic mail address: normholding@hs02.kep.tr