1- KÜÇÜK GROUP INC. PERSONAL DATA PROCESSING AND PROTECTION POLICY
CONTENTS
1. DEFINITIONS AND ABBREVIATIONS ............................................................................................................... 3
2. PURPOSE .................................................................................................................................................. 4
3. SCOPE ...................................................................................................................................................... 4
4. PROCESSING OF PERSONAL DATA .............................................................................................................. 5
A- PRINCIPLES COMPLIED WITH IN THE PROCESSING OF PERSONAL DATA .................................... 5
B- CONDITIONS FOR PROCESSING PERSONAL DATA ....................................................................... 5
C- CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA .............................. 6
D- INFORMING THE DATA SUBJECT .............................................................................................. 6
E- GROUPS OF PROCESSED PERSONAL DATA ............................................................................... 7
F- PURPOSE OF PROCESSING PERSONAL DATA ............................................................................ 7
G- RETENTION PERIOD OF PERSONAL DATA .................................................................................. 9
5. TRANSFER OF PERSONAL DATA ................................................................................................................. 9
A- PRINCIPLES AND PROCEDURES FOR TRANSFER OF PERSONAL DATA ....................................... 9
B- RECIPIENT GROUP AND PURPOSE OF TRANSFER .................................................................... 10
6. RIGHTS OF THE DATA SUBJECT .............................................................................................................. 11
A- RIGHTS .................................................................................................................................. 11
B- EXERCISE OF RIGHTS ............................................................................................................. 11
C- RESPONSE OF THE DATA CONTROLLER TO REQUESTS ............................................................ 12
7. SECURITY OF PERSONAL DATA .............................................................................................................. 13
A- TECHNICAL MEASURES .......................................................................................................... 13
B- ADMINISTRATIVE MEASURES ................................................................................................ 14
8. DESTRUCTION OF PERSONAL DATA ....................................................................................................... 15
A- REASONS REQUIRING DESTRUCTION .................................................................................... 15
B- METHODS OF DESTRUCTION OF PERSONAL DATA ................................................................. 15
9. PUBLICATION / STORAGE OF THE POLICY, EFFECTIVE DATE AND UPDATES ........................................... 16

KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy

1. DEFINITIONS AND ABBREVIATIONS
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Inventory: Refers to the Personal Data Processing Inventory.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.
Destruction: The deletion, destruction, or anonymization of personal data.
OHS Law: Refers to the Occupational Health and Safety Law.
Law: Refers to the Personal Data Protection Law No. 6698.
Recording Environment: Any environment in which personal data processed fully or partially automatically or non-automatically as part of any data recording system is stored.
Personal Data Processing Inventory: An inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with processing purposes, data categories, recipient groups, and data subject groups.
Board: Refers to the Personal Data Protection Board.
Authority: Refers to the Personal Data Protection Authority.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all conditions for processing personal data stipulated in the Law are eliminated. In this Policy, it refers to the months of June and December.
Policy: KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
Registry: The Data Controllers’ Registry maintained by the Presidency of the Personal Data Protection Authority.
Data Recording System: A recording system in which personal data is structured and processed according to specific criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
KÜÇÜK GROUP INC.: KÜÇÜK GROUP KABLO SANAYİ TİCARET ANONİM ŞİRKETİ (Data Controller)
Company: KÜÇÜK GROUP KABLO SANAYİ TİCARET ANONİM ŞİRKETİ (Data Controller)

2. PURPOSE
KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy has been prepared to determine the procedures and principles regarding the business processes and operations related to processing and protection activities carried out by KÜÇÜK GROUP INC.
KÜÇÜK GROUP INC.; in line with the fundamental principles set forth by law, prioritizes the processing of personal data belonging to company employees, employee candidates, service/product providers, customers, visitors, and other third parties in accordance with the Constitution of the Republic of Türkiye, international conventions, the Personal Data Protection Law No. 6698 (“Law”), and other relevant legislation, as well as ensuring that data subjects can effectively exercise their rights.
All processes and operations related to the processing and protection of personal data are carried out by KÜÇÜK GROUP INC. in accordance with this Policy.
3. SCOPE
KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”) covers the departments of KÜÇÜK GROUP INC. where personal data is processed, its employees, and the legal/natural persons, third parties, public institutions and organizations, and authorized legal/natural persons with whom KÜÇÜK GROUP INC. shares data or from whom it procures services.
This Policy covers the protection activities related to all processing activities carried out by KÜÇÜK GROUP INC. on personal data and shall apply to all processing operations.
In case of amendments or updates in the relevant legislation, KÜÇÜK GROUP INC. will update this Policy in compliance with the legislation and publish it on its website.
If there is a legal obstacle in the implementation of this Policy, any inconsistency arises, and/or an update becomes necessary in light of new regulations, KÜÇÜK GROUP INC. may redefine, modify, and update the Policy and its implementation.
5- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
4. PROCESSING OF PERSONAL DATA
A- PRINCIPLES COMPLIED WITH IN THE PROCESSING OF PERSONAL DATA
The following universal principles and rules are complied with by our company in the protection of personal data:
• Processing in a lawful, fair, and transparent manner.
• Being accurate and, where necessary, kept up to date.
• Processing for specific, explicit, and legitimate purposes.
• Being relevant, limited, and proportionate to the purposes for which they are processed.
• Retaining for the period required by the relevant legislation or for the purpose for which they are processed.
B- CONDITIONS FOR PROCESSING PERSONAL DATA
• Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must relate to a specific matter, be based on informed consent, and be given freely.
In the presence of the following conditions, personal data may be processed without the explicit consent of the data subject.
• Explicitly Provided for by Law
If the processing of personal data is explicitly provided for by law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, this condition shall be deemed to exist.
• Inability to Obtain Explicit Consent Due to Actual Impossibility
If it is mandatory to process personal data to protect the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid, personal data may be processed and/or transferred.
• Directly Related to the Establishment or Performance of a Contract
If it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract, this condition shall be deemed fulfilled.
• Fulfillment of the Company’s Legal Obligations
If processing is necessary for the Company to fulfill its legal obligations, personal data of the data subject may be processed.
6- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
• Personal Data Made Public by the Data Subject
If the data subject has made their personal data public, such data may be processed limited to the purpose of disclosure.
• Necessity for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise, or protection of a right, personal data may be processed.
• Necessity for the Legitimate Interests of the Company
Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed if it is necessary for the legitimate interests of the Company.
C- CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of personal data are processed by our Company in accordance with the principles set out in this Policy, by taking all necessary administrative and technical measures, including the methods determined by the Board, and under the following conditions:
• Special categories of personal data other than health and sexual life may be processed without explicit consent if explicitly provided for by law. Otherwise, explicit consent of the data subject shall be obtained.
• Special categories of personal data relating to health and sexual life may be processed without explicit consent by persons under confidentiality obligations or authorized institutions and organizations for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment, and care services, and planning and management of health services and financing. Otherwise, explicit consent shall be obtained.
Health data obtained within this scope may also be processed without consent within the scope of Occupational Health and Safety Law and mandatory medical practices, limited to the cases listed above.
D- INFORMING THE DATA SUBJECT
KÜÇÜK GROUP INC., in accordance with Article 10 of the Law and secondary legislation, informs data subjects. Within this scope, KÜÇÜK GROUP INC. provides information on who processes personal data as the data controller, for what purposes it is processed, to whom and for what purposes it is transferred, the method and legal basis of collection, and the rights of data subjects.
In line with international legislation, the retention period of data or, where it is not possible to specify, the criteria used to determine such period are stated, and whether processing is mandatory and the consequences of failure to carry out mandatory processing are indicated.
Accessibility standards under the Law on Disabled Persons are observed when presenting camera recording notices required for physical security and monitoring.
7- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
E- CATEGORIES OF PERSONAL DATA PROCESSED
Data subjects whose personal data are processed within the scope of this Policy by KÜÇÜK GROUP INC. are categorized as follows:
• KÜÇÜK GROUP INC. Employee Candidates
Individuals who have not yet established an employment contract with KÜÇÜK GROUP INC. but are under evaluation.
• KÜÇÜK GROUP INC. Customers, Representatives, and Employees
Real person representatives, shareholders, employees, businesses, and companies with which KÜÇÜK GROUP INC. has a commercial relationship.
• KÜÇÜK GROUP INC. Visitors
Real persons visiting KÜÇÜK GROUP INC. premises or websites operated by KÜÇÜK GROUP INC.
• Other Real Persons
All real persons not covered under the KÜÇÜK GROUP INC. Employees Personal Data Protection and Processing Policy.
F- PURPOSE OF PROCESSING PERSONAL DATA
• Determination, planning, and implementation of KÜÇÜK GROUP INC.’s short/medium/long-term commercial policies:
i. Execution of strategic planning activities
ii. Management of relationships with customers and suppliers
• Designing and executing KÜÇÜK GROUP INC.’s human resources activities:
i. Execution of recruitment processes
ii. Planning and execution of internship and student placement processes
iii. Planning HR processes
iv. Fulfillment of legal and contractual obligations for employees
v. Monitoring and auditing employee activities
vi. Planning and execution of employee benefits
vii. Planning and execution of termination processes
ix. Planning and execution of internal training activities
x. Management of customer and supplier relations
xi. Wage management
xii. Execution of occupational health and safety activities
8- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
xiii. Fulfillment of information and document obligations in legal and administrative processes
• Ensuring that company activities are carried out in compliance with legislation and company policies:
i. Finance and accounting operations
ii. Risk management processes
iii. Corporate communication activities
iv. Corporate sustainability activities
v. Efficiency and performance analysis
vi. Organization and event management
vii. Establishment and management of IT infrastructure
viii. Information security processes
• Other purposes:
i. Ensuring commercial, technical, and legal security of related persons and maintaining communication;
ii. Protecting the commercial reputation of KÜÇÜK GROUP INC.;
iii. Complying with legal obligations regarding information storage, reporting, and informing authorities;
iv. Evaluating and responding to requests from authorities or individuals;
v. Ensuring physical security through camera systems;
vi. Fulfilling burden of proof in legal disputes;
vii. Processing in accordance with Articles 5 and 6 of the Law.
9- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
G- RETENTION PERIOD OF PERSONAL DATA
PROCESS — RETENTION PERIOD — DESTRUCTION PERIOD
Execution of Commercial Activities — 5 Years — First periodic destruction following retention period
Legal Process — 10 Years — First periodic destruction following retention period
Customer Transactions — 5 Years — First periodic destruction following retention period
End of Communication Activities — 5 Years — First periodic destruction following retention period
Application Form to Data Controller — 10 Years — First periodic destruction following retention period
Narbulut Record Tracking Systems — **** — *****
Camera Records — 25 Days — Automatically deleted after 25 days
Corporate Memory — 99 Years — First periodic destruction following retention period
5. TRANSFER OF PERSONAL DATA
A- PRINCIPLES AND PROCEDURES FOR TRANSFER
Even without explicit consent, personal data may be transferred to third parties by our Company by taking all necessary security measures, provided that one or more of the following conditions exist:
• Clearly stipulated by law,
• Necessary for the establishment or performance of a contract,
• Necessary for fulfilling legal obligations,
• Made public by the data subject, limited to its purpose,
• Necessary for establishment or protection of a right,
• Necessary for legitimate interests of the Company without harming fundamental rights,
10- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
• Necessary to protect life or physical integrity where consent cannot be obtained.
Additionally, personal data may be transferred to foreign countries declared by the Board to have adequate protection. If not, transfer may occur to countries where data controllers commit to adequate protection and Board approval is obtained.
B- RECIPIENT GROUP AND PURPOSE OF TRANSFER
KÜÇÜK GROUP INC. acts in compliance with Articles 8 and 9 of the Law in data transfers:
i. Domestic Transfer: carried out in compliance with Article 8.
ii. International Transfer: carried out in compliance with Article 9 and adequate protection rules.
iii. Recipient Groups:
• Customers, limited to business purposes,
• Authorized public institutions and private entities within legal authority,
• Third parties in compliance with legal conditions.
11- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
6. RIGHTS OF THE DATA SUBJECT

A- RIGHTS
Personal data subjects have the following rights:
• To learn whether personal data is being processed,
• To request information if personal data has been processed,
• To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of personal data if it is incomplete or incorrectly processed and to request notification of such correction to third parties to whom the data has been transferred,
• To request deletion or destruction of personal data if the reasons requiring its processing no longer exist, despite being processed in accordance with the Law and other relevant legislation, and to request notification of such action to third parties to whom the data has been transferred,
• To object to any result against the person arising from analysis of processed data exclusively through automated systems,
• To request compensation for damages arising from unlawful processing of personal data.
In cases where the application is rejected, the response is insufficient, or no response is given within the legal period, the data subject may file a complaint with the Personal Data Protection Board within thirty days from the date of learning the response and in any case within sixty days from the application date. According to Article 13 of the Law, it is not possible to file a complaint without exhausting the application procedure.
Within the scope of international legislation, data subjects also have the right to request restriction of processing of their personal data and to withdraw consent regarding processing or transfer of their personal data.
B- EXERCISE OF RIGHTS
Data subjects may exercise their rights by using the Data Controller Application Form available at http://www.kucukgroup.com/ (see Application Statement), via written application in person, via notary, with an electronically signed document, mobile signature, or via the previously registered e-mail address in the system.
12- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
Application Statement:
Application Method
Application Address
Information to be Included in Application
In-Person Application [Applicant must apply in person with identity verification document]
3. ORGANIZED INDUSTRIAL ZONE, BÜYÜKKAYACIKOSB DISTRICT, T. ZİYAEDDİN AKBULUT STREET NO: 4/1 SELÇUKLU / KONYA
Envelope must state: “Information Request under Personal Data Protection Law”
Notary Application
3. ORGANIZED INDUSTRIAL ZONE, BÜYÜKKAYACIKOSB DISTRICT, T. ZİYAEDDİN AKBULUT STREET NO: 4/1 SELÇUKLU / KONYA
Delivery envelope must state: “Information Request under Personal Data Protection Law”
Application via Secure Electronic Signature [Application via Registered Electronic Mail (REM) signed with secure electronic signature]
info@kucukgroup.com
Email subject must state: “Information Request under Personal Data Protection Law”
Mobile Signature or Email Application [Using the email address previously registered in the company system]
info@kucukgroup.com
Email subject must state: “Information Request under Personal Data Protection Law”
In cases where the application is rejected, the response is insufficient, or no response is provided within the legal period, the data subject may file a complaint with the Personal Data Protection Board within thirty days from learning the response and in any case within sixty days from the application date. According to Article 13 of the Law, complaint procedures cannot be initiated without exhausting the application process.
Data provided through the application form is processed and protected in accordance with the procedures and principles set out in this Policy.
C- RESPONSE BY THE DATA CONTROLLER
Our Company takes necessary administrative and technical measures to conclude applications made by data subjects in accordance with the Law and secondary legislation.
If a data subject submits a request in accordance with the procedures above, our Company will conclude the request as soon as possible and in any case within 30 (thirty) days free of charge depending on the nature of the request. However, if the process requires additional cost, a fee may be charged according to the tariff determined by the Board.
13- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
7. SECURITY OF PERSONAL DATA
A- TECHNICAL MEASURES
The technical measures taken by KÜÇÜK GROUP INC. regarding processed personal data are listed below:
• Risks, threats, vulnerabilities, and possible security gaps in IT systems are identified through various tests and necessary precautions are taken.
• IT systems are continuously monitored against risks and threats through real-time analysis via information security incident management.
• Access and authorization of users in IT systems are managed through access matrices and corporate active directory security policies.
• Necessary measures are taken for physical security of IT equipment, software, and data.
• Hardware and software security measures such as cameras, alarm systems, firewalls, intrusion prevention systems, network access control, and malware protection systems are implemented.
• Risks related to unlawful processing of personal data are identified and technical measures are implemented accordingly, with regular technical controls performed.
• Access procedures are established and access logs and analyses are carried out.
• Access to storage environments is recorded and unauthorized access attempts are monitored.
• Measures are taken to ensure deleted data cannot be accessed or reused.
• A system is established to notify relevant persons and the Board in case of unlawful access by third parties.
• Security vulnerabilities are monitored and systems are kept up to date with security patches.
• Strong passwords are used in electronic environments where personal data is processed.
• Secure logging systems are used.
• Backup systems are used to ensure secure storage of personal data.
14- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
• Access to physical and electronic storage environments is restricted.
• A separate policy is established for special categories of personal data.
• Employees handling special categories of data are trained, confidentiality agreements are signed, and access rights are defined.
• Special category data in electronic environments is protected using cryptographic methods; keys are securely stored and systems are regularly tested and monitored.
• Physical environments where special category data is stored are secured against unauthorized access.
• If transfer is required via email, it is encrypted or sent via corporate email/secure mail; physical transfers are marked confidential.
B- ADMINISTRATIVE MEASURES
The administrative measures taken by KÜÇÜK GROUP INC. include:
• Training employees on data protection, security, and legal compliance.
• Signing confidentiality agreements with employees.
• Establishing disciplinary procedures for violations.
• Including data protection obligations in contracts with third parties.
• Ensuring physical security of storage areas and restricting access.
• Preparing a personal data processing inventory.
15- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
• Conducting periodic and random internal audits.
• Providing physical destruction equipment in workplaces.
• Ensuring accessibility compliance for camera recording notices.
8. DESTRUCTION OF PERSONAL DATA
A- REASONS REQUIRING DESTRUCTION
Personal data is destroyed when:
• Relevant legal provisions are amended or repealed,
• The purpose requiring processing or storage no longer exists,
• Processing becomes unlawful,
• The data subject’s request is accepted,
• The Board accepts a complaint regarding refusal of deletion request,
• Maximum retention period has expired,
• Contract never established or terminated,
• Consent is withdrawn.
B- TYPES OF DESTRUCTION
Personal data destruction is carried out in three ways: deletion, destruction, or anonymization.
i. Deletion: Making data inaccessible and unusable for users. Data is deleted when legal retention reasons no longer apply.
ii. Destruction: Making data completely inaccessible, irrecoverable, and unusable. Applied mainly in physical environments.
16- KÜÇÜK GROUP INC. Personal Data Processing and Protection Policy
iii. Anonymization: Rendering data impossible to associate with an identifiable person, even when combined with other data.
9. PUBLICATION, STORAGE, EFFECTIVE DATE AND UPDATES OF THE POLICY
The Policy is published both in printed (wet-signed) and electronic form and is made publicly available on the website. The printed copy is stored in company files. The Policy enters into force upon publication on the website. If it is decided to revoke it, printed copies are cancelled by authorized persons and stored for at least 5 years.