Corporate Governance Documents

A. PURPOSE

The purpose of the Anti-Bribery and Anti-Corruption Policy (‘the Policy’) is to ensure the compliance of TSKB Sürdürülebilirlik Danışmanlığı A.Ş. (‘the Company’) with legal regulations against bribery and corruption, ethical and professional principles, and universal rules.

B. SCOPE

The Anti-Bribery and Anti-Corruption Policy covers all Company employees including the Board of Directors as well as intermediaries, proxies, suppliers, contractors, third persons, affiliated agencies and co-workers. This Policy is an inseparable part of the Ethical Principles and other internal regulations adopted by the Board of Directors and all employees as well as Company regulations and other legal regulations.

C. DEFINITIONS

Bribery is a person’s gaining unfair advantage upon acting in violation of the requirements of their duty by performing or not performing, speeding up or slowing down a specific work within the framework of an agreement they reached with a third person. Corruption is direct or indirect bribery, and the act of offering, demanding, giving or accepting bribery or all sorts of other illegal benefits, which prevents the person from executing their duty in line with the laws or from performing the required acts.

D. POWERS and RESPONSIBILITIES

It is the duty of the Company’s Board of Directors to ensure the Anti-Bribery and Anti-Corruption Policy is established, applied and updated. The Company shall impose disciplinary sanctions if the employees act in violation of these principles. The CEO shall be assigned by the Company Board to the task of investigating such cases. Company employees shall be responsible for filling in a complaint form to report to the CEO any suspicious or uncertain cases including bribery and corruption. The CEO shall examine such forms completed by Company employees but the identity of the reporting employee and the contents of the report shall be kept confidential. At the end of the investigation, if necessary, the reporting employee shall receive feedback.

E. MAJOR RISK AREAS FOR ACTS OF BRIBERY AND CORRUPTION

The Company aims full compliance with the relevant laws, regulations and principles, and shall never tolerate any act of bribery or corruption irrespective of its purpose. Any business relations with third parties that wish to receive services from the Company through bribery shall be terminated. The major risk areas where bribery and corruption may take place are described in detail below:

  • Gifts and Business Hospitality: A gift is a product which is usually given by customers or persons having a business relationship with the Company as a means of appreciation or commercial courtesy and does not require a financial payment. All gifts given to third parties by the Company shall be offered explicitly and unconditionally in good faith. Although the same principles apply for accepting a gift, gifts which are not customary and have a nature and value that could result in a sanction must not be accepted except for symbolic gifts given in line with these principles. In order to build commercial communication networks and improve commercial relations, business hospitality may be offered to clients, consultants, lawyers, auditors and other companies with which the Company has business relations. The Company shall offer such business hospitality to third parties explicitly and unconditionally in good faith. Even if it complies with this Policy, no gifts or business hospitality that could lead to a conflict of interest or could be perceived as such shall be offered or accepted.
  • Political Donations: No politically-motivated donations shall be made in the name of the Company.
  • Outsourcing Companies and Business Partners: Before considering an outsourcing company for support services, among others, or a business partner, the Company shall conduct due diligence and not work with those persons and companies that prove to be notorious for bribery or corruption. Outsourcing companies and business partners shall be obliged to comply with this Policy and other relevant regulations. The Company shall inform the said companies and business partner on their obligation to follow this Policy. Business relations with any persons and companies that do not follow the said principles and other relevant regulations shall be terminated.
  • Facilitation Payments: The Company shall not allow the persons or companies covered by this Policy to offer facilitation payments in a bid to secure or speed up a routine transaction or procedure before public agencies.

F. POLICY VIOLATIONS AND SANCTIONS

All Company employees shall be responsible for complying with this Policy as well as all legal anti-corruption regulations. If Company employees violate the principles of this Policy, disciplinary action including termination of employment shall be taken depending on the nature of violation. In addition, those who fail to follow the legal anti-corruption regulations in force might face penal sanctions. It is unacceptable for an employee to face mistreatment for refusing to participate in an act of bribery or corruption, reporting any violations of the principles in this Policy or expressing any concerns on possible corruption cases in the future.

G. EDUCATION

As a legal requirement, all Company employees shall be regularly provided with trainings on ‘Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) Measures’ and ‘Competition Law’. The said training events shall be held under the support of TSKB Human Resources Department.

H. REVIEW

This Policy shall be reviewed and updated as required on a regular basis.

I. ENTRY INTO FORCE

The Anti-Bribery and Anti-Corruption Policy has entered into force with the decision of the Board of Directors no.15 at May 30th.2019.

Document No: 41721120201

1. INTRODUCTION

Ethics is the entire set of measures analyzing the values, norms and rules setting the foundation of personal and social relations from the perspective of what is right or wrong, or good or bad. Professional ethics regulate the relations of professionals with the society while organizational ethics introduce certain rules for offering solutions to internal and external issues to define the internal culture of conduct. The purpose of this code is to outline the basic rules that must be adhered to and prevent any disputes and conflicts of interest that may arise between employees, business partners, customers and the Company (TSKB Sürdürülebilirlik Danışmanlığı A.Ş.).

2. CORE PRINCIPLES

Managers and employees must ensure that they carry out their daily activities and sustain their relations with others in compliance with the basic principles provided in this document to maintain the reputation of the Company. In circumstances not covered by these rules, employees must act in line with the principles of due diligence and loyalty.

3. ROLES and RESPONSIBILITIES

3.1 Board of Directors

The Board of Directors is responsible for setting and supervising the enforcement of the reporting, inspection and enforcement mechanisms put into place in case of failure to comply with the rules in the document as well as regulations.

The Board of Directors is responsible for preparing, developing, executing and updating this policy.

The Board of Directors is also responsible for;

a. taking the necessary measures to ensure the compliance of employees with the principles of this policy,
b. reporting to the CEO any matters contrary to this policy for review,
c. taking the necessary measures to ensure the compliance of outsourcing companies and business partners with this policy.

3.2 TSKB Sürdürülebilirlik Danışmanlığı A.Ş Employees

TSKB Sürdürülebilirlik Danışmanlığı A.Ş employees are responsible for;

a. adhering to and complying with the policies, regulations and procedures,
b. working in accordance with the legislation in force,
c. reporting any conduct, activity or practice contrary to this policy to the Company.

3.3 Outsourcing Companies and Business Partners

Outsourcing companies and business partners must comply with the principles of this policy and other relevant regulations. All business relations with non-compliant persons and/or organizations shall be terminated.

3.4 In-house Circulation

The CEO is responsible for the in-house circulation of this policy document.

4. PRINCIPLES OF IMPLEMENTATION

4.1. Conflicts of Interest

The basic principles governing conflicts of interest and the management thereof are provided below.

  • Our employees shall not use their duties and powers for the benefits of their own, their families or third parties to gain personal and private interests in any manner whatsoever.
  • Our employees shall neither accept direct or indirect gifts and obtain benefits in relation with the Company business nor accept debts from persons or companies that the Company has business relations with.
  • Our employees shall neither give gifts nor provide benefits to third parties and organizations which will influence their impartiality, decisions and behaviors.
  • The resources and the means of the Company shall not be used for the purpose of supporting political activities. No political activities shall be carried out within the Company. No donations shall be made to political parties or the candidates thereof, and political campaigns shall not be supported.

The details about the above articles are presented below.

4.1.1. Gifts That May Be Given

Employees must make sure that the gifts to be given to parties with which the Company has business relations are in line with the rules set forth in this document. The below rules shall apply to the gifts that may be given accordingly.

  • The basic rule here is not to make any amount of payments in cash or give gifts that can easily be converted into cash. However, as per our traditions and customs, the gifts that our employees may give due to private or general celebrations (weddings, engagement ceremonies, birthdays, etc.), in accordance with their status and position are outside of this scope.
  • The value of the gift given shall not exceed TL 500. The approval of the CEO shall be required for exceptions. The amount stated herein shall be increased annually at a rate equal to the Wholesale Price Index.
  • The gifts given must not aim to influence the impartiality, decisions and behaviors of the other party with regard to any business affair, agreement or bureaucratic transaction that the Company is involved in.

4.1.2. Gifts That Can Be Accepted

Employees shall not ask for any personal payments or gifts from third parties that have business relations with the Company nor act in a manner to imply such requests. Provided that the rules of integrity and good faith are complied with, gifts may be accepted only as per the following rules.

  • Our employees shall not accept payments in any manner and quantity whatsoever. This includes instruments that can easily be converted into cash (gift cheques, etc.).
  • Gifts may be accepted provided that they do not exceed TL 500, are not related with any business or agreement that concerns the Company and it is clear that such gifts are not given for the purpose of influencing employees.
  • In case they are offered non-cash gifts or offerings the value of which exceeds TL 500, employees shall not accept such gifts as a principle. However, exceptionally, if a gift is presented in a manner and for a reason that does not lead to a conflict of interest, such gifts may be accepted upon the written approval of the Management. Written approvals shall be obtained from the CEO.

Approvals indicating that any gifts may be accepted must be kept by the party obtaining the permission.

4.1.3. Gifts That Can Be Given to Public Officials

When there is an intention to give gifts to any public official or public employee, decisions taken and periodically updated by the Public Officials Ethics Committee shall be respected.

4.1.4. Business Lunches and Dinners

When inviting someone for, or attending to, a lunch or dinner invitation, employees must be careful to ensure that the invitation is suitable for the purpose. As a principle, an invitation extended as a business lunch/dinner must be at a location that is suitable for the concept of a business lunch/dinner, and the positions of the attendees.

4.1.5. Activities of a Political Nature

The Company respects the rights of the employees to individually take part in political events. However, those who take part in political events must clearly specify that they are not representing the Company. The following are expected from the employees who take part in political events:

  • To clearly reveal the fact that they are not representing the Company in any manner whatsoever.
  • To absolutely avoid using Company resources in fulfilling or supporting personal political activities (including Company time, telephones, papers, e-mail and other assets).

4.1.6. Sideline/Second Jobs

Company employees shall not work at a paid second job neither during work days, weekends, national holidays and general holidays nor during their annual paid leave days. The Company CEO shall be informed for any cultural, artistic or scientific work carried out in return for royalties.

Furthermore, in case employees receive an offer that requires them to receive remuneration such as consultancy or a similar position, or in case they hold direct or indirect shares at a company, they must obtain the written approval of the CEO.

In addition, employees may carry out voluntary activities (such as those for legally-founded charities, foundations or non-governmental organizations) in such a manner as to not disrupt their duties and responsibilities at the Company. However, they shall not use their corporate titles and positions during the course of such activities.

4.1.7. Personal Investments

When employees are managing their personal investments, they shall not make personal investments with the shares of the companies or other investment instruments which will create any possible conflict of interest with their duties and responsibilities at the Company.

4.2. Relations with the Stakeholders

The basic principles that the employees must take into consideration in regard to their relations with each other or stakeholders such as business partners, customers and suppliers are listed below.

  • The principles of integrity, trust, consistency, professionalism, long term relations, and respect for mutual interests are observed in relations with the customers, suppliers, and other persons and organizations that the Company has business relations with.
  • The objectives regarding services and products include superior quality, and meeting the needs and expectations of the customers fully.
  • Competitors’ products shall not be slandered, and misleading advertising shall not be allowed.
  • In management, no discrimination based on race, ethnic origin, nationality, religion and gender shall be allowed. Persons of equal standing shall be provided with equal opportunities. Performance and efficiency shall be taken as the basis for remuneration and promotions.
  • Unless expressly authorized, employees shall not undertake any commitments or make statements on behalf of the Company.
  • Company operations shall be carried out taking into account the legislation in effect, the articles of association of the Company, internal regulations and the policies created.
  • Employees shall carry out their duties in an equitable, transparent, accountable and responsible manner.
  • Mutual respect, trust and cooperation are essential in relations between employees.
  • All employees shall fulfill their responsibilities to protect and further the prestigious image of the company. Accordingly, all employees shall ensure that their personal attitude and behavior are in compliance with the law and the general code of ethics.
  • The Company is sensitive about its social responsibilities. It complies with the regulations concerning the environment, consumers and public health. The Company supports and respects internationally recognized human rights. It fights all sorts of corruption, including malversation and bribery.

4.2.1. Communication

Giving wrong, misleading and exaggerated information during contact with our customers or other organizations must absolutely be avoided.

4.2.2. Media Researches and Interview Requests

Any and all kinds of interviews or disclosure requests to be used in the media shall be coordinated and replied by the CEO in writing.

Employees shall not make any disclosures to any media organization, whether written, verbal, or visual, on matters regarding the Company without the permission of the CEO or the Chairman of the Board of Directors.

Delivering speeches and presentations during events such as congresses, conferences and seminars organied by others or attending such events as panelists require the written approval of the CEO. Likewise, no articles, writings or pictures shall be prepared by using the job titles at the Company without approval.

4.2.3. Pricing

For the pricing of all products and services delivered by the Company, employees shall be obliged to comply with the internal regulations as well as the relevant legal obligations. Compliance with the rules set forth in this document hereby and the reputation of the company shall be taken into consideration with regard to pricing.

4.2.4. Customer Complaints

Any and all complaints of customers with regard to corporate products and services must be directed to the required channels in order to ensure a fast and proper solution. Any and all serious and extraordinary complaints,which may affect the reputation of the Company must be conveyed to the Board of Directors and the CEO without delay.

4.2.5. Transactions Against the Competition Law

Employees shall not be involved in agreements with the competitors that may create a dominant position in the market or influence the pricing and marketing policies or violate the competition regulations under no circumstances whatsoever. In case of uncertainties, opinions of the Legal Affairs Department shall be sought.

4.2.6. Legal Matters

In case employees are involved in a penal or administrative investigation, taken under custody, arrested, interrogated or convicted due to any reason whatsoever (to be heard as witnesses or as the defendant or suspect), they must immediately inform the CEO in writing, or, in cases that is not possible, orally. The CEO shall inform the Legal Advisor in such a case and, where necessary, the employeee shall be provided with the services of an attorney.

4.3. Flow of Information

4.3.1. Security of Information

All company related information is subject to the principle of confidentiality, and it is forbidden to convey such information to third parties and trade such information. Accordingly;

  • Any and all kinds of Company information as well as the personal information of the employees, customers and business partners shall be kept confidential.
  • Employees shall not disclose any confidential and non-public information about the Company nor shall they use such information in their own favor and in the favor of others.
  • Care shall be exercised with regard to restrictions concerning royalties, trademarks, trade secrets and patents.
  • Information related to the customers of the Company shall be kept confidential within the context of protection of personal data. They shall not be provided to third parties by any means except for the written orders of competent authorities.

4.3.2. Information Regarding the Company

Proprietary trade secrets, financial information, customer and employee information, and all information acquired during the working time, materials, programs and documents, computer and telecommunication systems, hardware and software, and all other arrangements and practices as well as all works, agreements, and products developed by the employees during their term with the company, are confidential, and are owned by the Company. The information related with third parties acquired during such works shall also be included within this scope.

It is absolutely forbidden to use such documents for personal or private interests or for the benefit of third parties, entities and organizations while working at the Company or afterwards upon leaving work.

4.3.3. Prohibition of Insider Trading

It is absolutely forbidden for employees who possess any and all confidential information on the Company, its customers or transactions, to use such information when buying and selling any capital market instruments and financial instruments including shares to gain personal interests or to convey this information to third parties to confer benefits on such third parties.

4.3.5. Confidentiality of Electronic Documents or Other Information

Essentially, employees should not use the equipment, system or e-mail systems of the Company to prepare, store or send personal and private information. However, in case of such use, they shall be deemed to have waived the confidentiality of their personal information, and the employees responsible for the supervision and security of the Company shall be entitled to examine such information.

5. PRACTICE

Employees are expected to comply with the principles set forth within the scope of the Code of Ethics and Conduct. Accordingly;

  • Action shall be taken as per the Labor Law, other relevant legislation and the provisions of the internal procedures about those who violate the rules set forth in this document hereby.
  • Employees who know/suspect of any rule violations, but do not inform the Company CEO about the issue shall be held equally responsible as the employee who is in violation.

6. The Company’s Code of Ethics and Conduct policy has entered into force with the decision of the Board of Directors No.8 at May 27th.2019.

Document No: 41921120201

1. PURPOSE AND SCOPE

1.1. Purpose

TSKB Sürdürülebilirlik Danışmanlığı A.Ş. (hereinafter referred to as “Escarus” in its trade name) manages the personal data it uses and processes in its business operations under this framework policy document.

1.2. Scope

The document consists of the following policies:

  • Personal Data Protection and Processing Policy (PDPPP)
  • Personal Data Storage and Disposal Policy (PDSDP)
  • Sensitive Personal Data Policy (SPDP)

2. DEFINITIONS

Explicit Consent: This refers to the consent regarding a specific subject that is based on information and is expressed in free will.

Anonymization: This refers to making personal data impossible to relate to an identified or identifiable person even if such personal data is matched with other data.

Escarus: This refers to TSKB Sürdürülebilirlik Danışmanlığı A.Ş.

Relevant User: This refers to persons who process personal data within the organization of the Data Controller or in line with the powers and instructions they receive from the Data Controller, except for the Escarus employee or unit responsible for the technical storage, protection and backup of personal data.

Disposal: This refers to the deletion, destruction or anonymization of personal data.

Law: This refers to the Law No. 6698 on the Protection of Personal Data.

Recording Medium: This refers to any medium that contains personal data which is processed via fully or partially automated methods, or via non-automated methods, provided that the latter is part of any data recording system.

Registered Electronic Mail (REM): This refers to a qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their sending and delivery.

Personal Data Processing Inventory: This refers to the inventory which offers the details of personal data processing activities, is established by relating the purposes of processing personal data, data category, the group of recipients to whom the data is transferred and the data subject group, and explains the maximum time required for the purposes of processing personal data, the personal data to be transferred and the data security measures taken.

Personal Data Storage and Disposal Policy (PDSDP): This refers to the policy that includes the process of determining the maximum time required for processing personal data, and the steps to be taken for deletion, destruction and anonymization.

Personal Data Storage and Disposal Procedure: This refers to the procedure prepared to regulate the process rules in detail as specified in the Personal Data Storage and Disposal Policy.

Personal Data: This refers to all kinds of information regarding an identified or identifiable real person.

Processing of Personal Data: This refers to any operation which is performed on personal data such as collection, recording, storage, safekeeping, alteration, reorganization, disclosure, transfer, reception, making available, classification or restriction of use, via fully or partially automated methods, or via non-automated methods, provided that the latter is part of any data recording system.

Principles for the Protection and Processing of Personal Data: This refers to the principles which are prepared by Escarus and set out the general principles regarding the protection and processing of personal data.

Personal Data Protection and Processing Policy (PDPPP): This refers to the policy that includes explanations about the content, categories, usage and processing methods of the personal data Escarus processes, the conditions of their storage, the rights of data subjects and the measures taken to protect personal data.

Cryptographic Methods: Cryptographic methods or "encryption" refers to all methods used to transform the information contained in readable data into a form that cannot be understood by unwanted parties. Cryptography is a set of mathematical methods and aims to provide the required confidentiality, integrity, authentication and non-repudiation for the security of important information. These methods aim to protect the information (hence the interests of the sender, recipient, carrier, the subject of the information and any other party) from active attacks or passive perceptions that may be encountered during the transmission and storage of information.

Board: This refers to the Personal Data Protection Board.

Sensitive Personal Data Policy (SPDP): This refers to the policy that defines the rules for the security of sensitive personal data and covers all activities that will ensure management in this field.

Periodic Disposal: This refers to the deletion, destruction or anonymization process that is specified in the Personal Data Storage and Disposal Policy and will be carried out ex officio at periodic intervals in the event that all the conditions for processing personal data stipulated in the Law are removed.

Policy: This refers to the Personal Data Management Policy.

Secure Socket Layer (SSL): SSL refers to a security protocol that provides privacy and reliability, allows the communication between the server and the client to be encrypted for the integrity and confidentiality of the information during information transfer on the network, thus ensuring the protection of its privacy and integrity.

sFTP: This refers to secure file transfer protocol. It is a secure way to transfer files online between machines.

Data Recording System: This refers to a recording system in which personal data are structured and processed according to certain criteria.

Data Subject: This refers to the unit where personal data is processed and which is responsible for the data at the database and application levels of Escarus systems, obliged to prevent unauthorized access by restricting access to the relevant data, and helps other employees to comply with the procedures.

Data Controller: This refers to Escarus.

VPN: VPN refers to "virtual private network". It is an internet technology that enables connecting to different networks through remote access.

Board of Directors: This refers to Escarus Board of Directors .

3. PERSONAL DATA PROTECTION AND PROCESSING POLICY (PDPPP)

3.1. PURPOSE AND SCOPE

3.1.1. Purpose

For Escarus, the confidentiality and privacy of personal data is of great importance. The primary goal of Escarus is to take necessary security measures and implement controls to protect personal data. The purpose of the Personal Data Protection and Processing Policy is to ensure that the personal data Escarus manages in project processes are duly protected and processed.

3.1.2. Scope

The efforts regarding the protection of personal data primarily include the determination of personal data in written, printed or electronic media that are transmitted to Escarus as personal data for various purposes and through various channels, the establishment of appropriate controls, the preparation of safe environments for the storage of these data, and the process of ensuring that access to these data is possible by only a limited number of authorized persons.

The primary goal of Escarus is to ensure that the service network and business processes that are developing rapidly via today's technology are reliable, legal and transparent thanks to this governance system.

All employees of the company, particularly Escarus management, are responsible for taking and implementing appropriate security measures in the process of protecting and processing personal data.

PDPPP covers a governance system in which business processes and procedures are developed as well as technical improvements required to manage the risks that personal data may encounter. It is the responsibility of Escarus management and employees to continuously improve and keep this system up to date.

In order to increase the interaction of PDPPP, which is one of the cornerstones of the governance system created for the protection of personal data, with business processes, a "Regulation on Protection and Management of Personal Data" will also be drafted.

As part of these efforts, Escarus employees are obliged to make maximum effort to fully comply with the policies and procedures established to ensure the confidentiality and security of personal data as well as business processes.

4. PERSONAL DATA STORAGE AND DISPOSAL POLICY (PDSDP)

4.1. PURPOSE AND SCOPE

4.1.1. Purpose

The purpose of Personal Data Storage and Disposal Policy is to set out the processes of deletion, destruction or anonymization of the personal data processed by Escarus as well as the maximum time required for the purpose for which they are processed, and to define the roles and responsibilities of the persons who will take part in such processes.

4.1.2. Scope

The scope of PDSDP covers the maximum durations of storing personal data, the technical and administrative measures taken to legally store and dispose of personal data, the employees involved in the execution of the relevant processes within Escarus, and the recording media listed below:

  • Electronic Recording Media: This refers to any cloud and physical server such as the Logo accounting software server and Microsoft One Drive used by Escarus.
  • Physical Recording Media: This refers to the media where personal data are physically stored, such as archive room, files, folders and cabinets.

4.2. Responsibility

Under PDSDP, Escarus is obliged to fulfill the following roles and responsibilities:

  • To comply with the storage periods that are set out in the Personal Data Inventory and are legally mandatory,
  • To manage the personal data disposal process during the periodic disposal period,
  • To review the PDSDP at least once a year,
  • To draft and publish the Personal Data Storage and Disposal Procedure, which will regulate the process rules in detail based on the PDSDP, as well as other procedures it deems necessary,
  • To distribute the duties as required for the PDSDP, to authorize the appropriate persons, and to organize the necessary training events regarding compliance with the Law,
  • To monitor the implementation of all kinds of technical and administrative measures taken in accordance with the data security obligations imposed by the law and to plan the relevant audits,
  • To determine what needs to be done in order to comply with the law and the relevant legislation, to observe the implementation thereof, and to ensure the required coordination,
  • To track the processes related to applications and requests made by real persons whose personal data are processed and to ensure that the necessary actions are taken to solve problems which may arise regarding the implementation of the Law and/or the relevant policy and procedure,
  • To maintain relations with the Board.

4.3. Security Principles Regarding Data Storage and the Prevention of Illegal Processing of and Access to Data

The data provided by Escarus under the Personal Data Protection and Processing Policy are classified within the framework of the rules listed in the Personal Data Processing Inventory and set out in the Law.

To this end, the following personal data definitions in the Law are used as the classification methodology that forms the basis of PDSDP:

  • Group 1/Personal Data: This refers to all kinds of data regarding an identified or identifiable natural person.
  • Group 2/Sensitive Personal Data: This refers to personal data on racial or ethnic origin, political opinions, philosophical beliefs, religion, sect and other religious beliefs, clothing, membership to associations, foundations or unions, health, sexual life, and criminal record as well as biometric and genetic data.
  • Group 3/Other Data: This refers to data that are not covered by the definition of personal data.

To safely store data in group 1 and 2 and prevent illegal processing of and access to the said data, Escarus takes all technical and administrative measures, as allowed by technological means, including but not limited to restriction of access authorization to personal data, encryption/masking, confidentiality and information security measures, preparing a "Personal Data Processing Inventory", training employees on the subject, drafting technical policies and procedures, and keeping them up to date.

4.4. Reasons Requiring the Storage and Disposal of Data

Personal data are processed by Escarus as the Data Controller on the basis of the aforementioned legal reasons in order to:

  • allow Escarus to communicate with relevant persons,
  • provide the services stipulated within the scope of the relevant legislation,
  • conclude contracts to which Escarus is a party and to duly fulfill their requirements,
  • allow Escarus to offer its products and services, to provide information about products and services or to offer solutions as part of complaint management,
  • give references regarding Escarus' services and projects to people and institutions with whom cooperation or agreement has been made,
  • create a database required for Escarus to fulfill its obligations, to obtain identity, address and other necessary information to determine the information regarding the data subject, to issue all records and documents that will set the basis for the proposed transactions,
  • ensure internal communication in accordance with the procedure,
  • comply with the regulations in the relevant legislation,
  • comply with information storage, reporting, information and other obligations stipulated by official institutions,
  • inform the public through printed or visual news or bulletins

If the purpose of processing ceases to exist or the storage durations set out in the relevant legislation and/or by Escarus expire, personal data will be destroyed in accordance with the principles specified in the PDSDP.

4.5. Data Storage Durations Under Relevant Legislation

Storage durations are set for all personal data stored by Escarus. When determining the storage durations, the durations set out in the relevant legislation are taken into account. If there is no duration stipulated by the relevant legislation, the time required for personal data processing is taken into consideration, and the relevant durations are included in the Personal Data Inventory.

Pursuant to Other Relevant Legislation For the duration stipulated in the relevant legislation
Pursuant to Article 146 of the Code of Obligations regulating the statute of limitations for general cases 10 years
Pursuant to Articles 66 and 68 of the Turkish Penal Code if the relevant personal data is subject to a crime within the scope of the Turkish Criminal Code or other legislation imposing another penal provision or such data is related to a crime During the limitation for action and penalty

Personal data included in the Personal Data Processing Inventory are stored in accordance with the legal regulations that are provided in the table above, unless there is any legal case that tolls or stops the limitation period, and are disposed of on the first periodic disposal date following the storage duration.

4.6. Security Principles Regarding Data Disposal

Personal data provided by Escarus under the Personal Data Protection and Processing Policy and stored as specified in the Personal Data Inventory are subjected to either of the processes of deletion, destruction or anonymization in line with the nature of the personal data and the recording medium and at the request of either the natural person whose personal data are processed or the Data Controller unit or ex officio if the purpose of the processing of such data has ceased to exist or the storage durations specified in the relevant legislation and/or policy have expired. Such disposal is performed in line with the details set out in the Personal Data Storage and Disposal Procedure.

The following disposal methods are used by Escarus:

4.6.1. Deleting Data

This is the process of making personal data inaccessible and unavailable in any way for relevant users.

4.6.2. Destroying Data

This is the process of making personal data inaccessible, unrecoverable and non-reusable by anyone.

4.6.3. Anonymizing Data

This is the process of making personal data impossible to relate to an identified or identifiable person even if such personal data is matched with other data.

4.6.4. Performing the Disposal Process

Personal data stored by Escarus are disposed of when the storage durations expire, on the condition that data confidentiality is preserved.

  • It is Escarus' responsibility to perform the disposal process for data belonging to group 2 when the reasons for processing of such data cease to exist. The disposal method for such data is determined by Escarus.
  • The disposal process for data belonging to group 2 is then started by Escarus. Escarus informs the data subject for the relevant data on how it proceeds with the disposal process.
  • All transactions regarding the deletion, destruction and anonymization of personal data are recorded in a report signed by two authorized signatories, and the said records are kept for at least 3 (three) years, excluding other legal obligations.
  • The following durations are taken into consideration within the scope of Escarus' obligation to delete, destroy or anonymize personal data. Personal data are deleted, destroyed or anonymized during the first periodic disposal transaction following the date when the disposal obligation within the storage duration specified in the data inventory arises.
  • The timeframe for the periodic disposal process is a maximum of 6 (six) months.
  • Persons who have personal data at Escarus have the right to request the disposal of such data via the "Personal Data Contact Form" available on the Escarus website. In the event that this right is exercised,
    • If all the conditions for processing personal data have ceased to exist, the personal data subject to the request are deleted, destroyed or anonymized by Escarus. The deletion or destruction requests by relevant persons are finalized by the Data Controller within 30 (thirty) days at the latest, and the person requesting the deletion of their personal data is informed about the transaction in writing or electronically.
    • If all the processing conditions applicable to personal data have ceased to exist and the data subject to a deletion request were previously transferred to third parties, Escarus will inform the third party to perform the deletion within 30 (thirty) days following the date of the request, demand feedback from third parties that the disposal transaction is carried out, and then follow up on this notification.
    • If all the conditions for processing personal data have not ceased to exist, this request may be turned down by providing the justification for rejection, and the rejection response is notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.

5. SENSITIVE PERSONAL DATA POLICY (SPDP)

5.1. PURPOSE AND SCOPE

5.1.1. Purpose

The purpose of the Sensitive Personal Data Policy is to determine the principles regarding the protection and processing of sensitive personal data by Escarus.

5.1.2. Scope

The scope of the SPDP covers processing and protecting personal data on racial or ethnic origin, political opinions, belief, religion, sect and other religious beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal record, and security measures as well as biometric and genetic data ("sensitive personal data").

5.2. Practices and Measures Regarding the Protection and Processing of Sensitive Personal Data

5.2.1. Measures applicable to Escarus employees as part of the processing of sensitive personal data:

  • Employees are regularly trained on the law and related regulations as well as the security of sensitive personal data,
  • The required non-disclosure agreements on the matter are signed between Escarus and its employees,
  • The scope and duration of the authorization of users who have access to data are clearly defined,
  • Authorizations are periodically checked,
  • Employees who change positions or leave their jobs are immediately removed from their relevant authority, and the data inventory allocated to them by the data controller is returned.

5.2.2. Measures regarding the electronic media where sensitive personal data are processed, stored and/or accessed:

  • Data are stored using cryptographic methods (Secret-Key Cryptography, Public-Key Cryptography, Digital Signature, Encryption Algorithms, Secure Socket Layer-SSL),
  • Cryptographic keys are kept in secure media,
  • Transaction records of all transactions performed on the data are securely recorded,
  • The security updates at the media where the data are located are continuously monitored; the required security tests are carried out regularly; and the test results are recorded,
  • If a software is used to access data, the user authorization for such software is performed; regular security tests are carried out for this software; and the test results are recorded,
  • If remote access to data is required, a minimum two-step authentication system is provided.

5.2.3. Measures regarding the physical media where sensitive personal data are processed, stored and/or accessed:

  • Adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the medium where sensitive personal data are stored,
  • The physical security of such media is ensured, and Escarus prevents any unauthorized entry to and exit from such media.

5.3. Core Principle for Processing Sensitive Personal Data

The core principle observed by Escarus in the processing of sensitive personal data is to check whether the explicit consent of the relevant person is obtained and whether the measures set out by the Personal Data Protection Board are taken in the processing of the data.

5.4. Core Principles for Transferring Sensitive Personal Data

The core principles observed by Escarus in the transfer of sensitive personal data are as follows:

  • If the data have to be transferred via e-mail, they are transferred in encrypted form, using a corporate e-mail address or a Registered Electronic Mail (REP) account,
  • If the data have to be transferred via a medium of media such as a flash drive, CD or DVD, such data are encrypted using cryptographic methods, and the cryptographic key is kept in different media,
  • If data are transferred between servers located in different physical media, this transfer is performed in a technically safe manner,
  • If data have to be transferred in print form, necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in a "classified manner" (documents bearing the phrases top secret, secret, confidential and restricted).

6. ENTRY INTO FORCE

This Personal Data Management Policy hereby entered into force upon the Board of Directors Resolution No. 20 of September 28, 2020.

Document No: 1228920201

Escarus (TSKB Sürdürülebilirlik Danışmanlığı A.Ş.) is a corporation that values the confidentiality and security of data. The website confidentiality approach describes the basic rules adopted to protect the confidentiality of information provided or collected by Escarus when visiting the corporate website escarus.com ("website").

Visitors can visit the Escarus website pages, get information about products and services, and read reports safely without providing any personal information.

Escarus is bound by a legal obligation to ensure the confidentiality and security of the information of its visitors and exerts maximum prudence to that end. Escarus implements detailed corporate policies in order to ensure that all employees act in maximum prudence in terms of the confidentiality, security and protection of personal data.

Escarus attaches utmost importance to the protection of visitor information in all applications and processes carried out on the website.

Protecting all visitor information from unauthorized access, misuse, changes, corruption and destruction; and ensuring the confidentiality, integrity and availability of information are the two elements that outline the Escarus approach to confidentiality.

In order to protect the personal data of visitors, Escarus takes the necessary measures by keeping the system and Internet infrastructure maximally safe and reliable. You can access Escarus applications regarding the protection of personal data at this link.

Escarus may work with different organizations to get support services related to the website. In such cases, Escarus ensures that service providers comply with Escarus’ confidentiality terms and standards.

The commitments in the Escarus confidentiality approach only cover visits to the corporate website (www.escarus.com).

In accordance with legal regulations, the records of all transactions performed by visitors on Escarus website are fully and correctly kept in a secure environment. If requested by official bodies, these transactions and records are submitted to them without providing any information to the data subject. The said transactions and records are not shared with third parties in any manner whatsoever.

Document No: 41321120201

Escarus (TSKB Sürdürülebilirlik Danışmanlığı A.Ş.) attaches utmost importance to protecting fundamental rights and freedoms, particularly the right to privacy. To this end, Escarus takes maximum security measures to protect confidentiality during the legal collection, processing, sharing and storage of personal data. With this disclosure statement, Escarus aims to transparently inform its customers about the security measures it has taken.

Purpose and Scope of Personal Data Protection and Processing

In its capacity as the "data controller", Escarus collects and processes personal data belonging to its customers pursuant to the Personal Data Protection Law No. 6698 ("PDPL") and within the framework below.

Personal data of customers are processed in connection with and limited to the purposes stated below and to the extent to ensure the fulfillment of the purpose, based on the Conditions of Processing Personal Data and the Conditions of Processing Sensitive Personal Data in the PDPL.

Pursuant to the PDPL No. 6698, the conditions for the processing of personal data are as follows:

  • It is expressly provided for by the laws,
  • It is mandatory for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid,
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
  • It is mandatory for compliance with a legal obligation to which the data controller is subject,
  • Personal data have been made public by the data subject himself/herself,
  • Data processing is mandatory for the establishment, exercise or protection of any right,
  • Processing of data is mandatory for the legitimate interests pursued by the data controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject.

Since the fulfillment of the identification and suspicious transaction reporting obligations regulated under the Law No. 5549 on the Prevention of Laundering Proceeds of Crime is obligatory for the data controller to perform its legal obligation in accordance with the article on the "conditions of processing personal data" in the PDPL, personal data are processed for the purposes stated below:

  • Planning and executing the obligations to analyze and monitor the current situation of existing and potential customers in order to measure risks,
  • Planning and executing risk management processes for Escarus’ products and services; prevention of fraud, money laundering and laundering of proceeds of crime as well as the financing of terrorism as part of consultancy operations; and reporting suspicious transactions to authorized public institutions and organizations,
  • Performing information, reporting and audit obligations legally prescribed for Escarus and the shareholders thereof by the Central Bank of the Republic of Turkey, Banking Regulation and Supervision Agency, Capital Markets Board, Financial Crimes Investigation Board, Competition Board, Revenue Administration, Ministry of Treasury and Finance, Central Securities Depository of Turkey, Banks Association of Turkey, Risk Center of the Banks Association of Turkey, Credit Bureau, Credit Guarantee Fund of Turkey, and Turkish Capital Markets Association as well as other authorities,
  • Planning and executing internal audit and inspection activities that are obligatory to fulfill,
  • Planning and executing Escarus information security processes,
  • Planning and executing operational and system infrastructure processes specific to Escarus’ products and services,
  • Planning and executing legal compliance processes.

Personal data are processed for the following purposes, since the data subject has made the data public by himself in accordance with the article on the "conditions of processing personal data" in the PDPL:

    >
  • Planning and execution of communication and marketing activities as well as consultancy activities,
  • Finalizing, fulfilling and evaluating requests, appeals and complaints from customers or third parties regarding Escarus' activities, and planning and executing customer relations to that end,
  • Executing administrative and legal proceedings for the follow-up/collection/protection of Escarus' rights and receivables; exercising rights and obligations in investigations and lawsuits; performing judicial activities,
  • To the extent permitted by the PDPL and other relevant legislation, promoting products and services provided within the scope of consultancy activities; planning and executing marketing and information activities,
  • Fulfilling customer segmentation and modeling processes; planning and executing risk analysis, statistics and reports as well as market research activities,
  • Planning and executing corporate governance and corporate sustainability activities,
  • Ensuring the security of the premises and facilities regarding visits to Escarus headquarters and branch office,
  • Planning and executing efficiency/effectiveness analysis for consultancy activities,
  • Planning and executing existing and/or potential customer information and communication as well as corporate communication activities,
  • Planning and executing Escarus' social responsibility or civil society activities as well as sponsorship activities,
  • Planning events and receptions organized by Escarus exclusively and in cooperation with other persons, institutions and organizations; carrying out organizational activities; and posting news on such events and receptions on Escarus website and social media channels,
  • Planning and executing Escarus' corporate communication, marketing communication and brand communication activities and, within this framework, planning and executing cooperation activities with institutions, organizations and individuals that Escarus is a business partner of,
  • Performing the actions committed by Escarus in civil society and social responsibility projects in which it is a stakeholder, and carrying out corporate communication activities to that end.

Transfer of Personal Data and the Purpose of Transfer

Personal data of customers are transferred to the following institutions, organizations, authorities and persons in accordance with the articles regulating personal data transfer in the PDPL, on the condition that such transfer is limited to the realization of the aforementioned purposes in this text and the fulfillment of the obligations imposed by the relevant legislation:

  • Third parties that Escarus receives services from in Turkey; natural and legal persons with which Escarus has an agency relationship; Escarus' business partners; institutions it has agreements with; lawyers, for the purposes of settlement of legal disputes; and other third parties (but for exceptions, personal data cannot be transferred without the explicit consent of the data subject).
  • Third parties abroad, in accordance with the conditions stipulated in the relevant law and legislation, and provided that all necessary security measures are taken.

Personal data, as detailed below, can be recorded, stored, preserved, reorganized, disclosed, transferred, classified and processed by third parties on the condition that the PDPL is complied with.

Personal data can be shared with the following:

  • Public agencies and regulatory authorities such as Banking Regulation and Supervision Authority, Capital Markets Board, Central Bank of the Republic of Turkey, Financial Crimes Investigation Board, Competition Board to provide information on behalf of itself and its shareholders to fulfill their obligations for information and audit in accordance with the legislation,
  • Organizations residing abroad in order to fulfill the actions that Escarus has committed to in the contracts concluded regarding the products and services provided by Escarus,
  • Escarus shareholders in order to fulfill legal obligations,
  • Suppliers, individuals, business partners, support service organizations, consultants and lawyers offering their products and services in order to carry out Escarus activities and ensure their sustainability, and to ensure the establishment, use and protection of rights to that end,
  • Business partners or financial institutions in order to secure the legitimate interests of Escarus, provided that the fundamental rights and freedoms of customers remain unharmed,
  • Organizations or persons owning the venue and private security companies responsible for the physical security of the venue in relation to events, conferences and receptions that Escarus organizes by itself or with third parties,
  • Agencies and event companies with which Escarus has a contractual relationship and from which Escarus provides services in order to carry out the announcements and organization of events, conferences and receptions that Escarus organizes by itself or with third parties.

Collection Method of Personal Data of Customers and the Legal Reason Thereof

For the purposes stated above and in accordance with the basic principles stipulated in the PDPL, personal data of customers are collected by the following methods, based on the legitimate interests of Escarus, on the condition that it is provided for in the laws, the contract is executed, the data controller can fulfill its legal obligation, the data have been made public by the other party, and that the fundamental rights and freedoms of the data subject are not harmed:

  • Orally, in writing or electronically through CCTV systems if the Escarus office is visited,
  • As part of all kinds of contracts, protocols, instructions, information forms and other documents regarding consultancy activities,
  • Via e-mail applications,
  • By written communication via fax,
  • Through building management for security reasons,
  • Through the applications and software used by Escarus,
  • In cases where the corporate website is visited or the social media accounts are followed,
  • Through mutual communication channels at sectoral events and receptions.

Rights of Data Subject

Pursuant to the PDPL article on "rights of data subject", customers have the following rights as the data subject:

  • To learn whether their personal data are processed or not,
  • To request information if their personal data are processed,
  • To learn the purpose of the processing of their data and whether their data are used for intended purposes,
  • To know the third parties to whom their personal data are transferred at home or abroad,
  • To request the rectification of the incomplete or inaccurate data, if any, and to request the notification of such transaction to third parties to whom their personal data have been transferred,
  • To request the deletion or destruction of personal data processed in accordance with the PDPL and other laws in the event that the reasons requiring their processing cease to exist, and to request the notification of such transaction to third parties to whom their personal data have been transferred,
  • To file an objection if they are convinced that the analysis of the processed data exclusively by automatic systems has led to an unfavorable consequence for themselves,
  • To request compensation for the damages arising from an unlawful processing of their personal data.

To that end, on the condition that applications are in accordance with the procedure specified under "application procedure" in the Communiqué on the Principles and Procedures of Application to the Data Controller, which was published in the Official Gazette No. 30356 of March 10, 2018, applications can be filed through the following methods:

Escarus (TSKB Sürdürülebilirlik Danışmanlığı A.Ş.)

Address : Meclisi Mebusan Cad. Ömer Avni Mah.
Karun Çıkmazı Sk. No:2 34427 Beyoğlu/İSTANBUL
Tel : +90 (212) 334 54 60
Fax : +90 (212) 334 54 62
E-mail : info@escarus.com
Trade registry number : 770420
Mersis no : 0787033138300014

Document No: 41421120201