PALMERA YOUTH ROOM FURNITURE INDUSTRY AND TRADE LTD. ("PALMERA") PALMERA attaches great importance to the protection of personal data in its activities and considers it among its priorities in its business and processes. PALMERA Personal Data Protection and Processing Policy ("Policy"), According to the Law No. 6698 on the Protection of Personal Data ("Law") The defined personal data processing procedures and principles constitute the fundamental regulation for the compliance of PALMERA's organizational and business processes. In accordance with these policy principles, PALMERA processes and protects personal data with a high level of responsibility and awareness, and ensures the necessary transparency by informing personal data owners.

1.1. Aim

The purpose of this Policy is to ensure that the procedures and principles stipulated by the Law and other relevant legislation are harmonized with PALMERA's organizational structure and processes, and effectively implemented in its operations. PALMERA takes all necessary administrative and technical measures for the processing and protection of personal data, establishes necessary internal procedures, raises awareness, and provides all necessary training to ensure understanding. All necessary measures are taken to ensure the compliance of shareholders, officers, employees, and business partners with the Law, and appropriate and effective control mechanisms are established.

1.2. Scope

This policy covers all personal data obtained through automated means in PALMERA business processes or through non-automated means as part of any data recording system.

1.3. Rest

This policy is based on the law and relevant legislation. Personal data is processed to fulfill legal obligations arising from the Consumer Protection Law No. 6502, the Identity Reporting Law No. 1774, the Labor Law No. 4857, the Occupational Health and Safety Law No. 6331, the Social Security and General Health Insurance Law No. 5510, the Unemployment Insurance Law No. 4447, the Turkish Commercial Code No. 6102, the Tax Procedure Law No. 213, and other relevant legislation.

In cases of inconsistency between current legislation and the Policy, current legislation shall apply. Regulations stipulated by the relevant legislation are incorporated into the Policy and PALMERA practices.

1.4 Definitions

Explicit consent	It refers to informed and freely given consent regarding a specific matter.
Application form	This is an application form prepared in accordance with the Law No. 6698 on the Protection of Personal Data and the Communiqué on the Procedures and Principles for Applications to the Data Controller issued by the Personal Data Protection Authority, containing the application that the data subject (Personal Data Subject) will make to the data controller to exercise their rights.
The relevant user	Data subjects are individuals within the data controller organization, or those acting under the authority and instructions of the data controller, who process personal data, excluding the person or unit technically responsible for the storage, protection, and backup of the data.
Destruction	Deletion, destruction, or anonymization of personal data.
Recording medium	Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system.
Personal data	Any information relating to an identified or identifiable natural person.
Processing of personal data	Personal data processing includes any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.
Anonymization of personal data	Making personal data impossible to link to an identified or identifiable natural person, even when combined with other data.
Data subject	The natural person whose personal data is processed by or on behalf of PALMERA.
Deletion of personal data	Deletion of personal data means making personal data completely inaccessible and unusable for the Relevant Users. bringing.
Destruction of personal data	The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board	Personal Data Protection Board
Organisation	Personal Data Protection Authority
Special categories of personal data	Data relating to individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. biometric and genetic data.
Periodic destruction	If all the conditions for processing personal data stipulated in the law cease to exist, the personal data will be deleted, destroyed, or anonymized automatically at recurring intervals as specified in the data retention and destruction policy.
Data Processor	Natural or legal persons who process personal data on behalf of the data controller, based on the authority granted by the data controller.
Data Recording System	A data processing system where personal data is structured and processed according to specific criteria.
Data subject / Data party	The natural person whose personal data is being processed.
Data controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Representative	A natural person appointed by law to fulfill the Data Controller's duties under the relevant articles of the law.
Regulations	Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

2. PERSONAL DATA PROTECTION ISSUES

2.1. Ensuring the Security of Personal Data

PALMERA takes the necessary measures stipulated in Article 12 of the Law, according to the nature of the personal data, to prevent unlawful disclosure, access, transfer, or other security problems that may arise from personal data. PALMERA takes measures and conducts audits to ensure the necessary level of personal data security in accordance with the guidelines published by the Personal Data Protection Authority.

2.2. Protection of Special Categories of Personal Data

Measures taken to protect sensitive personal data such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data, are carefully implemented and necessary controls are carried out.

2.3. Personal Data Protection And Developing Awareness of Processing

PALMERA provides the necessary training to individuals to ensure the lawful processing and access to personal data, data storage, and to raise awareness about exercising their rights.

To increase employees' awareness of personal data protection, PALMERA establishes the necessary business processes and seeks support from consultants when needed. Deficiencies encountered in implementation and the results of training are evaluated by PALMERA management. Based on these evaluations and changes in relevant legislation, new training sessions are organized as needed.

3. PROCESSING OF PERSONAL DATA

3.1. Processing Personal Data in Compliance with Legislation

Personal data is processed in accordance with the legislation, based on the principles listed below.

Acting in Accordance with the Law and the Principle of Honesty

Personal data is processed to the extent required by business processes, limited to these processes, without harming the fundamental rights and freedoms of individuals, and in accordance with the law and the principle of fairness.

Ensuring that Personal Data is Current and Accurate

Measures are taken to ensure that the processed personal data is kept up-to-date and accurate, and work is carried out in a planned and systematic manner.

Processing for Specific, Explicit and Legitimate Purposes

Personal data is processed for legitimate purposes as defined and explained in the business processes carried out.

Being relevant, limited, and proportionate to the purpose for which they are committed.

Personal data is collected to the extent and nature required by business processes and is processed only for the specified purposes and within limited scope.

Necessary The one which Duration Much Casing E tme

Personal data is retained for at least the period stipulated in the relevant legislation and necessary for the purpose for which the personal data is processed. Primarily, if a retention period is stipulated in the relevant legislation for personal data, it is retained for that period; if no period is stipulated, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the retention periods, personal data is destroyed periodically according to destruction schedules or upon the data owner's request, using appropriate methods (deletion, destruction, or anonymization).

3.2. Conditions for Processing Personal Data

Personal data is processed with the explicit consent of the data subject or based on one or more of the other conditions specified below.

The explicit consent of the personal data owner is required.

Personal data is processed with the explicit consent of the data subject. Explicit consent from the data subject occurs when they are informed about a specific matter and give their free will.

Absence of Explicit Consent from the Personal Data Subject

Personal data may be processed without the explicit consent of the data subject if any of the following conditions are met.

Explicitly Regulated in the Laws

Personal data may be processed without the data subject's consent if there is an explicit regulation in the laws regarding the processing of personal data.

Inability to Obtain the Explicit Consent of the Person Concerned Due to Factual Impossibility

Personal data of a data subject may be processed if, due to factual impossibility, the person is unable to express their consent or their consent cannot be considered valid, and the processing of this data is necessary to protect the life or physical integrity of that person or another person.

Directly related to the formation or performance of the contract.

Personal data may be processed if the processing of such data is directly related to the establishment or performance of a contract to which the data subject is a party.

Fulfillment of Legal Obligation

PALMERA may process the personal data of the data subject if data processing is necessary to fulfill its legal obligations.

Making Personal Data Public by the Data Subject

Personal data of data subjects who have made their personal data public may be processed only for the purpose of making the data public.

Necessary Data Processing for the Establishment or Protection of a Right

Personal data of the data subject may be processed if it is necessary for the establishment, exercise or protection of a right.

Necessary Data Processing for Legitimate Interests

PALMERA may process personal data if it is necessary for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Processing of Special Categories of Personal Data

PALMERA processes special categories of personal data in accordance with the principles set forth in the Law and Policy, using the methods determined by the Board, and taking all necessary administrative and technical measures, following the procedures and principles below:

Special categories of personal data other than health and sexual life, Data processing can be carried out without the explicit consent of the data subject if there is an explicit provision in the laws allowing it. In cases not explicitly provided for in the laws, the explicit consent of the data subject must be obtained.
Special categories of personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations bound by an obligation of confidentiality, without seeking the explicit consent of the data subject, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing. Otherwise, the explicit consent of the data subject must be obtained.

3.4. Informing the Data Subject

PALMERA informs data subjects, in accordance with relevant legislation, about the purposes for which their personal data is processed, with whom it is shared and for what purposes, the methods used to collect it, the legal basis, and the rights data subjects have regarding the processing of their personal data. In this respect, the protection of personal data is carried out in accordance with the principles in this Policy and other policy documents and information texts prepared within this framework.

3.5. Transfer of Personal Data

PALMERA may transfer personal data and sensitive personal data to third parties (third-party companies, group companies, third-party individuals) in accordance with the law and by taking the necessary security measures for the purposes of personal data processing. PALMERA carries out these transfer operations in accordance with the regulations stipulated in Article 8 of the Law.

1. Transfer of Personal Data

While the explicit consent of the data subject is required for the transfer of personal data, personal data may be transferred to third parties based on one or more of the conditions stated below, and by taking all necessary security measures, including the methods foreseen by the Board.

If it is explicitly provided for in the laws,
It must be directly related to and necessary for the formation or performance of a contract.
It is necessary for PALMERA to fulfill its legal obligations.
Provided that the personal data has been made public by the data subject, it is limited to the purpose of making it public.
It is necessary for the establishment, exercise or protection of the rights of PALMERA, the data subject or third parties,
Provided that it does not prejudice the fundamental rights and freedoms of the data subject, and if it is necessary to serve PALMERA's legitimate interests,
Consent must be given in cases where the person is unable to express their consent due to factual impossibility or where their consent is not legally valid, and it is necessary to protect their own life or the life or physical integrity of another person.

Personal data may be transferred to foreign countries that have been determined by the Board to have adequate protection and declared as " Foreign Countries with Adequate Protection", in accordance with any of the above-mentioned conditions. Personal data may also be transferred to foreign countries that do not have adequate protection, but have a data controller in Turkey or the foreign country who has provided a written guarantee of adequate protection and has the Board's permission, in accordance with the conditions stipulated in the legislation.

2. Transfer of Special Categories of Personal Data

Special categories of personal data will be processed in accordance with the principles set forth in the Policy and using methods determined by the Board. also including to be insofar as, necessary each various administrative And technical measures It can be transferred under the following conditions:

Special categories of personal data other than health and sexual life, If there is an explicit provision in the laws regarding the processing of personal data, the explicit consent of the data subject may not be required; otherwise, the explicit consent of the data subject must be obtained.
Health And sexual related to life special qualified personal Data may be processed by persons or authorized institutions and organizations bound by an obligation of confidentiality, without seeking explicit consent, or otherwise with the explicit consent of the data owner, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

Personal data, “ Sufficient” To protect Owner Foreign Country" to those in their status If any of the above conditions are met, and adequate protection is not available, then those with the status of "Foreign Country with a Data Controller Committing to Adequate Protection" shall apply. according to the data transfer conditions stipulated in the legislation personal data It can be transferred. PALMERA does not transfer sensitive personal data abroad.

4. PERSONAL DATA INVENTORY PARAMETERS

PALMERA processes personal data categories and personal data belonging to job applicants, employees, shareholders/partners, potential product or service buyers, interns, supplier representatives, product or service recipients, parents/guardians/representatives, and visitors in its management, human resources, administrative affairs, financial affairs (accounting-finance), planning-logistics-information technology, production, product development-quality, R&D, marketing-sales, and purchasing business processes. (Annex-1) , purposes of personal data processing (Appendix-2) Data is processed accordingly. Details regarding processing purposes and data subject groups, categorized by data type, can be found on PALMERA's website. https://verbis.kvkk.gov.tr/ It is reported in the field at the address provided.

The purposes of personal data processing are determined according to the categories of personal data, in accordance with Article 10 of the Law and other legislation, to inform the data subjects, based on at least one of the conditions for processing personal data specified in Articles 5 and 6 of the Law, and in a limited manner, in accordance with the general principles specified in the Law, primarily the principles specified in Article 4 of the Law regarding the processing of personal data.

Personal data may be transferred to: natural persons or private legal entities, shareholders, business partners, affiliates and subsidiaries, suppliers, authorized public institutions and organizations, private insurance companies, auditors, consultants, domestic organizations with whom we have contracted services or with whom we cooperate, for the purposes specified in section "3.5. Transfer of Personal Data" of the Policy. (Appendix-3) Personal information can be shared. However, there is no transfer of personal information with foreign countries.

5. MEASURES TAKEN REGARDING THE PROTECTION OF PERSONAL DATA

PALMERA takes the necessary technical and administrative measures to protect the personal data it processes in accordance with the procedures and principles determined by law, conducts the necessary audits in this context, and carries out awareness and training activities.

Even if all technical and administrative measures have been taken to ensure that processed personal data is obtained by third parties through unlawful means, PALMERA will notify the relevant individuals and units as soon as possible.

6. STORAGE AND DESTRUCTION OF PERSONAL DATA

PALMERA retains personal data for a period no longer than that stipulated in the relevant legislation, and for a period no specific legislation mandates. PALMERA retains personal data primarily for the period specified in the legislation; if no legal period is specified, it retains personal data for the period necessary for the purpose of processing. At the end of the specified retention periods, personal data is destroyed periodically or upon request from the data owner, using a specified method (deletion, destruction, or anonymization).

7. RIGHTS OF PERSONAL DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS

7.1. Rights of the Personal Data Subject

Data subjects have the following rights arising from the law:

To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.

To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.

Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
Even if personal data has been processed in accordance with the law and other relevant legal provisions, the right to request the deletion or destruction of personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom the personal data has been transferred.

The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.

7.2. Exercise of Data Subject Rights

Data subjects may submit their requests regarding the rights listed in Article 7.1 to PALMERA through the methods determined by the Board. Data subjects and those entitled to apply on their behalf may apply to PALMERA by filling out the "Data Subject Application Form" (Annex-4).

7.3. Responding to Applications

PALMERA processes requests made by personal data owners in accordance with the Law and other legislation. Requests duly submitted to PALMERA are processed free of charge as soon as possible, and no later than 30 (thirty) days. However, if the process requires additional costs, a fee may be charged in accordance with the tariff determined by the Board.

7.4. Rejection of the Data Subject's Application

PALMERA may refuse an applicant's request, stating the reasons, in the following circumstances:

The processing of personal data for purposes such as research, planning, and statistics through official statistics and by anonymizing it,
Personal data may be processed for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights, or constitute a crime.

The processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public safety, public order, or economic security.

Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings,
The processing of personal data is necessary for the prevention of crime or for criminal investigation,
Processing of personal data that has been made public by the data subject,

Personal data processing is permitted when authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, are necessary for the performance of their supervisory or regulatory duties, or for disciplinary investigations or prosecutions, based on the authority granted by law.
The processing of personal data is necessary for the protection of the State's economic and financial interests in relation to budgetary, tax and financial matters,

The data subject's request may infringe upon the rights and freedoms of other individuals,
The fact that disproportionately demanding requests were made,
The requested information must be publicly available.

7.5. The Right of the Personal Data Subject to File a Complaint with the Personal Data Protection Board

In accordance with Article 14 of the Law, if the application is rejected, the response is deemed insufficient, or no response is given within the prescribed time, a complaint may be filed with the Board within thirty days of learning of PALMERA's response, and in any case within sixty days of the application date.

Information that may be requested from the Data Subject making the application.

PALMERA may request information from the data subject to determine whether they are the data subject. PALMERA may also ask the data subject questions regarding their application to clarify the points raised in their application.

8. EXECUTION

The policy has been approved and put into effect by the Policy Management Board. The technical implementation of the policy is provided by the “Personal Data Storage and Destruction Policy” (Annex-5).

In business processes, the implementation of the Policy by the parties is governed by the " Customer Information Text on Personal Data Processing ". (Appendix-6), “ Supplier Privacy and Personal Data Protection Agreement” (Appendix-7) “Employee Personal Data Processing Information Text” (Annex-8), “Employee Candidate Information Text ” (Appendix-9), “Website Cookie Information Text” (Appendix-10), “Camera Recording Systems Information Text” (Appendix-11) This is accomplished through...

The Board of Directors is responsible for the implementation and, when necessary, updating of the Law and Policy, while the PALMERA Personal Data Protection Committee is responsible for monitoring, coordinating, and supervising all related tasks and transactions.

9. EFFECTIVE DATE AND ANNOUNCEMENT

This policy entered into force as of the date of its publication. Any changes to this policy will be published on PALMERA's website ( www.palmera.com.tr) . (published and made available to personal data owners, relevant individuals). Policy changes come into effect on the date they are announced.

APPENDICES

Appendix 1 - Data Categories and Personal Data

Appendix 2 - Purposes of Personal Data Processing

Appendix 3 - Persons to Whom Personal Data is Transferred and the Purposes of Transfer

Appendix 4 - Data Owner Application Form

Appendix 5 - Personal Data Storage and Destruction Policy

Appendix 6 - Customer Information Text Regarding the Processing of Personal Data

Appendix 7 - Supplier Privacy and Personal Data Protection Agreement

Appendix 8 - Employee Personal Data Processing Information Text

Appendix 9 - Job Applicant Information Text

Appendix 10 - Website Cookie Policy

Appendix 11 - Camera Recording Systems Information Text

APPENDIX 1 - Data Categories and Personal Data

Data Categories	Personal Data
Identity	First Name, Last Name
	Mother's and Father's Names
	Mother's Maiden Name
	Date of birth
	Birthplace
	Marital Status
	Identity Card Serial Number
	Turkish Republic Identity Number
	Passport Number
	Temporary Turkish National Identity Number
	Gender Information
	Turkish Republic Identity Card
	Driver's License
Communication	Address
	Email Address
	Contact Address
	Registered Electronic Mail Address (KEP)
	Phone Number
Location	Location information of the place, etc.
Personal	Payroll Information
	Disciplinary Investigation
	Employment Entry-Exit Document Records
	Resume Information
	Performance Appraisal Reports
Legal Transaction	Information from correspondence with judicial authorities, information in the case file, etc.
Customer Transactions	Invoice
	promissory note
	Check Information
	Entry-Exit Information
	Order Information
	Appointment Information
Physical Space Security	Employee and Visitor Entry and Exit Records
Physical Space Security	Camera Recordings
Transaction Security	Transaction Security (such as IP address information, website login and logout information, password and login credentials)
	IP Address Information
	Website Login and Logout Information
	Password and PIN Information
Risk Management	Information processed for the management of commercial, technical, and administrative risks.
Finance	Balance Sheet Information
	Financial Performance Information
	Credit and Risk Information
	Asset Information
	Bank Account Number
	IBAN Number
Professional Experience	Diploma Information
	Courses Attended
	In-service Training Information
	Certificates
Marketing	Shopping History Information
	Questionnaire
	Cookie Records
	Information Obtained Through Campaign Work
Visual and Auditory Recordings	Closed-Circuit Camera System Video and Audio Recording.
Clothing and Attire	Information regarding dress and attire
Union Membership	Union membership information
Health Information	Information Regarding Disability Status
	Blood Group Information
	Personal Health Information
	Information on Devices and Prostheses Used
	Laboratory and Imaging Results
	Test Results
	Inspection Data
	Prescription Information
Criminal Conviction and Security Measures	Information Regarding Criminal Conviction
Criminal Conviction and Security Measures	Information Regarding Security Measures
Family Information	Number of Children
	Family Book
	Partner Work Information
	Children's Education and Age Information
Study Data	Department
	Working Method
	His profession
	References
	Information about the last company worked for.
Signature	Documents containing personal data include wet or electronic signatures, fingerprints, and special markings.
Website Usage Data	Application Form Completion Date
	Frequency/Time of Site Login
	Last Login Date
	IP Address
Request/Complaint Management Information	Survey Data
Request/Complaint Management Information	Personal data relating to the receipt and evaluation of all requests or complaints directed to the company.
Reputation Management Knowledge	Information collected to protect the company's commercial reputation, along with related evaluation reports and information on actions taken.
Incident Management Information	Personal data processed for the purpose of taking necessary legal, technical and administrative measures against developing events in order to protect the commercial rights and interests of the company and the rights and interests of its customers.
Insurance	Private Insurance Data
Insurance	Social Security Institution Data
Vehicle Information	Vehicle license plate, make, model, model year, engine chassis number, registration date, registration certificate copy, damage history information.
Compliance Information	Personal data processed within the scope of compliance
Audit and Inspection Information	Personal data processed during internal or external audit activities
Residence Permit Information for Foreigners	Information Regarding Residence Permits for Foreigners

APPENDIX 2 - Categorical Purposes of Personal Data Processing

Implementation of Emergency Management Processes

Implementation of Information Security Processes

Execution of Job Candidate / Intern / Student Selection and Placement Processes

Managing the Application Processes for Job Applicants

Implementing Employee Satisfaction and Engagement Processes

Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees

Managing Employee Benefits and Advantage Processes

Conducting Audit/Ethics Activities

Conducting Educational Activities

Execution of Access Permissions

Ensuring that activities are carried out in accordance with the legislation.

Execution of Finance and Accounting Operations

Implementing Company/Product/Service Loyalty Processes

Ensuring Physical Security of Spaces

Execution of Assignment Processes

Monitoring and Execution of Legal Affairs

Conducting Internal Audit/Investigation/Intelligence Activities

Conducting Communication Activities

Planning Human Resources Processes

Execution / Supervision of Business Activities

Implementation of Occupational Health and Safety Activities

Receiving and evaluating suggestions for improving business processes.

Implementing Business Continuity Activities

Execution of Logistics Activities

Execution of Goods/Services Procurement Processes

Execution of After-Sales Support Services for Goods/Services

Execution of Goods/Services Sales Processes

Execution of Goods/Services Production and Operation Processes

Execution of Customer Relationship Management Processes

Conducting activities aimed at customer satisfaction.

Organization and Event Management

Conducting Marketing Analysis Studies

Conducting Performance Appraisal Processes

Execution of Advertising/Campaign/Promotion Processes

Execution of Risk Management Processes

Execution of Storage and Archiving Activities

Conducting Social Responsibility and Civil Society Activities

Execution of Contract Processes

Execution of Sponsorship Activities

Implementation of Strategic Planning Activities

Tracking Requests/Complaints

Ensuring the Security of Movable Property and Resources

Execution of Supply Chain Management Processes

Implementation of Wage Policy

Execution of Marketing Processes for Products/Services

Ensuring the Security of Data Controller Operations

Foreign Personnel Work and Residence Permit Procedures

Execution of Investment Processes

Execution of Talent/Career Development Activities

Providing Information to Authorized Persons, Institutions and Organizations

Execution of Administrative Activities

Creating and Tracking Visitor Records

Planning and managing access rights for business partners and suppliers to information and facilities.

Managing Relationships with Business Partners and Suppliers

Collection of Entry and Exit Records of Business Partner/Supplier Employees

Planning and Management of Harmonization of Operations with Relevant Legislation or Company Procedures

APPENDIX 3 – Persons to Whom Personal Data is Transferred and the Purposes of Transfer

In accordance with Articles 8 and 9 of the Law, PALMERA may transfer the personal data of participants, customers and employees to the following categories of individuals:

Data transfer is possible. People	Definition	Purpose and Scope of Data Transfer
Natural persons or private legal entities	PALMERA's natural or legal persons with whom it interacts and conducts transactions as part of its operations.	Limited to the work and transaction performed.
Shareholders	Individuals who have established a partnership relationship with PALMERA	Limited to the planning, execution and supervision of strategies related to PALMERA's commercial activities.
Business Partners	PALMERA's business partners and partner banks with whom it maintains relationships for purposes such as the promotion and marketing of its products and services, and after-sales support.	Limited to the purposes and activities of establishing and managing business partnerships.
Authorized Public Institutions and Organizations	Public institutions and organizations authorized to obtain information and documents from PALMERA in accordance with the relevant legislation, such as the Social Security Institution and Tax Offices, etc.	Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Law Entities	Institutions or organizations established in accordance with certain conditions pursuant to the relevant legislation and operating within this framework.	Limited to topics within their areas of activity.
Private Insurance Companies	Private healthcare, retirement, and private pension schemes.	Limited to the scope of private insurance registration and notifications.
Board Members	Board Members	PALMERA Board of Directors may use this information for limited purposes only to conduct its activities.
Organizations from which services are received, with whom collaborations are made.	Contracted service providers, collaborating organizations	Limited to the principles of the agreement and cooperation protocol.
Lawyer	Lawyers authorized to act as lawyers in accordance with relevant legislation.	The company's activities and employee transactions are limited to matters that may have legal consequences.
Supplier	Parties providing services to PALMERA in accordance with its data processing purposes and requests	Palmera's limited rights to procure goods and services from external sources for the purpose of carrying out its commercial activities.
Consultants	Experts and those whose experience is utilized	Experts and those whose experience is utilized
Auditors	Auditors authorized to conduct audits in accordance with relevant legislation.	The limits of authority and duties as defined in the legislation.