Protection of Personal Data

Customs and Tourism Enterprises Trade Inc. (GTİ)

CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

At GTİ, your privacy and security are of paramount importance to us. We are committed to informing you about the personal data we process in compliance with Article 10, titled “Information Obligation of the Data Controller” of the Law on the Protection of Personal Data No. 6698 (KVVK), which was published in the Official Gazette dated April 7, 2016, numbered 29677. This law aims to protect the fundamental rights and freedoms of individuals, with a particular focus on safeguarding the right to privacy in relation to the processing of personal data. Additionally, we adhere to the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Information Obligation, published in the Official Gazette dated March 10, 2018, numbered 30356.

1. DATA CONTROLLER

Customs and Tourism Enterprises Trade Inc. (GTİ) is the Data Controller under the Personal Data Protection Law No. 6698 (KVKK) and related regulations concerning the personal data collected from the candidate employees. For any inquiries or to exercise your rights regarding your personal data, please contact us using the information below:

Head Office Address:

Dumlupınar Bulvarı No: 252 (Eskişehir Yolu 9. Km) TOBB İkiz Kuleler C Blok Kat 25-26 06520 Çankaya/ANKARA
Phone : 0 (312) 218 82 00
Fax  : 0 (312) 218 82 00
Website :  http://www.gtias.com.tr
E-Mail  :  info@gtias.com.tr

2. TYPES OF PERSONAL DATA COLLECTED AND PROCESSED

In accordance with the relevant provisions of the Law on the Protection of Personal Data No. 6698 ("KVVK"), the Company processes the following categories of personal data, collected during the course of your relationship with us:

(i) Identity Information:  Full name, date and place of birth, age, photograph, national identification number, and a copy of official identification.

(ii) Contact Information:  Personal and/or professional address, email address, telephone number, and residence information.

(iii) Education, Employment, and Professional Data:  Academic background, employment history, name of employers, professional qualifications, curriculum vitae (CV), and military service status.

(iv) Financial and Banking Information:  Bank account details, including account number, IBAN, and related financial data.

(v) Visual and Audio Data:  Photographs and video/audio recordings.

(vi) Security Data:  Access records to company premises, including entry/exit logs and surveillance camera footage.

(vii) Location Data:  Geolocation data collected for security or operational purposes.

(viii) CyberSecurity Data:  Usernames, passwords, IP addresses, activity logs, and other data related to cybersecurity measures.

(ix) Legal Transaction Data:  Information regarding legal actions or proceedings involving you.

(x) Criminal Record and Security Data: Information regarding criminal convictions and security measures, including the existence of any criminal records.

3.  PURPOSES OF PERSONAL DATA PROCESSING

In accordance with your relationship with the Company, your personal data may be processed for the following purposes:

• Fulfillment of contractual, legal, and regulatory obligations with accuracy and efficiency
• Enhancement and continuous development of services provided to meet customer needs
• Conducting quality assurance assessments, audits, and ensuring compliance with industry standards
• Responding to legitimate information requests from public authorities and regulatory bodies
• Safeguarding the legal and commercial interests of the Company
• Storing, managing, and processing case files, legal notices, and documents related to enforcement procedures
• Issuance and proper management of power of attorney documents
• Maintaining records for contracted legal representatives, including the creation of power of attorney and signature authorizations
• Managing financial and accounting transactions, ensuring compliance with relevant regulations and standards
• Preparing and submitting proposals, and handling related negotiation and follow-up processes
• Drafting, managing, and maintaining contracts, ensuring proper execution, and monitoring of legal processes
• Acquiring and updating signature circulars and related documents
• Organizing, managing, and overseeing tender processes, including business relations with awarded companies
• Storing and managing tender-related audio and video records for compliance and auditing purposes
• Issuing and maintaining invoices, receipts, accounting records, and preparing necessary declarations
• Managing payments to individual companies and ensuring timely settlements
• Facilitating the return of letters of guarantee and related financial documentation
• Issuing invoices to foreign entities in compliance with international regulations
• Ensuring the physical security and safety of Company premises
• Coordinating guest hosting processes and managing visitor information
• Organizing travel arrangements, including flight bookings and hotel reservations for business purposes
• Administering insurance-related transactions for incidents or damages occurring at border gates
• Collecting, processing, and managing records of commercial vehicles passing through border gates for regulatory and operational purposes
• Conducting and documenting General Assembly activities, including related meetings and decisions
• Managing communication activities and facilitating engagement with senior management, along with hosting quests
• Maintaining and updating electronic guide records for internal and external stakeholders
• Collecting and processing data from interns within the scope of the Joint Education Program for educational and operational purposes
• Managing hotel business operations and related transactions
• Preparing marketing and promotional materials to support business development and outreach efforts
• Monitoring and processing company email communications, ensuring proper routing and response
• Managing the flow of incoming and outgoing documents, including organization, numbering, and distribution to relevant departments
• Administering annual health insurance transactions for senior management and their families
• Maintaining and overseeing records of subcontractor company employees, ensuring payroll and benefits management
• Managing operations and services provided by Taşodalar Hotel, including guest services and related administrative tasks

4. TRANSFER OF PROCESSED PERSONAL DATA

Your personal data may be shared with relevant departments within the Company, as well as with domestic public institutions and authorities, third-party real and legal entities with whom we maintain affiliations, contracted legal representatives, business partners, service providers, insurance companies, and suppliers, in accordance with the purposes outlined in Article 3 of this Clarification Text. This data transfer will occur in compliance with the applicable provisions of the Personal Data Protection Law (KVKK) concerning the transfer of personal data, including any potential transfers to foreign countries, where necessary and lawful.

5. PERSONAL DATA GATHERING METHODS AND LEGAL GROUNDS

GTİ collects your personal data directly from you, third parties, and legal authorities during the establishment and continuation of your business relationship with our Company. This collection occurs through various channels, including internet, telephone, e-mail, as well as physical, written, verbal, and electronic media. The processing of your personal data is carried out in accordance with the legal grounds outlined in Articles 5/2(a), 5/2(c), 5/2(ç), 5/2(e), 5/2(f), 6/2, and 8 of the Personal Data Protection Law, for the purposes and services mentioned above.

6.  RIGHTS OF THE DATA SUBJECT

In accordance with Article 11 of the Personal Data Protection Law (KVKK), you, as the data subject, are entitled to the following rights concerning your personal data:

• To inquire whether your personal data is being processed;
• To request information regarding your personal data if it has been processed;
• To find out the purpose of processing your personal data and verify whether it is being used in accordance with that purpose;
• To know the third parties, both domestic and international, to whom your personal data has been transferred;
• To request the correction of any incomplete or inaccurate personal data;
• To request the deletion or destruction of your personal data, provided that the conditions for processing under the KVKK are no longer applicable;
• To request that any corrections, deletions, or destructions of your personal data be communicated to third parties to whom your personal data has been transferred;
• To object to any outcomes that may arise solely from the automated processing of your personal data, which may result in an adverse consequence for you;
• To request compensation for any damages incurred as a result of unlawful processing of your personal data.

7.  PROCEDURE FOR EXERCISING YOUR RIGHTS AND SUBMITTING REQUESTS

To exercise your rights as outlined above, you may submit your requests by submitting a petition, via a notary, or by using a secure electronic signature or mobile signature, to GTİ at the following address:

Dumlupınar Bulvarı No:252 (Eskişehir Yolu 9. Km) TOBB İkiz Kuleler C Blok Kat 25-26 06520 Çankaya/ANKARA, either in writing or by using the e-mail address previously provided to our Company and registered in our system.

Alternatively, you may submit your request in person, provided that identity verification is completed at our premises. Upon receipt, we will process your request promptly and endeavor to respond within 30 days, based on the nature of the request.

For written responses, no fee will be charged for up to 10 pages. For each page exceeding this limit, a processing fee may be imposed in accordance with Article 7 of the "Communiqué on the Procedures and Principles of Application to the Data Controller." Should the response be provided on a medium such as a CD, flash drive, or other electronic formats, a fee corresponding to the cost of the recording medium may apply.

DATA CONTROLLER

GTİ