Personal Data Protection Law

INTRODUCTION
The protection of personal data is an important matter for 7 Mehmet Restaurant Tourism Petroleum Food Construction Agriculture Livestock Industry and Trade Ltd. (hereinafter referred to as the "Company"). Since its establishment, 7 Mehmet has kept the personal data obtained from individuals confidential within the scope of its activities and has taken all technical and administrative measures to protect personal data and ensure data security. 7 Mehmet adopted and implemented the confidentiality of personal data as a working principle even before April 7, 2016, the date on which the Law No. 6698 on the Protection of Personal Data came into force. The Company has carried out all its activities in accordance with the laws of the Republic of Turkey. In order to operate in accordance with the Constitution, the Personal Data Protection Law (KVKK), and related secondary legislation, the organization adopts all the principles stipulated in the KVKK and fulfills its obligations regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security. This Personal Data Protection Policy, prepared within this scope, is made available to individuals whose personal data is processed.
TANIMLAR

PURPOSE AND SCOPE OF THE PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy explains the issues related to the acquisition, use, transfer, destruction, and other forms of processing of personal data by 7 Mehmet, as well as the technical and administrative measures taken by the Company to protect personal data and the rights of the data subjects. This Personal Data Protection Policy applies to the personal data of:

• Employees,
• Job applicants,
• Company shareholders,
• Company officials,
• Visitors,
• Employees of collaborating institutions,
• Those who access all types of applications and services offered by the Company, and
• Third parties,

personal data processed within the scope of the Personal Data Protection Law. Personal data obtained with the explicit consent of the data subjects or within the scope of other legally compliant cases listed in the Personal Data Protection Law are processed by 7 Mehmet for the fulfillment of its legal obligations, the proper provision of its services, the improvement of the quality of the services provided, the improvement of the quality policy, and other purposes specified in this Personal Data Protection Policy.

PROCESSING OF PERSONAL DATA
GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Mehmet adheres to the principles listed in Article 4 of the Personal Data Protection Law (KVKK) when carrying out its personal data processing activities.
• Compliance with the law and rules of honesty:
Mehmet questions the source of personal data obtained from the data subject or third parties and attaches importance to obtaining and processing this data in accordance with the law and rules of honesty. In this context, the Company makes the necessary warnings and notifications to third parties to whom it transfers personal data for the purpose of protecting personal data.
• Accuracy and timeliness:
Mehmet attaches importance to ensuring that all data within its legal entity is accurate, does not contain false information, and updates personal data when changes are communicated to it. The Company demonstrates reasonable care and attention regarding the accuracy and timeliness of the personal data declared by its customers or third parties who contact it.
• Processing for specific, clear, and legitimate purposes:
7 Mehmet clearly and explicitly states the legitimate and lawful purposes of data processing before commencing personal data processing activities. Personal data is not processed for purposes other than those defined in this way.
• Being relevant, limited, and proportionate to the purpose for which they are processed:
7 Mehmet carries out personal data processing activities only within the scope of the processing purpose. Personal data unrelated to the defined purpose is not processed by 7 Mehmet.

• Retention for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed:
7 Mehmet retains personal data for the period stipulated by the legislation or required by the purpose of processing. However, when the period stipulated by the legislation expires or when all processing purposes cease to exist, personal data is deleted, destroyed, or anonymized.
These principles apply regardless of whether the Company has processed personal data based on explicit consent or in accordance with other data processing conditions. In this regard, 7 Mehmet processes personal data in accordance with data processing conditions and general principles and fulfills its obligation to inform.
CONDITIONS FOR PROCESSING PERSONAL DATA
Mehmet processes personal data with explicit consent or in accordance with other data processing conditions in the following cases:
• When explicitly provided for in the laws.
• When it is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, or for the protection of the life or physical integrity of another person.
• When it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
• When it is necessary for the data controller to fulfill its legal obligations.
• When the data has been made public by the data subject themselves.
• When data processing is necessary for the establishment, exercise or protection of a right. • When data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
According to the Personal Data Protection Law (KVK), personal data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data.
Mehmet takes the additional measures stipulated by the KVK and the Personal Data Protection Board in the processing of special categories of personal data.
In the processing of special categories of personal data, the data processing conditions listed in Article 6 of the KVK and the additional measures announced by the Personal Data Protection Board are complied with. In this context, special categories of personal data are processed in the following cases:
• With the explicit consent of the data subject.
• When the processing of special categories of personal data other than health and sexual life is stipulated by law.
• When data relating to health and sexual life is processed by persons under an obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. The procedures and principles regarding the processing, destruction, and protection of special categories of personal data are regulated by the 7 Mehmet Special Categories of Personal Data Protection and Processing Policy.

PURPOSES OF PROCESSING PERSONAL DATA
Mehmet processes personal data for the purposes listed below, within the framework of the legal grounds set forth in Articles 5 and 6 of the Personal Data Protection Law:
Within the scope of planning and execution of human resources activities; the personal data of job applicants are processed for the purpose of evaluating suitability for the job and conducting personnel recruitment processes; the personal data of employees are processed for the purposes of fulfilling the employment contract, establishing fringe benefits, conducting promotion/bonus/salary increase processes, fulfilling obligations arising from the legislation to which the Company is subject, primarily the Labor Law, carrying out social insurance processes, evaluating employee performance, etc. In addition, the Company processes personal data within the scope of ordinary company activities and services provided to its customers; Data processing is carried out for purposes such as planning and executing corporate sustainability activities, event management, managing relationships with business partners or suppliers, executing/monitoring financial reporting and risk management processes, executing/monitoring legal affairs, planning and executing corporate communication activities, executing corporate governance activities, carrying out company and partnership law transactions, managing requests and complaints, managing investor relations, ensuring the security of 7 Mehmet buildings and facilities, creating and monitoring visitor records, determining and implementing the company's commercial and business strategies, resolving the problems and complaints of relevant individuals, ensuring their satisfaction and providing effective service, responding to information requests from administrative and judicial authorities, ensuring compliance with legal processes and legislation, ensuring information and transaction security and preventing malicious use, etc. If the processing activity carried out for the aforementioned purposes does not meet any of the other data processing conditions stipulated in the Personal Data Protection Law, explicit consent is obtained from the relevant individual by 7 Mehmet regarding the relevant data processing process.

METHOD OF COLLECTING PERSONAL DATA
Mehmet collects personal data through contracts, digital platforms, notifications from administrative and judicial authorities, email, and other communication channels, in auditory, electronic, or written form, both physically and electronically, in accordance with the personal data processing conditions specified in the Personal Data Protection Law (KVKK) and in line with the legal grounds stated in this GDPR Policy. This personal data is primarily processed for the purpose of establishing a contract and providing better service to the data subjects within the scope of this GDPR Policy. In this context, personal data may be obtained when utilizing the services offered by the Company, establishing a legal relationship with the Company (purchase, brokerage, employment, etc.), or contacting the Company (by mail, email, etc.) regarding the services. Mehmet adheres to the principle of acting lawfully when obtaining personal data from both its business partners and solution partners. Data is collected from business partners and solution providers only to the extent necessary for the service, with a commitment to data confidentiality, and measures are taken to ensure data security at this point. Mehmet processes the personal data of its employees without obtaining consent to the extent necessary for business relationships and in other cases permitted by relevant legislation, and ensures the confidentiality and protection of the personal data of its employees.
TRANSFER OF PERSONAL DATA
The Company transfers personal data to third parties only for the purposes stated in this Personal Data Protection Policy and in accordance with Articles 8 and 9 of the Personal Data Protection Law. In this context, the Company may transfer the personal data it collects to the following individuals and institutions for specific purposes:
To the Company's business partners, limited to ensuring the fulfillment of the purposes of establishing the business partnership, to the Company's suppliers, limited to ensuring the provision of services that the Company obtains from external sources and that are necessary for the Company's commercial activities, to the Company's customers, to authorized public institutions and organizations upon request, to the Company's solution partners, the purpose of the Company's sharing of personal data is to provide access to services, fulfill its legal obligations, ensure the implementation of the contract it has entered into with the data subject, carry out purchase and sale transactions, or prevent and detect fraudulent or illegal activities related to services, and to conduct its other commercial activities in a lawful manner. 7. Mehmet adheres to the principle of acting in accordance with the law in its data sharing activities. Personal data is shared with third parties only to the extent required by the service. Maximum care is taken to ensure that these parties take necessary measures regarding data security. The personal data subject to domestic and international transfers mentioned above are protected legally through data transfer agreements, as well as through technical measures to ensure data security. The company may share the personal data it processes with public institutions and organizations legally authorized to request this information in order to fulfill its legal obligations (including but not limited to combating crime, threats to state and public security, and similar situations where the company has a legal or administrative obligation to provide notification or information).

STORAGE AND DESTRUCTION OF PERSONAL DATA
In accordance with the Personal Data Protection Law (KVKK), personal data is kept accurate and up-to-date, and retained for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed. This period is determined separately for each category of personal data, and after the expiration of this period, the relevant personal data is deleted, destroyed, or anonymized at the end of the periodic destruction periods determined in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. Deletion of personal data refers to the process of making personal data completely inaccessible and unusable for the relevant users; destruction of personal data refers to the process of making personal data completely inaccessible, irretrievable, and unusable by anyone; and anonymization of personal data refers to making personal data such that, even if matched with other data, it cannot be linked in any way to an identified or identifiable natural person. In this context, 7 Mehmet has determined the necessary periodic destruction periods and created a Personal Data Storage and Destruction Policy. The company records all processes related to the deletion, destruction, and anonymization of personal data and retains these records for at least three years, excluding other legal obligations.
When individuals request the deletion or destruction of their personal data by applying to the Company, Mehmet will:
• Delete, destroy, or anonymize the personal data in question if all conditions for processing personal data have ceased to exist. It will finalize the request of the data subject within thirty days at the latest and inform the data subject.
• If all conditions for processing personal data have ceased to exist and the personal data in question has been transferred to third parties, it will notify the third party of this situation and ensure that the necessary actions are taken by the third party.
• If all conditions for processing personal data have not ceased to exist, it may reject this request by explaining the reason in accordance with the third paragraph of Article 13 of the Personal Data Protection Law and will notify the data subject of the rejection in writing or electronically within thirty days at the latest.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA
7 Mehmet takes technical and administrative measures to ensure the lawful processing of personal data, in accordance with technological capabilities and implementation costs. Technical and administrative measures taken for the protection of personal data are applied meticulously and with additional precautions for sensitive personal data, and necessary audits are periodically conducted at the highest level within the Company.
7 Mehmet has taken all appropriate security measures to ensure that personal data is processed only within the scope of the purposes stated in this Personal Data Protection Policy and to reduce risks such as malicious use, unauthorized access to, sharing, destruction, or alteration of personal data. These security measures also include other precautions taken regarding the transfer of personal data to countries that may not provide an adequate level of data protection.
Personal data is confidential, and 7 Mehmet respects this confidentiality. Only authorized persons within the Company can access personal data. In this context, compliance with standards of software, careful selection of third parties, and adherence to the data protection policy within the Company are ensured.

7. Mehmet, within the scope of the technical and administrative measures it has taken to ensure data security, includes:
• Organizing regular training and awareness-raising activities for its employees on the protection of personal data.
• Creating policies based on the company's personal data processing inventory and designing the necessary processes for the implementation of these policies.
• Identifying its risks under personal data protection law and diligently carrying out work to eliminate these risks. In this context, it creates active information and explicit consent channels.
• Conducting periodic internal audits to fulfill obligations related to personal data protection law.
• Continuously obtaining legal consultancy services regarding compliance with updated legislation.
• Creating a separate policy for the protection of special categories of personal data and implementing additional measures determined by the Board.
• Implementing necessary data sharing agreements and other measures to manage relationships with data processors.
• Using generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption.
• Using virus protection systems, secure databases, servers, and firewalls.
• It takes the broadest and most appropriate preventive security measures to protect personal data in light of current technological developments, including the encryption of email information, by analyzing the risk situation.
• It establishes a secure technical infrastructure to ensure the security of databases where personal data will be stored.
• It defines procedures for reporting on the technical measures taken and audit processes.
• It takes other administrative measures regarding the protection of personal data.
• Security measures are periodically renewed and improved.
Despite 7 Mehmet taking the necessary information security measures, in the event that personal data is damaged or falls into the hands of unauthorized third parties as a result of attacks on platforms operated by 7 Mehmet or the Company system, 7 Mehmet will immediately take action to remedy the breach and minimize the damage to the relevant party. 7 Mehmet will immediately notify the relevant parties and the Board of this situation and take the necessary measures.
RIGHTS OF DATA SUBJECTS REGARDING THEIR PERSONAL DATA
According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. In this context, the rights of the data subject regarding their personal data are listed in Article 11 of the Personal Data Protection Law as follows:
• To learn whether their personal data is being processed,
• To request information regarding the processing of their personal data if it has been processed,
• To learn the purpose of the processing of their personal data and whether it is being used in accordance with its purpose,
• To know the third parties to whom their personal data has been transferred domestically or abroad,
• To request the correction of their personal data if it is incomplete or inaccurate,
• To request the deletion or destruction of their personal data within the framework of the conditions stipulated in Article 7 of the Personal Data Protection Law,
• To request that these deletion, destruction, or correction processes be notified to the third parties to whom the personal data has been transferred,
• To object to a result that is detrimental to the data subject arising from the analysis of their processed data exclusively through automated systems,
• To demand compensation for damages if they suffer damage due to the processing of their personal data in violation of the Personal Data Protection Law. If the data subjects submit their requests regarding the rights listed above to the Company in accordance with the application procedures stipulated in the Communiqué on Application Procedures and Principles to the Data Controller, 7 Mehmet will process this request free of charge as soon as possible and within a maximum of 30 (thirty) days, depending on its nature. However, if the process requires additional costs, 7 Mehmet may charge the fee specified in the tariff determined by the Board. The data subject may submit their requests within the scope of the rights mentioned above in writing or by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified to the Company by the data subject and registered in 7 Mehmet's system. The application must include:
• Name, surname and signature if the application is in writing,
• For Turkish citizens, Turkish Republic Identity Number (T.C. Kimlik No.) • Identity number, for foreigners their nationality, passport number or identity number if available,
• Residential or business address for notification purposes,
• Email address, telephone and fax number for notification purposes, if any,
• Subject of the request
It is mandatory to include relevant information and documents with the application. Applications will only be considered if they are in Turkish. In order for third parties to submit an application request on behalf of the relevant person, there must be a special power of attorney issued by the relevant person through a notary public for the person who will submit the application.
CHANGES TO THE DATA PROTECTION POLICY
7. Mehmet may make changes to this Data Protection Policy at any time. These changes will become effective on the day the revised Data Protection Policy is published. Relevant individuals will be notified of any changes to this Data Protection Policy.