KARMETAL DEFENSE AMMUNITION WEAPONS TECHNOLOGIES
INDUSTRY AND FOREIGN TRADE INC.

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA

This Information Notice has been prepared by KARMETAL DEFENSE AMMUNITION WEAPONS TECHNOLOGIES INDUSTRY AND FOREIGN TRADE INC. (the “Company”) for the purpose of informing the Company’s customers regarding the processing of their personal data by the Company within the scope of the Personal Data Protection Law No. 6698 (the “Law”).

1. a) Methods of Collection of Personal Data and Legal Grounds

Your personal data are collected in electronic or physical form. Your personal data collected for the legal grounds specified in this Information Notice may be processed and shared within the framework of the personal data processing conditions set forth in Articles 5 and 6 of the Law.

1. b) Purposes of Processing Personal Data

Your personal data are processed, within the framework of the personal data processing conditions set forth in Articles 5 and 6 of the Law, for the purposes of planning and execution of the activities required for recommending and promoting the products and services offered by the Company by customizing them according to the preferences, usage habits and needs of the relevant persons; carrying out the necessary works by the relevant business units to enable the relevant persons to benefit from the products and services offered by the Company and conducting the related business processes; carrying out the necessary works by the relevant business units for the performance of the commercial activities conducted by the Company and conducting the related business processes; planning and execution of the Company’s commercial and/or business strategies; and ensuring the legal, technical and commercial–occupational safety of the Company and the relevant persons who have a business relationship with the Company.

In addition, due to the fact that the Company operates within the scope of the defense industry, personal data may also be processed for the purposes of protecting national security, public security and trade secrets; fulfilling contractual obligations and obligations arising from legislation with authorized public institutions and organizations; ensuring information security; and preventing unauthorized access.

1. c) Parties to Whom Personal Data May Be Transferred and Purposes of Transfer

Your personal data may be shared, within the framework of the personal data processing conditions and purposes set forth in Articles 8 and 9 of the Law, with the Company’s business partners and suppliers, legally authorized public institutions and organizations, and legally authorized private law legal entities, for the purposes of planning and execution of the activities required for recommending and promoting the products and services offered by the Company by customizing them according to the preferences, usage habits and needs of the relevant persons; carrying out the necessary works by the relevant business units to enable the relevant persons to benefit from the products and services offered by the Company and conducting the related business processes; carrying out the necessary works by the relevant business units for the performance of the commercial activities conducted by the Company and conducting the related business processes; planning and execution of the Company’s commercial and/or business strategies; and ensuring the legal, technical and commercial–occupational safety of the Company and the relevant persons who have a business relationship with the Company.

Personal data are transferred, due to the nature of defense industry activities, only to the extent permitted by the legislation and limited to authorized persons and institutions.

1. d) Rights of Data Providers and Exercise of These Rights

If you submit your requests regarding your rights listed below as personal data provider to the Company through the methods specified under the heading “Exercise of Rights by Data Providers,” your requests will be evaluated and finalized by our Company as soon as possible and in any case within thirty (30) days.

Pursuant to Article 11 of the Law, as a personal data provider, you have the following rights:

• To learn whether your personal data are processed,
• To request information if your personal data have been processed,
• To learn the purpose of processing of your personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom your personal data are transferred domestically or abroad,
• To request correction of your personal data if they are incomplete or inaccurately processed and to request notification of the transaction carried out within this scope to the third parties to whom personal data have been transferred,
• To request deletion or destruction of your personal data in case the reasons requiring processing cease to exist, even though they have been processed in accordance with the Law and other relevant laws, and to request notification of the transaction carried out within this scope to the third parties to whom personal data have been transferred,
• To object to the occurrence of a result against yourself by analyzing the processed data exclusively through automated systems,
• To request compensation for damages in case you suffer damage due to unlawful processing of your personal data.

Article 28, paragraph 2 of the Law lists the cases where data providers do not have the right to make a request. Accordingly, the above-mentioned rights may not be exercised in cases where:

• Personal data processing is necessary for the prevention of crime or for criminal investigation,
• Personal data have been made public by the data provider, himself/herself,
• Personal data processing is necessary for the execution of supervisory or regulatory duties by authorized public institutions and organizations or professional organizations having the status of public institutions based on the authority granted by law, or for disciplinary investigation or prosecution,
• Personal data processing is necessary for the protection of the State’s economic and financial interests with respect to budgetary, tax and financial matters.

Pursuant to Article 28, paragraph 1 of the Law, personal data shall be outside the scope of the Law in the following cases; therefore, the requests of data providers regarding such data shall not be processed:

• Processing of personal data by real persons within the scope of activities relating exclusively to themselves or their family members living in the same household, provided that such data are not disclosed to third parties and that obligations regarding data security are complied with,
• Processing of personal data for purposes such as research, planning and statistics by rendering them anonymous through official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, or does not constitute a crime,
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Exercise of Rights by Data Providers

Data providers may submit their requests regarding their rights set forth in Article 11 of the Personal Data Protection Law No. 6698 to the data controller in writing or by other methods prescribed in Article 13 of the Law. Within this scope, applications may be submitted:

• Together with documents verifying the identity of the relevant data provider(s),
• By hand delivery with a wet signature, via notary public or by registered mail with return receipt, to the address
[İkitelli OSB Mah. İsteks Industrial Site, İsteks D3 Block Street No:14, Başakşehir, Istanbul / TURKEY],

or

• By following a method prescribed by the Personal Data Protection Board.

The Company responds to data provider who wish to exercise their rights within the limits prescribed by the Law, in the manner prescribed by the Law, within a maximum of thirty (30) days. In order for third parties to submit an application request on behalf of the personal data provider, a special power of attorney issued via a notary public in the name of the person who will make the application must be present.

Applications by data providers are, as a rule, processed free of charge; however, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board [1].

The Company may request information from the applicant in order to determine whether the applicant is the personal data provider and may direct questions to the personal data provider regarding his/her application in order to clarify the matters stated in the application.

[1] Pursuant to the “Communiqué on the Procedures and Principles of Application to the Data Controller” published in the Official Gazette dated 10.03.2018 and numbered 30356, no fee shall be charged for written responses up to ten pages. A processing fee of 1 Turkish Lira may be charged for each page exceeding ten pages. If the response to the application is provided on a recording medium such as a CD or flash drive, the fee that may be requested by the Authority shall not exceed the cost of the recording medium.