Information Security and Data Management Policy
INFORMATION SECURITY AND PERSONAL DATA MANAGEMENT POLICY
As the top management of EKİN ÖRMECİ;
Within EKİN ÖRMECİ Services, the systems established in line with the ISO/IEC 27001:2022 Information Security Management System (ISMS) standard, together with the ISO/IEC 27701 Personal Information Management System (PIMS) requirements, exist to demonstrate that information security and privacy are managed across all information assets and all personal data processed, covering people, infrastructure, software, hardware, customer information, corporate information, all business activities and operations, information belonging to third parties and financial resources; to secure quality and risk management; to measure the performance of the information security, quality and privacy management processes; and to regulate relationships with third parties regarding quality, information security, personal data protection and customer satisfaction.
In this context, the purpose of our ISMS and PIMS Policy is:
❖ To protect EKİN ÖRMECİ information assets and processed personal data against all kinds of threats that may arise internally or externally, intentionally or unintentionally; to ensure accessibility of information as required by business processes; to comply with applicable legal regulations (including the Turkish Personal Data Protection Law – KVKK and related legislation); and to carry out continuous improvement activities,
❖ To ensure the continuity of the three fundamental elements of the Information Security Management System in all activities carried out: Confidentiality, preventing unauthorized access to sensitive information and personal data; Integrity, protecting the accuracy and completeness of information and personal data; and Availability, ensuring that authorized persons can access information and personal data when required,
❖ To ensure that personal data are processed for specific, explicit and legitimate purposes; to adopt the principle of data minimization; and to process data that are relevant, limited and proportionate to the purposes of processing,
❖ To determine retention periods for personal data and to ensure the secure destruction of data whose retention period has expired,
❖ To ensure that data subject requests (access, rectification, erasure, objection to processing, etc.) are evaluated and concluded within the legal time limits,
❖ To record and assess possible personal data breaches and, where necessary, to notify the relevant authorities and data subjects,
❖ To ensure the security of not only electronically stored data but also all information and personal data in written, printed, verbal and similar formats,
❖ To increase awareness and consciousness by providing Information Security and Personal Data Protection training to all personnel,
❖ To ensure that all actual or suspected information security and privacy weaknesses, events and incidents are reported to the ISMS/PIMS Team and that the necessary investigations are conducted,
❖ To prepare, maintain and test business continuity plans and to ensure the uninterrupted continuity of personal data processing activities,
❖ To periodically assess information security and privacy risks, identify existing risks, review action plans and monitor their implementation,
❖ To prevent disputes arising from contracts, conflicts of interest and data confidentiality risks, and to include binding information security and personal data protection provisions in agreements with third parties,
❖ To meet business requirements for the accessibility of information and information systems while fulfilling personal data protection obligations.
Leadership and Commitment:
The Top Management of our Company provides leadership in the establishment, implementation and continuous improvement of the ISMS and PIMS; undertakes to ensure the provision of necessary resources; and commits to regularly reviewing the effectiveness of the systems.
We hereby undertake.