Privacy Policy
GSI GENERAL SURVEY GÖZETME A.Ş. PERSONAL DATA PROTECTION (KVKK) & GDPR POLICY
Last updated: April 2, 2026
GENERAL OVERVIEW
The protection of personal data is a Constitutional right and is among the top priorities of our Company. To this end, a continuously updated system has been established, and this policy has been formulated. In accordance with the Personal Data Protection Law No. 6698 (KVKK), acting as the Data Controller, GSI GENERAL SURVEY A.Ş. (the "Company") fulfills its general disclosure and information obligations towards its business partners, shareholders, customers, and natural or legal persons with whom it maintains legal relations and communication. This Policy regulates the fundamental principles regarding the protection of personal data of our customers, potential customers, employees, employee candidates, shareholders, company officials, visitors, and the employees/shareholders/officials of our collaborating institutions and third parties.
To implement the matters specified in this Policy, necessary procedures are regulated within the Company, special disclosure texts are created, confidentiality agreements are executed, and job descriptions are revised. GSI GENERAL SURVEY A.Ş. takes the necessary administrative and technical measures for the protection of personal data and conducts or commissions required audits. The subject of Personal Data Protection is supported by senior management, and personal data protection processes are managed through a specialized committee (Company KVK Committee).
PURPOSE OF THE POLICY
The primary purpose of this Policy is to set forth the principles regarding personal data processing activities and data protection conducted lawfully by GSI General Survey A.Ş. Within this scope, it aims to ensure transparency by enlightening and informing individuals—primarily customers, potential customers, employee candidates, shareholders, company officials, visitors, and third parties—whose personal data is processed by our company.
SCOPE
This Policy applies to all personal data of our customers, potential customers, employees, employee candidates, shareholders, company officials, visitors, and third parties, processed through automated or non-automated means, provided that they are part of any data recording system.
PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 4 of the KVKK Law, our Company processes personal data lawfully, fairly, and correctly, keeping it up-to-date where necessary. Processing is conducted for specific, clear, and legitimate purposes that are relevant, limited, and proportionate to the intended use. Our Company retains personal data for the period stipulated by law or required by the purpose of processing.
Pursuant to Article 20 of the Constitution and Article 5 of the KVKK Law, our Company processes personal data based on one or more of the processing conditions specified in Article 5 of the KVKK Law.
Pursuant to Article 419 of the Turkish Code of Obligations, and without prejudice to Law No. 6698 (KVKK), our Company processes personal data of employees and employee candidates based on suitability for work and the performance of the employment contract.
In accordance with Article 20 of the Constitution and Article 10 of the KVKK Law, our Company informs data subjects and provides the necessary information if they request it or apply to exercise their legal rights, responding to applications within the legal timeframe.
Our Company acts in accordance with the regulations provided for the processing of special categories of personal data pursuant to Article 6 of the KVKK Law.
In accordance with Articles 8 and 9 of the KVKK Law, our Company complies with the rules regarding the transfer of personal data and implements practices by considering the decisions taken by the KVK Board, published communiqués, and the lists of secure countries.
I. PROCESSING PERSONAL DATA IN ACCORDANCE WITH LEGAL PRINCIPLES AND RULES
1. Principles of Personal Data Processing
A) Processing in Accordance with Law and Honesty: Our Company acts in compliance with the principles brought by legal regulations and the general rules of trust and honesty.
B) Ensuring Accuracy and Timeliness: Our Company ensures that processed data is accurate and up-to-date, taking necessary measures by considering the fundamental rights of data subjects.
C) Processing for Specific, Explicit, and Legitimate Purposes: Purposes are determined clearly before processing activities begin.
D) Relevance, Limitation, and Proportionality: Data processing is limited to what is necessary to achieve the specific purpose.
E) Retention for the Period Required by Law or Purpose: Data is deleted, destroyed, or anonymized once the legal period expires or the purpose for processing is fulfilled.
2. Rules for Processing General Personal Data
Personal data is processed without the explicit consent of the data subject only if:
- It is expressly provided for by law,
- It is mandatory to protect the life or physical integrity of a person who is unable to express consent due to physical impossibility,
- It is necessary for the establishment or performance of a contract,
- It is mandatory for the data controller to fulfill a legal obligation,
- It has been made public by the data subject themselves,
- It is mandatory for the establishment, exercise, or protection of a right,
- It is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3. Rules for Processing Special Categories of Personal Data
Special categories of data (race, ethnicity, political opinion, religion, health, sexual life, criminal convictions, biometric data, etc.) are processed with high sensitivity:
- Special categories other than health and sexual life may be processed if provided for by law or with explicit consent.
- Data related to health and sexual life can only be processed for purposes of public health protection, preventive medicine, medical diagnosis, treatment, and care services, or planning and management of health services, by persons or authorized institutions under the obligation of confidentiality.
4. Enlightenment and Information of the Data Subject
Pursuant to Article 10 of the KVKK, the Company informs data subjects about the identity of the Data Controller, purposes of processing, to whom and why data may be transferred, methods and legal reasons for collection, and the rights of the data subject (Article 11).
PERSONAL DATA TRANSFER
Personal data may be transferred to third parties (group companies, business partners, third-party real persons) by taking necessary security measures.
1. Principles of Transfer
Transfers are based on the legal grounds mentioned in Section I.2 above. All transfer processes are conducted in accordance with general data processing principles.
2. Transfer of Special Categories of Personal Data
Special categories of data are transferred with high care, taking necessary security measures and adequate precautions stipulated by the KVK Board.
3. Transfer of Personal Data Abroad
Personal data may be transferred to "Foreign Countries with Adequate Protection" or "Foreign Countries where Data Controllers Commit to Adequate Protection" in writing and with the permission of the KVK Board, in accordance with Article 9 of the KVKK Law.
4. Third Parties to Whom Data is Transferred and Purposes
- Business Partners: To ensure the fulfillment of the partnership's objectives.
- Suppliers: To provide outsourced services necessary for commercial activities.
- Main Shareholders: For the design of strategies and auditing activities.
- Authorized Public Institutions: Within their legal authority.
- Authorized Private Entities: Within their legal authority.
LEGAL BASES AND PURPOSES OF PROCESSING
Processing is conducted to:
- Improve, develop, and diversify services.
- Determine and implement commercial and business strategies.
- Ensure the legal and commercial security of the Company and its business associates.
- Manage human resources (recruitment, payroll, health and safety).
- Perform financial and accounting operations.
- Fulfill legal obligations arising from the KVKK Law and other regulations.
STORAGE AND DESTRUCTION POLICY
Personal data is stored in physical or electronic environments securely within the limits of Law No. 6698, Turkish Code of Obligations, Turkish Commercial Code, Labor Law, and other relevant legislation.
Retention and Destruction Reasons
Data is stored for human resources management, corporate communication, security, statistical studies, and legal reporting. Data is deleted, destroyed, or anonymized when:
- Conditions in Articles 5 and 6 of the KVKK no longer exist.
- The purpose for processing is fulfilled or becomes obsolete.
- The data subject withdraws consent (where processing is based on consent).
- Relevant legislation is changed or revoked.
Applied Technical and Administrative Measures
Administrative: Information security management systems, confidentiality agreements, risk analysis, employee training, and internal audits.
Technical: Penetration tests, intrusion prevention systems, access/authority matrices, encryption (SHA 256 Bit RSA), secure logging, and HTTPS protocols for the website.
Note: Our systems operate on Windows Hyper-V Server 2019 virtualization.
RIGHTS OF THE DATA SUBJECT
Pursuant to Article 11 of the KVKK, you have the right to:
- Learn whether your personal data is being processed,
- Request information if it has been processed,
- Learn the purpose of processing and whether the data is used accordingly,
- Know the third parties to whom data is transferred,
- Request correction of incomplete/incorrect data,
- Request deletion or destruction of data,
- Request notification of corrections/deletions to third parties,
- Object to results arising purely from automated analysis,
- Claim compensation for damages due to unlawful processing,
- Withdraw explicit consent at any time.
GSI GENERAL SURVEY GÖZETME A.Ş.
