PERSONAL DATA PROCESSING AND PROTECTION POLICY

TEMSA SKODA SABANCI ULASIM ARACLARI ANONIM SIRKETI (TEMSA)

PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. PURPOSE AND PRINCIPLES

Protection of personal data is highly sensitive to TEMSA Skoda Sabancı Ulaşım Araçları Anonim Şirketi (TEMSA or Company) and its affiliates and is among our Company’s top priorities. Personal Data Processing and Protection Policy (the Policy) sets out the principles of data protection and processing rights of the Company’s customers, potential customers, web-site users, employees, employee candidates, previous employees, visitors and shareholders and directors of the Company with respect to their personal data collected, processed and protected subject to the Law on Protection of Personal Data No. 6698 (LPPD) and General Data Protection Regulation (GDPR).

2. PERSONAL DATA PROCESSING POLICY

2.1. Principles of Personal Data Processing

TEMSA processes personal data in compliance with LPPD and GDPR. Our personal data principles notes that the personal data shall be:

• Processed lawfully and fairly.
• Accurately and where necessary, kept up to date.
• Processed for specific, clear and legitimate reasons.
• Used and disclosed in limited and reasonable manner.
• Kept no longer than predetermined periods noted in the related legislation or necessary for the purposes of processing.

2.2 Reasons of TEMSA for Processing Personal Data

TEMSA informs the relevant persons when collecting personal data. TEMSA heads light on the identity of TEMSA and its representatives (if applicable), the purpose for processing the personal data, to whom and why the processed personal data may be transferred, the method for collecting personal data, the lawful reasons for collection and the rights of the relevant persons.

TEMSA processes personal data subject to the conditions and in accordance with the purposes listed below.

2.1.1. Terms

• TEMSA may process personal data if it is required to fulfil a legal obligation or if law requires the personal data or allows these transactions;
• TEMSA may process personal data in case the processing of personal data is directly related to and necessary for signing or performing a contract [Personal data may be processed to draft a proposal before concluding a contract or to fulfil the inquiries of such relevant persons as a result of a contract.];
• TEMSA may process personal data provided that it is made anonymous and for the limited purposes of transforming such data into an anonymous form;
• TEMSA may process personal data in case it is required to establish, use or protect the rights of TEMSA, of the individuals whose data is being processed or of other parties;
• TEMSA may process personal data for its own legitimate interest provided that the fundamental rights and freedoms of the persons whose data is processed are not violated [legitimate interests are interests that are in line with the law, morals and customs including commercial and material interests];
• TEMSA may process personal data to protect the data owner’s or someone else’s life or bodily integrity even when it is impossible or not legally valid for the personal data owner to express consent;
• TEMSA may process private personal data except the ones related to the health and sex life of the data owner, in circumstances defined in applicable laws.

If the conditions stated above do not exist, TEMSA shall ask for the explicit consent to process personal data from the personal data owners.

2.1.2. Purposes

Your personal data shall be processed in accordance with the following purposes stated below:

• Contractual processes such as sales, after-sales support and car-renting, execution and follow-up of all required transactions, starting, evaluating and concluding rental demand process of car rental customers, performing risk assessments, performing contractual processes and planning operational processes and execution regarding car rentals,
• Preparing and managing customer registrations,
• Executing obligations regarding after sales support, valuation of damage and accident processes, performing and follow-up of loss in damage processes,
• Performing financial and accounting processes including invoice activities regarding sales and executing risk assessments,
• Executing evaluation, analyses and risk assessments with customers in accordance with legal boundaries,
• Follow-up of guarantee obligations, motor insurance and insurance processes,
• Performing customer relations and execution of corporate governance activities,
• Managing and follow-up of customer demands and complaints,
• Improving and developing the services of our Company, determining and implementing commercial and business strategies,
• Maintaining operations and business, performing Company activities and procedures,
• Risk assessment, ensuring business continuity, follow-up of contractual processes or legal demands,
• Planning information security processes, establishing and managing information technology infrastructure,
• Ensuring the legal and commercial services with the products and services offered by our Company to the individuals who have business relations with our Company,
• Planning and follow-up of work carried out with business partners, subsidiaries or distributors,
• Follow-up and execution of legal processes and communication processes with government agencies,
• Follow up, planning and conducting credit evaluation transactions to be made by credit provider companies in case of application for credit facilities offered by the credit-provider companies for our products and/or services,
• Developing and updating the efficiency reports by obtaining information on customer-based developments,
• Planning and organizing activities to make marketing researches to ensure and/or increase its commitment to product and services,
• Programming and follow-up of sales, marketing and promotion of products and services,
• Organization and follow-up of activities such as vehicle test drives,
• Control and analysis of customer data for the purpose of planning and follow-up of employee’s performance evaluation processes and/or business activities
• Planning and execution of specific sales and marketing activities,
• Customizing products and services in accordance with your tastes, usage habits and needs,
• Planning and execution of activities such as gifts and gestures for the customers in accordance with their tastes, usage habits and needs,
• Proposing campaign and offers to the customers by evaluating their shopping histories and sending e-mails messages to the customers or potential customers prior to their shopping histories,
• Customizing, advertising and planning and execution of activities related to the products and services according to the tastes, usage habits and needs of the individuals for the purposes of establishing or increasing the commitment to the products and services offered by our Company, executing satisfactory and commitment surveys,
• Sending marketing instruments, campaigns, proposals and activity invitations to the potential rental customers, vehicle purchase customers and/or other customers, planning, executing and keeping the registrations of activities and organizations.

2.3. Processing Personal Data of Candidate Employees

TEMSA shall process personal data of candidate employees in order to fulfil the legal obligations pursuant to Labor Law and related regulation and to perform determined recruitment activities of TEMSA HR department provided that TEMSA shall inform employee candidates and ask for the explicit consent to process personal data from the employee candidates. Personal data of candidate employees shall be collected and processed during job interviews and/or any written or electronic methods. Since TEMSA is an international company and holds information systems in different countries and it is possible for new candidates to be evaluated in different positions, personal data of candidate employees may be transferred other TEMSA’s subsidiaries located other countries pursuant to regulations. TEMSA shall inform public authorities as required by regulation. The main purpose of the processing of personal data of employee candidates is recruitment and personal data shall also be processed for the following purposes:

• To evaluate qualifications, experience and interest of the employee candidate for open position(s);
• If necessary; to check the accuracy of the information given by the employee candidate or contact the third-party individuals (such as references) to conduct research on the employee candidate;
• To contact the employee candidate regarding process of application and recruitment or where appropriate; to contact with the employee candidate for any open positions in such country or abroad;
• To fulfil the requirements of the relevant regulation or the request of the authorized institution(s).

The personal data of employee candidates shall be kept for a period in compliance with the deadlines referred to in under the Article titled Retention Periods for Personal Data of the current this Policy. Following the deadlines, the personal data shall be terminated or anonymized.

3. SECURITY OF PERSONAL DATA

TEMSA shall take necessary measures to provide an appropriate level of security to prevent illegal processing of the personal data, illegal access to personal data and to ensure protection of personal data and prevent illegal processing by third parties.

4. TRANFERRING PERSONAL DATA

4.1. Domestic Transfer of Personal Data

TEMSA may transfer personal data and private personal data to third parties (its business partners, shareholders, affiliates, public institution(s) in which TEMSA has legal obligation to and other third parties) by taking all the safety measures defined and in compliance with regulations.

4.2. Cross Border Transfer of Personal Data

TEMSA may transfer personal data being processed in Turkey or being processed and stored overseas, as mentioned above, including that data being processed via external resource usage, to unrelated persons in Turkey or overseas, on condition that it is transferred in line with the conditions defined in the regulation, taking all the safety measures defined in regulation or, if applicable, the contract signed with the data owner. Under exceptional conditions where explicit consent is not required to transfer personal data defined in regulation, in addition to the processing and transfer requirements it is required that sufficient protection is available in the country where the data is to be transferred. Personal Data Protection Board (Board) shall determine whether sufficient protection is provided. If there is not sufficient protection, data personnel both in Turkey and overseas need to approve sufficient protection in writing and the Board needs to grant a permission for the purpose.

4.3. Institutions and Entities to which Data is Transferred

TEMSA may share the information requested by public legal entities due to their authority and subject to conditions of regulations. Other persons and institutions to whom the personal data might be transferred for the purposes mentioned above are as follows: subsidiaries and/or direct/indirect domestic/overseas institutions and other unrelated persons, who provide services, cooperate with TEMSA, alongside of TEMSA, for taking data security measures such as the protection of all kinds of personal data and preventing unauthorised access and illegal processing.

5. RETENTION PERIODS FOR PERSONAL DATA

TEMSA applies the principle that, in case available, the personal data shall be kept for the periods specified in the relevant laws and regulations. In case a retention period is not determined with the relevant legislations, the personal data shall be deleted, terminated or anonymized after being processed for the time required for the practices of TEMSA and commercial practices or the statutory time limits prescribed by the relevant laws depending on the activity carried out for that transaction. In accordance with the relative legislations, durations for retention and deletion of personal data are as follows:

Retention and Deletion Periods of TEMSA

Category of Data Retention Period (Following the termination of the Relation) Regular Deletion Periods

Data arising out of contractual relationship (General statute of limitation regulated on Turkish Code of Obligations) 10 (ten) Years Periodically within the month in which ten (10) years has expired for each data and/or within the six (6) month data deletion cycles determined by the data controller after the expiry of such retention period.

Data arising out of tenancy

5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Data regarding employees’ wage rights

5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Medical examination data of Employees

15 (fifteen) Years Periodically within the month in which fifteen (15) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Tax-related records 5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Processed personal data of consumers

2 (two) Years Periodically within the month in which two (2) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Personal data of employee candidates 6 (six) Months Periodically within the month in which six (6) months has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller before the expiry of such retention period.

Personal data of visitors 6 (six) Months Periodically within the month in which six (6) months has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller before the expiry of such retention period.

6. THE RIGHTS OF PERSONS WHOSE PESONAL DATA IS BEING PROCESSED BY TEMSA AND HOW DO DATA OWNERS MAKE USE OF THEIR RIGHTS

Persons whose personal data is processed by TEMSA have the following rights to:

1. Learn whether her/his personal data is being processed;
2. Request information as to the possibility of processing of his/her data,
3. Learn the purposes of such processing of personal data and whether processed data is being used in accordance with these purposes,
4. Learn whether his/her personal data is being transferred within the country or to abroad,
5. Request amendment in case his/her personal data processed is incomplete or inaccurate and request that the process carried out in this context to be notified to the third parties to whom the personal data is transferred,
6. Request the deletion or termination of his/her personal data in the event that the reasons for its processing are no longer present, despite having been processed in accordance with the laws, and request that the process carried out in this context to be notified to the third parties to whom the personal data is transferred,
7. Request that the parties to whom his/her data is transferred are informed of the transactions carried out as per paragraphs (d) and (e),
8. Object to the occurrence of a result to the detriment of the person himself/herself, by means of analysing the processed data exclusively through automated systems,
9. Request compensation for the damages in case the person incurs damages due to unlawful processing of his/her personal data.

You may exercise your rights within the scope of the LPPD and GDPR in writing.

Such notifications could be sent to our Company’s headquarter address Sarıhamzalı Mahallesi, Turhan Cemal Beriker Bulvarı No.563/A 0111110Seyhan/Adana – Turkey or to our Istanbul branch at Küçük Çamlıca Mahallesi, Kısıklı Caddesi, Şehit İsmail Moray Sokak No:2/1 34398
Altunizade-Üsküdar/İstanbul/Turkey.

You may use the Application Form at our website for the purposes. Please find below the link for such form:

Application Form

Your inquiries noted in your application shall be evaluated within the shortest time and within thirty (30) days at the latest.

7. DELETION, TERMINATION AND ANONYMISATION OF PERSONAL DATA BY TEMSA

Even if personal data is processed as per the terms of the relevant law, if the reason for processing the data no longer exists, the personal data shall be deleted, terminated or anonymised upon a decision by TEMSA or the request of the personal data owner.

TEMSA reserves the right to reject the data owner’s request in cases where TEMSA has the right or is obliged to keep the data as per the terms of relevant regulation.

TEMSA shall delete, terminate or anonymise the personal data within six (6) months upon the end of retention periods set forth in relevant regulation or at the end of the required processing period, by using one or more of the anonymizations and deletion techniques specified in the guidelines for Deleting, Termination or Anonymizing Personal Data published by the Board.

8. OTHER ISSUES

If there is a conflict between this Policy and the LPPD, GDPR and the terms of other relevant regulation, the LPPD, GDPR and other relevant regulation shall prevail.

TEMSA may make changes or update in this Policy in line with legal regulations and its Company policies. The new Policy reflecting all these changes and updates shall be published at the Company’s website.

Privacy Policy for Call Center

In application of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable personal data protection legislation, you will find below the privacy policy of Temsa Skoda Sabancı Ulaşım Araçları A.Ş (“TEMSA”) for 24/7 Call Center (“Call Center”).

Please note that this policy may be subject to change, and we encourage you to check it regularly.

1. Data Controller

Temsa Skoda Sabancı Ulaşım Araçları A.Ş

Sarıhamzali Mahallesi Turhan Cemal Beriker Blv. No: 563 /1 Seyhan/Adana

TEMSA acts as the data controller and serves as your point of contact for any inquiries related to this policy and the described data processing. You can reach us via email at kvk@temsa.com.

2. Collection and Processing of Personal Data

TEMSA collects and processes various personal data relating to our customers, beneficiaries, business partners, suppliers, contact persons, and their representatives (employees, managers, etc.) to manage the business relationship and comply with legal obligations (“Data Subjects”). The personal data is collected when you contact the Call Center.

The data processed for this purpose includes:

· Identification information: surname, first name, postal address, email address, telephone number, signatures.

· Location data.

· Professional information: title, function, company.

· Inquiries and feedback.

· Economic and financial information: bank details, billing data.

· Photo, video, and sound recordings with your prior consent.

· Vehicle data.

· Contractual data.

The processing of this data is justified on:

(i) it is necessary for the performance of a contract between TEMSA and the data subject, to provide the agreed service and roadside assistance if necessary.

(ii) it is necessary to fulfill legal or regulatory obligations imposed on TEMSA, such as invoicing and accounting processes.

(iii) it is based on TEMSA's legitimate interest in defending its rights and interests in potential litigation and contacting you (B2B) about our services. You have the option to object to email communications.

(iv) it is based on your consent for voice recordings. You can withdraw your consent at any time.

3. Data Retention Period

TEMSA retains the personal data mentioned above for as long as necessary, considering legal obligations and the need to protect TEMSA against disputes or litigation. The maximum retention periods for different types of data are as follows:

Data subjects Data Type Retention Period

Customers, beneficiaries,

business partners, suppliers and

contact persons and their

representatives (employees,

managers, etc.) Accounting and tax documents 10 years from the end of the accounting year and accounting approval. contact information, copy of contracts, other information necessary for the execution of contracts (bank details, etc.) 5 years from the end of the business relationship.

Voice recordings 6 months from the recording, if used in a litigation process, until the finalized decision regarding the mentioned litigation process. Location data 1 months from the recording, if used in a litigation process, until the finalized decision regarding the mentioned litigation process.

4. Data Access

TEMSA ensures that personal data is accessible only to its internal services, third-party recipients designated by law, or necessary subcontractors involved in the processing. If required by law or a public authority, we may be obligated to share personal data.

Access to data by TEMSA employees: TEMSA employees may access and process your data within the scope of their respective responsibilities.

Access to data by external service providers: We engage external service providers for specific purposes. These providers may access and store the personal data mentioned above as required for their tasks. TEMSA may disclose your personal data to organizations in compliance with applicable legislation.

TEMSA uses subcontracting service providers selected by it to carry out all or part of the indicated processing. TEMSA servers are located outside the European Union and TEMSA may have to use service providers located outside the European Union. If necessary, TEMSA ensures that the transfer of data outside the European Union benefits from the protection guarantees provided under the GDPR.

Subcontractor Country Type of guarantee (if outside the EU)

24/7 GmbH Austria DPA, SCC

The Subcontractor may engage additional subcontractors, who will also be party to a DPA and SCC with TEMSA.

5. Security Measures

TEMSA implements organizational and technical measures to maintain an appropriate level of security for your personal data, ensuring confidentiality, integrity, and accessibility safeguards.

6. Rights of the data subject

Regarding the processing of your personal data, you have the following rights.

•  Right of information and access

You have the right to be informed about the collection and use of your personal data. You have the right to request from us a copy of the personal data we hold about you in a readable and comprehensible format, as well as a copy of this policy.

•  Right to rectification

You have the right to obtain the rectification of data concerning you, to correct, complete or update them, if they appear to be inaccurate, incomplete, or obsolete. In this case, you may contact us. In case of exercise of this right, we undertake to communicate any rectification to all recipients of your data.

•  Right to erasure

You may request the deletion of all or part of the data we hold about you, provided that at least one of the following conditions is met:

· You have withdrawn your consent to the processing and want TEMSA to destroy the data concerned.

· You have objected to the continuation of this processing in accordance with the above, and furthermore want TEMSA to destroy the data concerned.

· The data concerned no longer appear necessary for any of the purposes set out above.

· You consider that TEMSA has collected and/or processed the data concerned in a manner contrary to the law.

· The erasure of the data concerned is imposed under a legal obligation.

· The data concerned relates to a person who was less than fifteen (15) years old at the time of collection of this data.

This right is not an absolute right and TEMSA is entitled to oppose the deletion of certain data for legal or legitimate reasons, when their retention is necessary for particularly important reasons, such as the protection and defense of its interests in court. TEMSA may also choose, instead of deleting the data, to proceed to their complete and irreversible anonymization. In this way, we will be entitled to store this data in a format that no longer allows you to be identified (e.g. for statistical purposes).

• Right to object to processing

You have the right to object at any time to the processing of your data for processing based on our legitimate interest. You can ask TEMSA to cease any of these processing about you, setting out the reasons that justify this request. However, this right is not an absolute right and TEMSA may, for legal or legitimate reasons, refuse your request for opposition, if the continuation of this processing is necessary for compelling reasons (for example: if the data concerned is necessary for the protection and defence of TEMSA’s legal claims). The objection (if it is based on valid reasons and there are no compelling reasons to the contrary) will result in the cessation of processing for the future, but not necessarily the destruction of the data concerned: to obtain this destruction you must exercise your right to erasure under the conditions described above.

• Right to restrict processing

You have the right to object to us processing your personal information for purposes, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances. In these cases, we will isolate the data that is the subject of a restriction request for the necessary duration, for example by means of a "Do not use – Right to restriction" marking.

• A right to data portability

You have the right to request and receive your data that you have provided to us, in a structured, commonly used, and machine-readable format, for your personal use or to transmit them to a third party of your choice. This right only applies when the processing of your data is based on your consent, on a contract or this processing is carried out by automated means.

This right to portability differs from the right of access in that its purpose is not to obtain a copy necessarily readable by you, but a reusable copy of the data, with a view to a change of service provider. It is possible, however, that TEMSA refuses to exercise this right if it requires technical means deemed excessive.

•  The right to withdraw your consent at any time

You may withdraw your consent to the processing of your data where the processing is based on your consent without having to provide any justification. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to such withdrawal.

• The right to give instructions regarding the fate of your data after your death

You have the right to tell us how you want us to handle your data in the unfortunate event of your death.

· In particular, you can ask us to destroy all of your data (subject to any imperative retention needs we may have, for example for the purpose of defending TEMSA’s legal claims), or to transmit a copy of all this data to a person of your choice.

· You may also designate any person of your choice as responsible for the execution of these "last wishes"; This person does not necessarily have to be one of your heirs or even the executor in charge of your estate.

TEMSA will respond to any exercise of legal rights as soon as possible and in any event within 30 days of receipt of the request. TEMSA reserves the right to:

· Request proof of the applicant's identity in case of reasonable doubt about it to respect its obligation of confidentiality.

· To extend the response period by two months, informing the applicant of this extension and the reasons for the postponement within one month of receipt of the request.

· To refuse to respond to an exercise of rights if it was considered abusive (in view of their number, their repetitive or systematic nature).

How to exercise your rights over your personal data:

To exercise your rights, you can contact us:

Temsa Skoda Sabancı Ulaşım Araçları A.Ş

Sarıhamzali Mahallesi Turhan Cemal Beriker Blv. No: 563 /1 Seyhan/Adana

kvk@temsa.com

If, despite our efforts and commitments, you believe that your rights regarding your personal data were not respected, you can submit a complaint to the related authorities.