Privacy and Security

RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC.

PERSONAL DATA PROTECTION POLICY

INTRODUCTION

  1. Definitions

  2. Purpose

  3. Risk Assessment

  4. Scope of Application

  5. Data Protection Principles

  6. Data Transfer

  7. Rights of the Data Subject

  8. Application to the Data Controller

  9. Role and Responsibilities of the Data Controller

  10. Information Security Organization

  11. Notification Obligation

  12. Data Destruction Policy

Annex 1 - Data Protection Agreements with Third Parties

Annex 2 - Notification of Obligations Regarding Data Protection Breaches

Annex 3 - Personal Data Retention Periods

INTRODUCTION

RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC. is committed to ensuring a high level of protection in the processing of personal data. Our personal data protection policy is a sustainable and innovative policy that ensures the protection of the personal data of customers, employees, suppliers, and subcontractors. The fundamental principles of the existing legislation on the confidentiality/protection of personal data have been reviewed, and our policy has been prepared in compliance with the legislation. While preparing the policy in compliance with the legislation, the services we provide in our sector have also been taken into account. The services and activities supported and offered by RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC. have been analyzed as a reference. We would like to express our pride in being among the companies that provide the highest level of data protection beyond our sector.

The PERSONAL DATA PROTECTION POLICY is a mandatory discipline regulated by Law No. 6698, and we would like to state that we have benefited from the following legislation while preparing the policy:

  • GDPR (General Data Protection Regulation), Regulation (EU) 2016/679

  • Law No. 6698 on the Protection of Personal Data

  • Regulation on the Working Procedures and Principles of the Personal Data Protection Board

  • Regulation on the Deletion, Destruction, or Anonymization of Personal Data

  • Regulation on the Data Controllers Registry

  • Communiqué on the Procedures and Principles of Application to the Data Controller

  • Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform

  • Board Decisions

RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC. ensures that the POLICY is accessible, understandable, and readable by all (customers, suppliers, partners, and employees). RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC. establishes a system that is compatible with its corporate values defined in its company profile and can maintain accreditation criteria in the future. Based on this Policy, the Management considers the development of a system as a strategic choice.

Our company collects personal and special categories of personal data of its customers and employees in order to operate in the sector, establish a valid contractual relationship, and fulfill mandatory notifications to public institutions and organizations.

2. PURPOSE

The processing of personal data is part of RENAR TOURISM AUTOMOTIVE CONSTRUCTION RENT A CAR INDUSTRY AND TRADE INC.'s responsibility as a company subject to Law No. 6698. The purpose of this Policy is to ensure data protection and minimize risks related to protection.

3. RISK ASSESSMENT

Violations related to data protection may have serious legal consequences, and ensuring a high level of personal data protection provides economic benefits to our company, customers, employees, and related parties. Since protecting personal data is also crucial for our company's reputation, we comply with the obligations stipulated under the "Technical and Administrative Measures to Be Taken by the Data Controller" issued by the Personal Data Protection Authority and the obligations under KVKK. To mitigate risks, necessary measures such as securely storing personal data, masking it when needed, destroying it when required, ensuring processing only by authorized personnel, and keeping data in secure physical or digital environments have been implemented. The implementation of this Policy minimizes risks related to data protection.

4. SCOPE OF APPLICATION

This Policy covers the processing of personal data, particularly by data processors appointed by the data controller. The Policy applies to customers, employees, suppliers, and subcontractors.

5. DATA PROTECTION PRINCIPLES

Personal data must be processed legally and in a manner that protects privacy rights. For this purpose, the following data protection principles must be followed:

5.1 Processing in Compliance with Law and Fairness: This fundamental principle ensures transparency in data processing activities.

5.2 Proportionality: The principle of proportionality must be considered in the processing of personal data. Data must be processed in a way that is proportionate to its purpose.

5.3 Transparency: As a principle, data subjects should be able to access their data upon request and must be adequately informed by the data controller.

5.4 Data Economy and "Need to Know" Principle: Personal data should only be processed to the extent necessary for achieving defined objectives. As a rule, personal data should not be collected in advance or stored for potential future use. Legal regulations, contract management, and requests from public institutions determine the proportional processing of personal data. When data destruction conditions arise, data will be deleted. Access to personal data is provided based on the "need to know" principle, ensuring that only those who need access to perform their duties can obtain it.

5.5 Data Quality: Personal data must be collected and processed accurately and objectively. Necessary measures should be taken to ensure that incorrect or incomplete data is corrected, updated, and integrated.

5.6 Processing Confidentiality: Personal data must be protected against unauthorized access. It is prohibited for unauthorized persons to process personal data. Additionally, authorized individuals must not transfer data processing activities or access rights to unauthorized parties. This principle is enforced through policies and confidentiality agreements.

6. DATA TRANSFER

Personal data may only be transferred to subcontractors, suppliers, and other firms in contractual relationships, in connection with the purpose of data processing. Transfer conditions are separately regulated in the information notice. Transfers are made in proportion to the purpose and nature of the transaction, under the authority of the data controller. Data sharing is only possible with the explicit consent of the data subject. Personal data cannot be shared with anyone, including close relatives, without explicit consent. If the data subject wants a third party to access their data, the request must be made with a valid notarized authorization document containing special authority. In case of the data subject's death, personal data may only be shared with heirs through a court order.

7. RIGHTS OF THE DATA SUBJECT

If personal data is processed, data subjects must have the opportunity to obtain information regarding their data. Article 11 of KVKK lists the rights of data subjects, which include:

7.1. Right to learn whether personal data is being processed.

7.2. Right to request information if personal data has been processed.

7.3. Right to learn the purpose of processing and whether it is used appropriately.

7.4. Right to know the third parties to whom data has been transferred domestically or abroad.

7.5. Right to request correction of incomplete or incorrect data.

7.6. Right to request deletion or destruction of data when the processing duration expires.

7.7. Right to seek compensation for damages incurred due to unlawful processing of personal data.

8. APPLICATION TO THE DATA CONTROLLER

The data subject shall first submit their requests for the implementation of KVKK provisions to the data controller. This application can be made in writing, via a registered email address, e-signature, mobile signature, an email address previously notified to and recorded by the data controller, or through a software application developed for application purposes.

A complaint application to the Board can be filed within 30 days from the date the data controller's response is received, and in any case, within 60 days.

9. ROLE AND RESPONSIBILITIES OF THE DATA CONTROLLER

The data controller is responsible for preventing the unlawful processing of personal data, preventing unauthorized access, and ensuring the preservation of data.

If data is processed by another natural or legal person, joint and several liability applies.

RENAR TURİZM OTOMATİV İNŞAAT RENT A CAR SANAYİ VE TİC. A.Ş. takes all necessary administrative and technical measures to protect personal data and ensures that the required audits are conducted timely.

In case personal data is obtained by unauthorized parties despite all administrative and technical measures, the data controller promptly notifies the Personal Data Protection Board.

RENAR TURİZM OTOMATİV İNŞAAT RENT A CAR SANAYİ VE TİC. A.Ş. has two main areas of data processing:

  1. Processing data of employees, suppliers, and customers in the role of a data controller.

  2. Vehicle automation data and mobile data.

PERSONAL DATA AUTHORITY MATRIX

PERSONAL DATA CONTROLLER: Chairman of the Company Board (ensuring the implementation of KVKK within the company)

PERSONAL DATA CONTACT PERSON

  • Managing relationships with KVKK

  • Ensuring personnel training and awareness

  • Ensuring and supervising the lawful recording of personal data

  • Conducting/arranging administrative audits

  • Conducting/arranging technical audits

PERSONAL DATA PROCESSORS

  • Processing personal data in accordance with the instructions of superiors and legal regulations

  • Not sharing personal data with unauthorized persons

  • Attending relevant training as required by superiors

  • Promptly reporting system and operational deficiencies to superiors

10. INFORMATION SECURITY ORGANIZATION

Referring to technical and corporate measures, our policy is designed based on KVKK, regulations, and international standards to ensure the highest level of protection for personal data. For this reason, a data security organization has been established within our company and its subsidiaries. The organizational chart is structured as follows:

11. NOTIFICATION OBLIGATION

In the event of a breach of the principles outlined here, RENAR TURİZM OTOMATİV İNŞAAT RENT A CAR SANAYİ VE TİC. A.Ş. takes the necessary administrative and technical measures and reports the violation to the Board as soon as possible. This situation is documented in a report, detailing the administrative/technical measures taken and listing the implemented precautions.

12. PERSONAL DATA DESTRUCTION POLICY

PERSONAL DATA RETENTION AND DISPOSAL POLICY

We would like to inform data subjects whose personal data we process about how long their data is stored in our system and the conditions and durations for its disposal within the scope of the Personal Data Protection Law No. 6698 and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. As the data controller, RENAR TURİZM OTOMOTİV İNŞAAT RENT A CAR SANAYİ VE TİC. A.Ş. will implement this retention and disposal policy.

Definitions

  • Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
  • Explicit Consent: Consent that is related to a specific subject, based on information, and declared with free will.
  • Data Processor: Persons who process personal data within the organization of the data controller or under the authority and instructions of the data controller, excluding those responsible for the technical storage, protection, and backup of data.
  • Data Recording System: The recording system in which personal data is processed by structuring it according to specific criteria.
  • VERBIS: Data Controllers Registry Information System.
  • Destruction: The deletion, destruction, or anonymization of personal data.
  • Recording Medium: Any medium containing personal data processed, whether fully or partially automated, or non-automated as part of a data recording system.
  • Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
  • Policy: Personal Data Retention and Disposal Policy.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or non-automated as part of a data recording system, including collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
  • Anonymization of Personal Data: The process of making personal data unidentifiable with an identified or identifiable natural person, even when matched with other data.
  • Deletion of Personal Data: The process of making personal data completely inaccessible and unusable for related users.
  • Destruction of Personal Data: The process of making personal data completely inaccessible, unrecoverable, and unusable by anyone.
  • Board: The Personal Data Protection Board.
  • Periodic Disposal: The process of deleting, destroying, or anonymizing personal data at recurring intervals specified in the data retention and disposal policy, in cases where all conditions for processing personal data have ceased to exist under the law.
  • Data Subject/Relevant Person: The natural person whose personal data is processed.
  • Personal Data Inventory: The inventory prepared by data controllers that associates personal data processing activities with business processes, specifying the purposes and legal grounds for processing, the category of data, the recipient group to whom the data is transferred, the maximum retention period required for processing purposes, any personal data foreseen for transfer to foreign countries, and the security measures taken regarding data protection.

Principles

First and foremost, we would like to emphasize that as a company, we use a data retention method and tool that complies with the necessary requirements.

  • A disposal policy that contradicts Law No. 6698, relevant regulations, Convention 108+, and the decisions of the Personal Data Protection Board has not been adopted.

  • Appropriate security measures have been implemented to protect personal data contained in automated data files from unauthorized access, modification, or disclosure, as well as from accidental or unauthorized destruction.

  • Necessary precautions have been taken to safeguard files against both natural risks such as accidental loss or destruction and human-induced risks such as unauthorized access, fraudulent misuse of data, or infection by computer viruses.

  • The personal data we collect in the areas specified in our personal data protection policy and disclosure text are recorded and stored in a secure environment. Apart from our legal obligation to retain data, these records are kept for a minimum of three years.

  • Law No. 6698 and the relevant regulations grant us the right to choose and manage the method of data disposal. The data controller will determine the appropriate disposal method depending on the type of personal data. If the data subject requests data disposal, the appropriate method will be selected with an explanation of the rationale. Before deleting the data, the data controller will notify the data subject via their registered email or postal address, informing them of the disposal method to be used.

  • Administrative and technical measures will be taken during the disposal process of personal data. Once disposed of, records of the disposal will be kept in a secure environment for at least three years. The retention period required by legal obligations remains in effect.

  • Data of inactive customers, job applicants, employees, subcontractors, and suppliers will be disposed of immediately, except for legally required retention periods. Information about the disposal process and the disposal method will be communicated to the relevant individual using an appropriate method.

  • If all conditions for processing personal data specified in Articles 5 and 6 of the Law are no longer met, personal data will be deleted, destroyed, or anonymized by the Company, either ex officio or upon the request of the data subject.

  • The data subject also has the right to request the deletion of their data from the Company. In such cases, the Company will respond to the request within a maximum of 30 days. The groups to which the data was transferred will also be informed about the request, and if the conditions for deletion are met, the data will be erased. If the deletion conditions are not met, the data subject will be informed of the reason why the data was not deleted and when it is expected to be deleted.

Explanations Regarding the Reasons for Retention and Disposal

The personal data of the data subject is processed and stored for the following reasons:

  • Establishment and execution of contractual relationships,
  • Requests from authorized public institutions and organizations,
  • Management of employer-employee relations, ensuring occupational health and safety, evaluating employee performance, and establishing employment contracts,
  • Ensuring workplace and employee security,
  • Establishing and maintaining supply and subcontractor agreements,
  • Conducting marketing and advertising activities,
  • Managing legal proceedings.

The retention activity does not exceed the period stipulated by law for mandatory data retention.

For this purpose:

  • Personal data is retained as it is directly related to the establishment and execution of contracts,
  • It is retained for the establishment, use, or protection of a right,
  • It is retained as necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
  • It is retained for the Company to fulfill any legal obligations,
  • It is retained if explicitly required by regulations,
  • It is retained based on the explicit consent of data subjects when required.

Your Data Will Be Deleted or Destroyed in the Following Cases:

  • If the retention period has expired or legal obligations regarding retention conditions have changed,
  • If the purpose of processing has ceased to exist,
  • If the conditions for processing personal data stated in Articles 5 and 6 of the Law have disappeared,
  • If the data subject withdraws their explicit consent for processing,
  • If the data subject's request under Article 11 of the Personal Data Protection Law (KVKK) is accepted,
  • If the data controller rejects a request from the data subject for deletion, destruction, or anonymization of their personal data, provides an insufficient response, or does not respond within the legally prescribed period, and the data subject files a complaint with the Authority, leading to a recommendation from the Authority,
  • If the maximum retention period for personal data has been exceeded.

Retention and Disposal Periods

When determining retention and disposal periods, the Company evaluates the following criteria within the framework of Law No. 6698 and the relevant regulations:

  • The period generally accepted as standard within the relevant sector,
  • The duration of the legal relationship established with the data subject,
  • The period during which the data controller's legitimate interest remains legally and ethically valid,
  • The duration for which legal risks, costs, and responsibilities associated with retention persist,
  • Whether the maximum retention period is suitable for keeping the data accurate and up to date,
  • The period required by legal obligations for retaining personal data within the relevant data category,
  • The statute of limitations for asserting a right related to personal data.

Personal data whose retention period has expired is anonymized, deleted, or destroyed in accordance with the methods specified in this Policy at six-month intervals. All deletion, destruction, and anonymization processes are recorded, and these records are retained for at least three (3) years, excluding other legal obligations.


Technical and Administrative Measures for the Retention and Disposal of Personal Data

Administrative Measures:

As part of administrative measures, the Company:

  • Restricts internal access to stored personal data to only those employees who require access for their job duties. The sensitivity and importance of the data are considered when determining access limitations.
  • If personal data is obtained unlawfully by third parties, promptly informs the data subject and the Personal Data Protection Authority.
  • Ensures data security by signing framework agreements or adding data security provisions to existing agreements with individuals and entities with whom personal data is shared.
  • Employs knowledgeable and experienced personnel for data processing and provides training on data protection laws and security measures.
  • Conducts necessary audits within its legal entity to ensure compliance with the Law and takes corrective actions if security vulnerabilities are identified.
  • Implements sufficient security measures based on the data storage environment (e.g., protection against electrical leakage, fire, flooding, theft, etc.) and prevents unauthorized access.

Technical Measures:

Within the scope of technical measures, the company:

  • Conducts penetration tests to identify risks, threats, vulnerabilities, and potential security gaps in the organization's IT systems, taking necessary precautions accordingly. Through information security incident management, real-time analyses are performed to mitigate risks and threats that could impact IT system continuity.

  • Implements both hardware-based (e.g., access control systems allowing only authorized personnel into system rooms, 24/7 monitoring systems, physical security measures for edge switches in local area networks, fire suppression systems, climate control systems, etc.) and software-based (e.g., firewalls, intrusion prevention systems, network access control, malware prevention systems, etc.) security measures to protect IT systems from environmental threats.

  • Identifies risks related to the unlawful processing of personal data, ensures the implementation of appropriate technical measures, and conducts technical audits of these measures.

  • Establishes access procedures within the organization and conducts reporting and analysis related to access to personal data.

  • Logs access to storage areas containing personal data, keeping unauthorized access or access attempts under control. The organization ensures that deleted personal data remains inaccessible and unrecoverable for relevant users.

  • Has implemented a system and infrastructure to notify the relevant individual and the authorities in case of unlawful acquisition of personal data by unauthorized persons.

  • Monitors security vulnerabilities, applies relevant security patches, and keeps IT systems up to date.

  • Requires the use of strong passwords in electronic environments where personal data is processed.

  • Uses secure logging systems in electronic environments where personal data is processed and employs data backup programs to ensure secure storage.

  • Has established a separate policy for securing sensitive personal data. Employees involved in the processing of sensitive personal data receive specialized training on data security, sign confidentiality agreements, and have their access privileges clearly defined. Electronic environments where sensitive personal data is processed, stored, and/or accessed are protected using cryptographic methods, cryptographic keys are stored securely, all transactions are logged, security updates are regularly monitored, necessary security tests are conducted periodically, and test results are recorded. Physical environments where sensitive personal data is processed, stored, and/or accessed are equipped with sufficient security measures to prevent unauthorized entry or exit. If sensitive personal data must be transmitted via email, it is sent in encrypted form through corporate email accounts or KEP (Registered Electronic Mail) accounts.

  • If sensitive personal data must be transferred via portable storage devices, CDs, or DVDs, it is encrypted using cryptographic methods, and the cryptographic key is stored in a separate environment. If data is transferred between different physical servers, the transfer is conducted through a VPN or SFTP. If transfer via paper documents is necessary, measures are taken to prevent theft, loss, or unauthorized viewing of the documents, and they are marked as "confidential."

Duties and Authorities of the Personal Data Protection Unit

The Personal Data Protection Unit:

  • Communicates policies and other information related to personal data protection to relevant departments and monitors their compliance.
  • Plans and oversees periodic training sessions and audits.
  • Follows legal and regulatory changes and ensures the policy and related texts are updated accordingly.
  • Regularly tracks decisions made by the Data Protection Authority.

Implementation of the Policy, Violations, and Sanctions

  • This policy will take effect once it is communicated to all employees and will be binding for all business units, consultants, external service providers, and anyone involved in personal data processing.
  • In case of a violation, the relevant department manager must directly inform the data controller and the designated contact person and take necessary measures to ensure policy enforcement.
  • The Personal Data Protection Unit must also be informed of any policy violations.
  • Appropriate action will be taken promptly against those who violate the policy.

Annex-1: Table Showing Personal Data Retention and Disposal Periods

Personal data will be retained for the periods specified in the table below, in accordance with Article 4 of the policy, and will be anonymized or destroyed after the specified period.

Process | Retention Period | Disposal Period
--- | --- | ---
Data retained under Labor Law (e.g., performance records) | 5 years after termination of employment | Within 6 months after the end of the retention period
Data collected under occupational health and safety regulations (e.g., health reports) | 15 years after termination of employment | Within 6 months after the end of the retention period
Data retained under Social Security Law | 10 years after termination of employment | Within 6 months after the end of the retention period
Documents that may be used in claims/lawsuits related to work accidents/occupational diseases | 10 years after termination of employment | Within 6 months after the end of the retention period
Data collected as required by other relevant regulations | As long as required by the relevant regulation | Within 6 months after the end of the retention period
Personal data related to an offense under the Turkish Penal Code or other criminal regulations | During the statute of limitations period | Within 6 months after the end of the retention period
Customer data | 10 years after being recorded | Within 6 months after the end of the retention period
The company reserves the right to retain data for longer periods than those specified above when necessary and, upon the request of the relevant individual, explains the conditions for deletion along with the justification.
