Personal Data Protection and Processing Policy

 NUROL BAE SYSTEMS HAVA SİSTEMLERİ A.Ş. (BNA)

 PERSONAL DATA PROTECTION AND PROCESSING POLICY

 1. PURPOSE OF THE POLICY

 Law no. 6698 on Protection of Personal Data (LPPD) which is currently in force in our country sets forth the protection of the fundamental rights and freedoms of persons, in particular their rights to privacy, with respect to the procession of personal data, and the obligations of natural and legal persons who process personal data and the principles and procedures to be followed. 

 According to the Constitution of the Republic of Turkey, everyone has the right to ask for protection of personal data about herself/himself.

 Within this scope, Nurol BAE Systems Hava Sistemleri A.Ş. (BNA) informs its employees and third parties while collecting data, provides training to its employees in terms of data protection; takes the necessary technical and administrative measures to ensure the appropriate level of security achieved to protect the data and in order to prevent unlawful processing of personal data which is being processed, to prevent unlawful access to the data in accordance with Article 12 of the LPPD and in this context, BNA performs or carries out the necessarychecks.

 The main objective of this Policy is to provide information regarding the adopted systems in order to protect personal data and data processing activities performed by BNA in accordance with the law. In this regard, our aim is to provide transparency by informing Our Employee Candidates, Our Employees, Our Shareholders, Our Visitors, employees, shareholders and authorized representatives of the institutions, third party individuals, especially those whose personal datas are processed by our Company.

 2. SCOPE OF THE POLICY

 This Policy; relates to all personal data of Our Employee Candidates, Our Employees, Our Shareholders, Our Visitors, Employees, Shareholders and Authorized Representatives of the Institutions, Third Party Individuals that we are working with (hereinafter referred to as individually or collectively “Data Subject(s)”) that is processed automatically or in non-automatic ways, being part of any data recording system.

 In countries where the data of legal entities is protected to the same extent as personal data, this Policy applies equally to data of legal entities.

 3. IMPLEMENTATION OF THE RELATED LEGISLATION AND THIS POLICY

This Policy comprises the internationally accepted personal data privacy principles without replacing the existing national laws. This Policy supplements the national data protection laws (For Turkish Republic Law no. 6698 on Protection of Personal Data and related legislation is valid). 

 The content of this Policy must also be followed in the absence of corresponding national legislation. The reporting and registry requirements for data processing under national laws must be observed.In the event of conflicts between international legislation and the Policy, BNA will work to find a practical solution that meets the purpose of the Policy.

 4. FUNDAMENTAL PRINCIPLES FOR PROCESSING PERSONAL DATA

4.1. Lawfulness and conformity with rules of bona fides

When processing personal data, the individual rights of the Data Subject(s) must be protected. Personal data must be collected and processed in a fair manner and in accordance with the bona fide rules.

4.2. Being processed for specific, explicit and legitimate purposes

Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.

 4.3. Transparency

The Data Subject(s) must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. BNA, when the data is collected, ensure the Data Subject is either be aware of, or informed of the below mentioned articles:

» The identity of the Data Controller

» The purpose of data processing

» Third parties or categories of third parties to whom the data might be transmitted

4.4. Being relevant with, limited to and proportionate to the purposes for which they are processed.

Before processing personal data, it is determined in BNA whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Anonymous or statistical data should be used when the purpose is acceptable and proportionate.

Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.

 4.6. Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed

The personal data covered by this Policy shall be retained in BNA for the period of time stipulated by relevant legislation or the purpose for which they are processed. 

Each department of BNA must be clear about the length of time that the data will be kept and the reason why the information is being retained. To meet this requirement each Department should adhere to records management guidelines as set out in BNA’s Quality Management System.

 4.5. Deletion

Despite being processed, personal data shall be erased, destructed or anonymized by BNA, ex officio or upon demand by the Data Subject, if there is no continuing requirement for the processing of the data. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or as long as it is lawful to retain the data required for historical purposes of the corporate archive

4.7. Accuracy; up-to-dateness of data, where necessary

Personal data on file must be correct, complete, and – if necessary – kept up to date. Relevant BNA employees should abide by the policy, process and procedures as set out in BNA’s Quality Management System in order to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.

4.8. Confidentiality and data security

Personal data is subject to data secrecy. BNA has taken suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction. BNA employees should abide by the relevant policy, process and procedures as set out in BNA’s Quality Management System.

5. CONSENT OF DATA PROCESSING

Collecting, processing and using personal data is permitted only under the legal bases detailed below. 

 At least one of these legal bases is required if the purpose of collecting, processing and using the personal data is being changed from its original purpose.

 Personal data may be processed without seeking the explicit consent of the Data Subject only in cases where one of the following conditions is met:

a) it is clearly provided for by the laws.

b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.

 c) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract.

ç) it is mandatory for the controller to be able to perform his legal obligations.

d) the data concerned is made available to the public by the Data Subject himself.

e) data processing is mandatory for the establishment, exercise or protection of any right.

f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the Data Subject.

 In this regards, personal data may be processed by BNA with the below mentioned purposes:

a) Internal and external audit of the transactions carried out within the scope of Company activity,

b) Activities carried out to comply with the certification rules within the scope of the company quality management system,

 c) Planning and conducting of corporate sustainability activities,

 d) Management of relations with business partners or suppliers,

e) Execution of BNA personnel recruitment processes,

f) Financial reporting and risk management transactions of BNA,

 g) Legal enforcement/follow up of BNA legal case,

h) Planning and performing corporate communication activities,

i) Relevant legislative alignment activities for defense industry security and facility security,

j) The fulfillment of the commitments of BNA undertaken by the contract,

k) BNA’s interest that is required to be protected in the course of work during BNA’s R&D activities or any other activity, intellectual and industrial property rights registration procedures,

l) Performance of organizational management activities,

m) Realization of companies and partnership legal transactions,

 n) Demand and complaint management,

o) Planning and recruitment processes of the rights and interests of senior management in BNA and its shareholding companies,

p) Planning and enforcement of audit activities for the purpose of ensuring that of BNA activities are carried out in accordance with the procedures of its shareholders and relevant legislation,

q) to carry out activities to protect the reputation of BNA and its shareholders,

r) Providing information to authorized institutions and organizations,

s) Forming and follow-up of visitor records.

 In the event that the processing activity carried out for the purposes mentioned above fails to meet any of the conditions stipulated under the provisions of the LPDP, BNA to provide clear consent for the relevant processing period.

5.1 Customer and partner data

5.1.1 Data processing for a contractual relationship

Personal data of the relevant Data Subject(s), customers and partners can be processed in order to establish, execute and terminate a contract. This may also include advisory services for the party to the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfill other requests of the prospect that relate to contract conclusion. Data Subject(s) can be contacted during the contract preparation process using the information that they have provided. In this context, if there are limitations demanded by Data Subject(s), these limitations should be observed to the extent they are appropriate.

5.1.2 Data processing for advertising purposes

If the Data Subject contacts BNA to request information (e.g. request to receive information material about a product), data processing to meet this request is permitted. 

 Customer loyalty or advertising measures may be subject to further legal requirements. Personal data can be processed for advertising purposes or market and opinion research, provided that this is consistent with the purpose for which the data was originally collected. The Data Subject(s) must be informed about the use of his/her data for advertising purposes. If data is collected only for advertising purposes, the disclosure from the Data Subject is voluntary. The Data Subject shall be informed that providing data for this purpose is voluntary. When communicating with the Data Subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the Data Subject should be given a choice among available forms of contact such as regular mail, e-mail and phone.

 If the Data Subject refuses the use of his/her data for advertising purposes, it can no longer be used for these purposes and must be blocked from use for these purposes. Any other restrictions from specific countries regarding the use of data for advertising purposes must be observed.

5.1.3 Consent to data processing

Data can be processed following expilicit consent by the Data Subject. Before giving consent, the Data Subject must be informed in accordance with Article 8 of this Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.

5.1.4 Data processing pursuant to legal authorization

The processing of personal data is also permitted if national legislation requests, requires or  allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions.

 5.1.5 Data processing pursuant to legitimate interest

Personal data can also be processed if it is necessary for a legitimate interest of the BNA. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the Data Subject(s) merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.

5.1.6 Processing of data of special nature(highly sensitive data) 

Personal data of special nature can be processed only if the law requires this or the Data Subject has given explicit consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal claims regarding the Data Subject. If there are plans to process data of special nature, the Legal & Compliance Officer must be informed in advance.

 5.1.7 Automated individual decisions

Automated processing of personal data that is used to evaluate certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the Data Subject. The Data Subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.

5.1.8 User data and internet

If personal data is collected, processed and used on websites or in apps, the Data Subject(s) must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the Data Subject(s). 

 If use profiles (tracking) are created to evaluate the use of websites and apps, the Data Subject(s) must always be informed accordingly in the privacy statement. Personal tracking may only be effected if it is permitted under national law or upon consent of the Data Subject. If tracking uses a pseudonym, the Data Subject should be given the chance to opt out in the privacy statement. 

 If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the Data Subject must offer sufficient protection during access.

5.2 Employee data

5.2.1 Data processing for the employment relationship

In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the

applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to

remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other shareholders’ companies.

 In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply. 

If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws have to be observed. In cases of doubt, consent must be obtained from the Data Subject. There must be legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.

 5.2.2 Data processing pursuant to legal authorization

The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.

5.2.3 Consent to data processing

Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the Data Subject must be informed in accordance with Article 8. of this Policy.

 5.2.4 Data processing pursuant to legitimate interest

Personal data can also be processed if it is necessary to enforce a legitimate interest of BNA. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g. valuation of companies) nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed,it must be determined whether there are interests that merit protection. 

 Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the company in performing the control measure (e.g. compliance with legal provisions and internal company rules) must be weighed against any interests meriting protection that the employee affected by the measure may have in its exclusion, and cannot be performed unless appropriate. 

 The legitimate interest of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken. Moreover, any additional requirements under national law (e.g. rights of co-determination for the employee representatives and information rights of the Data Subject(s)) must be taken into account.

 5.2.5 Processing of highly sensitive data

Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be highly sensitive personal data. Highly sensitive personal data can be processed only under certain conditions.Personal data, excluding those relating to health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the Data Subject, in the cases provided for by laws. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law. If there are plans to process highly sensitive data, the Legal and Compliance Officer must be informed in advance.

 5.2.6 Automated data processing

If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection), this automatic processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision.The Data Subject must also be informed of the facts and results of automated individual decisions and the possibility to respond.

5.2.7 Telecommunications and internet

Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by the BNA primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies.There will be no general monitoring of telephone and e-mail communications or intranet/ internet use. To defend against attacks on the IT infrastructure or individual users, protectivemeasures can be implemented for the connections to the BNA network that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of laws or policies of the BNA. 

6. TRANSER OF PERSONAL DATA IN COUNTRY OR ABROAD

Personal data may be transferred without obtaining the explicit consent of the Data Subject if one of the conditions set forth under the following exists:

a) If it is permitted under article 5 of this Policy and/or national law,

b) On the condition that adequate measures are taken, the second paragraph of article 2.5 of this Policy.

 Personal data cannot be transferred abroad without explicit consent of the Data Subject. Personal data may be transferred abroad without explicit consent of the Data Subject provided that one of the conditions set forth in the article 5 of this Policy and/or national law, and the the second paragraph of article 2.5 of this Policy exist and that; 

(a) sufficient protection is provided in the foreign country where the data is to be transferred, 

(b) the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided. 

 The Personal Data Protection Board determines and announces the countries where sufficient level of protection is provided. 

 7. CONTRACT DATA PROCESSING

Data processing on Behalf means that a provider is hired to process personal data, without being assigned responsibility for the BNA process. In these cases, an agreement on Data Processing on Behalf must be concluded with external providers and among companies within the BNA. The Company retains full responsibility for correct performance of data processing jointly by the service provider. The provider can process personal data only as per the instructions from the company. 

 When issuing the order, the following requirements must be complied with; the department placing the order must ensure that they are met.

1. The provider must be chosen based on its ability to cover the required technical and organizational protective measures.

 2. The order must be placed in writing. The instructions on data processing and the responsibilities of the company and provider must be documented.

 3. The contractual standards for data protection provided by the Legal and Compliance Officer must be considered.

 4. Before data processing begins, the company must be confident that the provider will comply with the duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the contract.

 5. In the event of cross-border contract data processing, the relevant national requirements for disclosing personal data abroad must be met. In particular, personal data from the European Economic Area can be processed in a third country only if the provider can prove that it has a data protection standard equivalent to this Policy. 

In order to document suitable data protection below mentioned tools can be used:

a. Agreement on European Union (EU) standard contract clauses for contract data processing in third countries with the provider and any subcontractors.

b. Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data protection level.

 c. Acknowledgment of binding corporate rules of the provider to create a suitable level of data protection by the responsible supervisory authorities for data protection.

 8. RIGHTS OF THE DATA SUBJECT

Every Data Subject has the following rights. 

 In this respect, as the personal Data Subject, are entitled to:

a) to learn whether his personal data are processed or not,

b) to request information if his personal data are processed,

c) to learn the purpose of his data processing and whether this data is used for intended purposes,

ç) to know the third parties to whom his personal data is transferred at home or abroad,

d) to request the rectification of the incomplete or inaccurate data, if any,

e) to request deletion or destruction of personal data if, though processed in accordance with the Law no. 6698 and other relevant laws, the reasons necessitating processing of the data no longer exist and to request notification of the same to the third parties to whom your personal data have been transferred,

 f) object to any negative result via analysis of the processed data via exclusively automatic systems, and

 g) to request compensation of any damages you have sustained due to unlawful processing of your personal data.

 9. CONFIDENTIALITY OF PROCESSING

Any unauthorized collection, processing, or use of such data by employees is prohibited in BNA. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies in BNA. 

 BNA Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This has required a careful breakdown and separation, as well as implementation, of roles and responsibilities in BNA. Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. This obligation shall remain in force even after employment has ended.

 In BNA, Supervisors informs their employees at the start of the employment relationship about the obligation to protect data secrecy. 

10. PROCESSING SECURITY

Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification). The technical and organizational measures for protecting personal data are part of corporate Information Security management and is being adjusted continuously to the technical developments and organizational changes.

11. DATA PROTECTION CONTROL

Compliance with this Policy and the applicable data protection laws is checked regularly with data protection audits and other controls.

The results of the data protection controls must be reported to the Legal and Compliance Officer. 

 12. DATA PROTECTION INCIDENTS

All employees must inform their supervisor, data protection coordinator or the Legal and Compliance Officer immediately about cases of violations against this Data Protection Policy or other regulations on the protection of personal data (data protection incidents).The manager responsible for the function or the unit is required to inform the Legal and Compliance Officer immediately about data protection incidents. In cases of

» improper transmission of personal data to third parties,

» improper access by third parties to personal data, or

» loss of personal data

the required company reports (Incident Report) must be made immediately so that any reporting duties under national law can be complied with.

 13. COMPANY DATA CONTROLLER

BNA, as a data controller has taken all necessary technical and administrative measures to provide a sufficient level of security in order to: 

a) prevent unlawful processing of personal data, 

b) prevent unlawful access to personal data, 

c) ensure the retention of personal data. 

 The Legal & Compliance Officer, works towards the compliance with national and international data protection regulations. 

 Decisions made by the Legal and Compliance Officer to remedy data protection breaches must be upheld by the management of the company in question. Inquiries by supervisory authorities must always be reported to the Legal & Compliance Officer.

 Should you, as the personal Data Subject, communicate your requests regarding your rights in writing to BNA address “Üniversiteler Mah, 1605.Cad, No:3/1-3, 06800 – Çankaya/Ankara”by post or by sending an email to: nurolbaesystems@hs03.kep.tr  or calling the BNA Legal and Compliance Officer from +90 (312) 210 02 20/121 Ext, BNA will finalize your request free of charge as soon as possible and within not later than thirty days depending on the characteristics of the request. However, if the requested transaction requires an additional cost, please be advised that you will be asked to pay the fee in the fee tariff specified by the Board on Protection of Personal Data. 

14. EFFECTIVITY OF THIS POLICY

This Data Protection and Processing policy is published on the BNA website (www.nurolbaesystems.com) and is made available to the interested parties upon the request of the Data Subject(s).

We, as BNA, commit to comply utmost with our shareholders Nurol Holding A.S.’ and BAE Systems’ published lawful policies and regulations with regard to the Personal Data processing and protection. You can view our shareholder’s personal data protection

 BAE Systems: https://www.baesystems.com/en-uk/privacy

 Nurol Holding A.Ş.: https://www.nurol.com.tr/gizlilik-ve-yasal-uyari

 

ÜST