Information Privacy And Security Policy

1. Policy Purpose and Scope

This policy has been prepared to regulate the principles and measures to be considered and complied with by Öncü Tur employees in order to maintain and ensure the confidentiality, security, integrity and continuity of all kinds of information. Öncü Tur employees know that the use and disclosure of any information in violation of this policy will adversely affect Öncü Tur's competitiveness and may harm Öncü Tur. In this respect, they are aware that they are responsible for using and sharing confidential information in accordance with the principles and procedures set out in this policy and for ensuring and protecting its confidentiality and security, and they show care and attention to this.

2. Confidentiality of Information

Pursuant to the provisions of the Turkish Code of Obligations No. 6098 and Labor Law No. 4857, employees are obliged to protect and carefully store all kinds of confidential information, primarily business secrets and/or trade secrets, within the framework of their loyalty obligations to Öncü Tur. This obligation continues during the employment relationship and after its termination for any reason. Öncü Tur employees are obliged to keep confidential the information and documents they obtain during their work, in accordance with the provisions of the employment contract they have signed with Öncü Tur. Confidential information cannot be used in violation of this policy and cannot be disclosed to third parties.

2.1. Definition of Confidential Information

Confidential information covers all kinds of information in any format, including, but not limited to: commercial, financial, operational, contractual and technical information, trade secrets, information subject to intellectual property rights, inventions, ideas, personal data, all kinds of documents, reports, information notes, analyses, compilations, summaries, project descriptions, licenses, permits, business plans, processes, strategies and methods, descriptions of existing potential projects and products, know-how, software, customer lists, pricing information, and information whose confidentiality must be ensured within the scope of "confidentiality agreements" concluded with third parties, as well as information obtained through these ("Confidential Information"). The owner of the confidential information may be not only Öncü Tur, but also one of the parties (employees, business partners, suppliers, customers, stakeholders, etc.) or competitors with whom Öncü Tur has established a relationship within the scope of its activities and business.

2.2. Disclosure and Use of Confidential Information

Öncü Tur employees cannot disclose confidential information or share it with third parties except in the following cases:

• In the event that it is necessary to share confidential information with the relevant third party within the scope of Öncü Tur's ordinary activities and limited to these activities, signing a confidentiality agreement or obtaining a written confidentiality commitment from the relevant third party in order to ensure the use and security of the confidential information disclosed between the parties and to determine the responsibilities regarding this,

• Implementation of the instructions of official organizations and courts or the provisions of the relevant legislation, provided that he/she has notified his/her immediate supervisor in advance,

• In case of disclosure of confidential information of third parties, obtaining the prior written consent of the third parties concerned,

• If it is necessary to share confidential information without a confidentiality agreement / commitment letter, obtaining the prior written consent of Öncü Tur and/or its manager.

It is essential that Öncü Tur employees comply with and pay attention to the following principles within the scope of disclosure and use of confidential information:

• The confidentiality of any information that can be included in the definition of confidential information must be protected, even if it is not stated in writing or verbally that the information concerned is confidential information.

• Confidential information is shared only with employees who are required to know it by their duties, limited to the specified purposes and subject matter, and is used by these persons for this purpose.

• Except for the cases mentioned above, confidential information cannot be shared with third parties. This rule also applies to the employee's family members and to employees and former employees of Öncü Tur who do not need to know.

• Confidential information may not be reproduced, modified or destroyed without permission.

• Confidential information may not be shared, discussed or worked on through social media accounts and mobile applications, in places where third parties can hear, or in public areas.

• Confidential information belonging to third parties, including Öncü Tur's competitors, shall not be obtained in violation of law and morality, and such confidential information shall be protected and shared with due care and attention as if it were confidential information belonging to themselves and/or Öncü Tur. In the event that confidential information is obtained or used in violation of these rules, the relevant Öncü Tur employee is obliged to immediately report this situation to his/her manager.

• No employee may in any way pressure or coerce another employee to share confidential information in his/her possession or knowledge.

• During transactions related to confidential information, the Company acts in accordance with the Law No. 6698 on the Protection of Personal Data and secondary legislation.

• Öncü Tur employees must protect confidential information against unauthorized access, use or destruction within the framework of this policy and other policies and practices of the Information Technologies Department (Öncü Tur Technology), and take the necessary measures.

• When leaving his/her position at Öncü Tur, the employee is obliged to return all confidential information (including originals and copies) that he/she has accessed during the job.

• It is essential that Öncü Tur employees receive support from the Legal Department regarding practices related to confidential information.

3. Information Security

Öncü Tur takes the necessary measures within the scope of information security to ensure that the privacy, integrity, continuity and access of all kinds of information stored in various forms, in both physical and electronic media, are protected and carefully maintained, and to prevent factors that threaten their security. Öncü Tur employees are aware that this information constitutes an important part of Öncü Tur's assets. Employees comply with the following principles and take measures to ensure the security of the information they access and use through physical and/or information technology systems:

• Öncü Tur employees cannot use the information they will have access to while performing their duties in violation of the relevant legislation, this policy and other practices and policies within Öncü Tur.

• Öncü Tur employees take into account and act in accordance with the principles of this policy regarding the disclosure and use of confidential information when they need to share information with third parties.

• Öncü Tur employees also take into account the measures and precautions that need to be implemented for confidential information that is personal data, take the necessary actions to ensure that information requests submitted by the persons whose personal data are processed are concluded urgently by the relevant units, and follow up on them.

• Access to information is limited to the information necessary to perform the work within the scope of Öncü Tur's ordinary activities and only for the identified authorized Öncü Tur employees.

• Öncü Tur employees should not share information such as username, password, etc. that provides access to this information with any person, including other Öncü Tur employees, and should keep this information confidential. If Öncü Tur employees suspect that there are situations that threaten the confidentiality and security of this information, they should immediately take the necessary measures and contact the (Öncü Tur Technology) Information Technologies Department.

• If changes are made to the information, records of the changes are kept on the servers where the information is located.

It is essential that the information and documents are kept in the workplaces of Öncü Tur and not taken out of the workplaces. If it is necessary to take this information out of the workplace, the Öncü Tur employee obtains the prior approval of the manager and/or other persons responsible for the confidentiality and security of the information.

• Öncü Tur employees use the information they will access while performing their duties through the allocated devices within the framework of the principles and rules notified by Öncü Tur.

In terms of maintaining the security of information:

• Information kept in physical media should be kept privately and securely in the cabinets for the personal use of Öncü Tur employees or in the areas notified by the persons responsible for the storage of the relevant information, and under no circumstances should it be left open to the access of other persons in common areas (meeting rooms, printers, fax machines, etc.) in the workplace.

• Policies on information access, security, use, storage and destruction have been determined for the information kept in information technology systems. Within the scope of these policies, employees are periodically trained and awareness activities are carried out on information security; the authorization matrix and access logs are regularly kept and updated; users' account management is monitored; necessary technological solutions are produced by examining situations involving risk; measures are taken to ensure the security of all kinds of media where information is kept; and data loss prevention software is used and information is backed up in order to ensure the continuity of information retention. Relevant network and application security measures and cyber security measures are taken against negative situations such as loss, deletion, damage due to malware, cyber-attacks, information espionage, unauthorized access, copying and unauthorized modification of information, and related practices are constantly monitored and audits are carried out.

4. Implementation

Öncü Tur employees should immediately seek the opinion of the Ethics Committee or notify the Ethics Committee if they have any doubts about the implementation of the principles and measures specified in this policy, if they believe that a violation has occurred, or if they learn about such violations.