Privacy and GDPR Policy

1 – INTRODUCTION
1.1 Introduction
The protection of personal data is among the most important priorities of KİMSAN MOBİLYA DEKR.İNŞ.MAK.İTH.İHR.LTD.ŞTİ (“the Company”), and it makes every effort to comply with all applicable legislation in this regard. The most important aspect of this is this KİMSAN MOBİLYA DEKR.İNŞ.MAK.İTH.İHR.LTD.ŞTİ Personal Data Protection and Processing Policy (“the Policy”).
This Policy explains the principles adopted by our Company in carrying out personal data processing activities and the fundamental principles adopted in terms of our Company's compliance with the regulations in the Law No. 6698 on the Protection of Personal Data ("the Law"), thus ensuring the necessary transparency by informing personal data owners. With full awareness of our responsibility in this regard, your personal data is processed and protected within the scope of this Policy.

1.2 Scope
This Policy applies to all personal data of individuals other than our company employees and interns, whether processed automatically or non-automatically as part of any data recording system.

Detailed information regarding the data subjects in question can be found in Appendix 2 ("Appendix 2 - Data Subjects") of this Policy.

The activities carried out by our Company regarding the protection of our employees' personal data are managed under the KİMSAN MOBİLYA DEKR.İNŞ.MAK.İTH.İHR.LTD.ŞTİ Employee Personal Data Protection and Processing Policy, which is drafted in parallel with the principles in this Policy.

2 – MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
2.1 Principles for Processing Personal Data
Our company processes personal data in accordance with the procedures and principles stipulated in the Law and other relevant legislation. Accordingly, our company processes personal data as follows:

• in accordance with the law and rules of honesty
  

• accurate and up-to-date when necessary,
  

• for specific, explicit and legitimate purposes,
  

• In a manner that is relevant to the purpose for which they are processed, limited and proportionate,
  

• for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed.
  It is in operation.

2.2 Processing of Personal Data
2.2.1 Processing of Personal Data
The explicit consent of the data subject is only one of the legal grounds that enable the lawful processing of personal data. However, if any of the following conditions exist, our Company processes personal data without requiring the explicit consent of the data subject.
Except for explicit consent, the basis for processing personal data may be only one of the conditions specified below, or multiple conditions may serve as the basis for the same personal data processing activity. If the processed data is special categories of personal data, the conditions set forth in section 2.2.2 ("Processing of Special Categories of Personal Data") of this Policy shall apply.
Explicitly Provided for in the Laws
Personal data may be processed in cases explicitly provided for by law. In such cases, our Company processes personal data within the framework of the relevant legal regulations.
Inability to Obtain the Explicit Consent of the Person Concerned Due to Factual Impossibility
Personal data may be processed if it is necessary to protect the life or physical integrity of the data subject or another person, even if the data subject is unable to express their consent due to factual impossibility or if their consent cannot be considered valid.
Directly related to the formation or performance of the contract.
Personal data may be processed if it is necessary for the establishment or performance of a contract, provided that the processing of personal data belonging to the parties of the contract is directly related to that contract.
Fulfillment of the Company's Legal Obligations
Personal data of the data subject may be processed if it is necessary for our company, as the data controller, to fulfill its legal obligations.
Making Personal Data Public by the Data Subject
Personal data that has been publicly disclosed by the data subject in any way and has become publicly available as a result of this disclosure may be processed by our Company only for the purpose of that disclosure.
Data Processing is Necessary for the Establishment or Protection of a Right
Personal data of the data subject may be processed if such processing is necessary for the establishment, exercise, or protection of a right.
Data Processing is Necessary for the Legitimate Interests of Our Company
Personal data may be processed by our company provided that a balance of interests between our company and the data subject is maintained. In this context, when processing data based on legitimate interest, our company first determines the legitimate interest it will obtain as a result of the processing activity, evaluates the possible impact of the processing of personal data on the rights and freedoms of the data subject, and carries out the processing activity only if it is convinced that the balance is not disrupted.
2.2.2 Processing of Special Categories of Personal Data
Some personal data are regulated separately as "special categories of personal data" and are subject to special protection. Special attention is paid to this data because of the risk of causing harm or discrimination to individuals if processed unlawfully.
Special categories of personal data are processed by our Company in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including methods determined by the Personal Data Protection Board ("Board"), and only if the following conditions are met:
Personal data of a special category, other than health and sexual life data, may be processed with the explicit consent of the data subject, or without explicit consent in cases explicitly provided for in the laws.
Personal data of a special category relating to health and sexual life may be processed by persons or authorized institutions and organizations bound by an obligation of confidentiality, with or without the explicit consent of the data subject, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
2.3 Purposes of Processing Personal Data
In accordance with the law and other relevant legislation, the purposes for which our Company processes personal data, including personal data and special categories of personal data, are detailed in this Policy are as follows:

MAIN OBJECTIVES SUB-OBJECTIVES
Carrying out the necessary work and managing the related business processes by our relevant business units in order to perform the commercial activities conducted by the company.
Event Management
Planning and Execution of Corporate Communication Activities
Planning and Execution of Supply Chain Management Processes
Planning and Execution of Production and Operation Processes
Planning, Auditing, and Execution of Information Security Processes
Establishment and Management of Information Technology Infrastructure
Planning and Execution of Information Access Rights for Business Partners and Suppliers
Tracking Financial and Accounting Operations
Planning and Execution of the Company's Human Resources Policies and Processes
Planning Human Resources Processes
Execution of Personnel Recruitment Processes
Planning and execution of human resource needs required for production.
Monitoring and Supervision of Employees' Work Activities
Planning and execution of the company's commercial and business strategies.
Managing Relationships with Business Partners and Suppliers
To enable relevant individuals to benefit from the products and services offered by the company, our business units will carry out the necessary work and execute the relevant business processes.
Planning and Execution of Sales Processes for Products and Services
Planning and Execution of After-Sales Support Services Activities
Planning and Execution of Customer Relationship Management Processes
Planning and Execution of Reporting Activities
Monitoring Contract Processes and Legal Claims
Tracking Customer Requests and Complaints
Planning and executing activities necessary for customizing and recommending the company's products and services to relevant individuals based on their preferences, usage habits, and needs.
Planning and Execution of Market Research Activities for the Sales and Marketing of Products and Services
Planning and Execution of Marketing Processes for Products and Services
Planning and Execution of Customer Satisfaction Activities
Identifying and/or evaluating individuals to be included in marketing activities based on consumer behavior criteria.
Designing and/or executing personalized marketing and/or promotional activities.
Designing and/or executing advertising and/or promotional and/or marketing activities in digital and/or other media.
Designing and/or executing activities to acquire new customers and/or create value for existing customers in digital and/or other media.
Planning and/or Execution of Data Analytics Studies for Marketing Purposes
Organizing contests/raffles for marketing purposes and ensuring customer satisfaction.
Planning and execution of activities aimed at improving and enhancing user experience related to products and services.
Ensuring the legal, technical, commercial, and occupational safety of the Company and related parties with whom the Company has a business relationship.
Legal Affairs Monitoring
Planning and executing the necessary operational activities to ensure that company operations are conducted in accordance with company procedures and relevant legislation.
Providing Information to Authorized Institutions as Required by Legislation
Creating and Tracking Visitor Records
Planning and Execution of Emergency Management Processes
Performing Company and Partnership Law Transactions
Planning and Execution of Company Audit Activities
Planning and Execution of Internal Audit and Investigation Processes
Planning and Implementation of Occupational Health and Safety Processes
Ensuring the Security of Company Campuses and Facilities
Ensuring the Security of Company Operations
Ensuring the Security of Company Assets and Resources
Planning and/or execution of the company's financial risk processes.
Planning and/or execution of the company's production and/or operational risk processes.
2.4 Categories of Personal Data Processed by Our Company
In accordance with the Law and other relevant legislation, and within the scope of the purposes and conditions stated in this Policy, our company processes the following personal data: identity information, audiovisual information, financial information, legal transaction and compliance information, family members and close relatives information, CV, contact information, vehicle information, education information, physical location security information, customer transaction information, marketing information, audit and inspection information, transaction security information, job applicant information, personnel information, request and complaint management information, insurance information, location information, reputation management information, marital status information, fringe benefits and advantages information, special categories of personal data, customer information, business partner information, and business information.

3 – MATTERS RELATING TO THE TRANSFER OF PERSONAL DATA
Our company may transfer personal data and sensitive personal data to third parties ("Third Parties") within and/or outside the country, in accordance with legally compliant personal data processing purposes and by taking the necessary security measures. In this regard, our company acts in compliance with the regulations stipulated in Articles 8 and 9 of the Law.
3.1 Transfer of Personal Data
Personal data may be transferred to Third Parties with the explicit consent of the data subject, or without the explicit consent of the data subject, provided that the following conditions are met and with due diligence and by taking all necessary security measures, including the methods prescribed by the Board:
The relevant activity regarding the transfer of personal data must be explicitly provided for in the laws,
The transfer of personal data by the Company must be directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is necessary for the Company to fulfill its legal obligations,
Personal data may be transferred by the Company only for the purpose of making it public, provided that the data subject has already made the data public.
The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company, the data subject or third parties,
Personal data transfer may be necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
Consent must be given in cases where the person is unable to express their consent due to factual impossibility or where their consent is not legally valid, and it is necessary to protect their own life or the life or physical integrity of another person.
If personal data is to be transferred abroad, in addition to the conditions stated above, our Company transfers personal data to foreign countries declared by the Board as having adequate protection ("Foreign Country with Adequate Protection") or, if adequate protection is not available, to foreign countries where the data controllers in Türkiye and the relevant foreign country have provided a written guarantee of adequate protection and the Board's permission has been obtained ("Foreign Country with a Data Controller Guaranteeing Adequate Protection").
3.2 Transfer of Special Categories of Personal Data
Our company may transfer sensitive personal data domestically or internationally in accordance with lawful data processing purposes, by exercising due diligence and taking necessary security measures, including methods prescribed by the Board, and under the following conditions:
Personal data of a special category, excluding health and sexual life data, may be transferred with the explicit consent of the data subject, or without explicit consent in cases explicitly provided for by law.
Personal data of a special category relating to health and sexual life may be transferred by persons or authorized institutions and organizations bound by an obligation of confidentiality, with or without the explicit consent of the data subject, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
If special categories of personal data are to be transferred abroad, in addition to the conditions mentioned above, our Company may transfer special categories of personal data to foreign countries with adequate protection or to foreign countries where the data controller guarantees adequate protection.
3.3 Categories of Persons to Whom Personal Data is Transferred
In accordance with Articles 8 and 9 of the Law, our company may transfer personal data to the following recipient group categories:
Our suppliers
Our business partners
Legally Authorized Public Institutions
Legally Authorized Private Institutions
Detailed information regarding the third parties to whom the personal data is transferred can be found in Appendix 4 of this Policy (“Appendix 4 – Categories of Third Parties to Whom Personal Data is Transferred”).

4 – STORAGE AND DESTRUCTION OF PERSONAL DATA
In accordance with the obligation to delete, destroy, or anonymize personal data stipulated in the Turkish Penal Code, the Law, and other relevant legislation, personal data processed by our Company in compliance with the Law and other legislation will be deleted, destroyed, or anonymized upon the decision of our Company or upon the request of the personal data owner, if the reasons requiring the processing of such data cease to exist.

5 – ENSURING THE SECURITY AND PRIVACY OF PERSONAL DATA
Our company takes all necessary measures, within its capabilities and according to the nature of the data to be protected, to prevent the unlawful disclosure, access, transfer, or other security breaches of personal data.
In this context, our Company takes all necessary (i) administrative and (ii) technical measures, (iii) establishes an audit system within our Company, and (iv) acts in accordance with the measures stipulated in the Law in case of unlawful disclosure of personal data.
5.1 Administrative Measures Taken by Our Company to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
Our company trains and raises awareness among its employees regarding the processing and protection of personal data.
In cases where personal data is transferred, our Company shall ensure that the contracts concluded with the parties to whom the personal data is transferred include clauses stating that the party to whom the personal data is transferred will fulfill its obligations to ensure data security.
Our company's personal data processing activities are examined in detail, and the steps that need to be taken to ensure compliance with the personal data processing conditions stipulated in the Law are identified.
Our company identifies the practices that need to be implemented to ensure compliance with the law and regulates these practices through internal policies.
5.2 Technical Measures Taken by Our Company to Ensure Lawful Processing of Data and Prevent Unlawful Access to Personal Data
Our company takes technical measures to the extent that technology allows regarding the processing and protection of personal data, and these measures are updated and improved in parallel with developments.
Employment of expert personnel in technical matters.
Regular inspections are carried out to ensure the implementation of the measures taken.
Software and systems are being installed to ensure security.
Access to personal data processed within our company is limited to relevant employees in accordance with the defined processing purpose.
In the protection of special categories of personal data, compliance with the measures set forth in the Law and other relevant legislation is required.
5.3 Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In the event that personal data is obtained unlawfully by unauthorized persons within the scope of the personal data processing activities carried out by our company, the situation will be reported to the Board and the relevant data owners without delay.

6 – INFORMING PERSONAL DATA SUBJECTS
In accordance with Article 10 of the Law, our company informs data subjects during the collection of personal data. In this context, we provide information regarding the identity of our company and, if applicable, its representative; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal basis for collecting personal data; and the rights of the data subject.
Article 20 of the Turkish Constitution stipulates that everyone has the right to be informed about personal data concerning them. Accordingly, Article 11 of the Law includes the right to "request information" among the rights of the personal data owner. In accordance with Article 20 of the Turkish Constitution and Article 11 of the Law, our company provides the necessary information when the personal data owner requests it. Detailed information regarding the rights of the personal data owner is provided in section 7.1 of this Policy ("Rights of the Personal Data Owner").

7 – RIGHTS OF THE DATA SUBJECT AND THE EXERCISE OF THESE RIGHTS
7.1 Rights of the Personal Data Subject
The legal rights that a data subject can exercise regarding personal data are listed below:
To find out whether your personal data is being processed,
The right to request information regarding the processing of personal data.
To learn the purpose for which your personal data is processed and whether it is being used appropriately for that purpose,
To learn the third parties to whom your personal data is transferred, whether domestically or internationally.
The right to request the correction of personal data if it has been processed incompletely or inaccurately, and to request that this correction be notified to third parties to whom the personal data has been transferred.
Even if processed in accordance with the law and other relevant legal provisions, the right to request the deletion, destruction, or anonymization of personal data when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom the personal data has been transferred.
The right to object to an outcome that is detrimental to oneself, resulting solely from the analysis of processed data by automated systems.
The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.
7.2 Situations Where the Data Subject Cannot Assert Their Rights
In the cases listed in Article 28 of the Law, personal data owners will not be able to exercise the rights listed in Section 7.1 ("Rights of the Personal Data Owner"). This is because these situations are outside the scope of data protection specified in the Law.
The cases listed under the aforementioned article are as follows:
The processing of personal data for purposes such as research, planning, and statistics through official statistics and by anonymizing it,
Personal data may be processed for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights, or constitute a crime.
The processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public safety, public order, or economic security.
Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.
In accordance with Article 28, paragraph 2 of the Law, personal data owners cannot exercise their rights listed in Section 7.1 ("Rights of the Personal Data Owner"), except for the right to claim compensation for damages, in the following cases:
The processing of personal data is necessary for the prevention of crime or for criminal investigation,
Processing of personal data that has been made public by the data subject,
Personal data processing is permitted when authorized and competent public institutions and organizations, as well as professional organizations with the status of public institutions, are necessary for the performance of their supervisory or regulatory duties, or for disciplinary investigations or prosecutions, based on the authority granted by law.
Personal data processing is necessary to protect the economic and financial interests of the state in relation to budgetary, tax and financial matters.
7.3 Exercise of Rights by Personal Data Subjects
Data subjects may submit their requests regarding the rights listed in section 7.1 (“Data Subject Rights”) in writing by filling out the “KİMSAN MOBİLYA DEKR.İNŞ.MAK.İTH.İHR.LTD.ŞTİ Data Subject Application Form” available at www.solenne.com.tr, or by using a Registered Electronic Mail (KEP) address, Secure Electronic Signature, Mobile Signature, or the email address you previously provided to our Company and which is registered in our system.
7.4 Our Company's Response to Applications
Our company takes all necessary administrative and technical measures to process applications made by personal data owners effectively, in accordance with the law and the principle of fairness.
Our company may accept or reject data subject applications, providing a reason for rejection. Our company may notify the data subject of its response in writing or electronically.
If the personal data owner submits their request regarding the rights set forth in section 7.1 (“Personal Data Owner’s Rights”) to our Company in accordance with the aforementioned procedures, our Company will process the request free of charge as soon as possible and within a maximum of 30 (thirty) days, depending on the nature of the request. However, if the process requires additional costs, the fee specified below may be charged.
If our Company responds to the personal data owner's application in writing, no fee will be charged for up to ten pages; however, for each page exceeding ten pages, a processing fee of 1 Turkish Lira may be charged as stipulated in the Law and other relevant legislation.

8 – GOVERNANCE STRUCTURE FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA
In accordance with the decision of the company's senior management, a "Personal Data Protection Senior Committee" has been established within the company to manage this Policy and other related policies. The duties of this committee are listed below:
To prepare and implement fundamental policies regarding the protection and processing of personal data and submit them to senior management for approval.
To decide how to implement and monitor policies regarding the protection and processing of personal data, and to make internal assignments and ensure coordination in this context, and to submit them to the approval of senior management.
To identify the necessary actions to ensure compliance with the law and other relevant regulations, submit them to senior management for approval, oversee their implementation, and ensure coordination.
To increase awareness within the Company and among the institutions with which the Company collaborates regarding the protection and processing of personal data.
To identify potential risks in the company's personal data processing activities, ensure that necessary precautions are taken, and submit improvement proposals to senior management for approval.
To design and conduct training programs on the protection of personal data and the implementation of policies created in this context.
To resolve data subject applications at the highest level.
To coordinate the implementation of information and training activities to ensure that personal data owners are informed about personal data processing activities and their legal rights.
To prepare and implement changes to the fundamental policies regarding the protection and processing of personal data, and to submit them to senior management for approval.
To monitor developments and regulations regarding the protection of personal data and to advise senior management on what needs to be done within the Company in accordance with these developments and regulations.
To coordinate relations with the Board and the Personal Data Protection Authority.
To perform other tasks assigned by the company's senior management regarding the protection of personal data.

APPENDIX 1 – Definitions
Explicit consent refers to informed and freely given consent regarding a specific matter.
Data Subject Personal Data
Personal data refers to the natural person whose data is being processed. It includes any information relating to an identified or identifiable natural person (e.g., name, national identity number, email address, address, date of birth, credit card number). Therefore, the processing of information relating to legal entities is not covered by this law.

Special Category Personal Data
This includes data relating to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of Personal Data
Personal data processing refers to any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.

Data Processor
This refers to any natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller (e.g., the cloud computing company that holds our company's data, surveyors who have customers sign forms, call center companies that make calls based on scripts).

Data Controller
It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Registered Electronic Mail (KEP) Address
It refers to a qualified form of electronic mail that provides legal evidence regarding the use of electronic messages, including their sending and delivery.

Mobile Signature
It refers to an electronic signature created using a mobile device.

Secure Electronic Signature
This refers to an electronic signature that is exclusively linked to the signatory, created using a secure electronic signature generation tool under the sole control of the signatory, and based on a qualified electronic certificate that enables the identification of the signatory and allows for the detection of any subsequent changes to the signed electronic data.

APPENDIX 2 – Data Subjects
PERSONAL DATA SUBJECT CATEGORY Explanation
The person for whom the invoice is issued is the individual whose information (personal data) is included on the invoice as a result of a transaction with our company. It also refers to members of the press who have been contacted by our company as part of our corporate communication activities.
The terms "employee" and "intern candidate" refer to individuals who have applied for a job with our Company in any way or who have submitted their resumes and related information for our Company's review.
Employee family members refers to the family members and close relatives of individuals who have an employment contract with our Company.
Former Employee refers to individuals whose employment contract with our company has been terminated for any reason (resignation, dismissal, retirement, etc.).
Former Employee refers to natural persons who are shareholders, officers, or employees of companies with which our Company collaborates or partners for purposes such as the sale, promotion, and marketing of our products and services, and the implementation of joint customer loyalty programs, in accordance with the existing contract between our Company and them.
A customer is defined as any natural person who uses or has used the products and services offered by our company, regardless of whether or not they have any contractual relationship with our company.
Potential Business Partner Officer/Employee/Shareholder refers to natural persons who are officers, shareholders, or employees of legal entities with whom our company intends to establish future cooperation, business partnerships, or program partnerships.
Potential Customers are natural persons who have shown an intention to benefit from the products or services offered by our Company, or who are considered by our Company to be likely to benefit from them.
Potential Supplier Representative/Employee/Shareholder refers to natural persons who are shareholders, officers, or employees of companies that supply goods and/or services to our Company pursuant to a possible future contract with our Company.
References refer to the individuals whose information candidates have shared with our company for the purpose of conducting reference checks.
"Supplier Employee/Officer/Shareholder" means natural persons who are shareholders, officers, or employees of companies that supply goods and/or services to our Company pursuant to the existing contract between our Company and them.
The "Recipient" in our company refers to the actual person to whom our customers wish to receive their product during a purchase.
Member Customer refers to natural persons who use or have used the products and services offered by our company as members of our loyalty program.
Visitors refer to natural persons who visit our company's physical locations.
APPENDIX 3 – Categories of Personal Data
PERSONAL CATEGORIES Data Description
Identity Information refers to all information contained in documents such as driver's licenses, national identity cards, passports, professional IDs, and similar documents that clearly identify a specific or identifiable natural person.
Contact Information refers to contact details such as telephone number, address, email address, etc., that clearly belong to an identified or identifiable natural person.
Financial Information refers to personal data relating to information, documents and records showing any financial results, which are clearly identifiable or identified as belonging to a specific natural person, and which are processed, in whole or in part automatically or non-automatically as part of a data recording system.
Customer Information refers to data obtained about a customer during the conduct of our business activities, which clearly belongs to an identified or identifiable natural person.
Customer Transaction Identity means information that clearly belongs to an identified or identifiable natural person, such as records relating to the use of our products and services, and instructions and requests from our customers regarding their use of our products and services.
Transaction Security Information refers to personal data that clearly belongs to an identified or identifiable natural person and is processed to ensure the technical, administrative, legal, and commercial security of our Company while conducting its business activities.
Physical Space Security Information refers to personal data relating to records and documents obtained upon entry to and during stay within a physical space, which clearly belongs to an identified or identifiable natural person.
Location information refers to information that clearly identifies the location of an identified or identifiable natural person.
Audit and Inspection Information refers to personal data that clearly belongs to an identified or identifiable natural person and is processed by our Company for compliance with legal obligations and company policies, and for audit purposes.
Legal Transaction and Compliance Information refers to personal data clearly belonging to an identified or identifiable natural person, relating to the receipt and evaluation of any requests and/or complaints directed to our Company.
Family and Relative Information means information about family members and relatives of our customers, employees, job applicants and/or business partners that is clearly identifiable or can be identified as a natural person.
Visual and Auditory Data refers to visual or auditory data, such as photographs or videos, that clearly relates to an identified or identifiable natural person.
Marketing Information refers to personal data that clearly belongs to an identified or identifiable natural person, processed for the purpose of customizing and marketing our products and services according to the data subject's usage habits, preferences, and needs, as well as the reports and evaluations generated as a result of this processing.
Vehicle Information Identity means information relating to vehicles that are clearly owned by an identified or identifiable natural person and are associated with the data subject.
Job Applicant Information refers to the resume information of prospective employees and/or interns who have applied to our company through any means.
Personal Information refers to information that forms the basis for the creation of personnel files and records of our employees and/or employees of companies with whom we cooperate, and which clearly identifies or belongs to a specific or identifiable natural person.
Partner Information refers to personal information relating to our Company's current or potential suppliers, business partners, dealers, or authorized service shareholders, officers, or employees, where the identity of the individual is clearly identifiable or identified.
Information on Fringe Benefits and Advantages refers to personal data that clearly belongs to an identified or identifiable natural person and is processed for the purpose of planning the fringe benefits and advantages we offer and will offer to our employees, establishing objective criteria for entitlement to these benefits, and tracking their eligibility.
Special Category Personal Data refers to data that clearly relates to an identified or identifiable natural person, including data concerning their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

APPENDIX 4 – Categories of Third Parties to Whom Personal Data is Transferred
THIRD PARTY STATEMENT
A Business/Solution Partner refers to parties with whom our Company collaborates in conducting its commercial activities for purposes such as the sale, promotion and marketing of our Company's products and services, after-sales support, and the implementation of joint customer loyalty programs.
A legally authorized public institution refers to public institutions or organizations authorized to request information and/or documents from our company in accordance with the provisions of the relevant legislation.
Legally Authorized Private Institution refers to private institutions or organizations authorized to request information and/or documents from our Company in accordance with the provisions of the relevant legislation.
This refers to parties that provide goods or services to enable our company to continue its commercial activities, in accordance with the instructions received from the Supplier Company and pursuant to the contract between our Company and them.