POLICY FOR PERSONAL DATA PROCESSING BREACH MANAGEMENT

1. PURPOSE AND SCOPE

This "Policy for Personal Data Processing Breach Management" ("Policy") regulates the methods and rules to be applied by MAVİ GÖK HAVACILIK ANONİM ŞİRKETİ (hereinafter referred to as the "Company"), in its capacity as the data controller, in case of a potential breach of personal data, in accordance with Article 12(5) of the Law on the Protection of Personal Data No. 6698. Article 12(5) states: "In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify this situation to the relevant person and the Board as soon as possible. The Board may, if necessary, announce this situation on its official website or by any other means it deems appropriate."

2. DEFINITIONS

“Relevant Person”, “Data Subject”: Refers to natural persons whose personal data are processed by the Company or by persons/institutions authorised by or on behalf of the Company.

“Contact Person”: The natural person notified by the Company during registration with the Data Controllers Registry for communication with the Personal Data Protection Authority regarding the Company's obligations under the Law on Protection of Personal Data No. 6698 and the secondary regulations to be issued based on this Law.

“Personal Data”: Refers to any information relating to an identified or identifiable natural person.

“Processing of Personal Data”: Refers to any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof.

“Board”: Personal Data Protection Board

“Authority”: Personal Data Protection Authority

“Law”, “Law on Protection of Personal Data”: Refers to the Law No. 6698 on the Protection of Personal Data.

“Policy on Protection of Personal Data”: Refers to the Policy on Protection and Processing of Personal Data adopted by the Company.

“Policy”: Policy For Personal Data Processing Breach Management

“Responsible Unit”: The unit established to ensure full compliance with, primarily, the Law on the Protection of Personal Data (KVK Law), as well as other relevant legislation, administrative decisions, judicial decisions, and the policies and other workplace regulations adopted by the Company on the subject, and responsible for achieving these purposes within the Company.

“Company”: MAVİ GÖK HAVACILIK ANONİM ŞİRKETİ

“VERBIS”, “Registry”: Refers to the Data Protection Officers' Registry Information System kept by the Personal Data Protection Authority. Any data declared in the system are open to public access at verbis.kvkk.gov.tr.

"Data Controller": A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

3. RESPONSIBLE UNITS AND DISTRIBUTION OF DUTIES

The responsible Company units and their duty descriptions in the relevant individual application processes are as follows:

Data Protection Committee Chairman and Members: Responsible for the preparation, development, implementation, publication, and updating of the Policy in relevant environments.

Contact Person: Responsible for managing the process in case of a breach and ensuring communication between units. Prepares and submits the notification to the Authority.

Data Protection Committee Chairman and Members: Responsible for identifying the incident causing the breach, determining the extent of impact, and identifying the affected individuals.

Data Protection Committee Chairman and Members: Responsible for ending the incident causing the breach, determining the causes of the breach, and rectifying the process.

Data Protection Committee Chairman and Members: After rectifying the breach, responsible for identifying and implementing relevant actions and updates to prevent recurrence.

4. PERSONAL DATA SECURITY MEASURES

The Company takes technical and administrative measures, taking into account technological capabilities and application costs, to ensure the lawful processing of personal data. Technical and administrative measures taken for the protection of personal data are applied meticulously, and additional measures are taken, especially for special categories of personal data. Within the Company, necessary audits are periodically conducted at the highest level to ensure the effectiveness of these security measures, and these security measures are also documented in the VERBIS system.

The Company takes every necessary security measure to ensure that personal data is processed only for specified purposes and to reduce risks such as malicious use, unauthorized access, transmission, destruction, or alteration of personal data. These security measures also cover other precautions taken regarding issues such as not transferring personal data to countries that do not provide an adequate level of data protection.

The personal data processed by the Company is confidential, and the Company respects this confidentiality. Only individuals authorized by the Company can access personal data. In this context, compliance with standards for software, careful selection of third parties, and adherence to the Company's Data Protection Policy within the Company are ensured.

Despite the necessary data security measures taken by the Company, in the event of personal data being compromised or falling into the hands of unauthorized third parties as a result of attacks on platforms operated by the Company or the Company's systems, the Company takes immediate action to remedy the breach and minimizes the damage to the affected individuals.

5. COMPANY'S OBLIGATIONS IN CASE OF PERSONAL DATA BREACH

In accordance with Article 12/5 of the Personal Data Protection Law, the Company shall notify the relevant person and the Personal Data Protection Board ("Board") as soon as possible when personal data processed by the Company is unlawfully obtained by others. The Board may, if necessary, announce this situation on its official website or by any other means it deems appropriate. Accordingly, the Company shall report the personal data breach to the Board by completing the form available on the Authority's official website (https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/e0413853-cd8c-428f-9315-2e8b3d874b46.pdf) as soon as possible and within 72 hours at the latest.

If the breach notification by the Company cannot be made within the specified period, it shall be made as soon as possible, with the reasons for the delay also being stated. The individuals affected by the breach shall be identified, and the breach incident shall be announced through official communication channels as deemed appropriate by the Company.

6. MANAGEMENT PROCESS OF THE BREACH INCIDENT

The Company manages personal data breach incidents by assigning responsible units as specified in this Policy and, if necessary, other departments. When fulfilling these responsibilities, at a minimum:

• Ensures monitoring of environments containing personal data and processing activities,

• Implements necessary physical and technological detection methods for breach detection,

• Takes necessary administrative and technical security measures to end the breach incident as soon as possible,

• Identifies the extent of the individuals affected by the breach and the affected personal data,

• Investigates the causes of the breach and conducts necessary investigations,

• Ensures the updating of assessments, risks, and measures,

• If the breach is caused by an employee or employees of the Company, initiates the necessary disciplinary processes against them.

7. EFFECT AND AMENDMENTS

This Policy is published on the Company's website and enters into force as of the date of publication. The Company may make changes to this Policy at any time. These changes will take effect on the date the modified new Policy is published.