HILL PERSONAL DATA PROTECTION, STORAGE, DISPOSAL AND PRIVACY POLICY
- Purpose and Scope
This Personal Data Protection, Storage, Disposal and Privacy Policy outlines the principles adopted by Hill Yatırım Turizm Gayrimenkul Ticaret Anonim Şirketi ("Hill" or "Company") regarding the protection and confidentiality of personal data, its processing, and the erasure, destruction, or anonymization of processed personal data, to comply with the Personal Data Protection Law No. 6698, the By-law on Erasure, Destruction or Anonymization of Personal Data, as well as other national and international regulations.
This Policy pertains to the processing of personal data of individuals other than Hill’s employees.
- Definitions
Explicit Consent: means freely given, specific and informed consent.
Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Data Subject (natural person concerned): means the natural person whose personal data are processed.
Law: means the current version of the Personal Data Protection Law No. 6698, published in the Official Gazette on April 7, 2016.
Personal Data: means any information relating to an identified or identifiable natural person.
Processing of Personal Data: means any operation which is performed on personal data, wholly or partially by automated means or, provided that the data form part of a data filing system, by non-automated means, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof.
Policy: means this Personal Data Protection, Storage, Disposal and Privacy Policy.
Data Processor: means the natural or legal person who processes personal data on behalf of the data controller upon its authorization.
Data Minimization: means the principle of collecting and processing only the personal data necessary for the purposes of processing, and erasing the data once the purpose has ended.
Data Controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
- Processed Personal Data
Hill processes various personal data for each data processing activity within the context of its relationship with the data subject. In this regard, Hill processes only the necessary and relevant personal data in accordance with the principle of data minimization, for the purposes of conducting the Company's management activities, carrying out the relationship between the parties, and fulfilling legal obligations.
Please refer to the descriptions under Annex 1 of this Policy for the data categories and examples of data types.
- Methods of Collection of Personal Data
Hill collects personal data through the data subjects themselves, their employer, family members and relatives, via email, fax, post, websites, social media accounts, security cameras, cookies, notices from administrative and judicial authorities, and other communication channels, in accordance with conditions for processing personal data specified in the Law.
- General Principles for Processing Personal Data
Personal data is processed in accordance with the principles outlined in Article 4 of the Law, as explained below. The Company records all actions related to the erasure, destruction, and anonymization of personal data and retains those records for a minimum of 3 years.
- Processing of personal data in accordance with lawfulness and fairness: The Company ensures compliance with legal rules and limits processing activities to the intended purposes, while considering the interests and reasonable expectations of the data subjects.
- Being accurate and kept up to date where necessary: The Company ensures that personal data is accurate and up to date, and that incorrect or outdated data is corrected or deleted upon request.
- Being processed for specified, explicit, and legitimate purposes: The Company ensures that all processing activities serve lawful purposes that are clearly defined in advance and comprehensible to the data subject.
- Being relevant, limited and proportionate to the purposes for which they are processed: The Company processes only the personal data necessary for the purpose of the specific processing activity, and limits the data collected to the minimum required.
- Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed: Personal data is deleted, destroyed, or anonymized after the purpose of processing has ceased or the statutory period has expired.
- Conditions for Processing Personal Data
In accordance with Article 5 of the Law, Hill processes personal data based on the following conditions:
- Explicit consent has been obtained from the data subject, where necessary.
- Processing is expressly provided for by the law.
- Processing of the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- The personal data have been made public by the data subject himself/herself.
- Processing is necessary for the establishment, exercise or protection of any right.
- Processing is necessary for the legitimate interests pursued by the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.
- Processing is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid.
- Purposes of Processing Personal Data
Personal data may be processed for different purposes for each processing activity in accordance with the conditions outlined in Article 6 of this Policy. In this context, the personal data you share may be used by various departments of the Company for different processing activities and purposes.
In cases where explicit consent is required, the necessary information will be provided, and personal data can only be processed if explicit consent is obtained.
For detailed information about the purposes of processing personal data, please refer to the explanations in Annex-2 of this Policy.
- Transfer of Personal Data
Hill transfers personal data only in-country for purposes specified in this Policy and in compliance with Article 8 of the Law.
The transfer of personal data is carried out through secure environments and channels. Depending on the content and scope of services received from third parties, pseudonymous data is used for transfers in cases where it is unnecessary to transfer the relevant personal data.
For in-country transfers, Hill takes all necessary organizational and technical measures provided by current technologies and ensures that security practices are updated in accordance with relevant legal regulations and decisions by the Board. As part of these organizational and technical measures, special contracts are made with the parties to whom data is transferred and processed, and necessary commitments are obtained.
For detailed information about the recipients of your personal data and the purposes for which it is transferred, please refer to the explanations in Annex-3 of this Policy.
- Organizational and Technical Measures Taken to Ensure the Security of Personal Data and Prevent Unlawful Processing and Access
Hill undertakes to take all necessary organizational and technical measures to ensure the confidentiality, integrity, and security of your personal data for each processing activity. Hill takes steps to prevent misuse, unlawful processing, unauthorized access, disclosure, alteration, or destruction of personal data. In this context, Hill primarily ensures compliance with relevant legislation and the guidelines and decisions published by the Board.
For detailed information about the measures taken to protect your personal data, please refer to the explanations in Annex-4 of this Policy.
- Legal, Technical, and Other Reasons for Storage and Disposal of Personal Data
Hill processes personal data related to employees, employee candidates, employee references, employee candidate references, family members, company officials/partners, business partners, suppliers, and customers in line with the responsibilities of its various departments. Personal data is stored for the periods determined by legal regulations or by the department's purpose for data processing. Once the storage period has expired, personal data that no longer serves its processing purpose is disposed of by means of erasure, destruction or anonymization as specified in this Policy.
- Technical and Organizational Measures Taken for Lawful Disposal of Personal Data
The disposal of personal data refers to the erasure, destruction, or anonymization of personal data.
Hill has established the necessary organization within its structure to ensure the lawful disposal of personal data. For personal data in electronic environments, masking methods are used when necessary. For personal data in physical environments, erasure is carried out by obscuring the data that needs to be erased.
- Erasure of Personal Data
Erasure of personal data is the process of rendering personal data inaccessible and non-reusable in any way for the users concerned. Hill takes all necessary technical and organizational measures to ensure that erased personal data is inaccessible and non-reusable for the users concerned.
- Destruction of Personal Data
Destruction is the process of rendering personal data inaccessible, irretrievable and non-reusable by anyone in any way. Hill takes all necessary technical and organizational measures to ensure the destruction of personal data.
- Anonymization of Personal Data
Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
For personal data to be considered anonymized, it must be rendered unidentifiable through the use of appropriate technical methods suitable to the recording medium and the relevant processing activity, such that the data cannot be associated with an identified or identifiable individual by Hill or any recipient group, including through techniques such as reversion or data matching.
The data controller is required to take all necessary technical and organizational measures to anonymize personal data.
For detailed information about the measures taken to protect and destroy your personal data, please refer to the explanations in Annex-4 of this Policy.
- Titles, Units, and Job Descriptions of People Involved in the Personal Data Storage and Disposal Processes
Hill designates the necessary personnel and technical staff within its organizational structure for the data storage and disposal processes outlined in this Policy.
- Storage Periods for Personal Data
Hill stores personal data in accordance with the relevant legislation or for the periods required by the purpose of processing. For approximate storage periods related to data storage and disposal, please refer to the explanations in Annex-5 of this Policy.
- Periodic Disposal Period
Hill disposes of personal data for which the storage period has expired and no further purpose of processing remains within 6 months after the storage period ends.
- Personal Data Erasure and Destruction Periods Upon the Data Subject's Request
If a data subject requests erasure or destruction of their personal data from Hill:
- If all the conditions for processing the personal data have been eliminated, Hill erases, destroys, or anonymizes the personal data in question. Hill responds to the request within a maximum of thirty days.
- If all conditions for processing the personal data have been eliminated and the personal data has been transferred to third parties, Hill informs the third party and requests the erasure or destruction of the personal data.
- If all conditions for processing the personal data have not been eliminated, Hill may reject the request, explaining the reason. The rejection response is communicated to the data subject within a maximum of thirty days.
- Rights Under Article 11 of the Law
As data subjects, you have the following rights under Article 11 of the Law:
a) to learn whether his/her personal data are processed or not,
b) to request information if his/her personal data have been processed,
c) to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
d) to know the third parties to whom his/her personal data are transferred in country or abroad,
e) to request the rectification of the incomplete or inaccurate data, if any,
f) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
g) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
h) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
i) to claim compensation for the damage arising from the unlawful processing of his/her personal data.
To exercise your rights, please fill out the "Contact Form" available on Hill's official website and submit it to the Company using one of the following methods:
- Personal Application: The Contact Form can be delivered personally to the Company headquarters. The individual must present identification. The envelope should be labeled "Application under the Personal Data Protection Law."
- Notary Notification: The Contact Form can be sent via a notary. The notification should indicate "Application under the Personal Data Protection Law."
- By E-Mail: The Contact Form can be sent to Hill's official email address (info@hillyatirim.com). The subject of the email should be "Application under the Personal Data Protection Law."
Hill may request additional documents for identity verification, and the application will be considered submitted once these are provided.
Upon submission of your request via the specified methods, the Company processes it and responds within the shortest time and no later than thirty days free of charge. However, if the process incurs additional costs, a fee determined by the Personal Data Protection Authority will be charged.
- Changes to the Personal Data Protection, Storage, Disposal, and Privacy Policy
Hill may modify this Personal Data Protection, Storage, Disposal, and Privacy Policy at any time. These changes will take effect immediately upon the publication of a revised policy. You will be informed about any changes to this Policy.
ANNEX 1
DATA CATEGORIZATION
The categories of personal data processed by Hill are generally as follows:
Data Category | Category Description
Identity Information | Any information that helps to identify the individual. E.g. name, surname, date of birth, place of birth, gender, marital status, photocopy of ID, ID number, driver's license.
Contact Information | Any data that allows communication with the individual. E.g. phone number, email address, address information.
Family and Relatives Information | Personal data related to the individual's family and relatives. E.g. name, surname, relationship degree, occupation, date of birth, mobile phone.
Location Information | Data regarding the individual's location. E.g. location data collected via vehicle tracking devices.
Personnel Records | Personal data found in the personnel file related to the individual or their employees. E.g. social security documents, educational history, certificates, workplace, industry, and position.
Legal Procedures | Personal data processed to protect the company's receivables and rights. E.g. official records, notifications, payment orders, lawsuit files.
Supplier Transactions Information | Personal data collected within the context of the relationship between the company and its suppliers. E.g. supplier number, provided goods/services details, supply history, commercial relationship start/end dates and reasons, supplier requests, product quality.
Customer Transaction Information | Personal data collected within the context of the relationship between the company and its customers. E.g. customer number, product codes, product preferences, customer relationship start/end dates and reasons, customer requests, customer satisfaction data, complaints and requests related to products.
Physical Space Security | Personal data related to records and documents taken during entry into or stay within a physical space. E.g. security camera recordings, vehicle information records, and security point records.
Transaction Security Information | Personal data processed to ensure the company's technical, organizational, legal, and commercial security. E.g. IP address data, internet logins and exits, credit card expiration dates, log records.
Risk Management | Personal data processed to manage commercial, technical, and organizational risks. E.g. creditworthiness data.
Financial Information | Any financial information, document, record, number, and result that may be processed in the context of the relationship between the company and the individual. E.g. bank account details, financial transactions, IBAN number, payment methods.
Professional Experience | Data related to the individual's professional background and development. E.g. past work experience, diploma information, in-service trainings, certifications.
Marketing | Personal data collected to increase awareness of the products or services offered by the company. E.g. purchase history, product preference information, cookie records, survey results.
Visual and Audio Records | Personal data in the form of images or sounds in print or electronic media. E.g. security camera footage, videos, photos, call center voice recordings.
The categories and types of personal data processed may vary depending on the legal and commercial relationship. To determine which personal data is processed about you, please refer to the information provided to you in the relevant clarification document.
ANNEX 2
PURPOSES OF PROCESSING OF PERSONAL DATA
- Conducting Emergency Management Processes
- Conducting Archiving and Storage Activities
- Managing Information Security Processes
- Conducting Employee Candidate / Intern / Student Selection and Placement Processes
- Conducting Employee Candidate Application Processes
- Managing Employee Satisfaction and Loyalty Processes
- Fulfilling Contractual and Statutory Obligations for Employees
- Managing Employee Benefits and Perks Processes
- Conducting Audit / Ethical Activities
- Conducting Training Activities
- Managing Access Authorizations
- Ensuring Activities Comply with Legislation
- Conducting Finance and Accounting Affairs
- Managing Company / Product / Service Loyalty Processes
- Ensuring Physical Space Security
- Managing Assignment Processes
- Conducting Legal Affairs
- Conducting Internal Audit / Investigation / Intelligence Activities
- Conducting Communication Activities
- Planning Human Resources Processes
- Managing Business Activities / Supervision
- Conducting Occupational Health and Safety Activities
- Gathering and Evaluating Suggestions for Improvement of Business Processes
- Conducting Business Continuity Activities
- Managing Logistics Activities
- Conducting Procurement Processes for Goods / Services
- Providing After-Sales Support for Goods / Services
- Managing Sales Processes for Goods / Services
- Conducting Production and Operation Processes for Goods / Services
- Managing Customer Relationship Processes
- Conducting Customer Satisfaction Activities
- Managing Organization and Event Activities
- Conducting Marketing Analysis Studies
- Conducting Performance Evaluation Processes
- Conducting Risk Management Processes
- Managing Retention and Archiving Activities
- Managing Contract Processes
- Conducting Sponsorship Activities
- Conducting Strategic Planning Activities
- Tracking Requests / Complaints
- Ensuring the Security of Movable Property and Resources
- Conducting Supply Chain Management Processes
- Ensuring the Security of Data Controller Operations
- Managing Work and Residence Permit Processes for Foreign Personnel
- Conducting Investment Processes
- Conducting Talent / Career Development Activities
- Providing Information to Authorized Persons, Institutions, and Organizations
- Conducting Management Activities
- Creating and Tracking Visitor Records
ANNEX 3
TRANSFER OF PERSONAL DATA IN-COUNTRY
Shared Party | Purpose | Basis of Transfer
Supplier | Managing Information Security Processes | Legitimate Interest of the Data Controller
Supplier | Providing After-Sales Support for Goods / Services, Managing Logistics Activities |
Supplier | Conducting Communication Activities | Establishment and Performance of the Contract
Supplier | Managing Advertisement / Campaign / Promotion Processes |
Supplier | Managing Organization and Event Activities | Legitimate Interest of the Data Controller, Compliance with a Legal Obligation, Required by the Law
Supplier | Conducting Legal Affairs |
Customer | Providing Sales and After-Sales Support for Goods / Services | Establishment and Performance of the Contract
Group Companies and Affiliates | Conducting Management Activities | Legitimate Interest of the Data Controller
Group Companies and Affiliates | Conducting Sales and Procurement Processes for Goods / Services | Legitimate Interest of the Data Controller, Establishment and Performance of the Contract
Group Companies and Affiliates | Ensuring the Security of Personal Data, Ensuring the Security of Data Controller Operations | Establishment and Performance of the Contract, Compliance with a Legal Obligation
Authorized Persons, Institutions, and Organizations | Providing Information to Authorized Persons, Institutions, and Organizations | Legitimate Interest of the Data Controller, Compliance with a Legal Obligation, Establishment and Performance of the Contract
Transfers in-country or abroad may vary depending on the specific legal and commercial relationship. For more information regarding transfers of your personal data, please review the information provided in the clarification document presented to you.
ANNEX 4
ORGANIZATIONAL AND TECHNICAL MEASURES
Hill takes the following technical and organizational measures in accordance with Article 12 of the Law to prevent unlawful access to the personal data it processes, to prevent unlawful processing of this data, and to ensure the safekeeping of personal data:
- Organizational Measures
  - Determination of Personal Data Security Policies and Procedures
Hill has established policies and procedures regarding the protection of personal data, both for general processing activities and for specific processing processes. The Company has implemented the following key policies in this regard.
Additionally, the Company has internal guidelines that provide more detailed instructions on personal data processing activities for its employees and managers.
The Company updates its policies, procedures, and internal guidelines based on changes in regulations and new Board decisions.
Employees' compliance with Company policies and procedures is regularly monitored.
  - Identification of Existing Risks and Threats
Hill identifies risks and threats that may compromise personal data security before any violation occurs. In this context, the Company conducts internal evaluations to determine which categories of data, processing activities, and tools are exposed to such risks and threats.
The Company takes the necessary steps to minimize, prevent, and eliminate the identified risks and threats.
  - Measures for Employees
To raise awareness of information security violations and minimize the impact of human factors in the processing of personal data, Hill provides training to employees, delivered both by the Company's internal departments and by external legal and technical consultants.
Hill regularly offers training sessions, informative memos, verbal briefings, and internal guidelines to ensure that employees are conscious of personal data protection. Within this scope, employees receive detailed guidelines for each stage of the processing cycle they may encounter, from data collection to its disposal. Training activities for employees continue throughout their employment, covering updates to current regulations and Board decisions on personal data protection.
In addition to the confidentiality obligations in their employment contracts, employees also sign commitments regarding the protection of personal data.
  - Data Minimization
Hill ensures that no unnecessary personal data is processed, in accordance with the principles set forth in Article 4 of the Law. The Company reviews processing activities beforehand and requests only the personal data necessary to fulfill legal or commercial obligations. If an individual provides personal data that is not required, the data is immediately disposed of or masked.
  - Measures for Data Processors
In the event that Hill engages a sub-processor in relation to its data processing activities, the Company first analyzes the competency and capability of the sub-processor regarding personal data protection.
The sub-processor shall, at a minimum, provide a written undertaking to comply with the personal data policies and procedures prescribed by the Company. The sub-processor's data processing activities and its efforts to ensure the protection of personal data are subject to audit by the Company.
- Technical Measures
  - Information Technology Systems
Hill collaborates with specialized service providers to ensure the security of personal data within information technology systems. In this context, the Company's requirements and vulnerabilities are regularly monitored, and support is provided where necessary.
  - Cybersecurity Measures
Hill takes cybersecurity measures to protect personal data processed in electronic environments. The Company ensures that the necessary measures are taken, both through internal IT staff and external service providers, to avoid cybersecurity vulnerabilities.
  - Monitoring Personal Data Security
Hill regularly audits the protection of personal data processed physically. For example, employees' compliance with the "clean table & clean desk" principle and the securing of documents containing personal data are checked during office inspections.
Hill also conducts tests to ensure the security of personal data processed electronically. In this context, continuous audits are carried out, particularly regarding the functionality of protective software systems and the proper execution of electronic authorizations, through log records.
  - Securing Environments Containing Personal Data
Hill applies special security measures to ensure the safety of personal data stored in physical environments. For example:
    - Physical spaces where personal data is stored are kept locked with restricted access.
    - Necessary precautions are taken against risks such as fire, flood, or theft.
    - Additional measures are taken when personal data is transferred on paper. Enclosed and sealed envelopes are used for such transfers.
    - Access to server or archive rooms is protected with enhanced security measures.
  - Backup of Personal Data
Hill mitigates the risk of loss, destruction, theft, or damage of personal data by keeping backups of personal data. The security of these backups is ensured at the highest level.
  - Other Examples
    - All fields on the website where personal data is collected are protected with SSL.
    - For secondary data processing purposes beyond the primary processing aim, the pseudonymization method (e.g., Ahmet Yilmaz → "A... Y...") is used.
    - Personal data stored in paper form is kept in locked cabinets and is only accessible to authorized personnel.
    - Personal data processed through cookies by third parties is deleted from third-party systems when the membership ends.
    - A closed system network is used, and network and software security are maintained with up-to-date, licensed programs and data loss prevention software.
    - User definitions and authorization matrices are present on the network and software.
    - Software systems and cloud storage are used with encryption based on the user's authorization.
    - Log records are maintained in a manner that does not allow user intervention.
    - Data masking techniques are used when necessary.
ANNEX 5
STORAGE AND DISPOSAL PERIODS OF PERSONAL DATA
Personal data will be stored for approximately the periods below, unless a longer period is required by the legislation.
Personal Data Type | Storage Period | Legal Basis | Disposal Period
Personal Data of Customers, Their Employees and Relatives | 10 years from the end of the legal relationship | Establishment and Performance of the Contract, Legitimate Interest of the Data Controller, Explicit Consent | At the first periodic disposal period following the end of the storage period
Personal Data of Suppliers, Their Employees and Relatives | 10 years from the end of the legal relationship | Establishment and Performance of the Contract, Legitimate Interest of the Data Controller, Explicit Consent, Compliance with a Legal Obligation | At the first periodic disposal period following the end of the storage period
Personal Data of Potential Customers and Their Employees | 10 years from the end of the legal relationship | Establishment and Performance of the Contract, Legitimate Interest of the Data Controller, Explicit Consent | At the first periodic disposal period following the end of the storage period
Personal Data of Authorized Person/Shareholder of Company, and Their Relatives | 10 years from the end of the legal relationship | Establishment and Performance of the Contract, Legitimate Interest of the Data Controller, Compliance with a Legal Obligation | At the first periodic disposal period following the end of the storage period
Personal Data of Business Partners and Their Employees | 10 years from the end of the legal relationship | Establishment and Performance of the Contract, Legitimate Interest of the Data Controller, Explicit Consent | At the first periodic disposal period following the end of the storage period