Protection of personal data is among the Values and Policies that our Company AĞAOĞLU HAVACILIK ve SAVUNMA SANAYİ LTD. ŞTİ. (“Company”) attaches importance to in the corporate sense. The most important part of this issue is the protection and processing of personal data of customers, prospective customers, prospective employees, company shareholders, company officials, visitors, employees, shareholders and officials of our business partners, suppliers, third parties and employees, which are governed by this Policy.

Pursuant to Article 20 of the Constitution of the Republic of Turkey,all natural entities have the right to request protection of personal data related to themselves. Regarding the protection of personal data, which is a constitutional right, the "Company" pays due attention to the protection of personal data of customers, prospective customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of our business partners, suppliers, third parties and employees, which is governed by this Policy, and makes it a company policy.

In this context, the necessary administrative and technical measures are taken by “Company” to protect the personal data processed in accordance with the relevant legislation.

The main purpose of this policy is to explain the personal data processing activities carried out by the "Company" in accordance with the law and the systems adopted for the protection of personal data, and in this context, to ensure transparency and transparency by informing the persons whose personal data are processed by our company, especially customers, prospective customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of our business partners, suppliers, third parties and employees.

This Policy has been prepared for persons whose personal data are processed by our Company, especially Customers, Potential Customers, Employee Candidates, Visitors, Business Partners, Employees, by automatic or non-automatic means, provided that they are part of any data recording system, and will be applied within the scope of these specified persons. This Policy shall in no way apply to legal entities and legal entity data.
Our Company informs the Personal Data Owners about the Law by publishing this Policy on its website. This Policy shall not be applied if the data is not included in the scope of "Personal Data" within the scope of the Law or if the Personal Data processing activity carried out by our Company is not in the above-mentioned ways.

In line with the scope stated above, the data subjects are generally as follows,

• Customer : Real persons who benefit from the products and services offered by the Company
• Potential Customer : Real persons who are potential customers showing interest in the products and services offered by the Company
• Employee Candidate : Indicates that he/she wants to work in our company by sending a CV via digital media, filling out a job application form by applying in person or by other methods
• Visitors : Natural persons who visit the Company's physical premises and website for any purpose
• Third Parties : Natural persons other than the data category owners, employees and company partners listed above
• Business Partners : Real persons who are business partners of the Company and real persons who use or have used the services of business partners
• Employees : Real persons working under contract in the Company.

Express Consent: Consent about a specific subject based on information and expressed in free will.
"Employee": A natural person who has an employee-employer-like relationship with Ağaoğlu Havacılık ve Savunma Sanayisi based on an employment contract or service contract.
"PDP Law": Personal Data Protection Law No. 6698
"Personal Data": Any information related to the identified or identifiable real person.
"Anonymization of Personal Data": The process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
"Relevant Person/Data Subject: The natural person whose personal data is processed.
"Processing of Personal Data": All kinds of processes performed on personal data including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system.
"Board": Personal Data Protection Board.
“Institution”: Personal Data Protection Authority
"Sensitive Personal Data": It means personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data.
"PPD Policy": Ağaoğlu Havacılık ve Savunma Sanayi LTD. ŞTİ. Data Protection Policy
“Company”: Ağaoğlu Havacılık ve Savunma Sanayi LTD. ŞTİ.
Data Processor: Means a natural or legal person who processes personal data on his behalf on the basis of the authority conferred by the data controller,
Date Controller: Real or legal person responsible for identifying the purposes and means of personal data processing, and installing and managing data recording system.
Company Website: https://ahss.com.tr/
Company KEP Address: agaoglu@hs01.kep.tr
Anonymization: It is the process of making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Regarding the processing of personal data in accordance with Article 4 of the PPD Law, our Company conducts personal data processing activities in accordance with the law and the rules of honesty, accurate and when necessary, up-to-date, specific, explicit and legitimate purposes, in a purposeful, limited and measured manner. Our Company retains personal data as long as required by law or as required for personal data processing purposes.

• Processing personal data in accordance with the law and good faith: The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data subjects.
• Having accurate and up-to-date personal data: The Company shall pay attention to whether your personal data processed by it is up-to-date and to perform actuality checks on the data. In this context, applications by data subjects for correction or deletion of inaccurate and outdated data are meticulously evaluated and finalized.
• Processing of personal data for specific, explicit and legitimate purposes: The Company determines the purposes of data processing before each personal data processing activity and ensures that these purposes comply with the purposes specified in the Law and the law.
• Personal data is relevant, limited and proportionate to the purpose for which it is processed: Data processing activity by the Company is limited to the personal data required to fulfill the purpose of collection and necessary steps are taken to ensure that personal data not related to this purpose are not processed.
• Retention of personal data for the period required by the legislation or processing purposes: Personal data are deleted, destroyed or anonymized by the Company after the purpose of processing personal data disappears or upon expiration of the period stipulated in the legislation. Regular checks are carried out within the Company to determine whether the purpose of data processing has disappeared.

The "Company" processes personal data with explicit consent or in accordance with other data processing conditions. The conditions mentioned are listed below:

• The personal data processing activity is clearly stipulated by law
• Explicit consent of the data subject cannot be obtained due to actual impossibility and personal data processing is mandatory:
• The personal data processing activity is directly related to the establishment or performance of a contract:
• It is mandatory to carry out personal data processing activity in order to fulfill the legal obligation of the data controller
• The data subject has made his/her personal data public
• Processing of personal data is mandatory for the establishment, exercise or protection of a right:
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
• Having the explicit consent of the personal data owner, in cases where other data processing conditions do not exist, in accordance with the general principles set out in the Law and this policy, the personal data of the data subject may be processed by the Company with the free will of the data subject, with sufficient information regarding the personal data processing activity, after the disclosure obligation is fulfilled, in a manner that leaves no room for hesitation and only if the data subject gives consent limited to that transaction.

The "Company" processes personal data for the purposes listed below within the framework of the legal reasons set out in Articles 5 and 6 of the PPD Law:

• Within the scope of planning and execution of human resources activities, personal data of employee candidates are processed for the purpose of evaluating suitability for the job and carrying out personnel recruitment processes, and for purposes such as execution of the employment contract, establishment of fringe benefits, execution of promotion/premium/increase processes, fulfillment of obligations arising from the legislation to which the Company is subject, especially the Labor Law, realization of social insurance processes, evaluation of employee performance.
• In addition to these, the Company processes personal data for purposes such as planning and execution of corporate sustainability activities, event management, management of relations with business partners or suppliers, execution/follow-up of financial reporting and risk management transactions within the scope of ordinary company activities and services provided to its customers, execution/follow-up of legal affairs, planning and execution of corporate communication activities, execution of corporate governance activities, realization of corporate and partnership law transactions, request and complaint management, managing investor relations, ensuring the security of the buildings and facilities of Ağaoğlu Havacılık ve Savunma Sanayisi, creating and monitoring visitor records, determining and implementing the Company's commercial and business strategies, resolving the problems and complaints of the relevant persons, ensuring their satisfaction and providing an effective service, responding to information requests from administrative and judicial authorities, ensuring compliance with legal processes and legislation, ensuring information and transaction security and preventing malicious use.
• In the event that the processing activity carried out for the aforementioned purposes does not meet any of the other data processing conditions stipulated under the PPD Law, explicit consent is obtained by Ağaoğlu Havacılık ve Savunma Sanayi from the relevant person regarding the relevant data processing process.

Personal data may be collected by our Company through cookies etc. that our system uses to recognize you during website visits in line with the regulations in the Law and the purposes stated above, or verbally, in writing and electronically.

Our company maintains personal data only for the time required by the relevant legislation or for the purpose for which it was processed. In this context, in the event of any dispute, the Company retains personal data limited to the purpose of carrying out administrative or judicial processes within the scope of the dispute and within the framework of special regulations in the law, for the statute of limitations determined in accordance with the relevant legislation. Personal data are deleted, destroyed or anonymized by the Company in the event of expiration of the period or disappearance of the reasons requiring the processing of the data. Personal data are not stored by the Company with the possibility of future use.

The Company may transfer personal data domestically with the explicit consent of the data subject or in accordance with the additional regulations listed in Article 8 of the Law and determined by the Personal Data Protection Board. In this respect, the Company may transfer personal data domestically to authorized public institutions and organizations, company shareholders and private institutions and organizations for the limited purpose of requesting information.

• It organizes regular training and awareness studies on the protection of personal data for its employees.
• The company creates policies based on the personal data processing inventory and establishes the necessary processes for the implementation of the policies.
• The Company identifies its risks within the scope of personal data protection law and diligently carries out activities to eliminate the risks. In this context, it creates active disclosure and explicit consent channels.
• The Company conducts periodic internal audits to fulfill its obligations regarding the law on the protection of personal data.
• It continuously provides legal consultancy services for compliance with the updated legislation.
• It creates a separate policy for the protection of special categories of personal data and implements additional measures determined by the Board.
• It implements necessary measures such as data sharing agreements etc. to manage relations with data processors.
• Establishes a secure technical infrastructure to ensure the security of databases where personal data will be stored.
• It determines the procedures for reporting the technical measures taken and audit processes.
• Safety measures are periodically being renewed and improved.
• Network security and application security are ensured.
• Closed system network is utilized for personal data transfer via the network.
• Key management is implemented.
• Security measures are taken within the scope of supply, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• An authority matrix has been created for employees.
• Access logs are maintained regularly.
• Corporate policies on access, information security, usage, retention and disposal have been prepared and implemented.
• When necessary, data masking measures are applied.
• Employees who have been subject to change of duty or left jobs are revoked regarding their previous duties.
• Up-to-date anti-virus systems are used.
• Firewalls are implemented.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Security of environments containing personal data is ensured.
• Personal data is backed up and the security of the backed-up personal data is also ensured.
• User account management and authority control system are implemented and these are also followed-up.
• Log records are maintained in such a way that there is no user intervention.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and implementation of such measures is constantly monitored.
• Encryption is performed.
• Penetration test is applied.
• Data loss prevention software is used.

Article 11 of the Law regulates the rights of the personal data subject as follows

• To learn whether personal data has been processed or not,
• To request the relevant information if personal data has been processed,
• Learning the purpose for the processing of personal data and whether those have been used in accordance with the purpose or not,
• Being informed of the third persons to whom the personal data is transferred within and out of the country,
• To tequest the rectification of the data in the event they are processed incompletely or inaccurately,
• To request deletion or destruction of personal data in case the reasons necessitating their processing cease to exist, despite personal data has been processed in accordance with Law and relevant other law provisions, and to request notification of the operations made within this context to third parties to whom your personal data has been transferred,
• To object to any adverse result arising as a consequence of analysis of processed data solely by means of automatic systems,
• To request compensation for damages in cases where damage is caused due to unlawful processing of personal data,

Pursuant to the first paragraph of Article 13 of the Law, the applications to be made by the data subject to our Company in the capacity of data controller regarding these rights must be submitted to us in writing or in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Controller" published in the Official Gazette by the Personal Data Protection Board ("Board"). In the Communiqué, it is stated that the relevant persons can benefit from this right provided that they make their applications in Turkish and the applications must be made in Turkish language.

In this context, applications to be made to the Company in writing shall be submitted to our company by printing out the "Application Form" attached to this Clarification Text;

• With the applicant's personal application,
• Through a notary public,
• By being signed by the Applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070 and sent to the e-mail address agaogluhavacilik@hs01.kep.tr' registered on behalf of the Company .

The "Company" may amend this PPD Policy at any time. These amendments shall become effective on the day the new amended PPD Policy is published. In order to be informed about the amendments in this PPD Policy, necessary notifications will be made to the relevant persons.
INFORMATION AND CLARIFICATION TEXT WITHIN THE SCOPE OF THE LPPD
Law No. 6698 on the Protection of Personal Data ("Law") entered into force after being published in the Official Gazette on 07/04/2016. It is processed by AĞAOĞLU HAVACACILIK ve SAVUNMA SANAYİ LTD.ŞTİ ("Company") as the data controller.
1 - DATA CONTROLLER
Your personal data is processed by the data controller AĞAOĞLU HAVACACILIK ve SAVUNMA SANAYİ LTD.ŞTİ ("Company") in accordance with the 6698 Law on the Protection of Personal Data ("Law").

2 - PURPOSE OF PROCESSING YOUR PERSONAL DATA
Personal data may be collected by the data controller from parties such as customers, employees, potential customers, employee candidates, business partners and suppliers in categories such as identity information, contact information, customer information, customer transaction information, transaction security information, legal transaction and compliance information and marketing sales information.

The purpose of this law is to protect the rights and freedoms of the person, especially the privacy of your private life in the processing of your personal data collected, to ensure the legal and commercial security of the persons with whom you have a business relationship, to ensure the security during the company visit and to regulate the responsibilities of real and legal persons who process this personal data and the procedures and principles to be followed.

3 - TRANSFER OF PROCESSED PERSONAL DATA
Your personal data may be transferred to public authorities, natural or legal persons under the terms and conditions determined by law.
Due to the sector in which our Company operates, the personal data collected are shared with public institutions and organizations such as relevant Ministries and District Governorships. It is transferred to real or legal persons such as cargo and transportation companies, supplier companies for the provision of products and services and after-sales follow-up only for these purposes.

4 - METHOD AND LEGAL REASON FOR PERSONAL DATA COLLECTION
Your personal data will be collected physically through records, contracts, printed forms carried out by security personnel, and digitally through e-mail, telephone, SMS, complaint forms, fax, social media accounts.
It is carried out by the Company within the framework of the legal legislation for the above-mentioned purposes and within the performance of the contract.

5 - RIGHTS OF THE DATA SUBJECT LISTED IN ARTICLE 11 OF THE LAW No. 6698
As a personal data owner, we inform that you have the following rights in accordance with Article 11 of the Law:

• • To learn whether personal data has been processed or not,
  • Requesting information as to processing if your personal data have been processed,
  • Learning the purpose of his data processing and whether this data is used for intended purposes,
  • To know the third parties to whom your personal data has been transferred inside or outside the country,
  • Requesting correction of personal data if it is incomplete or improperly processed, and requesting that third parties be notified of the processing carried out in this context,
  • To request deletion or destruction of personal data in case the reasons necessitating their processing cease to exist, despite personal data has been processed in accordance with Law and relevant other law provisions, and to request notification of the operations made within this context to third parties to whom your personal data has been transferred,
  • To object to the processing, exclusively by automatic means, of your personal data, which leads to an unfavourable consequence for you,
  • To claim damages if you incur losses due to unlawful processing of your personal data.