Supplementary Protocol On Protection Of Personal Data Drafted by ATC Air Trade Centre Havalandırma Sistemleri Sanayi Ve Ticaret Anonim Şirketi Within the Framework of Law No. 6698 on Protection of Personal Data

This Supplementary Protocol on Protection of Personal Data is hereby executed by and between ATC Air Trade Centre Havalandırma Sistemleri Sanayi Ve Ticaret Anonim Şirketi, a company having its registered seat at Seyrantepe Mah. İbrahim Karaoğlanoğlu Cad. No: 101/1 34418, Kağıthane / İstanbul, taxpayer ID no_____________ (“ATC”), and [….], a company having its registered seat at taxpayer ID no_____________ (“Company”) for the purpose of regulating the rights and obligations regarding the personal data to be processed by the parties within the scope of the commercial relationship between them.

Definitions

For the purposes of this Agreement, the terms used herein shall have the meanings ascribed to them hereinbelow:

“Law” shall mean the Law on Protection of Personal Data numbered 6698,

“Personal data” shall mean any information about an identified or identifiable natural person,

“Identifiable personal data” shall mean any data about race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and outfit, association, foundation or union membership, health, sexual life, criminal conviction, and security measures of individuals, and biometric and genetic data (the term “personal data” as used herein will also include “sensitive personal data ” as appropriate),

“Processing” shall mean all kinds of transactions performed on data such as acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, availability, classification, or use of personal data through fully or partially automated means, or non-automated means that are not part of any data recording system.

“Data controller” shall mean ATC, which determines the purposes and means of processing personal data and is responsible for ensuring the accuracy and timeliness of the data;

“Data processor” shall mean the company being a party hereto, which processes personal data based on the authorization granted by the data controller on its behalf and in accordance with its instructions.

Details of Transfer

Personal data may be transmitted verbally or in writing, electronically and in other ways to the Data Processor by the Data Controller.

Limited Use for Purpose

1. 1. Personal data may be processed by the Data Processor within the framework of the directions received from the Data Controller for the sole purpose of providing the service agreed between the parties. Any processing of Personal Data outside such scope will be subject to the prior written consent of the Data Controller.
   2. The data processor shall keep the Personal Data at its own disposal, and the transfer of the Personal Data to any third parties at home and abroad, including the transfer of data to third parties due to the use of third party services, is prohibited unless otherwise agreed by the parties. The data processor hereby agrees and declares that any use or transfer of the Personal Data in any anonymized form is also prohibited in this context.
   3. Upon termination of the Agreement, the data processor will deliver any media containing the Personal Data to the Data Controller against signature, and then delete and destroy all the records thereof available in its hands. However the data processor will be able to store the Personal Data to the extent required for its legal obligations. The data processor hereby agrees and declares that it will not be able to store the Personal Data for any other purposes, even through anonymization thereof.
   4. The Data Controller shall be exclusively responsible for determining and publishing the policies related to the Protection of Personal Data, preparing the disclosures about its data protection policies and sharing them with its employees.

Data Security

1. 1. The parties shall be obliged to take the necessary measures to prevent any unauthorized access to the Personal Data by their own staff or any third parties and any uses of the Personal Data for purposes other than the transfer thereof to themselves. The parties hereby acknowledge and agree that the measures to be taken in this context shall in no event be less than those taken for the security of personal data maintained by a prudent merchant operating in the field of legislation or in other similar fields.
   2. In cases where the Personal Data is transferred by the data processor to a third party as permitted by this Agreement, it will safely provide the data transfer within the framework of the directions obtained from the Data Controller, and In case of any unauthorized access to the Personal Data or of the Personal Data being made accessible to third parties in any way contrary to this Agreement, The data processor will immediately report the event to the Data Controller and will provide any information, documentation and support requested by the Data Controller to minimize the damages and losses resulting therefrom.

Rights and Obligations of the Parties

1. 1. The data processor shall be obliged to immediately fulfill the requests of any data subjects as transmitted by the Data Controller. In the event that any data subject files a request directly to the data processor in any way, a notification will be made to the Data Controller immediately in writing and actions will be taken in line with the respective requests and instructions of the Data Controller.
   2. The Data Processor does not have the competence to take any initiatives regarding any instructions and requests made or given by the Data Controller, it is also unlikely for the Data Processor to examine whether such instructions and requests are illegal. All legal and / or criminal liabilities shall be exclusively and directly assumed by the Data Controller in the event that any requests and instructions made by the Data Controller to the Data Processor are unlawful and / or cause any damages or losses. If such a liability is directed against the Data Processor, then the Data Controller shall cooperate with the Data Processor and will be involved with all processes with the Data Processor, and will provide necessary support with respect to information, documentation, and other matters. The Data Controller hereby agrees and acknowledges that any liabilities, losses, damages and expenses, lawsuits and any claims to be incurred or suffered by the Data Processor will be compensated based on the outcome of the court process, and if the Data Processor is compelled to make any payments in this regard, these amounts may be recovered from the Data Controller.

Legal Liability

1. 1. The Data processor shall be obliged to act in accordance with procedures and principles concerning protection of personal data applicable within borders of the Republic of Turkey, especially including the Law as well as respective decisions of the Council on Protection of Personal Data
   2. If any changes in the processes of the data processor are required due to any changes in or updates to the said arrangements, the data processor shall be obliged to perform such changes before the new / current regulation enters into force at the latest. If any said arrangement requires a change in this Agreement, then the parties will amend this Agreement as appropriate. The provisions hereof, which require amendment, will be implemented in accordance with then current legislation as of the effective date, even if no action has been taken by the parties in this regard.

Transfer of Agreement

1. 1. The data processor may not transfer or assign this Agreement or any of its rights and obligations hereunder to third parties, and may not subcontract the services provided hereunder without the prior written consent of the Data Controller.
   2. In case the Data Processor uses any subcontractors with the prior written consent of the Data Controller, the stipulations contained herein regarding the Personal Data must be reflected exactly in the relevant subcontractor agreement. The data processor hereby agrees that its responsibilities under the Agreement shall continue in full even if a subcontractor is used, and that the Data Processor shall be personally liable for any breaches of the subcontractor.

Term of Protocol

This Protocol shall enter into force on the date of execution and remain in effect as long as the Agreement remains in force. Even if the Protocol terminates for any reason, the obligations of the parties set forth in Article 2 will remain in effect indefinitely.

General Provisions

1. 1. This Protocol shall be governed by Turkish Law and Istanbul Courts and Enforcement Offices shall hold jurisdiction on any and all disputes arising from the Protocol.
   2. If any article or section of this Protocol is held to be invalid under law, or by legislator or by any authority or court, it shall not affect the validity of other articles and sections of this Protocol.
   3. No amendment to this Protocol, which has not been made in writing with the agreement of the parties, shall take effect.
   4. The parties hereby agree and declare their addresses set out hereinabove shall serve as their notification addresses. Unless any changes therein are notified to the other party in writing, each and every notice sent to such address will be considered to have been made properly.
   5. The Company may not assign or transfer any of its rights and obligations hereunder without prior written consent of ATC.

Consisting of 4 (four) pages and 9 (nine) articles, this Protocol was executed by the parties on______ in 2 (two) copies.

ATC Air Trade Centre Havalandırma Sistemleri Sanayi Ve Ticaret Anonim Şirketi