Employee Privacy Notice

Introduction

This privacy notice has been prepared by Ones Bilişim Teknolojileri Anonim Şirketi (“Company”) pursuant to Law No. 6698 on the Protection of Personal Data (“KVKK”) and the “Communiqué on the Principles and Procedures to Be Followed in Fulfilling the Obligation to Inform.” Its purpose is to inform our employees about the collection, processing, transfer and protection of their personal data.

• In accordance with Article 10 KVKK, the Company, as data controller, provides you with information on:
• the purposes for which personal data are processed;
• the parties to whom personal data may be transferred and the purposes thereof;
• the method and legal grounds for collecting personal data;
• the rights listed in Article 11 KVKK.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Sensitive data such as race, ethnic origin, political opinion, religious belief, health, sexual life, criminal conviction, biometric and genetic data.

Data Controller: The legal entity that determines the purposes and means of processing personal data.

Explicit Consent: A freely given, informed statement of approval relating to a specific matter.

VERBİS: The Data Controllers’ Registry Information System managed by the Personal Data Protection Board.

Types of Personal Data Processed

Depending on the nature of the work and legal obligations, the following categories of personal data may be processed. Special-category data are processed only with your explicit consent and for limited purposes; no special-category processing is carried out without such consent.

• Identity Data: Name, surname, Turkish ID number, date of birth, gender, nationality, passport and civil-registry details
• Contact Data: Address, telephone, e-mail, corporate contact details
• Financial Data: IBAN, salary information, garnishment and debt details
• Professional Data: Education, certificates, work experience, courses, language skills
• Visual / Audio Data: Photograph, CCTV recordings
• Personnel Data: Social-security details, leave records, disciplinary actions, performance data, criminal-record data
• Health Data: Medical reports, disability status, maternity leave, use of medical devices/prostheses
• Biometric Data: Fingerprint, facial recognition, retina, palm data
• Other Data: IP address, system logs, travel information, handwriting, voice recordings

Purposes of Processing Personal Data

Your personal data may be processed—on the legal grounds in Article 5 KVKK—for the following purposes:

• Establishment and performance of the employment contract and fulfilment of obligations
• Execution of occupational health and safety processes
• Conduct of performance evaluation and training activities
• Operation of employee-satisfaction and suggestion systems
• Internal communication, information and resource management
• Responding to requests from public authorities/private institutions
• Fulfilment of legal obligations
• Internal audit and information-security activities
• Emergency management and ensuring physical-area security
• Organisation and event management
• Payroll, accounting and financial transactions
• Assignment, access-control and shift tracking

(For the detailed purpose list, see Personal Data Processing and Protection Procedure.)

Purposes of Processing Special Categories of Personal Data

Special-category personal data may be processed only with your explicit consent for purposes such as:

• Providing statutory reports required for the Ministry of Industry R&D Centre
• Ensuring security at Ones Technology premises holding NATO and National Facility Security certificates
• Developing and testing biometric authentication systems in R&D activities

Methods and Legal Grounds for Collecting Personal Data

Your personal data may be obtained—verbally, in writing or electronically—directly from you, from third parties or from public authorities within your legal or employment relationship with the Company. Collection tools include application forms, contracts, e-mails, correspondence, CCTV/system records, surveys and online transactions.

Processing is carried out where at least one of the following conditions in Articles 5 and 6 KVKK applies:

• It is expressly provided for by law;
• It is directly related to the conclusion or performance of a contract;
• It is mandatory for the Company to fulfil its legal obligation;
• It has been made public by the data subject;
• It is necessary for the establishment, exercise or protection of a right;
• It is necessary for the Company’s legitimate interests, provided fundamental rights and freedoms are not harmed;
• The data subject has given explicit consent.

Parties to Whom Personal Data May Be Transferred and Purposes

Personal data may be shared—within the scope of Articles 8 and 9 KVKK and with necessary technical and administrative safeguards—with:

• Suppliers and service providers (occupational health and safety, security, consultancy, training, legal, event and other outsourced services)
• Affiliates and business partners (joint projects, R&D activities, operational processes)
• Financial institutions and independent auditors (salary, payroll, financial audit and reporting)
• IT service providers (hosting, software support, cloud services, data security)
• Authorised public bodies (upon request or where required by law)

Data may also be transferred abroad with your explicit consent or under KVKK exceptions. Transferred data may include, for example, your name, surname, position, corporate contact details, log records and CCTV images.

Technical and administrative measures—such as encryption, access control, log management, confidentiality agreements and periodic audits—defined in the Personal Data Processing and Protection Procedure are applied to safeguard personal data.

Retention Period of Personal Data

Your personal data are retained for the period stipulated by legislation or required by the processing purpose. After that period, they are deleted, destroyed or anonymised in accordance with the retention and destruction schedule defined in the Personal Data Processing and Protection Procedure / Deletion, Destruction and Anonymisation of Data.

Rights of the Data Subject

Under Article 11 KVKK you have the right to:

1. Learn whether your personal data are processed;
2. Request information if they are processed;
3. Learn the purpose of processing and whether they are used appropriately;
4. Know the third parties to whom they are transferred at home or abroad;
5. Request correction of incomplete or inaccurate data;
6. Request deletion, destruction or anonymisation when processing reasons cease;
7. Request notification of corrections or deletions to third parties to whom data were transferred;
8. Object to results produced solely by automated processing;
9. Claim compensation for damages arising from unlawful processing.

Application Procedure

You may submit requests regarding your rights under Article 11 KVKK—pursuant to the “Communiqué on the Principles and Procedures for Applications to Data Controllers”—in writing or via registered electronic mail (KEP), secure electronic signature or your e-mail address registered in our system:

• Written application: Send the completed KVKK Application Form to the Company address.
• KEP: Send via our KEP address.
• E-mail: Send from your registered e-mail address to ik

Your request will be concluded free of charge within 30 days of receipt. If the action requires a cost, the tariff set by the Board will be applied.