Employee Candidate Reference Privacy Notice

Introduction

This disclosure text has been prepared by Ones Bilişim Teknolojileri Anonim Şirketi (“Company”) pursuant to Law No. 6698 on the Protection of Personal Data (“KVKK”) and the “Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform.” It aims to inform persons cited as references by job applicants about the collection, processing, transfer and protection of their personal data.

In accordance with Article 10 of the KVKK, the following information is provided to you as the data controller at the time personal data are obtained:

• Identity of the data controller
• Purposes of processing personal data
• Recipients and purposes of possible data transfers
• Method and legal grounds for collecting personal data
• Rights listed in Article 11 of the KVKK

Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Special Categories of Personal Data: Sensitive data such as race, ethnic origin, political opinion, religious belief, health, sexual life, criminal conviction, biometric and genetic data.
• Data Controller: The legal entity that determines the purposes and means of processing personal data.
• Explicit Consent: A declaration of consent, based on information and given freely, relating to a specific matter.
• VERBİS: The Data Controllers’ Registry Information System managed by the Personal Data Protection Board.

Types of Personal Data Processed

Depending on the nature of the work and legal obligations, the personal-data categories below may be processed. Special-category personal data are processed only with your explicit consent and for limited purposes. No processing of special-category data is carried out without such consent.

• Identity Data: Name, surname
• Contact Data: Telephone number, e-mail address, address
• Other Data: Position, title and organisation of employment

Purposes of Processing Personal Data

Your personal data may be processed, on the grounds set out in Article 5 of the KVKK, for the following purposes:

• Verifying the job applicant’s past employment and experience
• Better assessing the applicant’s suitability for the position
• Conducting human-resources and recruitment processes efficiently

(For the detailed purpose list, see Personal Data Processing and Protection Procedure.)

Purposes of Processing Special Categories of Personal Data

“Our Company does not request any special-category personal data during the reference-check process, nor does it process such data even if shared spontaneously. Should a future need arise, your explicit consent will be obtained in accordance with Article 6 of the KVKK.”

Methods and Legal Grounds for Collecting Personal Data

Your personal data are collected when you are cited as a reference during the job-application process, through the applicant’s statement or interviews with you. These data may be obtained verbally, in writing or electronically via application forms, résumés, e-mails or telephone calls.

Processing is based on at least one of the following legal grounds in Articles 5 and 6 of the KVKK:

• Direct necessity for concluding or performing the contract with the applicant
• Legitimate interests of the Company (provided fundamental rights and freedoms are not harmed)
• Your explicit consent where required

Parties to Whom Personal Data May Be Transferred and Purposes

Your personal data may be shared only with the relevant Company units—primarily the human-resources department—for the sole purpose of evaluating the applicant. No transfer is made to third parties. If a future transfer becomes necessary, it will take place only in accordance with Articles 8 and 9 of the KVKK.

For data security, the technical and administrative measures set out at Personal Data Processing and Protection Procedure —including encryption, access control, log management, confidentiality agreements and periodic audits—are applied.

Retention Period of Personal Data

Your personal data are retained until the applicant-evaluation process ends, after which they are deleted, destroyed or anonymised in line with the retention and destruction schedule defined at Personal Data Processing and Protection Procedure | Deletion, Destruction and Anonymisation of Data
 .

Rights of the Data Subject

Under Article 11 of the KVKK you have the right to:

• Learn whether your personal data are processed
• Request information if they are processed
• Learn the purpose of processing and whether they are used appropriately
• Know the third parties to whom they are transferred at home or abroad
• Request correction if they are incomplete or inaccurate
• Request deletion, destruction or anonymisation if processing reasons cease
• Request notification of corrections or deletions to third parties to whom data were transferred
• Object to results produced solely by automated processing
• Claim compensation for damage arising from unlawful processing

Application Method

You may submit requests regarding your rights under Article 11 of the KVKK to the data controller in writing or via registered electronic mail (KEP), secure electronic signature or your e-mail address registered in our system, in accordance with the “Communiqué on the Principles and Procedures for Applications to Data Controllers”:

Written application: Complete the “KVKK Application Form” and send it with wet signature by post to the Company address.

KEP: Send via our KEP address.

E-mail: Send from your registered e-mail address to idari.

Your requests are processed free of charge within 30 days from the date they reach us. If the action requires an additional cost, the tariff set by the Board will apply.