KVKK

1. PURPOSE

Emaa Blue Asset Management INC. attaches great importance to the lawful processing of personal data belonging to its employees, employee candidates, clients, and visitors.

Accordingly, the Company has prepared this Personal Data Protection and Processing Policy to ensure that personal data is protected and processed in compliance with the applicable legislation, primarily Law No. 6698 on the Protection of Personal Data (“the Law”).

2. SCOPE

This Policy outlines the Company’s declarations and explanations regarding the protection and processing of personal data of real persons, including clients, employee candidates, and Company personnel, within the scope of the Law. It also aims to inform which types of personal data are processed during Company activities, for what purposes they are processed, and to whom they may be transferred.

3. DEFINITIONS AND ABBREVIATIONS

Law: Law No. 6698 on the Protection of Personal Data

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

Explicit Consent: A declaration of will given freely and based on informed consent, concerning a specific subject by the data subject.

Anonymization: The process of making personal data unrelated to an identifiable or identifiable individual, even when matched with other data.

Data Subject: The real person whose personal data is being processed.

Personal Data: Any kind of information related to an identified or identifiable real person.

Sensitive Personal Data: Personal data subject to stricter protection under the Law due to their potential to cause victimization or discrimination if disclosed or lost.

Processing of Personal Data: Any operation performed on personal data, whether wholly or partially automated or through non-automated means that are part of a data recording system, including collection, recording, storage, retention, disclosure, transfer, acquisition, making accessible, classification, or prevention of use.

Data Recording System: A system in which personal data is processed according to specific criteria.

Data Processor: A real or legal person who processes personal data on behalf of the data controller based on the authority granted.

Data Controller: The real or legal person who determines the purposes and means of personal data processing and is responsible for establishing and managing the data recording system.

Company: Emaa Blue Asset Management INC. Senior Management: The members of the Company’s Board of Directors, the General Manager, and Deputy General Managers.

4.General Principles Regarding the Processing of Personal Data

According to Article 3/I(e) of the Personal Data Protection Law (KVK Law), “data processing” refers to any operation performed on personal data, whether fully or partially by automatic means, or by non-automatic means provided that it is part of a data recording system. Such operations include collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use of personal data.

As Emaa Blue Asset we process personal data for the purposes specified under the section titled “Purpose of Processing Personal Data” in this Policy, and in accordance with the principles listed below:

Processing in accordance with the law and the rules of good faith,

Being accurate and, where necessary, up to date,

Being processed for specific, explicit, and legitimate purposes,

Being relevant, limited, and proportionate to the purposes for which they are processed,

Being retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed.

Article 5 – Personal Data Collected

The Company may process both general and sensitive personal data with the explicit consent of the data subject or, in cases stipulated under Articles 5 and 6 of the KVK Law, without the need for explicit consent. The specific personal data to be processed for each data subject may vary depending on factors such as the type and nature of the relationship between the data subject and Emaa Blue Asset, as well as the communication channels used.

Within this scope, some of the general and sensitive personal data processed by the Company, including but not limited to, are listed below:

• Turkish ID number, full name, national ID serial number, gender, marital status, place of birth, date of birth, age, profession, place of registration, certified copy of the population register, etc.

• Driver’s license number and serial number,

• Passport number,

• Email address, phone number, fax number, mobile phone number, address, etc.

• Insurance policy number,

• Customer Information (Customer number associated with the individual, income details, occupational information, vehicle license plate, other vehicle-related details, educational background, etc.)

• Communication records such as phone calls and email correspondence with Emaa Blue Asset along with other audio and video data

• Job Applicant Information

• IBAN details, premium payment information, account balances, outstanding balances, etc.

• Physical Space Security Information (Records of entry and exit to Company premises, visitor information, CCTV footage, etc.)

• Marketing Information (Reports and evaluations showing the habits and preferences of the data subject used for marketing purposes, targeting data, cookie records, data derived through enrichment activities, surveys conducted with the individual, satisfaction surveys, data and assessments obtained through campaigns and direct marketing activities, etc.)

• Investment objectives, risk and return preferences, knowledge and experience related to capital markets, amount of savings allocated or available for capital market transactions, products and services deemed suitable for the data subject, investment and ancillary services used by the data subject, domestic and foreign markets where transactions are executed, investment institutions and accounts registered in the name of the data subject at these institutions, products traded, frequency and volume of transactions, and other detailed financial data

• Request/Complaint Management Information (Information and records related to requests and complaints submitted by the data subject concerning our products and services, along with reports or correspondence produced by the relevant business units evaluating these matters, etc.)

• Internet Protocol (IP) address, device ID, unique identifier information, device type, advertising ID, unique device icon, statistics related to webpage views, inbound and outbound traffic data, referring URL, internet log information, location data, websites visited, and information regarding actions and activities performed through our websites, platforms, network, and advertising or email content

Article 6 – Purpose of Processing Personal DataThe personal data collected may be processed by the Company in accordance with the conditions specified in Articles 5 and 6 of the Law, and for the purposes outlined below:

• Fulfillment of our legal obligations

• Negotiation, establishment, and execution of contracts

• Resolution of disputes

• Promotion and marketing of the Company’s services and products, identification of suitable products, services, and platforms for customers, and the customization and development of these offerings for individual customers

• Ensuring and improving internal coordination, collaboration, and efficiency

• Ensuring and monitoring the security of the Company’s physical premises as well as its website and other electronic systems used by or belonging to the Company

• Ensuring the legal and commercial security of the Company and individuals or institutions with which the Company has a business relationship

• Investigation, prevention, and reporting of contractual or legal violations to the relevant authorities

• Responding to requests and inquiries, and making notifications relevant to the data subject

• Provided that prior consent has been obtained in accordance with the Law on the Regulation of Electronic Commerce and its secondary legislation: carrying out activities such as celebrating special occasions, participating in sweepstakes or competitions, distributing gifts or discounts, and other campaigns and promotions in favor of the data subject, as well as conducting surveys and polls to gather their opinions

• Carrying out mergers, demergers, share transfers, and other corporate transactions

• Formulating and developing the Company’s human resources policies, meeting staffing needs within this framework, and conducting and enhancing recruitment processes

5. Transfer of Personal Data

The Company may transfer personal data to third parties located within or outside Türkiye and store such data on servers or other electronic environments located in Türkiye or abroad, provided that it complies with the conditions set forth in the Personal Data Protection Law (KVK Law) and takes the necessary security measures. These transfers will be made for the purposes outlined under the section titled “Purposes of Personal Data Processing” in this Policy.

The third parties to whom personal data may be transferred may vary depending on the nature of the relationship between the data subject and Emaa Blue Asset, as well as the characteristics of the markets in which transactions are conducted. However, in general, they may include the following:

• The Capital Markets Board, Borsa İstanbul, Takasbank, Central Registry Agency Investor Compensation Center, and other domestic or international regulatory authorities, stock exchanges, central clearing and custody institutions, central counterparties, and other authorized institutions, organizations, or third parties

• Investment institutions, banks, custodians, platform operators, brokerage firms, data providers, infrastructure providers, and other business partners, suppliers, and subcontractors that Emaa Blue Asset collaborates with domestically or internationally

• In cases where it is necessary for the execution of transactions such as mergers, demergers, share transfers, and similar processes, third parties involved in such transactions

Emaa Blue Asset does not, under any circumstances, share the personal data it has obtained with third parties for their own promotional or marketing activities without the explicit and specific consent of the data subject.

6.Method of Collecting Personal Data

The Company may collect personal data through written, verbal, audio or visual recordings, or by other physical or electronic means for the purposes stated under the section titled “Purposes of Personal Data Processing” in this Policy.

While the specific methods used to collect personal data may vary depending on factors such as the type and nature of the relationship between the data subject and Emaa Blue Asset and the markets in which transactions take place, the general methods include:

• During face-to-face meetings with Company representatives or through direct contact initiated by the data subject via call centers, websites, mobile applications, or similar electronic platforms, either for the purpose of using the Company’s services or products or for other purposes. Data may be collected either directly from the data subject or by using technologies such as cookies, cameras, or similar tools.

• Through regulatory bodies such as the Capital Markets Board of Türkiye (SPK), the Capital Markets Licensing Registry and Training Institution (SPL), or the Public Disclosure Platform (KAP),

• Through the Company’s subcontractors, business partners, or other third parties with whom the Company has contractual relationships,

• Through the individuals or institutions represented by the data subject, or those representing the data subject.

Article 9 – Legal Grounds for Processing Personal Data

The Company processes your personal data based on your explicit consent or on one of the following legal grounds:

• When it is explicitly stipulated by law,

• When it is necessary to process personal data belonging to the parties to a contract, provided it is directly related to the establishment or performance of that contract,

• When processing is required for the data controller to fulfill its legal obligations,

• When the relevant data has been made public by the data subject,

• When processing is necessary for the establishment, exercise, or protection of a right,

• When processing is required for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

7. Retention Period of Personal Data

Unless a longer retention period is legally required or permitted, the Company retains personal data only for as long as necessary to fulfill the purposes stated in this Policy. Once the retention period has expired, personal data is deleted, destroyed, or anonymized by the Company in accordance with Article 7 of the Personal Data Protection Law.

8. Exercising Rights by Data Subjects

To exercise their rights, individuals may submit a request using the following methods, along with documents verifying their identity:

• By delivering a wet-signed written request in person or via a notary to the following address:

Esentepe Mahallesi, Büyükdere Caddesi, Ferko Signature No:175/8, Şişli/İstanbul.

• To be sent to the registered electronic mail address emaablueportfoy@hs01.kep.tr by being signed with a secure electronic signature issued within the scope of the Electronic Signature Law No. 5070.

• To be sent via electronic mail to info@emaaportfoy.com.tr.

• To be submitted through other methods foreseen by the Personal Data Protection Board.

The Company responds to data subjects who wish to exercise their rights within the limits stipulated in the Law, within a maximum of thirty days, as also specified in the Law.

In order for third parties to apply on behalf of data subjects, a power of attorney issued by a notary is required.

Applications are, as a rule, processed free of charge; however, if a fee schedule is stipulated by the Personal Data Protection Board, pricing may be applied according to that schedule.

The Company may request information from the relevant person to determine whether the applicant is the data subject, and may ask questions to clarify the matters specified in the application.

9. Rights of Data Subjects

According to Article 11 of the Law, data subjects have the following rights against the data controller:

• To learn whether personal data is processed,

• If personal data has been processed, to request information regarding this,

• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

• To obtain information about third parties to whom personal data has been transferred, whether domestically or abroad,

• To request the correction of personal data if it is incomplete or incorrectly processed,

• To request the deletion or destruction of personal data under the conditions stipulated in the relevant legislation,

• To request that the transactions carried out because of correction, deletion, or destruction requests be notified to third parties to whom personal data has been transferred,

• To object to a result that is unfavorable to the individual arising from the analysis of processed data exclusively through automated systems,

• To request compensation in the event of damage due to unlawful processing of personal data.

10. Data Security

The Company takes reasonable technical and administrative measures to prevent unauthorized access, accidental data loss, deliberate deletion, or damage to ensure the security of personal data.

Within this scope, the Company:

• Records access to personal data,

• Ensures data security by using software and hardware including virus protection systems and firewalls,

• Monitors personal data processing activities on a business unit basis,

• Carries out necessary audits to ensure the implementation of the provisions of the Law in accordance with Article 12,

• Ensures compliance of data processing activities with the Law through internal policies and procedures,

• The Company makes authorizations appropriate to the nature of the data accessed within the company,

• Access to special categories of personal data is subject to stricter measures,

• Individuals with access to special categories of personal data undergo additional security checks,

• In cases where access to personal data is required from outside the Company for reasons such as outsourcing, the Company obtains commitments from external service providers to ensure compliance with the Law,

• The Company takes necessary actions to inform all employees, especially those with access to personal data, about their duties and responsibilities under the Law,

• Network security and application security are ensured,

• A closed-system network is used for personal data transfers over the network,

• Key management is applied,

• Security measures are taken in the procurement, development, and maintenance of information technology systems,

• Access logs are regularly maintained,

• Confidentiality agreements are made,

• Up-to-date antivirus systems are used,

• Firewalls are used,

• Log records are kept in a way that prevents user intervention,

• Intrusion detection and prevention systems are used,

• Cybersecurity measures are in place and their implementation is continuously monitored,

• Penetration testing is conducted,

• Data loss prevention software is used.

11. Questions and Comments You can submit your questions and comments under this Policy to our Company through the "Contact" section available at https://www.emaaportfoy.com.tr.

12. Effectiveness This Personal Data Protection and Processing Policy comes into effect upon approval by the Company’s Board of Directors, and the authority to make changes to the policy belongs to the Board of Directors.

KVKKViewDownload

Data Owner Application FormViewDownload