PERSONAL DATA PROTECTION AND PROCESSING POLICY
- INTRODUCTION
- Purpose
- Abbreviations and Definitions
- DATA CONTROLLER
- RESPONSIBILITIES AND DUTY DISTRIBUTION
- MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA
- Processing of Personal Data in Accordance with the Principles Prescribed by Legislation (Processing Conditions)
- Processing in Compliance with the Law and the Principle of Fairness
- Ensuring that Personal Data is Accurate and, When Necessary, Up-to-Date
- Processing for Specific, Explicit, and Legitimate Purposes
- Being Relevant, Limited, and Proportional to the Purpose of Processing
- Retaining for the Period Required by Relevant Legislation or Necessary for the Purpose of Processing
- Legal Grounds for Processing Personal Data
- Processing of Special Categories of Personal Data
- Informing the Data Subject
- Transfer of Personal Data
- Transfer of Personal Data Within the Country
- Transfer of Personal Data Abroad
- SPECIAL CIRCUMSTANCES IN WHICH PERSONAL DATA IS PROCESSED
- Personal Data Processing Activities Conducted for Security Purposes in the Physical Premises of Our Company
- Personal Data Processing Activities Conducted at the Entrances and Inside the Buildings and Facilities
- Legal Basis for Surveillance Activities by Camera
- Information Regarding Surveillance by Camera
- Purpose of Conducting Surveillance Activities with Cameras and Limitation to the Purpose
- Processing of Information Related to the Company’s Website and Users Provided with Internet Access
- Processing of Website User Information
- Processing of Information Related to Users Provided with Internet Access by the Company
- CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING AND SHARING
- STORAGE AND DESTRUCTION OF PERSONAL DATA
- PRIVACY
- RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
- Rights of the Data Subject
- Ways to Apply to Our Company Regarding Your Rights
- PUBLICATION AND STORAGE OF THE POLICY
- POLICY UPDATE PERIOD
- EFFECTIVENESS AND WITHDRAWAL OF THE POLICY
1. INTRODUCTION
1.1. Purpose
This Personal Data Protection and Processing Policy (“Policy”) has been prepared to determine the procedures and principles regarding the personal data processing and protection activities carried out by COSMIC TICKETS AUDIOS TURİZM VE TİCARET A. Ş. (“Company”) in its capacity as the data controlle
Our Company has determined as a priority the processing and protection of personal data belonging to Company employees, former employees, job applicants, shareholders, customers, potential customers, service providers, suppliers, business partners, their authorized representatives and employees, visitors, and other relevant third parties in accordance with the principles adopted by our Company, the Turkish Constitution, international agreements, the Personal Data Protection Law No. 6698 (“KVKK”), and other relevant legislation, as well as ensuring the effective exercise of the rights of the data subjects in this regard.
All activities related to the processing and protection of personal data are carried out by the Company in accordance with the Policy prepared for this purpose. In doing so, the Company ensures the necessary transparency by informing personal data subjects of their rights and providing information on the methods and procedures for exercising these rights. With full awareness of our responsibility in this regard, your personal data and sensitive personal data are processed and protected by us within the scope of this Policy.
1.2. Scope
This Policy covers all personal data of Company employees, former employees, job applicants, shareholders, customers, potential customers, service providers, suppliers, business partners, their authorized representatives and employees, visitors, and other third parties who establish a relationship with our Company, processed by automated means or by non-automated means provided that the processing is part of any data recording system. This Policy applies to all physical, electronic, website, and social media environments owned or managed by the Company where personal and sensitive personal data are processed, as well as to all activities related to the processing of personal data.
Under the KVKK, special emphasis is placed on certain types of personal data due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data are defined as sensitive personal data, as explained in the Abbreviations and Definitions Table below. Our Company takes great care to protect sensitive personal data identified as “sensitive” under the KVKK and processed lawfully. In this regard, the technical and administrative measures taken by our Company for the storage and protection of personal data are applied with greater diligence to sensitive personal data, and additional measures outlined in Sections 4.3 and 4.5.2 below are also implemented. Moreover, necessary audits are conducted within the Company.
Furthermore, depending on the type and nature of the relationship between our Company and the data subject, it is possible for the Company to provide data subjects with personal data policies and/or notices, information texts, or procedures that differ from this Policy. Such specific policies and information texts/notices provided to data subjects may contain additional provisions to those explained in this Policy. In such cases, the specific policies and notices provided to data subjects should take precedence. Additionally, the relevant legal regulations in force regarding the processing and protection of personal data will have primary application. In the event of any inconsistency between the applicable legislation and this Policy, our Company acknowledges that the applicable legislation will take precedence. This Policy aims to concretize and regulate the rules set forth by the relevant legislation within the scope of the Company’s practices.
1.3. Abbreviations and Definitions
Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
Explicit Consent | Consent that is given regarding a specific matter, based on being informed and expressed with free will. |
Anonymization | The process of making personal data irreversibly unidentifiable and unlinkable to any identified or identifiable natural person, even when matched with other data. |
Employee / Former Employee | Personnel of COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. or those who have left the company. |
Job Applicant | Individuals who have not yet entered into an employment contract with COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. but are being considered for potential employment. |
Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices. |
Non-Electronic (Physical) Environment | All written, printed, visual, and other non-electronic formats outside of electronic environments. |
Service / Expertise Service Provider | A natural or legal person who provides services or specialized expertise, such as accounting, workplace health and safety, IT, or legal services, to COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. under a specific contract. |
Data Subject | The natural person whose personal data is being processed. |
Relevant Employee | Individuals within the data controller organization or those processing personal data based on authority and instructions received from the data controller. |
Destruction | The deletion, destruction, or anonymization of personal data. |
Law | Personal Data Protection Law No. 6698. |
Data Recording Environment | Any environment where personal data is processed either wholly or partially automatically, or by non-automated means as part of a data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Personal Data Processing Inventory | An inventory created by data controllers that details the personal data processing activities carried out in connection with their business processes. It includes information on the purposes and legal grounds for processing personal data, data categories, recipient groups to whom data is transferred, and the groups of data subjects. It also specifies the maximum retention period necessary for the purposes for which the data is processed, any planned transfers of personal data to foreign countries, and the measures taken to ensure data security. |
Processing of Personal Data | Any operation performed on personal data, whether wholly or partially automated, or by non-automated means as part of any data recording system. This includes obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, receiving, making accessible, classifying, or restricting the use of personal data. |
Board | Personal Data Protection Board |
KVKK | Personal Data Protection Law No. 6698 |
Sensitive Personal Data | Data relating to an individual’s race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Periodic Destruction | The process of deletion, destruction, or anonymization of personal data performed automatically at recurring intervals, as specified in the data retention and destruction policy, when all conditions for processing personal data outlined in the law are no longer met. |
Policy | PERSONAL DATA PROTECTION AND PROCESSING POLICY |
Company | COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
Data Recording System | A system where personal data is processed by being organized according to specific criteria. |
Data Subject | The natural person whose personal data is processed. |
Data Controller | A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
Data Controllers’ Registry Information System (VERBIS) | An online information system created and managed by the Personal Data Protection Board, which data controllers use for registry applications and related procedures. |
VERBİS | Data Controllers’ Registry Information System. |
2. DATA CONTROLLER
In relation to the processing of your personal data, COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. acts as the data controller in accordance with Law No. 6698. As the data controller, we have the authority and responsibility to determine the purposes and means of processing your personal data. This Policy document has been prepared to provide you with detailed information about the Company’s data processing purposes, methods, and protection measures.
3. RESPONSIBILITIES AND DUTY DISTRIBUTION
All units and employees of the Company actively support the responsible units in ensuring that the technical and administrative measures taken under this Policy are properly implemented. This includes providing training and increasing awareness among unit employees, monitoring, and continuously auditing to prevent unlawful processing of personal data, unauthorized access to personal data, and ensuring the lawful storage of personal data. They are also responsible for taking all necessary technical and administrative measures to ensure data security in all environments where personal data is processed.
Furthermore, neither the data controller’s representatives and employees acting in the capacity of data controller, nor individuals processing data on behalf of the Company, may disclose or use the personal data they have learned for purposes other than those specified in this Policy and the KVKK regulations. This obligation continues indefinitely, even after the completion of their duties or employment, in accordance with Article 12/4 of the KVKK.
The distribution of titles, units, and job descriptions for those involved in the processing, storage, and destruction of personal data is provided in Table 1.
Table 1: Distribution of Duties for Storage and Destruction Processes
TITLE | UNIT | RESPONSIBILITY |
Company Personal Data Protection Officer | COSMIC TICKETS AUDIOS TOURISM AND TRADE INC. | Responsible for the preparation, development, implementation, publication in relevant environments, updating of the policy, and ensuring that employees comply with the policy. |
Company Data Controller Contact Person | Sales and Marketing Department. | Responsible for providing and monitoring the administrative, physical, and technical solutions needed for the implementation of the policy. |
Finance and Accounting, Administrative Financial Affairs, Sales, Marketing, IT (Information Technology) Departments | Other Departments | Responsible for the implementation of this Policy in accordance with their duties. |
4. MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA
4.1. Processing of Personal Data in Accordance with the Principles Prescribed by Legislation (Processing Conditions)
4.1.1. Processing in Compliance with the Law and the Principle of Fairness
Personal data is processed in a manner that does not harm individuals’ fundamental rights and freedoms, in accordance with the law (specifically, in compliance with Article 4 of the KVKK and other relevant regulations), and in line with the principles of general security and fairness. In this context, personal data is processed only to the extent and in the minimum amount required for the Company’s business activities, and is limited to that scope.
In accordance with this principle, our Company diligently adheres to the principles established by laws and other legal regulations regarding the processing of personal data and the prohibition of misuse of rights. In line with the principle of fairness, our Company, while striving to achieve its data processing objectives, also considers the interests and reasonable expectations of the data subjects. It takes measures to prevent unexpected and unnecessary outcomes for the data subjects. Furthermore, in accordance with this principle, the data processing activity is conducted transparently and in compliance with information and notification obligations.
To reiterate, in accordance with the principle of fairness, our Company pays utmost attention to ensuring that personal data is not used in a manner that would lead to unfairness towards the data subject, that the reasonable expectations of the data subject are met, and that the purpose of data collection is not exceeded. In this context, for example, depending on the nature of the relationship established with the data subject, unreasonable data should not be requested or processed from the data subject within the scope of privacy, and within our Company, personal data should not be processed excessively by employees. This is done in accordance with the requirements of the principle of fairness.
4.1.2. Ensuring that Personal Data is Accurate and, When Necessary, Up-to-Date
Our Company takes necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and conducts the necessary activities at regular intervals to maintain the accuracy and currency of personal data. This includes ensuring that the sources of personal data are specific, testing their accuracy when needed, and addressing requests arising from inaccuracies in personal data.
This principle aligns with the data subject’s right to request data correction as stipulated in the KVKK. Maintaining personal data accurately and up-to-date is not only beneficial for our Company but also essential for protecting the data subject’s fundamental rights and freedoms and preventing material or moral harm. For example, if contact information is recorded incorrectly, the individual might not receive their messages on time or may receive them from the wrong person, potentially causing material and moral damage. Similarly, having accurate and up-to-date information about an employee’s number of children or spouse’s employment status is crucial for correctly calculating the minimum living allowance (AGİ). Our active obligation to ensure that personal data is accurate and, when necessary, up-to-date applies when a result concerning the data subject is derived from such data (e.g., in cases such as credit granting). Additionally, as the data controller, our Company always maintains channels to ensure that the data subject’s information remains accurate and up-to-date.
4.1.3. Processing for Specific, Explicit, and Legitimate Purposes
Our Company ensures that all necessary informational notices and, where applicable, consent procedures related to the processing of personal data are completed before engaging in any personal data processing activities, whether physical or electronic. This way, our Company clearly and definitively outlines the personal data being processed, the methods of obtaining this data, and the purposes of processing. Additionally, personal data is processed within the scope of specific, explicit, and legitimate purposes related to the Company’s business, trade, and service activities. For example, our Company does not process personal data unrelated to our business, such as a mother’s maiden name, in any of our sales and customer relationship processes.
In this context, it is ensured that personal data processing activities are clearly understandable by the data subject, that the legal basis for processing personal data is specified, and that the purpose and details of the data processing activities are clearly defined. Therefore, the collected personal data is not processed for purposes other than those for which it was obtained, nor is it misused in any way.
4.1.4. Being Relevant, Limited, and Proportional to the Purpose of Processing
Our Company collects personal data only to the extent and nature required for business activities and processes it in a manner limited to and related to its intended purposes. In this context, adhering to the principle of relevance and limitation means ensuring that the processed data is necessary and suitable for achieving the specified current and up-to-date purposes, and avoiding the processing of personal data that is unrelated or unnecessary for such purposes. Processing data beyond what is necessary for the purpose would be contrary to the principle of limitation. For example, sending advertisements to an email address provided for attending a symposium would violate the principle of limitation.
According to the principle of proportionality, we ensure that a reasonable balance is maintained between the data processing and the purpose intended to be achieved. In other words, we conduct data processing activities only to the extent necessary to achieve the purpose. For example, our Company does not ask any data subject for information regarding their personal preferences in any process.
4.1.5. Retaining for the Period Required by Relevant Legislation or Necessary for the Purpose of Processing
Personal data must be retained only for the period necessary for the purpose of processing, in accordance with the principle of purpose limitation. In line with this principle, our Company does not retain personal data for purposes other than those initially intended or based on the possibility of future use after the specified period has elapsed, the purpose has been achieved, or the data processing condition has ceased. Instead, the Company takes the necessary steps for data destruction. For example, the name and vehicle license plate information collected for participation in a campaign offering rewards to those who purchase a certain quantity of products within a specified period should not be used or retained beyond the campaign’s end, if there is no other processing condition, and should be destroyed accordingly.
In this regard, as specified in Article 12 of the KVKK, our Company, as the data controller, takes all necessary technical and administrative measures to ensure an adequate level of operational and security measures. These measures are aimed at preventing the unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the retention and, if necessary, the destruction of personal data.
In this context, our Company retains personal data for the minimum period necessary for the purposes for which it was processed and as prescribed by relevant legal regulations. Accordingly, our Company first determines whether the relevant legislation specifies a retention period for personal data and adheres to that period if specified. If no legal retention period is established, personal data is retained for the duration necessary for the purposes for which it was processed, taking into account the retention periods determined based on our Company’s activities. At the end of the specified retention periods, personal data is destroyed in accordance with periodic destruction schedules, data subject requests, and the designated destruction methods (deletion, destruction, or anonymization). For more detailed information on storage and destruction, you can refer to the “Personal Data Retention and Destruction Policy” available on our Company’s website at “www.cosmic-tickets-audios.com/tours”.
4.2. Legal Grounds for Processing Personal Data
Aside from the data subject’s explicit consent, the basis for personal data processing activities can be one or more of the conditions listed below. In cases where the processed data is classified as sensitive personal data, additional conditions specified in sections 4.3 and 4.5.2 of this Policy will also apply.
4.2.1. Presence of the Data Subject’s Explicit Consent
The data subject’s explicit consent is one of the conditions for personal data processing. However, if the personal data processing activity is based on one of the conditions other than explicit consent listed in the KVKK and the subsequent sections, there is no need to obtain explicit consent from the data subject. Instead, priority should be given to the conditions specified other than this consent. Therefore, our Company ensures that personal data processing activities are conducted in accordance with these legal provisions while always fulfilling the obligation to provide information.
In cases where the specified legal provisions for data processing are not available or do not adequately provide for personal data processing, personal data is processed by our Company based on the data subject’s explicit consent. In such cases, utmost care and diligence are observed to ensure that the data subject’s explicit consent is informed, related to a specific issue, and provided freely. Additionally, during explicit consent-based data processing, the obligation to provide information is always fulfilled independently and beforehand, ensuring that consent is obtained in an informed manner. Similarly, obtaining explicit consent for data processing is not made a prerequisite for any goods or services, and it is carried out in a manner that does not disadvantage the data subject if consent is not given.
To reiterate, in the presence of any of the personal data processing conditions listed below, personal data will be processed by our Company based on these conditions without the need for the data subject’s explicit consent.
4.2.2. Explicit Provision in Laws
If the processing of the data subject’s personal data is explicitly provided for by law, or in other words, if there is a specific provision regarding the processing of personal data in relevant laws such as the Tax Law, Labor Law, Commercial Code, and KVKK, then this data processing condition will apply. For example, the collection and retention of personal information and files of employees required by the Labor Law or tax identification numbers of customers required by financial regulations fall within this scope.
4.2.3. Inability to Obtain the Data Subject’s Explicit Consent Due to Practical Impossibility
In cases where the data subject is unable to provide consent due to practical impossibility or lacks the capacity to give valid consent, and it is necessary to process their personal data to protect their own or another person’s life or bodily integrity, the personal data of the data subject may be processed. For example, the processing of personal health information of an unconscious person or the communication and location information of a kidnapped individual falls within this scope.
4.2.4. Directly Related to the Establishment or Performance of a Contract
If the processing of personal data of the parties to a contract is necessary and directly related to the establishment or performance of the contract, then processing of such data solely for this purpose will satisfy this condition. For example, recording address information for the provision of services/products resulting from legal relationships such as Employment Contracts, Sales Contracts, Transportation Contracts, Service Contracts, etc., or providing such information to a shipping company, or requesting a document showing the educational status from a Company employee, fall within this scope. Similarly, obtaining the account number of a creditor for payment under a contract or obtaining the salary slip, property records, or a document confirming no outstanding debt during the establishment of a guarantee contract are also examples of this situation.
Sometimes, the collection of personal data may have multiple legal bases. For example, while the legal basis for processing employees’ personal data for the purpose of preparing a payroll falls under this provision, it also simultaneously constitutes the reason for fulfilling our Company’s legal obligations, which will be discussed below.
4.2.5. Fulfillment of Our Company’s Legal Obligations
Personal data of the data subject may be processed if it is necessary for our Company to fulfill its legal responsibilities and obligations. For example, data processing required for compliance with financial audits, security regulations, and industry-specific regulations falls under this condition. In this context, obtaining and processing data such as bank account numbers, marital status, dependents, whether the spouse is employed, and social security numbers for paying salaries to employees are examples of this situation. Additionally, providing information about employees or customers to relevant public officials during a tax audit can also be considered within this scope.
4.2.6. Disclosure of Personal Data by the Data Subject
If the data subject has disclosed their personal data, meaning they have made their information publicly available with the intention of publicizing it and for specific purposes, the personal data can be processed solely for the purpose of that disclosure. If a person’s personal data ends up in a publicly accessible location only by accident or through loss, this does not constitute a legitimate disclosure. Therefore, data processing must be conducted with attention to these details. Additionally, personal data disclosed must not be used for purposes other than those for which it was disclosed. For example, contact information of individuals found on websites for buying and selling vehicles cannot be used or processed for marketing purposes.
An example of this situation would be an individual publicly posting their contact information to be contacted under certain circumstances. In cases where corporate websites share employees’ workplace phone numbers and corporate email addresses in a manner accessible to third parties, this can also be considered as publicizing. Additionally, for example, contact information of individuals found in advertisements related to the supply or demand of goods or services within the scope of our Company’s activities can be processed for the purpose of that publicizing.
4.2.7. Necessity of Data Processing for the Establishment or Protection of a Right
For our Company, if data processing is necessary for the establishment, exercise, or protection of a legal right, the personal data of the data subject may be processed. These data are necessary for tasks such as filing a lawsuit, registration procedures, and any kind of title deed transactions. For example, storing certain personal data and information of a former employee for the 10-year statute of limitations in case it is needed as evidence in a lawsuit falls under this category. Similarly, after the termination of a contract, retaining documents such as invoices, contract copies, and guarantees until the end of the statute of limitations for potential legal claims or proceedings will also be considered within this scope.
4.2.8. Necessity of Data Processing for Our Company’s Legitimate Interests
Personal data may be processed if it is necessary for our Company’s current, significant, and legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject. For example, our Company may process personal data in areas such as employee promotions, salary increases, or adjustment of social benefits, as well as in role distribution during business restructuring, as long as it does not harm the employees’ fundamental rights and freedoms. Additionally, data processing for security purposes, such as recording camera footage at our workplaces, or implementing rewards and incentives to increase employee loyalty, is carried out under this scope.
In applying this provision, we must ensure a reasonable balance between our Company’s legitimate interests and the protection of the data subject’s rights and freedoms. However, it should be noted that while making this assessment, the legitimate interest of our Company should not be confused with the purpose of processing personal data. The purpose of processing personal data specifically relates to the reason for processing the data. In this context, the legitimate interest of the data controller, i.e., our Company, is interpreted more broadly as it relates to the benefit gained from the data processing activity.
4.3. Processing of Special Categories of Personal Data
The special categories of personal data processed by our Company are limited to the following special categories of personal data of our suppliers, business partners, employees, and job candidates. These are processed in accordance with the principles outlined in this Policy and according to the methods determined by the Board, provided that adequate precautions are taken, including all necessary administrative and technical measures, and under the conditions specified below. Our Company does not process special categories of personal data for any other group of individuals or data categories beyond those mentioned.
4.3.1. Special Categories of Personal Data of Our Suppliers and Business Partners
Biometric data obtained through internet-based platforms used during remote work/meetings via video conferencing, related to our suppliers and business partners, are processed based on the explicit consent of the data subject, as per Article 6/3-a of the KVKK (Personal Data Protection Law). This means that before processing such data, consent will be obtained from the data subject; otherwise, no processing of such special categories of personal data will occur.
4.3.2. Special Categories of Personal Data of Our Employees and Job Applicants
Special categories of personal data of our employees are collected and processed by our company based on the legal grounds and purposes specified in Article 6/3 of the KVKK (Personal Data Protection Law). In this context:
- Biometric data, such as video recordings obtained through internet-based platforms used during video conference meetings, are processed based on the explicit consent of the data subject, as per Article 6/3-a of KVKK.
- Health-related data, including workplace health and safety, employment of disabled personnel, incapacity reports, and pregnancy and childbirth information for female employees, are processed based on explicit consent as per Article 6/3-a. Additionally, such data may also be processed based on explicit legal provisions under Article 6/3-b of KVKK and to fulfill legal obligations related to employment, occupational health and safety, and social security under Article 6/3-f of KVKK.
- Data related to criminal convictions and security measures are processed based on explicit consent as per Article 6/3-a. If there is a mandatory employment obligation, such data is also processed based on explicit legal provisions under Article 6/3-b of KVKK and to fulfill legal obligations related to employment under Article 6/3-f of KVKK.
This data is processed by personnel who have signed confidentiality agreements and by occupational health and safety (OHS) doctors who are under confidentiality obligations.
In the context of processing special categories of personal data for job applicants:
- Special categories of health data, including reports on physical disabilities and any significant past illnesses or surgeries, are processed based on the explicit consent of the data subject, in accordance with Article 6/3-a of the KVKK.
Apart from these, there are no other special categories of personal data processed by our Company.
4.4. Informing the Data Subject
Our company informs data subjects in accordance with Article 10 of the KVKK and secondary regulations about who, as the data controller, processes their personal data, for what purposes, with whom the data is shared, the methods of collection, the legal grounds, and the rights they have regarding the processing of their personal data.
If personal data is provided to our company by someone other than the data subject, meaning that a person interacting with our company provides data belonging to someone else, then the process of informing and, if necessary, obtaining consent from the relevant third party will be carried out either at the time of initial contact if the data was provided for the purpose of contacting that third party, or at the time when the data is first processed or transferred.
Examples of the situations mentioned in the paragraph above include: a customer wishing to purchase goods or services using someone else’s credit card, individuals sending reference letters for the hiring of employees, relatives of employees whose identification information is collected for additional social payments, such as the Additional Family Allowance (AGİ).
4.5. Transfer of Personal Data
Our company, in accordance with legal requirements, and with necessary security measures, may transfer personal data and special categories of personal data to third parties (such as our specialist service providers, suppliers, group companies, shareholders, business partners, and their authorized representatives and employees, as well as legally authorized institutions and organizations) both domestically and internationally, for purposes aligned with personal data processing. In this context, our company acts in accordance with the provisions outlined in Articles 8 and 9 of the KVKK (Personal Data Protection Law).
4.5.1. Transfer of Personal Data Within the Country
Personal and special categories of personal data processed by our Company can be transferred within the country to the stakeholders mentioned above, based on the explicit consent of the data subject, in accordance with Article 8/1 of the KVKK. Additionally, pursuant to Article 8/2-a of the KVKK, personal and special categories of personal data can be transferred domestically without the explicit consent of the data subject if one of the conditions specified in Article 5/2 of the same Law, or one of the conditions specified in Article 6/3 of the same Law, is met. Provisions in other laws related to the transfer of personal data remain reserved.
In this context, according to Article 8/2-a of the KVKK, the conditions specified in Article 5/2 of the KVKK that allow the transfer of personal data by our Company without the need for the data subject’s consent are as follows:
- The relevant activities concerning the transfer of personal data are explicitly provided for in the laws,
- The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
- The transfer of personal data is necessary for the Company to fulfill its legal obligations,
- The transfer of personal data by the Company, provided that the data has been publicly disclosed by the data subject, is limited to the purpose of disclosure,
- The transfer of personal data by the Company is necessary for the establishment, use, or protection of the rights of the Company, the data subject, or third parties,
- The transfer of personal data is necessary for the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject,
- The transfer is necessary to protect the life or bodily integrity of a person who is unable to express their consent due to practical impossibility or whose consent is not legally valid.
According to Article 8/2-b of the KVKK, the conditions specified in Article 6/3 of the KVKK that allow the transfer of special categories of personal data by our Company without the need for the data subject’s consent are as follows:
- Explicitly provided for in laws,
- Necessary to protect the life or bodily integrity of a person who is unable to express their consent due to practical impossibility or whose consent is not legally valid,
- Related to personal data that has been disclosed by the data subject and consistent with the intention of disclosure,
- Necessary for the establishment, use, or protection of a right,
- Necessary for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance.
4.5.2. Transfer of Personal Data Abroad
The transfer of personal and special categories of personal data processed by our company abroad is carried out in accordance with the conditions specified in Article 9 of the KVKK (Personal Data Protection Law). In this context:
- According to Article 9/1 of the KVKK, the transfer of personal data abroad requires the existence of one of the conditions specified in Articles 5 and 6 of the same Law (detailed under the section “4.5.1. Transfer of Personal Data Within the Country” above) and the presence of an adequacy decision issued by the Board and published in the Official Gazette for the country, sectors within the country, or international organizations where the data will be transferred. In such cases, our company can transfer personal and special categories of personal data abroad.
- According to Article 9/4 of the KVKK, if there is no adequacy decision, personal data may be transferred abroad by our company if one of the conditions specified in Articles 5 and 6 of the same Law is met, and the data subject has the opportunity to exercise their rights and access effective legal remedies in the country to which the data is being transferred. Additionally, at least one of the following appropriate safeguards must be provided:
  - The existence of a standard contract announced by the Board, which includes data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures for special categories of personal data,
  - The presence of a written undertaking containing provisions that provide adequate protection and permission granted for the transfer by the Board,
  - The existence of binding corporate rules within our group of companies engaged in joint economic activities, which contain provisions on the protection of personal data and are approved by the Board.
- In accordance with Article 9/6 of the Turkish Personal Data Protection Law (KVKK), in the absence of an adequacy decision and if any of the appropriate safeguards specified in Article 9/4 of the KVKK and its paragraphs above cannot be provided, our Company may transfer personal data abroad on an exceptional basis, provided that one of the following conditions is met:
  - The data subject gives explicit consent to the transfer after being informed about possible risks.
  - The transfer is necessary for the performance of a contract between our Company, as the data controller, and the data subject, or for implementing pre-contractual measures taken upon the request of the data subject.
  - The transfer is necessary for the establishment or performance of a contract to be concluded between our Company, as the data controller, and another natural or legal person in the interest of the data subject.
  - The transfer is necessary for reasons of public interest.
  - The transfer of personal data is necessary for the establishment, exercise, or defense of a legal right.
  - The transfer of personal data is necessary to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid, or to protect another person’s life or physical integrity.
  - The transfer is made from a publicly available register, provided that the conditions required to access the register in the relevant legislation are met and upon the request of a person with a legitimate interest.
In cases where personal data is transferred abroad within the scope specified above, our Company also pays special attention to the following matters:
- Safeguards provided in this Law for subsequent transfers of personal data transferred abroad and transfers to international organizations shall also be ensured, and the provisions of this article shall be applied (KVKK, Art. 9/8).
- Without prejudice to the provisions of international agreements, where the interests of Turkey or the data subject would be seriously harmed, personal data may be transferred abroad only with the permission of the Board after obtaining the opinion of the relevant public institution or organization (KVKK, Art. 9/9).
- The provisions of other laws regarding the transfer of personal data abroad are reserved (KVKK, Art. 9/10).
5. SPECIAL CIRCUMSTANCES IN WHICH PERSONAL DATA IS PROCESSED
5.1. Personal Data Processing Activities Conducted for Security Purposes in the Physical Premises of Our Company
5.1.1. Personal Data Processing Activities Conducted at the Entrances and Inside the Buildings and Facilities
The data processing activities carried out in the physical premises of our company’s service units fall within this scope. In these specified physical premises, the Company monitors and records the entrances and exits of employees, customers, potential customers, visitors, company officials, shareholders, guests, and other third parties through closed-circuit camera systems 24 hours a day, 7 days a week. This is done to ensure data security and physical security, provide evidence to judicial authorities and law enforcement officers in the event of a possible legal case, control the entry and exit of employees and other persons, and ensure the safety of life and property. These video recordings, which qualify as personal data, are processed accordingly.
5.1.2. Legal Basis for Surveillance Activities by Camera
The surveillance activity conducted by our Company through cameras is carried out in accordance with the Regulation on Business Opening and Working Licenses, the Law on Private Security Services, and other relevant legislation.
Furthermore, the Company complies with the regulations set forth in the Turkish Personal Data Protection Law (KVKK) while conducting surveillance activities by camera for security purposes. In order to ensure security in the Company’s service units, closed-circuit security camera monitoring is conducted in line with the purposes stipulated in the relevant legislation in force and in compliance with the personal data processing conditions listed in the KVKK.
5.1.3. Information Regarding Surveillance by Camera
In accordance with Article 10 of the Turkish Personal Data Protection Law (KVKK), our Company provides information to the data subject. In this regard, information notices and warning signs, prepared in accordance with Law No. 6698 and relevant legislation, are positioned visibly in the monitored areas. Concerning general matters, our Company provides multiple methods of notification regarding surveillance activities to ensure that data subjects are informed about the camera surveillance activities. In this way, it aims to prevent any harm to the fundamental rights and freedoms of the data subject, and to ensure transparency and that the data subject is properly informed.
Additionally, regarding personal data processing through cameras, this Policy is published on the Company’s website (online policy regulation), and notices and signs regarding surveillance are placed at the entrances of monitored areas (on-site information, layered information).
5.1.4. Purpose of Conducting Surveillance Activities with Cameras and Limitation to the Purpose
Our company processes personal data in a manner that is related to, limited to, and proportional to the purpose for which it is processed, in accordance with Article 4 of the KVKK (Personal Data Protection Law). The purpose of conducting video surveillance by the company is limited to the objectives stated in this Policy. In this regard, the monitoring areas, number of security cameras, and the times of surveillance are implemented to be sufficient and limited to achieving security purposes. Areas that could result in an intrusion into an individual’s privacy beyond the security objectives are not subject to surveillance.
5.2. Processing of Information Related to the Company’s Website and Users Provided with Internet Access
5.2.1. Processing of Website User Information
On the websites owned by the company, IP addresses and technical means (e.g., cookies) may be used to record internet activities on the sites in order to ensure that visitors conduct their visits in a manner appropriate to their purposes, to display customized content, and to engage in online advertising activities. Detailed explanations regarding the protection and processing of personal data related to these activities can be found in the ‘Cookie Information Text’ on the website ‘www.cosmic-tickets-audios.com/tours’.
5.2.2. Processing of Information Related to Users Provided with Internet Access by the Company
When employees, shareholders, and visitors (including any third parties) use the free internet access provided at the company’s service units, the information entered for the internet connection, along with the device’s identification number, IP and log records, and other traffic information, may be recorded in accordance with the provisions of Law No. 5651 and related regulations. Within this framework, access to the collected information is restricted to a limited number of company employees.
These records are processed only in cases where they are requested by authorized public institutions and organizations or for fulfilling our legal obligations during internal audits conducted for information security purposes, and/or for protecting and establishing our legal rights. They are not shared with third parties, except for specialized service providers.
6. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING AND SHARING
In accordance with Article 10 of the KVKK and secondary legislation, individuals are informed by our company. Personal data is processed in line with the purposes of our company’s data processing and based on at least one of the conditions for processing personal data specified in Articles 5 and 6 of the Law, and in a limited manner. This processing is carried out in compliance with the general principles and conditions specified in Article 4 of the KVKK and the general principles outlined in the KVKK.
Within the scope of personal data processing activities conducted by our company, the categories of personal data processed and their descriptions are organized and displayed in the table below:
Table 2: Categories of Personal Data
CATEGORIES OF PERSONAL DATA | DESCRIPTION |
Identity Information | These are personal data containing information about a person’s identity, such as name, Turkish ID number, nationality, marital status, mother’s name, father’s name, place of birth, date of birth, age, gender, and documents such as driver’s license, ID card, and passport. This also includes tax number, SGK (Social Security) number, signature information, and similar details. |
Contact Information | Personal data such as phone number, address, and email address. |
Employee, Former Employee, Job Applicant Information | Personal data processed in written, visual, and electronic formats related to company employees, former employees, job applicants, and interns, in accordance with applicable legislation and commercial |
Family Members and Close Contacts Information | Within the framework of operations conducted by company business units, personal data about the data subject’s family members (e.g., spouse, parents, children for purposes such as providing employee benefits or monitoring chronic illnesses in workplace health activities) and close contacts in emergency situations are processed to protect the legal interests of the company and the data subject. |
Physical Space Security Information | Personal data related to records and documents collected during entry into and while staying in physical spaces; including camera recordings and records taken at security checkpoints, etc. |
Process Security Information | Personal data processed to ensure the technical, administrative, legal, and commercial security of both the data subject and the company while conducting the company’s activities; including internet access and web traffic information provided by the company, security camera footage, and call center voice recordings. |
Risk Management Information | Personal data processed through methods used to manage commercial, technical, and administrative risks, in accordance with generally accepted legal, commercial practices, and principles of integrity. |
Financial Information | Personal data related to any financial information, documents, and records generated under the legal relationship between the company and the data subject, including bank account numbers, IBAN numbers, credit card information, and financial profiles. |
Legal Transaction and Compliance Information | Personal data processed for the identification and monitoring of the company’s legal receivables and rights, fulfillment of debts, compliance with legal obligations and company policies, and legal follow-up of employees’ actions. |
Special Categories of Personal Data | Data specified in Article 6 of the Law (e.g., health data including blood type, criminal record information). |
Request/Complaint Management Information | Personal data related to the receipt and evaluation of all types of requests or complaints directed to the company, including call center voice recordings. |
Reputation Management Information | Personal data associated with individuals and collected for the purpose of protecting the company’s commercial reputation (e.g., posts related to the company). |
Incident Management Information | Information and assessments collected regarding incidents that could potentially affect company employees or shareholders, and associated with the personal data subject (e.g., information and assessments related to managing public relations correctly). |
The purposes of personal data processing carried out by our company are shown in the table below:
Table 3: Purposes of Personal Data Processing
MAIN PURPOSES | SECONDARY PURPOSES |
Determination, planning, and implementation of our company’s commercial policies | 1. Planning and execution of internal or external training activities 2. Conducting financial, accounting, and fiscal transactions with customers, business partners, and suppliers, and carrying out risk management |
Designing and executing the company’s Human Resources activities | 1. Planning and executing human resources and employee recruitment processes 2. Fulfilling obligations arising from employment contracts and legislation for company employees 3. Monitoring and supervising employees’ work activities 4. Planning and implementing fringe benefits and perks for employees 5. Planning and executing employee offboarding processes 6. Planning and tracking employee performance evaluation processes 7. Planning and executing internal training activities 8. Managing relationships with business partners and suppliers 9. Wage management 10. Planning and executing internal orientation activities |
Carrying out the necessary activities by the company’s business units to ensure that the company’s commercial activities are conducted in accordance with legislation and company policies, and executing activities accordingly | 1. Tracking financial and accounting tasks 2. Conducting investor relations and marketing activities 3. Planning and executing corporate communication activities 4. Planning and executing effectiveness/efficiency and appropriateness analyses of business activities; event management 5. Ensuring the uninterrupted execution of the supply chain and its processes 6. Establishing and managing information technology infrastructure 7. Planning, auditing, and executing information security processes 8. Planning and executing business continuity activities 9. Planning and executing information access permissions for business partners and suppliers 10. Fulfilling post-sales support obligations |
Supporting the design, planning, and execution of the company’s human resources activities | 1. Supporting the planning of the company’s human resources strategies 2. Monitoring and announcing employee transfers, temporary assignments, promotions, and separations 3. Supporting the planning and execution of processes for measuring employee engagement 4. Assisting in the employee recruitment processes |
Protecting the company’s commercial reputation and the trust it has established | 1. Demand and complaint management 2. Implementing efforts to protect the company’s values and reputation |
Our company transfers/shares personal data within the scope of this Policy in accordance with the principles set out in the KVKK (Personal Data Protection Law) and specifically Articles 8 and 9 of Law No. 6698, to the recipient groups listed below and for the purposes specified in the table below:
Table 4: Categories of parties to whom personal data is transferred and the purposes of transfer
PERSONS TO WHOM DATA IS TRANSFERRED | DEFINITION | PURPOSE OF DATA TRANSFER |
Shareholders, Group Companies, Business Partners, and Their Authorized Representatives and Employees | Parties with whom the company establishes partnerships or alliances, both within and outside the group, for purposes such as conducting its commercial activities and its business partner | Solely to ensure the establishment and fulfillment of the purposes of the partnership/consortium |
Suppliers, Service Providers, Specialist Service Providers, Their Authorized Representatives and Employees, Relevant Bank Branches-Financial Institutions, Pension Fund Company | Parties that provide goods or services to the company, in accordance with the company’s instructions and based on contractual agreements, within the scope of conducting the company’s commercial activities | Solely for the purpose of providing goods and services obtained from external sources necessary for the company’s commercial activities, as well as specialized services such as Accounting, Finance, IT, and Legal services. |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the company according to relevant legal provisions | Solely for the purpose requested within the legal authority of the relevant public institutions and organizations |
Legally Authorized Private Legal Entities | Private legal entities authorized to receive information and documents from the company according to relevant legal provisions | Solely for the purpose requested within the legal authority of the relevant private legal entities |
7. STORAGE AND DESTRUCTION OF PERSONAL DATA
Our company retains personal data for the duration necessary for the purpose for which it was processed and in accordance with the minimum periods prescribed by the relevant legal regulations applicable to the activity. In this regard, our company first determines whether the relevant regulations prescribe a specific retention period for personal data, and if so, adheres to that period. If no legal period is specified, personal data is retained for as long as necessary for the purpose for which it was processed. At the end of the specified retention periods, personal data is destroyed in accordance with periodic destruction schedules or upon the data subject’s request, using the designated destruction methods (deletion, destruction, or anonymization).
Detailed information regarding the storage and destruction of personal data processed by our company, including the record environments where the data is kept, all technical and administrative measures taken to ensure its secure storage and protection, explanations related to legal reasons for retention and destruction, personal data retention periods and periodic destruction schedules by process, and destruction techniques, can be found in the “Personal Data Storage and Destruction Policy” available on our company’s website at www.cosmic-tickets-audios.com/tours.
8. PRIVACY
Our company does not transfer or disclose your personal data to unauthorized third parties, except as specified in this Policy, the “Customer Personal Data Disclosure Statement” published on our website “www.cosmic-tickets-audios.com/tours” or other specific disclosure statements, and except for the exceptions specified in Articles 8 and 9 of the KVKK (Personal Data Protection Law), without your explicit consent. Only authorized personnel of our company with confidentiality agreements and, with respect to health data, our workplace doctors who have an additional obligation of confidentiality, can access the personal data processed by our company.
Our company may use statistical information (such as browser type, geographical location, etc.) without disclosing personal identities on our website, for the purpose of improving the website and obtaining statistics for effective and efficient operation based on legitimate interests. This information is never disclosed to third parties. However, it may be shared with the parties specified in this Policy and the Disclosure Statement in the event of legal obligations or requests from official authorities.
Our company does not guarantee that other sites you may visit through links on our website will comply with our Privacy Principles; therefore, you should evaluate the privacy practices of those sites before providing any personally identifiable information.
Our company takes all necessary measures within its means, based on the nature of the personal data being protected, to prevent the disclosure and transfer of your personal data in violation of the Law No. 6698, the provisions of this Policy, and the separate disclosure statements prepared for relevant parties as application/procedure documents of this Policy. These measures are also aimed at preventing unauthorized access to the data and addressing any potential security shortcomings.
9. RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
9.1. Rights of the Data Subject
According to Article 11 of the Law, data subjects have the following rights:
- To learn whether their personal data is being processed,
- To request information about their personal data if it has been processed,
- To learn the purpose of processing their personal data and whether it is used in accordance with that purpose,
- To know the third parties to whom their personal data has been transferred, both domestically and internationally,
- To request correction of their personal data if it is incomplete or inaccurate,
- To request the deletion or destruction of their personal data if the reasons requiring processing no longer exist, as per the conditions specified in Article 7 of the KVKK,
- To request notification of the transactions made under (d) and (e) to third parties to whom their personal data has been transferred,
- To object to a result that is detrimental to them arising from the analysis of their processed data solely through automated systems,
- To request compensation for damages incurred due to unlawful processing of their personal data,
- To withdraw their consent for processing their personal data and any approval given for receiving electronic commercial communications at any time without providing a reason.
9.2. Ways to Apply to Our Company Regarding Your Rights
To exercise the rights mentioned above, you can submit your requests by filling out the “Personal Data Subject Application Form” or a similar petition according to the “Regulation on the Procedures and Principles for Application to the Data Controller.” You can submit your application in person with identity verification to our company at the following address: “Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu/İSTANBUL,” or via written communication through a notary, or by sending an email to “info@cosmic-tickets-audios.com” using registered/safe electronic mail.
Depending on the nature of your request, it will be processed free of charge as soon as possible, and no later than thirty days. However, if the process requires additional costs, you may be charged according to the tariff determined by the Personal Data Protection Board.
10. PUBLICATION AND STORAGE OF THE POLICY
The Policy is published in two formats: a printed (signed) copy and an electronic version, and is made publicly available on the website. The printed copy is kept in the file maintained by the Personal Data Protection Officer, who is the designated contact person for the company.
11. POLICY UPDATE PERIOD
The Policy is reviewed as needed and updated accordingly.
12. EFFECTIVENESS AND WITHDRAWAL OF THE POLICY
This Policy, issued by our company, is dated June 1, 2024. The Policy is considered effective and accessible to data subjects upon its publication on our website www.cosmic-tickets-audios.com/tours. If the entire Policy or specific provisions are updated, the effective date will be revised accordingly.
In the event that the Policy is withdrawn, the old signed copies will be canceled by the Company’s Data Protection Officer, either by stamping “canceled” or by writing “canceled” on them. These canceled copies will be signed and kept in the file maintained by the Personal Data Protection Officer for a period of 10 years.