Demand Management Procedure

• 1.1. Introduction

  This Head Office address is Beylikdüzü OSB Mah. Hürriyet Bulvarı No:10/9, 34524 Beylikdüzü Istanbul, Ekom Elektrik Elektronik Sanayi ve Ticaret Anonim Şirketi ("Company") Demand Management Procedure ("Procedure"), registered in the Istanbul Trade Registry, has been prepared in order for the Company to take the necessary actions as stipulated by law as the data controller in case the data subjects submit their applications regarding their personal data to the Company by the methods determined by the Personal Data Protection Board. In line with the Communiqué on the Procedures and Principles of Application to the Data Controller, the Company meticulously fulfills the stages specified in the Procedure by carrying out the process with a sensitive approach in order to protect the fundamental rights and freedoms of data subjects who apply for their personal data and to prevent damage to their rights to access information.
  Relevant Persons may submit their requests regarding their rights listed in 1.2. of the Procedure ("Rights of the Relevant Person") by filling out the "Application Form" to the Company's Beylikdüzü OSB Mah. Hürriyet Bulvarı No:10/9, 34524 Beylikdüzü İstanbul in person or through a notary public or via info@e-kom.com e-mail address or ekom@hs02.kep.tr registered electronic mail (KEP).

• 1.2. Rights of the Personal Data Subject

  Pursuant to Article 11 of the Law, Data Subjects may always apply to the Company regarding their personal data in the following matters:

  1. Learn whether personal data is being processed,
  2. Request information if their personal data has been processed
  3. To learn the purpose of processing personal data and whether they are used for their intended purpose,
  4. To know the third parties to whom personal data is transferred domestically or abroad,
  5. To request correction of personal data in case of incomplete or incorrect processing,
  6. Request deletion or destruction of personal data,
  7. In case of correction, deletion or destruction of personal data, to request notification of these transactions to third parties to whom personal data are transferred,
  8. To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  9. In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

  With the exception of the cases listed in paragraph 1 of Article 28 of the Personal Data Protection Law, it is not possible for personal data owners to assert their rights in related matters. Again, it will not be possible for personal data owners to assert their rights, except for requesting the compensation of the damage in accordance with paragraph 2 of Article 28 of the Law.

• 3.1. Form of Application

  The Data Subject is obliged to submit his/her requests for the implementation of the Personal Data Protection Law ("Law") to the Company first. The form of the application to be made by the Data Subject is firstly a written application in accordance with the Law. Other methods other than written application are determined by the Board with the authorization granted. With the secondary regulations issued by the Board, the Board has determined the registered electronic mail (REM) address, secure electronic signature, mobile signature or the electronic mail address previously notified to the data controller by the data subject and registered in the system of the data controller or a software or application developed for the purpose of application as other application methods to be made to the data controller.
  In order for the applications to be recorded and delivered to the relevant person without delay, a contact person is determined within the Company. The person whose duty is determined quickly forwards the applications to the relevant department or employee and establishes coordination with the responsible member specified in the Internal Directive of the Company's Personal Data Protection Commission.

• 3.2. Content of the Application

  Pursuant to Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller, the application of the Data Subject must include the name, surname and signature if the application is in writing, T.R. identification number or nationality for foreigners, passport number or identification number, if any, residential or workplace address for notification, e-mail address for notification, if any, telephone and fax number and the subject of the request.
  In accordance with this Procedure, in order to evaluate the requests of the Relevant Person, it is first determined whether the person making the application is the owner of the personal data processed by the Company. In order to process the application and deliver the result to the right person, the identity information of the applicant is determined.
  The Company uses a standard form to receive applications (Request Application Form).
  For applications that are not received by the means specified in the procedure, if the identity of the applicant has been determined and the information requested by the form has been provided, applications made by such means may also be evaluated and the Data Subject may be directed to valid application channels.
  For applications that do not meet these qualifications, the applicant may be contacted until the information requested in the form is obtained; if this is not possible, it should be stated that the application is rejected on the grounds of non-compliance with the procedure. In this respect, if the application of the Relevant Person prevents the rights and freedoms of other persons, requires disproportionate effort, or if the information is already public information, the Company may reject the request by explaining its reasoning.

• 4.1. Application by Attorney or Legal Representative

  Since there is no regulation preventing the application to be made by the attorney or legal representative of the Relevant Person, some applications may not be made directly by the Relevant Person.
  In this case, the Company checks whether the applicant is authorized to make the application. For example, in the application sent by the lawyer of the Data Subject, a copy of the power of attorney should be requested from the lawyer and it should be understood whether he/she is authorized to apply. For applications concerning the personal data of minors, copies of documents determining the authority of the legal representative are requested.

• 4.2. Remuneration

  Pursuant to Article 7 of the Communiqué on the Procedures and Principles of Application to the Data Controller; If the Company responds to the application of the Data Subject in writing, it does not charge a fee up to ten pages. A transaction fee of 1,00-TL may be charged for each page over ten pages. If the response to be given as a data controller should be given in a recording medium such as CD, flash memory, the fee that the Company may request will not exceed the cost of the recording medium.

• 5.1. Overview

  Step 1: First of all, each application is examined by being recorded by the member/team determined by the Commission and the identity information of the person is checked and it is determined whether the person is authorized to apply.
  If the personal data specified by the Data Owner in the application form is not found in the Company's database, the relevant person is notified that "there is no data record and personal data about the applicant is not processed by the company".
  Step 2: "Personal Data Processing Inventory" is applied as a guide in the responses to the applications. The relevant section regarding the Data Owner's request (data processing purpose inquiry, request for correction of missing or incorrect information, etc.) is determined. A response text is prepared in line with the Data Subject's request by looking at the data category equivalents of the data processing purposes, data shared party information, etc. in the Inventory.
  Step 3: Every action taken by the company regarding the application process, relevant documents and query results are recorded by the member/team designated by the Commission and stored in the electronic directory created for this purpose.

• 5.2. Contact Person Application Evaluation Process

  In the requests of the Relevant Person or his/her representative for correction of incomplete/incorrect information, the documents sent by the Relevant Person or his/her representative to confirm the relevant information are compared with the information contained in the Company records and examined. If it is concluded that the relevant documents are correct, the Company makes the necessary corrections and completions and delivers a response text with the updates made to the Data Subject.
  In the requests of the Data Subject for the destruction of personal data, the Company first investigates whether the relevant data is kept within the scope of a legal obligation. In the absence of a legal obligation, the destruction process is carried out in line with the request and a response text is sent to the Data Subject explaining the transaction and its results. If necessary, the relevant third parties are also requested to fulfill this request.
  If the Company stores the relevant data due to legal obligation, the Data Subject is informed that his/her personal data is stored within the framework of legal obligations and that his/her request cannot be fulfilled.
  In the event that the Data Subject or his/her representative has a claim for damages, the Company examines the situation with the legal department / consultancy or relevant units. A response regarding the result and details will be prepared and sent to the Data Subject.

All applications are responded by the Commission.
The Company must take the necessary administrative and technical measures to finalize the applications to be made by the personal Data Subject in accordance with the Law and secondary legislation. The Company is obliged to fulfill the request as soon as possible or in any case within thirty (30) days at the latest. If no response is given within this period, the applicant may file a complaint with the Board. The information that should be included in the Company's response to the Relevant Person is given below:

• Requestor
• Requests and the resulting information and documents provided
• Date of receipt of the request, if additional information and documents related to the request have been requested; the date of these requests and the date of receipt of the relevant responses
• Actions taken on the request
• Statement in response to a request
• Date of request response and authorized signature