A.IN GENERAL

As HDI Sigorta A.Ş. ("HDI Sigorta"), we show maximum sensitivity to the security of your personal data. With this awareness, we attach great importance to the processing and protection of all personal data of all persons associated with HDI Sigorta, including those who benefit from our products and services, in the best possible way and with care. With the full understanding of this responsibility, we process your personal data as Data Controller pursuant to Personal Data Protection Law, numbered 6698 ("Personal Data Protection Law") and the relevant legislation, as explained below and within the limits prescribed by the relevant legislation.

B.IDENTITY OF DATA CONTROLLER

In the paragraph (ı) of the clause 1 of the article 3 of the Personal Data Protection Law, the data controller is defined as 'the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system'. In this regard, HDI Sigorta is in the position of "data controller" in terms of the activities it will perform within the scope of this Clarification Text.

C.COLLECTION AND PROCESSING OF PERSONAL DATA, PROCESSING PURPOSES

Although your personal data may vary depending on the service, product or commercial activity provided by HDI Sigorta, they are collected verbally, in writing or electronically through agents, regional offices, departments, call centers, websites, social media channels, mobile applications and similar means, either by automatic or non-automatic methods. Your personal data can be composedand updated as long as you benefit from the services of HDI Sigorta and its brands, and can be processed for the following purposes:

• Fulfilling storage obligations arising from legislation, especially the Turkish Commercial Code No. 6102;
• Contacting with sales channels, determining agencies’ working conditions and subsequent processes;
• Performing analysis of liabilities/reserves of the company for future periods by using damage and production data;
• Preparing the relevant reports by taking the realized data of the company after the month-end closing and conducting actuarial tariff studies;
• Finalizing the files by managing the damage process and examining the claim applications;
• Making the data available to departments by transferring it;
• Creating employee’s personnel files;
• Organizing trainings;
• Detecting fraudulent damages;
• Resolving all legal problems of the company: lawsuits filed against the company, lawsuits filed by the company (excluding recovery claim for damages), written warnings, criminal complaints, debt proceedings (excluding recovery proceedings), consultancy services, preparation/review of contracts and final negotiations and finalization of problematic claim files;
• Performing audits, analyses and reportings;
• Fulfilling the administrative affairs of the company, fulfilling the sub-employer responsibilities;
• Evaluating the candidate's eligibility for the job, recording the existing staff in the performance system and including them in the evaluation;
• Examining employees at the outpatient clinic, keeping training records, recording the decisions of the Occupational Health and Safety Board, filling out and recording Near-Miss Forms, performing health screening of employees during recruitment and during the time required by the job, notifying and recording occupational accidents to SSI;
• Carrying out transactions related to policy production and collection, agent/ broker establishment, policy collection, agent debt collection, and agent brokerage fee payment;
• Keeping the accounting records of the vendors from whom the company purchases goods and services, following up their current accounts and payments, making payments related to employee personal rights and claims payments;
• Carrying out the necessary work in line with the company's risk acceptance criteria and treaty limits, as well as production and profitability targets;
• Meeting demands from customers for the products and services of the company, managing the process of directing damaged vehicles to service shops, managing the claim notification process;
• Carrying out damage prevention activities before damage in the commodity line of business, defining ships to the system, defining risk groups of countries to the system;
• Analyzing the information of the claimant and the insured with certain algorithms by comparing the past damage information of the insured, if any;
• Examining and finalizing damage files;
• Preparing price quotation, policy and addendum by making risk analysis;
• Dealing with the notifications forwarded to our Institution, which we are obliged to fulfill under the state of emergency;
• Profitable segmentation and analysis for profitable sales;
• Arranging Car Accident tariffs and reports;
• Catastrophic modeling and analysis;
• Performing Corporate Travel and Organization Planning, Advertising, Public Relations, Event management, and sponsorship management processes;
• Risk inspection;
• Ensuring that the necessary measures are taken by following the Company's executive activities and risk and informing the Management;
• Making recovery transaction to the negligent party after the damage file payment;
• Procuring the products and services required for the company;
• Backing up the systems, ensuring the security of the systems;
• Providing the identity information of the customer or beneficiaries who made a transaction of 20,000 TL or more (for whom a policy was issued or a damage compensation payment was made);
• Recording and reporting to MASAK (Financial Crimes Investigation Board) all information on suspicious transactions regarding laundering proceeds of crime or financing of terrorism;
• Implementing prohibition of transaction on embargoed and/or financially sanctioned persons;
• Carrying out the necessary work in line with the company's risk acceptance criteria and treaty limits, as well as production and profitability targets;

Your personal data may also be processed when you use our call center or website to use certain HDI Sigorta's online services and you participate in the contests, training, seminars or organizations organized by HDI Sigorta or if you visit or browse the web pages.

In addition, your personal data mentioned above can also be processed in accordance with the provisions of the Law No. 1774 on Identity Notification, Turkish Commercial Code, Law No.2918 on Highway Traffic, Law No.5684 Insurance, MASAK (Financial Crimes Investigation Board) Legislations, Law No. 6502 on Consumer Protection, the provisions of second legislation regarding the aforementioned laws, the obligations arising from tax legislation, the regulations of supervisory and regulatory institutions and organizations, and the cases required by other competent public authorities and the provisions of other legislation. And they can be transferred to the physical archives and information systems of HDI Sigorta and kept under protection both in digital and physical environments throughout their legal periods.

AIn the presence of the following situations, your explicit consent shall not be sought for the processing of your personal data:

• Provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary to process data for the legitimate interests of the data controller;
• Data processing is obligatory for the establishment, use or protection of a right;
• It is made public by the data subject;
• It is obligatory for the data controller to fulfill their legal obligations;
• Provided that it is directly related to the establishment or enforcement of a contract, it is necessary to process personal data belonging to the parties to the contract;
• It is compulsory for the protection of the life or body integrity of the person who is unable to disclose his consent due to the actual impossibility or whose consent is not legally valid;
• In the conditions that the procession of personal data is clearly stipulated in the laws.

D. TRANSFERRING PERSONAL DATA

Pursuant to the law and other legislation and for the above-mentioned purposes, your personal data may be shared with relevant in-house departments, Talanx Group Companies to which the company is affiliated, insured persons, assistance companies, Turkish Union of Insurance, Reinsurance and Pension Companies, Insurance Information and Monitoring Center, government agencies such as Turkish Undersecretariat of Treasury, Turkish Ministry of Labor, Turkish Social Security Institution, Turkish Revenue Administration, Turkish Ministry of Finance, Tax Offices, DASK, TARSIM, TOBB, and MASAK, independent audit companies, medical consultants, actuaries, contracted lawyers, agents, banks, broker companies, reinsurance companies, risk-sharing insurance companies, insurance companies to which recovery claims have been made, persons and companies to which recovery claims have been made and other third parties.

E. METHOD AND LEGAL REASON OF COLLECTING PERSONAL DATA

Your personal data is obtained with the aim of presenting the services we offer, especially insurance and after-sales services, in all kinds of verbal, written or electronic media and based on the processing conditions in Articles 5 and 6 of the Personal Data Protection Law, in line with the above-mentioned purposes, within the determined legal framework and within this scope, HDI Sigorta to fulfill its obligations arising from the agreement and the law in a complete and correct manner.

F. YOUR RIGHTS TO THE PROTECTION OF PERSONAL DATA

In accordance with the legislation on your processed personal data, you have the following rights:

• To know whether personal data is processed;
• If personal data has been processed, to request information on the subject;
• To find out the purpose of processing personal data and whether they are used appropriately for their purpose;
• To know the third parties to whom personal data are transferred domestically or abroad;
• To request the correction of personal data in case of incomplete or incorrect processing;
• To request the deletion or destruction of personal data;
• In case personal data are processed incompletely or inaccurately, to request the third parties to whom the personal data is transferred to be notified about the correction and/or deletion or destruction of personal data;
• To object in the event that an unfavorable result may arise when the processed data is processed exclusively by analyzing it through automated systems;
• In case of damage due to unlawful processing of personal data, to request the compensation of the damage.

G. DATA SECURITY

You can submit your requests under the Law and any questions about your personal data, in written form or by using your registered electronic mail (REM) address, secure electronic signature, mobile signature or the electronic mail address you have previously notified to our Company and registered by our Company or via the "Contact Us" section of our website, or after completing the application form you can apply to HDI Sigorta personally, send the mentioned form with wet signature to Sahrayıcedit Mah. Batman Sokak HDI Sigorta Binası, No.6 34734 Kadıköy-Istanbul-Turkey (via Notary or registered mail) or send the relevant form to hdisigorta@hs03.kep.tr.