As VODATECH ÇAĞRI MERKEZİ A.Ş.; in accordance with the detailed technical control “A.18.1.4 Privacy and protection of personally identifiable information” under the “A.18 Compliance” control, it is essential to ensure the privacy and protection of personally identifiable information through laws and regulations. In this direction, based on the applicable technical controls in ISO 27001:2022 Annex-A, the following articles are committed:

Data Controller Obligations

The data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to:

• Prevent the unlawful processing of personal data,

• Prevent unlawful access to personal data,

• Ensure the safekeeping of personal data.

Joint Responsibility

In the event that personal data is processed by another natural or legal person on behalf of the data controller, joint responsibility is accepted with these persons regarding the taking of the specified measures.

Audit Activities

The data controller is obliged to carry out or have carried out the necessary audits in its own institution or organization in order to ensure the implementation of the provisions of the law.

Confidentiality and Processing Limits

Data controllers and persons who process data may not disclose the personal data they have learned to others in violation of the provisions of the law and may not use it for purposes other than the purpose of processing.

• This confidentiality obligation continues even after the personnel have left their positions.