LAW ON THE PROTECTION OF PERSONAL DATA

BIRLESIK ODEME HIZMETLERI VE ELEKTRONIK PARA A.S.

Information Text

Birlesik Odeme Hizmetleri ve Elektronik Para A.S. (shall hereinafter be referred to as Birlesik Odeme or the Company) pays maximum care and attention to ensure confidentiality and security of any and all personal data collected and processed by the same.

Therefore, any and all personal data, processed by our Company in the capacity of Data Controller or Data Receiver, are processed and retained in accordance with the Personal Data Protection Law nr.6698 (PDP Law). For this purpose, Birlesik Odeme takes any and all administrative and technical measures, as necessary to protect your personal data, and processes your personal data subject to the terms and conditions explained hereinbelow, and to the extent as limited under the Law and the other related statutory regulations, in all your transactions.

The Privacy, adopted by us as our corporate culture, is accessible on our webpage. However, it should be underlined here that we are unable to provide any assurance for data privacy on any other websites directed (linked) by the website of Birlesik Odeme. The data privacy policy of the respective webpage should be reviewed carefully.

1. Legal Nature and Scope

The section 10, titled Obligation to Inform, of the Personal Data Protection Law nr.6698 sets out that the persons, whose personal data are processed, shall be informed by the data controllers. As per the provisions of the PDP Law, Birlesik Odeme is the Data Controller in respect of the personal data possessed by the same.

This Information Text intends to provide information to the data owners about their rights, which may be raised to the data controller as listed under the section 11 of the Law, to obtain information with respect to the identity of the data controller, the purposes of collecting personal data, the persons to which personal data are transmitted, and the purposes of such transmission, the legal reasons of collecting personal data, the persons to whom such data may be transmitted, and the ways of such transmission, and to ask for updating, deleting or anonymizing such data.

2. Identity of the Data Controller

Data Controller is defined as the real or legal persons who/which determine the purposes and means of processing the personal data, and are responsible for setting up and managing the data logging system under the subparagraph () of the section 3/1 of the PDP Law. Accordingly, our Company is the data controller in respect of some data.

The contact info of our Company as the Data Controller is as follows: Esentepe Mah. Buyukdere Cad. No:102 /14 Maya Akar Center B Blok K: 3 Sisli / Istanbul Turkey, info@birlesikodeme.com, www.birlesikodeme.com

3. Purposes of Processing Your Personal Data

Your personal data are processed for the purposes of a) payment services and electronic payment provided by our Company, and b) management of legal business processes such as running the financial security processes, KYC (Know Your Customer), AML (Anti-Money Laundering), and anti-fraud compliance programs, and fighting against any other irregular transactions, and c) ensuring the maximum level of financial and commercial data security for especially electronic services, and setting up an appropriate IT infrastructure and databases, and taking administrative and technical measures, and d) improving the services provided on the website of our Company, and responding to any future requests and complaints, and eliminating any and all errors to arise on this medium, and ensuring their conformity with the Privacy Policy accessible on our website, and e) carrying out any and all processes, as necessary, by our concerned business units to enable the Company to perform the business activities, and all other business processes associated therewith, in line with the principles prescribed under the PDP Law, subject to the terms and conditions with respect to the payment services as per the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions nr.6493, and any subsidiary regulations, and prescribed under the sections 4, 5 and 6 of the PDP Law.

4. Our Principles on Processing Personal Data

We, as Birlesik Odeme, have adopted the principles of a) processing your personal data in line with the principles of law and integrity, and b) taking care to ensure accuracy and up-to-dateness thereof, and c) processing such personal data for clear, explicit and legitimate purposes, and ) ensuring that such personal data are processed to the extent as limited to the intended purpose of processing, and d) retaining such personal data for a period of time, as prescribed under the related applicable regulations or as necessary to achieve the purpose of processing.

We value data minimization.

5. Ways of Processing Personal Data

Your data may also be processed in cases where it is clearly prescribed so under the applicable laws, and it is mandatory for any person who is bodily incapable of giving her/his consent, and it is directly related to conclusion or fulfilment of any agreement, and it is mandatory for the data controller to be able to perform its legal obligations, as set out under the section 5 of the Law.

Processing of Sensitive Personal Data is limited to the cases where it is mandatory to recruit our staff members, and such data may be processed based on explicit consent, only.

6. Persons to Whom Any Processed Personal Data May Be Transmitted, and Purposes of Such Transmission

Your personal data, collected and processed by our Company in accordance with the PDP Law, may be transmitted to legally authorized public institutions or private institutions/organizations such as BDDK (Banking Regulation and Supervision Agency), MASAK (Financial Crimes Investigation Board), Central Bank of the Republic of Turkey, and independent audit organizations to fulfill the risk management, notification, accounting, internal control & audit, and compliance obligations prescribed for Birlesik Odeme under the governing regulations such as especially the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions nr.6493, and the Law nr.5549 on Prevention of Laundering of Proceeds of Crime, and the Decree nr.660 on Organization and Duties of the Public Oversight, Accounting and Auditing Standards Authority, and domestic suppliers and service providers, business & solution partners, and consultants subject to the confidentiality agreements to procure any and all administrative, financial, legal and technical materials and services, as needed by the Company, and competent public legal persons or judicial authorities due to available legal actions and transactions to establish, protect and exercise any right.

Any data may not be transmitted to any international institution/organization in the capacity of Data Controller or Data Receiver.

7. Methods and Legal Reasons of Collecting Your Personal Data

Your personal data are collected through automated and non-automated methods during provision of basic payment services by our Company under the Individual and Corporate categories such as a) carrying out the transactions in relation to the payment account such as depositing money into the payment account and transferring money from the payment account based on the payment order, and b) direct debiting transactions in relation to fund transfer in the payment account, payment transactions performed by payment card or any similar means, and money transfers including regular payment orders, and c) issuing or accepting the instruments of payment, and ) money remittance, and d) acting as an agent for payments of bills, and e) providing consolidated information regarding one or multiple payment account(s) on online platforms on the condition that the consent of the payment service user has been obtained to that end.

Accordingly, your personal data are collected primarily on either physical or electronic media upon your representations under the scope of the relationship between the Company and our Individual and/or Corporate Clients directly by the Company or through the agency of our providers and/or business partners, or the communication forms filled in electronically by you, or the information and documentation provided by you through written and verbal communications with the Company on the channels such as online assistance service, or the electronic mails sent to our Company by you using the electronic mail system.

Your personal data are collected in line with the said methods and purposes to perform and fulfill the obligations of our Company, arising from the governing regulations such as the Law nr.6493, and the Regulation on Payment Services and Electronic Money Issuance, and Payment Institutions and Electronic Money Institutions, and the Decree nr.660 on Organization and Duties of the Public Oversight, Accounting and Auditing Standards Authority, as well as the applicable agreements and the said regulations, fully and duly.

Your personal data, collected for such legal purpose, may be processed for the purposes, specified hereunder, subject to the terms and conditions applicable to personal data, in accordance with the sections 4, 5 and 6 of the PDP Law, and the Law nr.5651.

8. How Do We Protect Your Personal Data?

Any and all technical and administrative measures are taken to protect any and all personal data, collected by Birlesik Odeme, and to prevent such data from being captured by any unauthorized persons, and to prevent our customers and potential customers from experiencing any grievance. Accordingly, it is ensured that our software is in conformity with the applicable standards, and that up-to-date firewalls and anti-virus systems are employed against cyber-attacks, and that the third parties are selected carefully, and that our Privacy and Information Security Policies including the sets of administrative and technical measures such as ensuring access and authorization controls are observed internally.

9. Personal Data Owners' Rights and Application

In the event that you, as the personal data owners, submit your requests on your rights, provided under the section 11 of the PDP Law, to our Company using the methods set out hereinbelow, your requests shall be concluded in maximum thirty days free-of-charge depending on the nature thereof.

Moreover, as the applications with respect to personal data are required to be filed by the data owners themselves as per the applicable regulations, only the applications concerning you will be responded to, and any application filed about your spouse, relative or friend will not be accepted.

Accordingly, you, as the personal data owners, are entitled to apply to our e-mail address provided by Birlesik Odeme hereunder, and a) to inquire whether your personal data have been processed, or not; and b) to ask for information if the personal data have been processed, and c) to be informed about the purpose of processing of any such data, and also about whether such data have been used as appropriate to the purpose thereto, and d) to be informed about any third party to which any such data have been transmitted, either domestically or internationally, and e) to ask for correction of any imperfect or inaccurate data, in case of any imperfect or inaccurate processing thereof, and to ask for provision of information to the third persons, to whom/which such personal data have been transmitted, to that end, and f) to ask for deletion or disposal of any personal data if the reasons, requiring such data to be processed, have disappeared although they have been processed in accordance with the terms and conditions as prescribed under the PDP Law and the other related applicable laws, and to ask for provision of information to the third persons, to whom/which such personal data have been transmitted, to that end, and g) to raise an objection against any outcome in case of emergence of an outcome that is to the detriment of you upon the analysis of any such processed personal data solely by any automatic systems, and h) to claim for compensation of any and all damage and/or loss you might have incurred in case any such personal data have been processed in breach of the Law.
