SECTION 1
PURPOSE AND SCOPE OF THE POLICY

The Law on the Protection of Personal Data No. 6698 (“LPPD”) was enacted to protect the principle of privacy and to prevent harm to fundamental rights and freedoms during the processing of personal data.

Altus Organizasyon ve Medya Hizmetleri A.Ş. (“Altus” / “the Company”) has adopted the protection, processing, security, and disposal of personal data as a fundamental principle within the scope of its activities.

This Policy covers the procedures and principles regarding the processing, storage, disposal, transfer, and protection of the personal data of all relevant persons, including Altus's employees, subcontractor/sub-employer employees, suppliers, customers, organization participants, artists, speakers, visitors, business partners, and third parties.

The Policy encompasses live broadcasting, media production, congress and event organizations, ticketing and accommodation processes, supplier relations, administrative affairs, human resources, security, information technology services, and all operational areas of Altus.

SECTION 2
DEFINITIONS

• Law (LPPD): Law on the Protection of Personal Data No. 6698.
• Board: The Personal Data Protection Board.
• Data Controller: Altus, which determines the purposes and means of processing personal data.
• Data Subject: The natural person whose personal data is processed.
• Special Categories of Personal Data: Sensitive data such as health information, biometric data, and information on criminal convictions.
• Recording Medium: Any electronic or physical medium where personal data is stored.
• Disposal: The deletion, destruction, or anonymization of personal data.
• Periodic Disposal: Disposal operations carried out by Altus in June and December.

SECTION 3
PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

All personal data processed by Altus is processed in accordance with the principles set forth in Article 4 of the LPPD:

• Compliance with the law and principles of honesty
• Being accurate and up-to-date when necessary
• Processing for specific, explicit, and legitimate purposes
• Being relevant, limited, and proportionate to the purpose
• Being retained for the period stipulated in the relevant legislation

SECTION 4
CONDITIONS FOR PROCESSING PERSONAL DATA

• Existence of the data subject's explicit consent,
• Being explicitly provided for by the laws,
• Being necessary for the establishment or performance of a contract,
• Being necessary for Altus to fulfill its legal obligations,
• Having been made public by the data subject himself/herself,
• Being necessary for the establishment, exercise, or protection of a right,
• Being necessary for the legitimate interests of Altus.

SECTION 5
CATEGORIES OF PROCESSED PERSONAL DATA

• Identity Data: Name-surname, TR identity no, date of birth, blood type, copy of ID.
• Contact Data: Phone number, e-mail, address.
• Financial Data: IBAN, credit card information, salary information.
• Personnel Data: Social Security Institution (SSI) records, employment contracts, health reports.
• Organization Data: Participant lists, name badge information, security check (GBT) result information.
• Visual/Auditory Data: Photograph, video, live broadcast recordings.
• Physical Space Security: Camera recordings, entry-exit records, vehicle license plates.
• Health Data: Employee health reports, workplace health records.
• Legal Transaction Data: Contracts, lawsuit files.

SECTION 6
DATA SUBJECT GROUPS

• Employees and subcontractors
• Participants
• Client organization employees
• Suppliers and business partners
• Visitors
• Altus administrative staff and managers

SECTION 7
METHODS OF COLLECTING PERSONAL DATA

• Physical medium: forms, contracts, ID photocopies, health reports.
• Electronic medium: e-mail, WhatsApp, phone calls, software systems.
• Media recordings: camera systems, live broadcast servers.
• Ticketing systems: flight tickets, reservations, credit card transactions.

SECTION 8
TRANSFER OF PERSONAL DATA

• Public institutions: Presidency, Ministries, Police (GBT), SSI.
• Suppliers: Hotels, airline companies, printing companies.
• Financial institutions: Banks, financial advisors.
• Legal authorities: Courts, lawyers.
• Abroad: Only when necessary, in accordance with Article 9 of the LPPD.

SECTION 9
STORAGE AND DISPOSAL OF DATA

Storage: Data is stored on secure servers, encrypted disks, and in archive rooms.

Disposal methods:

• Deletion: Making electronic data inaccessible.
• Destruction: Disposing of physical documents.
• Anonymization: Severing the link between the data and the person.
• Periodic Disposal: Twice a year, in June and December.

SECTION 10
TECHNICAL AND ADMINISTRATIVE MEASURES

• Providing LPPD training
• Confidentiality agreements
• Encryption and backup systems
• Authorization matrices and access controls
• Limited access to camera and media recordings
• Subcontractor audits
• Revoking access for former employees

SECTION 11
RIGHTS OF DATA SUBJECTS

• To learn whether their data is being processed
• To request information
• To learn if it is used for its intended purpose
• To know the third parties to whom it is transferred
• To request correction or deletion
• To object to processing
• To demand compensation in case of damage

SECTION 12
ENFORCEMENT AND UPDATE

This Policy has been approved by the Altus Board of Directors and entered into force on …/…/2025. It is regularly updated in line with legislative changes.