GLASSTECH FIRIN REFRAKTER ÇELİK İNŞAAT TURİZM SANAYİ VE TİCARET ANONİM ŞİRKETİ Company (hereinafter referred to as the “Company”) considers the protection of personal data obtained during the execution of our processes among our top priorities. We attach great importance to ensuring the security of your personal data and to its use and/or processing in compliance with the applicable legislation.

This disclosure text includes information on how we, as the data controller, process personal data within the scope of our relationships with our customers.

Website Visitor Information Text

This information text explains how Glasstech Furnace Refractory Steel Construction Tourism Industry and Trade Inc. (“GTR”) processes the personal data of visitors in accordance with the Law on the Protection of Personal Data No. 6698 (KVKK). Personal data such as name, visitor records, camera footage, and entry–exit information may be collected during visits to company premises or through website interactions for purposes including security, visitor management, and fulfilling legal obligations. These data are processed only for legitimate purposes, stored for the period required by applicable regulations, and protected through appropriate technical and administrative security measures. Visitors may exercise their rights regarding their personal data in accordance with the provisions of KVKK.

In order to ensure security within our company, we carry out personal data processing activities such as surveillance by security cameras in our company buildings and parking areas, and tracking of visitor entries and exits.

As GTR, we act in accordance with the Constitution and the Law No. 6698 on the Protection of Personal Data (“KVKK”) in the processing and storage of visitors’ personal data, and we take the highest level of security measures by exercising maximum diligence to ensure the security of personal data.

With this document, we aim to fulfill our obligation to inform visitors regarding the purposes, legal grounds, and rights related to the processing of personal data pursuant to Article 10 of the Law No. 6698 on the Protection of Personal Data (“KVKK”).

DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether fully or partially automated or non-automated, provided that it forms part of a data recording system.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Within the scope of this document, the data controller is GLASSTECH FIRIN REFRAKTER ÇELİK İNŞAAT TURİZM SANAYİ VE TİCARET ANONİM ŞİRKETİ Company, located at Çavuşoğlu, Çobanyıldızı Cd No:44, 34873 Kartal/İstanbul address.

Data Recording System (VERBIS): The recording system where personal data is processed by being structured according to certain criteria.

Explicit Consent: Freely given, specific, informed consent regarding a particular subject.

Board: Refers to the Personal Data Protection Board.

1- INFORMATION ABOUT THE DATA CONTROLLER

Pursuant to the Law No. 6698 on the Protection of Personal Data (“Law”), visitors’ personal data shall be processed by our company as the data controller, as explained below and within the limits prescribed by the legislation.

2- PROCESSED PERSONAL DATA

The following personal data of visitors may be processed by the Company: name, surname, signature, camera footage, entry and exit times.

• Purpose of Visit: The purpose of your visit, the company personnel visited, date and time of the visit, and, if applicable, meeting participant information.

• Security Information: If applicable, information related to an access card assigned during your visit, entry/exit date and time, and, when necessary, information about items/devices recorded or stored according to company policies.

• CCTV Records: Camera recordings made for security reasons in company buildings and premises (in areas where such recordings are made, warning signs are provided).

• Call/Meeting Records: Audio or meeting recordings made to measure service quality (if recordings are made, related warning notices are displayed). In EU member states, such recordings are not conducted.

• Your Requests and Feedback: Information regarding any requests, complaints, or feedback related to your visit.

• Other Information: HES code information.

• Visitor Visual Data: Closed-circuit security camera images.

• Other Visitor Data: Vehicle information, name of employer, and title.

3- METHODS AND LEGAL BASIS FOR COLLECTING PERSONAL DATA

Visitors’ personal data may be collected verbally, through license plate recognition, or via cameras within the company premises, based on the legal grounds of fulfilling legal obligations and the legitimate interests of the data controller.

4- PURPOSES OF PROCESSING PERSONAL DATA

Visitors’ personal data are collected and processed for the following purposes:

• Creation and tracking of visitor records,
• Ensuring the security of physical premises,
• Providing information to authorized persons, institutions, and organizations.

5- TRANSFER OF PROCESSED PERSONAL DATA AND PURPOSES OF TRANSFER

Our Company may transfer personal data, with explicit consent and in accordance with Articles 8 (“Transfer of Personal Data”) and 9 (“Transfer of Personal Data Abroad”) of the Law, within the framework of confidentiality and security principles and after taking necessary precautions. Such transfers may be made to fulfill legal obligations, establish or perform a contract, exercise or protect a right, or in cases where it is required for our Company’s legitimate interests, to authorized public institutions and organizations.

6- RETENTION PERIOD AND DESTRUCTION OF PERSONAL DATA

Processed personal data shall be stored for the legally determined period following the completion of the visit and for the purposes stated above. After the retention period expires, the data shall be destroyed in accordance with our Company’s Personal Data Retention and Destruction Policy.

7- RIGHTS OF THE DATA SUBJECT

Pursuant to Article 11 of the Law, the visitor as a data subject has the following rights:

1) To learn whether personal data is being processed,
2) To request information if personal data has been processed,
3) To learn the purpose of processing and whether data is used in accordance with this purpose,
4) To know the third parties to whom data is transferred domestically or abroad,
5) To request correction if data is incomplete or inaccurate,
6) To request deletion or destruction of data where the reasons for processing no longer exist,
7) To request that any corrections or deletions be notified to third parties to whom data has been transferred,
8) To object to a result arising to their detriment due to automated data analysis,
9) To claim compensation for damages incurred due to unlawful processing of personal data.

8- METHOD OF APPLICATION TO THE DATA CONTROLLER

Visitors, as data subjects, must first apply to the data controller to exercise their rights concerning their personal data. According to Article 14 of the Law, a complaint cannot be directly submitted to the Personal Data Protection Board without first applying to the data controller.

Applications submitted to us will be answered within thirty (30) days from the date of receipt, free of charge, in accordance with Article 13/2 of the Law. Our responses will be delivered to you in writing or electronically as per Article 13 of the Law. However, if the Personal Data Protection Board stipulates a fee, the Company may charge the amount determined by the Board.

Within this framework, you can submit your application to our Company clearly and understandably, including your identity and address information, by:

• Delivering a signed written copy in person to Çavuşoğlu, Çobanyıldızı Cd No:44, 34873 Kartal/İstanbul address, or
• Sending it via a notary public, or
• Sending it to our registered electronic mail (KEP) address with a secure electronic signature or mobile signature.

For detailed information on procedures and principles regarding applications, please refer to the “Communiqué on the Procedures and Principles of Application to the Data Controller” issued by the Personal Data Protection Authority.

Applications submitted to us will be answered within thirty (30) days, in accordance with Article 13/2 of the Law. Responses will be sent in writing or electronically as stipulated by the Law.

[Name Surname]

[Turkish ID Number]

[Address]

[Phone]

[E-mail Address]

[Signature] [Date]