I. PURPOSE AND SCOPE OF THE POLICY

This Privacy Policy (“Policy”) has been prepared by Green Aura Blooms Çiçekçilik ve Seracılık Anonim Şirketi (“Green“), as the Data Controller, in order to determine the general framework regarding the personal data processing activities carried out by Green Aura Blooms Çiçekçilik ve Seracılık Anonim Şirketi (“Green“) in accordance with the Personal Data Protection Law No. 6698 (“Law“) and the relevant legislation and to make explanations about the principles adopted for the protection of personal data, thus ensuring transparency and transparency towards the persons whose personal data are processed by Green.

II. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Green is based on the following principles in its personal data processing activities:

• Compliance with the law and good faith,
• Ensuring that personal data is accurate and, where necessary, up to date,
• Processing for specific, explicit and legitimate purposes,
• Being relevant, limited and proportionate to the purpose for which they are processed,
• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

In accordance with the above-mentioned principles, personal data belonging to users, employees, employee candidates, potential product and service buyers, suppliers and supplier officials/employees, visitors, online visitors, shareholders/partners, business partners and third parties with whom Green has a relationship as service providers and buyers are processed and destroyed securely in physical or electronic media in accordance with the Law and relevant legislation in accordance with the relevant legislation and this Policy

III. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

There are regulations on the processing of personal data in various laws. First and foremost, the Law No. 6698 on the Protection of Personal Data sets out the principles for the protection of personal data. In addition, in terms of Green’s current activities; Personal data is processed by Green based on the Law No. 6502 on Consumer Protection, Regulation on Distance Contracts, Law No. 6563 on the Regulation of Electronic Commerce, Regulation on Commercial Communication and Commercial Electronic Messages, Turkish Criminal Code No. 5237 and Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications.

IV. GREEN’S DISCLOSURE OBLIGATION

In order to fulfill the disclosure obligation under Article 10 of the Law and the Communiqué on the Procedures and Principles to be Applied in Fulfilling the Disclosure Obligation (“Communiqué”), Green provides disclosure texts and, if necessary, explicit consent texts to the data subjects on the basis of the process and the persons whose data are processed.

Within the framework of the said disclosure obligation, the Data Subjects are informed on the following issues in accordance with the Law:

• Identity of the data controller and its representative, if any,
• The purpose for which Personal Data will be processed,
• To whom and for what purpose the processed Personal Data may be transferred,
• The method and legal reason for collecting Personal Data,
• Other rights listed in Article 11 of the LPPD.

V. CATEGORIES OF PERSONAL DATA

a) Members

Your Identity Data: Name, surname, identity card information, date of birth, gender, Turkish ID number

Your Contact Data: Address, e-mail, cell phone number, landline phone number

Your Location Data: Location data

Your Marketing Data: Cookie records, records of users’ past actions, targeting, habits and likes

Your Legal Transaction Data: Request and complaint records, attachment and alimony information, commercial electronic message permission, legal action file records, dunning notices, information in correspondence with judicial and administrative authorities

Your Transaction Security Data: IP Address, password information, traffic data, website login and exit information, username information

Risk Management Data: IP address, password and username information

b) Users

Your Identity Data: First name, last name, Turkish ID number

Your Contact Data: Address, e-mail, mobile phone number, landline phone number, postal code

Location Data: City, district

Your Marketing Data: Cookie records, targeting, habit and liking records

Your Legal Transaction Data: Request and complaint records, commercial electronic message permission, legal action file records, information in correspondence with judicial and administrative authorities

Your Transaction Security Data: Password information, traffic data, website login and exit information

Risk Management Data: IP address

c) Online visitor data

Your Transaction Security Data: Password information, traffic data, website login and exit information

Risk Management Data: IP address

Your Legal Action Data: Request and complaint records, legal action file records, information in correspondence with judicial and administrative authorities

d) Data of the Person on Whose Behalf the Purchased Product will be Delivered

Your Identity Data: First name, last name, Turkish ID number, date of birth, gender

Your Contact Data: Address, e-mail, mobile phone number, landline phone number, postal code

Location Data: City, district

Your Financial Data: Invoice information

e) Personal Data of Dealer / Dealer Candidate / Seller / Supplier / Seller Candidate / Seller or Supplier Employee or Official

Your Identity Data: First name, last name, Turkish ID number

Your Contact Data: Address, e-mail, mobile phone number, landline phone number, postal code

Location Data: City, district

Your Legal Transaction Data: Request and complaint records, signature circular, signature declaration, certificate of activity, trade registry gazette

VI. PURPOSES AND LEGAL REASONS FOR PROCESSING YOUR PERSONAL DATA

We provide below information about the purposes and legal grounds for which we process your personal data:

a) Member Data

• Confirming the identity information of our members who make transactions through the website, realizing membership transactions and benefiting from membership rights
• Fulfillment of the obligations undertaken under the relevant articles of the membership agreement, contacting our members regarding the conditions and current status of the agreements, providing the necessary information
• Preparation of all records and documents that will be the basis of the transaction in electronic (internet/mobile etc.) or paper environment
• Improving and developing our services offered to our members, conducting business development processes
• Responding to information requests from competent authorities
• Carrying out advertising, marketing and promotional activities for the special preferences and interests of our members by conducting market analysis, targeting, profiling and analysis studies, sending commercial electronic messages to our members for promotional, marketing, advertising, campaign and celebration purposes
• Improving the experience of members using the website, carrying out the loyalty processes of products and services, carrying out activities to ensure the satisfaction of members and organizing surveys in electronic and/or physical environment through contracted organizations
• Evaluating the requests, suggestions and complaints of our members
• Ensuring information and transaction security when using our services
• Follow-up and execution of legal affairs
• Execution and supervision of our business activities, improvement and development of our services
• Fulfillment of our legal obligations and exercising our rights arising from the legislation in force

b) User Data

• Confirming the identity information of our users who make transactions through the website
• Contacting our users regarding the conditions and current status of the contracts we have concluded under the distant sales contract and the relevant articles of the Law on the Protection of Consumers, and providing the necessary information
• Creating invoices and accounting records for orders
• Preparation of all records and documents that will be the basis of the transaction in electronic (internet/mobile etc.) or paper environment
• Improving and developing our services offered to our users, conducting business development processes
• Responding to information requests from competent authorities
• Carrying out advertising, marketing and promotional activities for the preferences and interests of our users by conducting market analysis, targeting, profiling and analysis studies, sending commercial electronic messages to our users for promotional, marketing, advertising, campaign and celebration purposes
• Improving the experience of our users who use the website, conducting loyalty processes of products and services, conducting activities to ensure user satisfaction and conducting surveys in electronic and/or physical environment through contracted organizations
• Evaluating users’ requests, suggestions and complaints
• Ensuring information and transaction security when using our services
• Follow-up and execution of legal affairs
• Execution and supervision of our business activities
• Fulfillment of our legal obligations and exercising our rights arising from the legislation in force

c) Potential product or service buyer / online visitor data

• Carrying out advertising, marketing and promotion activities targeting the specific preferences and interests of potential product or service buyers by conducting market analysis, targeting and analysis studies
• Evaluating requests, suggestions and complaints
• Ensuring information and transaction security when using our services
• Execution and supervision of our business activities
• Fulfillment of our legal obligations and exercise of our rights arising from the legislation in force

d) Data of the Person on Whose Behalf the Purchased Product will be Delivered

• Execution of delivery processes of products purchased through the website
• Execution of invoice and accounting transactions
• Ensuring information and process security
• Execution and supervision of our business activities
• Fulfillment of our legal obligations and exercise of our rights arising from the legislation in force

e) Personal Data of Dealer / Dealer Candidate / Seller / Supplier / Seller Candidate / Seller or Supplier Employee or Official

• Execution of contractual processes, fulfillment of obligations undertaken and exercise of rights pursuant to the contracts concluded
• Creation of invoice and accounting records
• Preparation of all records and documents that will be the basis of the transaction in electronic (internet/mobile etc.) or paper environment
• Responding to information requests from competent authorities
• Evaluating requests, suggestions and complaints
• Ensuring information and process security
• Follow-up and execution of legal affairs
• Execution and supervision of our business activities
• Fulfillment of our legal obligations and exercise of our rights arising from the legislation in force

VII. LEGAL GROUNDS FOR PROCESSING AND DELETION/ANONYMIZATION OF PERSONAL DATA

Legal Reasons Requiring Processing: The legal reasons requiring the processing of personal data are as follows:

• Explicit consent of the Data Subject in terms of processing activities that require the explicit consent of the Data Subject.
• It is clearly stipulated in the laws.
• It is mandatory for the protection of the life or physical integrity of the Data Subject or another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
• Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract.
• It is mandatory for Green to fulfill its legal obligation.
• It has been made public by the Data Subject himself/herself.
• Data processing is mandatory for the establishment, exercise or protection of a right.
• Data processing is mandatory for Green’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

Legal Reasons Requiring Deletion/Anonymization: The legal reasons requiring the destruction of personal data are as follows:

• Amendment or repeal of the provisions of the relevant legislation stipulating the processing or storage of personal data,
• The disappearance of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law,
• The purpose requiring the processing and/or storage of personal data disappears,
• In cases where explicit consent is required for the processing of personal data, withdrawal of consent by the Data Subject,
• Green’s acceptance of the application made by the Data Subject regarding the deletion, destruction or anonymization of his/her Personal Data within the framework of his/her rights under paragraphs (e) and (f) of Article 11 of the Law,
• In the event that the application made by the Data Subject requesting the destruction of his/her personal data is rejected by Green, a complaint is filed to the Personal Data Protection Board (“Board”) and this request is approved by the Board,
• Although the maximum period required for the storage of personal data has expired, in the event that there are no conditions that justify the storage of personal data for a longer period, the personal data of the Data Subjects are destroyed by Green ex officio or upon the request of the Data Subject, as the case may be.

VIII. PERSONAL DATA RETENTION PERIODS

Green retains the personal data it processes in accordance with the Law for the periods stipulated in the relevant legislation or required by the purpose of processing.

Data Category	Data Retention Period	Rationale
Identity	10 years from the date of termination of the legal relationship	Law No. 6098
Contact	10 years from the date of termination of the legal relationship	Law No. 6563 and related secondary legislation
Location	10 years from the date of termination of the legal relationship	Law No. 6098
Legal Action	10 years from the date of termination of the legal relationship
User Operation	10 years from the date of termination of the legal relationship	Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502
Process Security	10 Years
Risk Management	10 Years
Finance	10 years from the date of termination of the legal relationship	Law No. 6102, Law No. 213
Marketing	10 years from the date of termination of the legal relationship
Audio and Visual Recordings	10 Years	Law No. 6563 and related secondary legislation

IX. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURE STORAGE OF PERSONAL DATA, PREVENTION OF UNLAWFUL PROCESSING AND ACCESS TO PERSONAL DATA

Personal data shared with Green is under the supervision and control of Green. In accordance with the provisions of the relevant legislation in force, Green has assumed the responsibility as the data controller to establish the necessary organization and to take and adapt technical measures to protect the confidentiality and integrity of personal data. Being aware of our obligation in this regard, necessary measures are taken to ensure the level of security in accordance with international and national technical standards on data privacy. We bring to your attention the measures taken by Green to ensure the security of personal data below:

• Network security and application security are provided.
• Closed system network is used for personal data transfers through the network.
• Key management is applied.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness raising activities on data security for employees are carried out at regular intervals.
• An authorization matrix has been established for employees.
• Access logs are kept regularly.
• Data masking measures are applied when necessary.
• Confidentiality undertakings are made.
• The authorizations of employees who change their duties or leave their jobs are removed.
• Up-to-date anti-virus systems are used.
• Firewalls are used.
• Signed contracts contain data security provisions.
• Personal data security policies and procedures are defined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken for entry and exit to physical environments containing personal data.
• Physical environments containing personal data are secured against external risks (fire, flood, etc.).
• Security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up and the security of backed up personal data is also ensured.
• User account management and authorization control system is implemented and monitored.
• Internal periodic and/or random audits are carried out and conducted.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using KEP or corporate mail account.
• Intrusion detection and prevention systems are used.
• Penetration testing is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is performed.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.

X. RIGHTS OF DATA SUBJECTS

By applying to Green, Relevant Persons may exercise the rights set out in Article 11 of the Law and below:

a) Learn whether personal data is being processed,

b) Request information if personal data has been processed,

c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

ç) To know the third parties to whom personal data are transferred domestically or abroad,

d) To request correction of personal data in case of incomplete or incorrect processing,

e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,

f) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data are transferred,

g) To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

ğ) In the event that personal data is damaged due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

Pursuant to the Communiqué on the Procedures and Principles of Application to the Data Controller, requests within the scope of Article 11 of the KVKK regulating the “Rights of the Data Subject” may be made to Esentepe Mah. Kasap Sk. Eser İş Merkezi B Blok No: 18 İç Kapı No: 56 Şişli / İstanbul in writing (for example, by means of a notice or registered letter with return receipt or by hand delivery through a notary public or in person) or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified to us and registered in our system.

At the same time, if the Relevant Persons wish, they may submit their requests within the scope of Article 11 of the KVKK regulating the “Rights of the Relevant Person” by filling out the Green İnternet Hizmetleri A.Ş. Application Form and submit a signed copy of the form together with the documents identifying their identity to Esentepe Mah. Kasap Sk. Eser İş Merkezi B Blok No: 18 İç Kapı No: 56 Şişli / İstanbul address with the methods explained above.

If the requests are forwarded to Green, Green will finalize the request free of charge within 30 (thirty) days at the latest. However, in the event of an additional cost, Green reserves the right to charge you a fee according to the tariff to be determined by the Personal Data Protection Board.

In addition, Data Subjects may contact Green at any time via e-mail address [email protected] for any questions and opinions regarding their personal data.

Green may make changes to this Privacy Policy at any time. These changes will take effect immediately upon the publication of the new amended Privacy Policy.