Login

Cart

Your cart is empty

Security of Personal Data

ENTRANCE

GENERAL DESCRIPTION

PROVISIONS REGARDING THE PROTECTION OF PERSONAL DATA PROVISIONS REGARDING THE PROCESSING OF PERSONAL DATA CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY MYRAANG AND THE PURPOSES OF TRANSFER PROCESSING OF PERSONAL DATA BASED ON AND LIMITED BY THE PROCESSING CONDITIONS IN THE LAW PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT AT MYRAANG HEAD OFFICE AND STORES AND WITHIN THESE BUILDINGS RIGHTS OF PERSONAL DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS BY MYRAANG EVALUATION OF MYRAANG'S OTHER INTERNAL POLICIES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA, ABBREVIATIONS AND DEFINITIONS.

1. GENERAL DESCRIPTION

MYRAANG TEXTILE INDUSTRY AND TRADE LTD. ("MYRAANG" and/or "the Company") takes the necessary care in protecting personal data and applies this as a company policy to all natural and legal persons. Within this scope, with this Personal Data Processing and Data Security Policy ("Policy"), we aim to protect the personal data of our Customers, the Authorized Personnel and Employees of the Institutions We Cooperate With, the Authorized Personnel and Employees of Our Suppliers, the Authorized Personnel and Employees of Our Business Partners, Our Visitors, Website Users, Job Applicants, and other Third Parties.

At MYRAANG, we take the necessary administrative and technical measures to protect personal data processed in accordance with the Law No. 6698 on the Protection of Personal Data.

In processing personal data, we adopt the following principles: (i) processing personal data in accordance with the law and principles of fairness, (ii) keeping personal data accurate and up-to-date when necessary, (iii) processing personal data for specific, explicit and legitimate purposes, (iv) processing personal data in a manner that is relevant, limited and proportionate to the purpose for which it is processed, (v) retaining personal data for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed, (vi) informing and educating personal data owners, (vii) creating the necessary technical and administrative infrastructure for personal data owners to exercise their rights, (viii) taking the necessary technical and administrative measures in the preservation of personal data, (ix) acting in accordance with the relevant legislation and the regulations of the Board when transferring personal data to third parties in line with the requirements of the processing purpose, (x) showing the necessary sensitivity to the processing and protection of special categories of personal data. This Policy provides detailed explanations regarding these fundamental principles.

1.1. Purpose and Scope of the Policy

The purpose of this Policy is to explain the methods MYRAANG applies and adopts when processing personal data in accordance with the law, and the security measures and precautions it has taken to protect the processed data, and to inform individuals whose personal data is processed by MYRAANG. In this context, this Policy has been prepared to inform the public about the processing and protection of personal data collected by MYRAANG, whether automatically or non-automatically as part of a data recording system, from our Customers, Officials and Employees of Institutions with which we cooperate, Officials and Employees of Suppliers, Officials and Employees of Business Partners, Visitors, Website Users, Job Applicants, and other Third Parties, primarily within the scope of the Law on the Protection of Personal Data and other relevant legislation.

1.2. Implementation of the Policy and Related Legislation

The relevant legal regulations in force regarding the processing and protection of personal data will have primary application. In the event of any inconsistency between the current legislation and this Policy, MYRAANG agrees to apply the current legislation.

2. MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA 2.1. Ensuring the Security of Personal Data

MYRAANG, within the scope of Article 12 of the Law, takes the necessary measures and precautions to prevent the unlawful processing of personal data, to ensure the preservation of personal data, and to prevent unauthorized access to personal data, and conducts and commissions the necessary audits.

In this context, the Personal Data Guide (Technical and Administrative Measures) published by the Board explains the following as technical measures that can be taken by data controllers: (i) Authorization Matrix, (ii) Authorization Control, (iii) Access Logs, (iv) User Account Management, (v) Network Security, (vi) Application Security, (vii) Encryption, (viii) Penetration Testing, (ix) Intrusion Detection and Prevention Systems, (x) Log Records, (xi) Data Masking, (xii) Data Loss Prevention Software, (xiii) Backup, (xiv) Firewalls, (xv) Up-to-date Anti-Virus Systems, (xvi) Deletion, Destruction and Anonymization, (xvii) Key Management. Similarly, the aforementioned Personal Data Guide (Technical and Administrative Measures) includes (i) the preparation of a Personal Data Inventory, (ii) the preparation and implementation of Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.), (iii) the conclusion of contracts (between Data Controller and Data Controller, Data Controller and Data Processor), (iv) the signing of Confidentiality Undertakings, (v) the conduct of Random or Periodic Internal Audits, (vi) the conduct of Risk Analysis, (vii) the addition of provisions in accordance with the Law to the Employment Contract and Disciplinary Regulation, (viii) the alignment of Corporate Communication Principles with the Law (Crisis Management, Board and Data Subject Information Processes, Reputation Management, etc.), (ix) the conduct of Training and Awareness Activities (within the framework of Information Security and the Law), and (x) the Data Controllers Registry Information System. (VERBIS) has explained the creation of the notification process as one of the administrative measures that can be taken.

MYRAANG has taken the following administrative and technical measures in light of the Personal Data Guide (Technical and Administrative Measures) described above and published by the Board:

Current risks and threats are identified, MYRAANG employees are trained and awareness campaigns are conducted, personal data security policies and procedures are determined, the amount of personal data processed by MYRAANG is minimized as much as possible, a contract is concluded between MYRAANG and Data Processors within the scope of the Law, administrative and technical measures are taken to ensure cybersecurity (e.g., deleting unused software and services, creating firewalls, patch management and software updates, access restrictions, creating an access authorization and control matrix, using antivirus products, establishing SSL connections, etc.), personal data security is monitored (e.g., log records are kept, a formal reporting procedure is established for reporting security issues, vulnerability scans and penetration tests are conducted), personal data is stored in the cloud in encrypted form and the encryption key is used, and data backup strategies are developed. 2.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

MYRAANG takes the necessary technical and administrative measures, within the limits of its technological and financial capabilities, to ensure the lawful processing of personal data. In this context;

Personal data processing activities carried out within MYRAANG are monitored through established technical systems, technical measures taken are reported to the relevant parties when necessary, technically knowledgeable personnel are employed, clauses are included in the contracts and documents governing the legal relationship between MYRAANG and its employees that impose an obligation not to process, disclose, or use personal data, except for exceptions provided by law, and awareness of MYRAANG employees in this regard is increased, MYRAANG employees are periodically informed and trained on personal data protection law and the lawful processing of personal data, business processes are regularly analyzed to create a data inventory, and the personal data processing activities carried out by business units are monitored; To ensure compliance with the law for these activities, the requirements to be fulfilled are determined for each process; policies are implemented to ensure legal compliance, raise awareness within the Company, ensure the continuity of practices, and conduct regular audits; periodic training is provided to individuals with access rights to MYRAANG's corporate systems (including, but not limited to, other individuals as deemed necessary); and clauses are included in contracts and documents governing the legal relationship between MYRAANG and the Institutions, Suppliers, Business Partners, Visitors, Website Users, Job Applicants, and other Third Parties with whom we cooperate, imposing a mutual obligation not to process, disclose, or use personal data, except for exceptions provided by law, and employees are made aware of this. 2.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

MYRAANG takes the necessary technical and administrative measures, within its technological and material capabilities, to prevent the unauthorized disclosure, access, transfer, or any other unlawful access to personal data due to negligence or lack of authorization. Accordingly;

Technical measures are taken in line with developments in technology, and these measures are updated and renewed as needed; technical solutions regarding access and authorization are implemented in accordance with legal compliance requirements determined on a process basis; access rights are restricted, authorizations are regularly reviewed; technical measures taken are reported to the relevant person when necessary; issues posing risks are re-evaluated and necessary technological solutions are produced; software and hardware including virus protection systems and firewalls are installed; technically knowledgeable personnel are employed; software and hardware including virus protection systems and firewalls are installed; MYRAANG employees are trained on technical measures to be taken to prevent unlawful access to personal data; access and authorization processes for personal data are designed and implemented within the Company in accordance with legal compliance requirements for personal data processing on a process basis; MYRAANG employees are informed that they cannot disclose personal data they have learned to others in violation of the law and cannot use it for purposes other than the processing purpose, and that this obligation will continue even after they leave their positions, and the necessary commitments are obtained from them accordingly; personal data by MYRAANG Contracts concluded with persons to whom personal data is lawfully transferred include provisions stating that those persons will take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations. 2.1.3. Storage of Personal Data in Secure Environments

MYRAANG takes the necessary technical and administrative measures, within its technological and financial capabilities, to ensure that personal data is stored securely and to prevent its destruction, loss, or alteration for unlawful purposes. Accordingly;

To ensure the secure storage of personal data, systems in line with technological advancements are used, expert personnel in technical matters are employed, technical security systems are established for storage areas, technical measures taken are reported to the relevant person when necessary, issues posing risks are re-evaluated and necessary technological solutions are produced, backup programs are used in accordance with the law to ensure the secure storage of personal data, access to data storage areas containing personal data is logged, and inappropriate accesses or access attempts are instantly communicated to the relevant parties, MYRAANG employees are trained to ensure the secure storage of personal data, and if MYRAANG obtains an external service for the storage of personal data due to technical requirements, the contracts concluded with the relevant companies to which personal data is transferred legally include provisions stating that the persons to whom personal data is transferred will take the necessary security measures for the protection of personal data and ensure compliance with these measures in their own organizations. 2.1.4. Auditing of Measures Taken Regarding the Protection of Personal Data

MYRAANG conducts or commissions necessary internal audits in accordance with Article 12 of the Law. The results of these audits are reported to the relevant unit within MYRAANG's internal operations, and necessary activities are carried out to improve the measures taken.

2.1.5. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

MYRAANG ensures that if personal data processed in accordance with Article 12 of the Law is obtained by others through unlawful means, this situation is reported to the relevant personal data owner and the Board as soon as possible.

2.2. Establishing an Application Channel for Data Subjects' Requests to be Considered by MYRAANG, While Respecting Data Subject Rights, and the Process of Evaluating Applications Made by MYRAANG

MYRAANG implements the necessary channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the Law to evaluate the rights of personal data owners and to provide them with the necessary information. If personal data owners submit their requests regarding the rights listed below in writing to MYRAANG, MYRAANG will process the request free of charge within a maximum of thirty days, depending on the nature of the request. However, if a fee is stipulated by the Board, MYRAANG will charge the fee specified in the tariff determined by the Board. Personal data owners have the following rights:

Individuals have the right to: learn whether their personal data is being processed; request information regarding the processing of their personal data if it has been processed; learn the purpose of the processing of their personal data and whether it is being used in accordance with its purpose; know the third parties to whom their personal data has been transferred, domestically or internationally; request the correction of their personal data if it is incomplete or inaccurate, and request that this correction be notified to the third parties to whom their personal data has been transferred; request the deletion or destruction of their personal data if the reasons requiring its processing have ceased to exist, even if it has been processed in accordance with the law and other relevant legal provisions, and request that this action be notified to the third parties to whom their personal data has been transferred; object to a result that is detrimental to them arising from the analysis of their processed data exclusively through automated systems; and demand compensation for damages incurred as a result of the unlawful processing of their personal data. 2.3. Protection of Special Categories of Personal Data

The law introduces specific regulations regarding the processing and protection of certain types of personal data, as some data are considered special categories. According to the law, data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data. As a company operating in the retail sector, and due to the nature of our business, we place particular importance and care on the lawful processing and protection of special categories of personal data. In this context, MYRAANG takes technical and administrative measures to protect personal data and conducts periodic audits as necessary.

2.4. MYRAANG Increasing awareness and monitoring of the protection and processing of personal data among our customers, company officials, officials and employees of institutions we cooperate with, officials and employees of suppliers, officials and employees of business partners, visitors, website users, job applicants and other third parties.

At MYRAANG, we organize training sessions for our employees and company officials to raise awareness about preventing the unlawful processing and access to personal data, and ensuring data preservation. When necessary, we collaborate with experts in the field of personal data protection. These training sessions for MYRAANG employees and company officials are repeated periodically. We update and renew our training programs in line with current legislation.

3. MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA 3.1. Processing of Personal Data

MYRAANG, in accordance with Article 20 of the Constitution on the Right to Privacy and Articles 4 and 6 of the Law, processes personal data in a lawful and fair manner, accurately and, when necessary, up-to-date; pursuing specific, clear, and legitimate purposes; and in a manner that is relevant to the purpose, limited, and proportionate. MYRAANG retains personal data for the period stipulated in the laws or required by the purpose of personal data processing and/or accepted on a sectoral basis, and in light of the following principles.

Processing in Accordance with the Law and the Rule of Honesty: MYRAANG acts in accordance with the principles established by legal regulations and general rules of trust and honesty in the processing of personal data. In this context, MYRAANG does not process or use personal data beyond what is required by the "purpose of processing personal data". Ensuring the Accuracy and Timeliness of Personal Data: MYRAANG ensures that the personal data it processes is accurate and up-to-date and takes the necessary measures as explained in this Policy. Processing for Specific, Clear and Legitimate Purposes: MYRAANG clearly and precisely defines the legitimate and lawful purpose of personal data processing. MYRAANG processes personal data only to the extent necessary for and related to its commercial activities. MYRAANG clearly defines the purpose for which personal data will be processed before any personal data processing activity begins. Relevance, Limitation, and Proportionality to the Purpose: MYRAANG processes personal data in a manner suitable for achieving the defined purposes and avoids processing personal data that is not related to or needed for the achievement of the purpose. Retention for the Period Stipulated in Relevant Legislation or Necessary for the Purpose: MYRAANG retains personal data only for the period specified in the relevant legislation or for the period accepted in the sector, or for the period necessary for the purpose for which it is processed. In this context, MYRAANG first determines whether a retention period for personal data is stipulated in the relevant legislation; if a period is specified, it complies with that period; if no period is specified, it retains personal data for the period necessary for the purpose for which it is processed and/or for the period accepted in the sector and/or for the periods specified in its Deletion Policy. Personal data is deleted, destroyed, or anonymized by MYRAANG upon expiration of the processing period or the cessation of the reasons requiring its processing.

The protection of personal data is a constitutional right. Fundamental rights and freedoms may only be restricted by law, without prejudice to their essence, and only for the reasons specified in the relevant articles of the Constitution. According to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the individual. MYRAANG, in accordance with both the third paragraph of Article 20 of the Constitution and Article 5 of the Law, processes personal data based on one or more of the conditions listed in the relevant article of the Law, and only processes personal data in cases stipulated by law or with the explicit consent of the individual. Furthermore, in accordance with Articles 8 and 9 of the Law, MYRAANG transfers personal data in accordance with the regulations stipulated in the Law and published by the Board. In accordance with Article 10 of the Law, MYRAANG informs personal data owners about the personal data being processed and provides the necessary information if personal data owners request it. In this context, MYRAANG provides information regarding the identity of its representative (if any), the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the personal data owner. Article 11 of the Law includes the right to "request information" among the rights of the personal data owner. In accordance with Article 11 of the Law, MYRAANG provides the necessary information when the Personal Data Owner requests information.

3.2. Processing of Special Categories of Personal Data

As a company operating in the retail sector, we are sensitive to and comply with the regulations stipulated in the Law regarding the lawful processing of special categories of personal data, given the nature of our business. Article 6 of the Law defines certain personal data as "special categories" because their unlawful processing carries the risk of causing harm or discrimination to individuals. These data include: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Special categories of personal data are processed by MYRAANG in accordance with the Law, provided that the measures determined in the Personal Data Security Guide (Administrative and Technical) published by the Board and the Board decision numbered 2018/10 dated 3.01.2018, published in the Official Gazette numbered 30356 on 13.03.2018, regarding "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" are taken, under the following conditions:

Personal data may be processed, with or without the explicit consent of the data subject, in cases stipulated by law, excluding special categories of personal data relating to the data subject's health and sexual life. Special categories of personal data relating to the data subject's health and sexual life may only be processed by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing. 3.3. Transfer of Personal Data

MYRAANG may transfer personal data and sensitive personal data of the data subject to third parties in accordance with lawful personal data processing purposes and by taking the necessary security measures. In this regard, MYRAANG acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject is provided in Section 6 of this Policy.

3.3.1. Transfer of Personal Data

MYRAANG may transfer personal data to third parties in accordance with legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions listed below and specified in Article 5 of the Law, and in a limited manner:

Personal data may be transferred if: the data subject has given explicit consent; there is an explicit provision in the laws regarding the transfer of personal data; it is necessary for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to express their consent due to factual impossibility or their consent is not legally valid; it is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of the contract; it is necessary for MYRAANG to fulfill its legal obligations; it is necessary for the establishment, exercise, or protection of a right; it does not harm the fundamental rights and freedoms of the data subject; it does not harm the fundamental rights and freedoms of the data subject; or it is necessary for MYRAANG's legitimate interests. 3.3.2. Transfer of Special Categories of Personal Data

MYRAANG may transfer the personal data of the data subject to third parties in accordance with legitimate and lawful personal data processing purposes, by exercising due diligence, taking necessary security measures, and implementing adequate measures published by the Board, in the following cases:

Personal data may be transferred abroad only if the data subject has given explicit consent, or if the data subject has not given explicit consent; special categories of personal data other than the data subject's health and sexual life (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, data relating to criminal convictions and security measures, and biometric and genetic data) may be transferred abroad only in cases stipulated by law, and special categories of personal data relating to the data subject's health and sexual life may be transferred abroad only for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions and organizations under an obligation of confidentiality. 3.4. Transfer of Personal Data Abroad

MYRAANG may transfer personal data and sensitive personal data of the data subject to third parties in accordance with lawful personal data processing purposes and by taking the necessary security measures. MYRAANG may transfer personal data to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") or, in cases where adequate protection is not available, to foreign countries where the data controllers in Türkiye and the relevant foreign country have provided a written commitment of adequate protection and have the permission of the Board ("Foreign Country with a Data Controller Committing to Adequate Protection"). MYRAANG acts in accordance with the regulations stipulated in Article 9 of the Law in this regard. MYRAANG may transfer personal data to foreign countries with data controllers providing adequate protection or committing to adequate protection, in accordance with legitimate and lawful personal data processing purposes, with the explicit consent of the data subject, or, if the data subject has not given explicit consent, in the presence of one of the following conditions:

Personal data may be transferred abroad if: the data subject has given explicit consent; there is an explicit provision in the laws regarding the transfer of personal data; it is necessary for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to express their consent due to factual impossibility or their consent is not legally valid; it is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of the contract; it is necessary for MYRAANG to fulfill its legal obligations; the personal data has been made public by the data subject; it is necessary for the establishment, exercise, or protection of a right; or it is necessary for MYRAANG's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject. 3.4.1. Transfer of Special Categories of Personal Data Abroad

MYRAANG may transfer special categories of personal data to foreign countries where the Data Controller Provides or Commits to Provide Adequate Protection, in line with legitimate and lawful personal data processing purposes, with the explicit consent of the personal data subject, or, if the personal data subject has not given explicit consent, under one of the following circumstances:

Personal data may be disclosed, with or without the explicit consent of the data subject, in cases stipulated by law, except for special categories of personal data (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, data relating to criminal convictions and security measures, as well as biometric and genetic data) excluding data relating to the health and sexual life of the data subject, and only by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

4. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSES OF PROCESSING.

4.1. Categorization of Personal Data

At MYRAANG, personal data is processed in accordance with MYRAANG's legitimate and lawful purposes for processing personal data, based on one or more of the conditions for processing personal data specified in Article 5 of the Law, and in compliance with the general principles specified in the Law, primarily the principles specified in Article 4 regarding the processing of personal data, and all obligations stipulated in the Law, and limited to the subjects within the scope of this Policy (Our Customers, Officials and Employees of Institutions We Cooperate With, Officials and Employees of Suppliers, Officials and Employees of Business Partners, Our Visitors, Website Users, Job Applicants and other Third Parties), in the categories of personal data specified below, by informing the relevant individuals in accordance with Article 10 of the Law.

Disclosure of Personal Data or Special Categories of Personal Data

Identity Information

Documents such as driver's licenses, national identity cards, and passports containing information such as name, surname, Turkish Republic identity number, nationality information, mother's name and surname, father's name and surname, place of birth, date of birth, and gender, as well as other documents containing this information, tax number, social security number, signature information, vehicle license plate number, etc.

Contact Information

Phone number, address, email address, fax number, IP address, etc.

Special Category Personal Data

Prescription information, doctor's reports, test and radiology results, health reports, blood type, genetic data, etc., as well as religious affiliation, membership in associations, etc., and all other types of health data.

Physical Space Security Information

Personal data relating to records and documents obtained during stays within the physical premises owned or leased by MYRAANG (MYRAANG Headquarters and/or MYRAANG Stores): camera recordings, security checkpoint recordings, etc.

Financial Information

Personal data processed includes information, documents, and records showing all kinds of financial results created according to the type of legal relationship established with suppliers, business partners, and other third parties or other personal data owners, as well as bank account numbers, IBAN numbers, credit card information, financial profiles, asset data, income information, etc.

Visual/Auditory Information

All types of photographs and video recordings, audio recordings.

Personal Information

Information forming the basis of the personal rights of individuals who have or will have a working relationship with MYRAANG (e.g., Employees of Suppliers and/or Employees and/or Job Applicants of Business Partners, but excluding MYRAANG Employees) (CV, health report, bank account statement, social security statement, passport photo, proof of residence, copy of identity card, etc.)

Request/Complaint Management Information

Data relating to the receipt and evaluation of all requests or complaints directed to MYRAANG.

Transaction Security Information

Personal data processed by MYRAANG to ensure the technical, administrative, legal and commercial security of both the data subject and the Company while conducting its business activities.

Risk Management Information

Personal data processed for the management of commercial, technical and administrative risks through methods used in accordance with generally accepted legal, commercial practices and principles of good faith in these areas.

Legal Procedure Compliance Information

Personal data processed for the purpose of identifying, determining, tracking, and fulfilling MYRAANG's legal receivables and rights, as well as complying with legal obligations and MYRAANG policies.

Audit and Inspection Information

Personal data processed by MYRAANG in accordance with its legal obligations and company policies.

Reputation Management Knowledge

Personal data associated with an individual and collected for the purpose of protecting MYRAANG's business reputation (e.g., posts related to MYRAANG)

4.2. Purposes of Processing Personal Data

MYRAANG processes personal data only for the purposes and under the conditions specified in Article 5, paragraph 2 and Article 6, paragraph 3 of the Law. These purposes and conditions are:

MYRAANG's processing of your personal data is subject to the relevant provisions of the law.

The processing of your personal data by MYRAANG is directly related to and necessary for the establishment or performance of a contract.

The processing of your personal data is necessary for MYRAANG to fulfill its legal obligations.

Provided that you have made your personal data public, MYRAANG may process it only for the purpose of that public disclosure.

The processing of your personal data by MYRAANG is necessary for the establishment, exercise or protection of the rights of MYRAANG, you, or third parties.

Personal data processing is necessary for MYRAANG's legitimate interests, provided that it does not harm your fundamental rights and freedoms.

MYRAANG may process personal data only if it is necessary to protect the life or physical integrity of the data subject or another person, and in this case, the data subject is unable to express their consent due to factual or legal incapacity.

For special categories of personal data other than the health and sexual life of the data subject, processing is permitted only if provided for in the laws. For special categories of personal data relating to the health and sexual life of the data subject, processing is permitted only if carried out by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

In this context, MYRAANG processes your personal data for the following purposes:

The company's internal operations,

conducting business activities and ensuring the security of company operations,

Carrying out the necessary activities for conducting analyses of the effectiveness, efficiency, and appropriateness of business activities.

Management of strategic planning activities and business partner/supplier relationships,

Managing customer relationship processes and customer satisfaction activities.

Conducting marketing and sales activities,

Executing processes to establish and/or increase loyalty to the products and/or services offered by the Company,

Conducting market research activities for the sale and marketing of products and services.

Execution of activities related to events, execution of production and/or operation processes,

Banking operations and the conduct of finance/accounting activities,

Conducting activities with legal, technical and administrative consequences, providing information to authorized institutions as required by legislation, handling legal claims and conducting legal affairs.

Ensuring business continuity and operating the processes required for corporate governance activities,

Conducting activities related to the sales processes and after-sales support services of products and/or services.

Ensuring that data is accurate and up-to-date, and taking necessary actions to ensure that company operations are conducted in accordance with company procedures and/or relevant legislation.

Ensuring the security of company premises and/or facilities, creating and tracking visitor records, planning and executing logistics activities,

Conducting information security processes and activities related to information technology infrastructure,

Planning and execution of emergency management processes, implementation of occupational health and/or safety processes,

Planning of human resources processes,

Conducting activities related to the sales processes and after-sales support services of products and/or services.

Keeping data accurate and up-to-date,

Planning of building or construction works, execution of activities related to group companies, ensuring employees' access to information,

Planning and executing internal appointment/promotion and termination processes, planning and executing personnel exit procedures, planning and executing talent and career development activities, recruitment/employment, and managing personnel supply processes.

Planning and implementing employee benefits and advantages, conducting wage management activities, planning employee salary increases,

Monitoring and/or supervising employees' work activities, planning and monitoring employee performance appraisal processes, planning and executing employee satisfaction and/or engagement processes,

To assess the candidate's qualifications, experience, and interests in relation to the open position.

Contacting third parties to research the Job Candidate,

To contact the Job Applicant regarding the application and recruitment process.

To contact the Job Candidate if a position opens up later.

To meet the requirements of the relevant legislation and/or the requests of the competent authorities and organizations.

The processing activity carried out for the aforementioned purposes,

If you do not meet any of the conditions stipulated by law, your explicit consent is obtained by MYRAANG regarding the relevant processing procedure.

In this context, employee profiles are collected for a predetermined purpose through (i) digital application forms published in written or electronic format, (ii) resumes submitted to MYRAANG via email, mail, references, etc., and (iii) through employment and/or consulting companies, (iv) during video conference or face-to-face interviews, (v) through recruitment tests conducted by experienced experts that identify skills and personality traits and whose results are reviewed, (vi) during the recruitment process, and (vii) after recruitment.

Job applicants may, if they wish, submit their requests regarding their rights arising from their status as Data Subjects and enshrined in law, using the method described in Article 10 of this Policy.

5. THIRD PARTIES TO WHOM MYRAANG TRANSFERRED PERSONAL DATA AND THE PURPOSES OF THE TRANSFER

In accordance with Articles 8 and 9 of the MYRAANG Law, the personal data of data subjects governed by this Policy may be transferred to the following categories of individuals:

MYRAANG shares data with its business partners, MYRAANG suppliers, MYRAANG affiliates (MYRAANG TEXTILE INDUSTRY AND TRADE LTD.), legally authorized public institutions and organizations, and authorized private legal entities, as well as other third parties in accordance with the data transfer terms.

The scope of the individuals involved in the data transfer and the purposes of data transfer are specified below:

DEFINITION OF PERSONS TO WHOM DATA CAN BE TRANSFERRED PURPOSE OF DATA TRANSFER

Business Partner

MYRAANG's partners with whom it establishes business partnerships for purposes such as conducting its commercial activities.

limited to ensuring the fulfillment of the purposes for which the business partnership was established.

Supplier

Parties providing services to MYRAANG in accordance with MYRAANG's orders and instructions and on a contractual basis, within the scope of conducting MYRAANG's commercial activities.

The services that the Company procures from suppliers through outsourcing and that are necessary for the Company to carry out its commercial activities are limited to these services.

Affiliates

Companies in which the company is a shareholder

Limited to ensuring the conduct of the company's commercial activities which require the participation of its subsidiaries.

Legally Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from the Company in accordance with the relevant legislation.

Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.

Legally Authorized Private Persons

Private legal entities authorized to obtain information and documents from the Company in accordance with the relevant legislation.

limited to the purpose requested within the legal authority of the relevant private legal entities.

MYRAANG's communications are conducted in accordance with the provisions set out in Sections 2 and 3 of the Policy.

6. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED BY THE PROCESSING CONDITIONS IN THE LAW 6.1. Processing of Personal Data and Special Categories of Personal Data 6.1.1. Processing of Personal Data

Although the legal grounds for processing personal data by MYRAANG vary, all personal data processing activities are carried out in accordance with the general principles set forth in Article 4 of the Law. The basis for a personal data processing activity may be only one of the conditions listed below, or more than one of these conditions may serve as the basis for the same personal data processing activity.

i. Obtaining the Explicit Consent of the Data Subject: One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given freely, based on informed knowledge, and relating to a specific matter. Explicit consent can be obtained verbally or in writing. If any of the conditions listed below (ii), (iii), (iv), (v), (vi), (vii), (viii) exist, explicit consent is not required, and MYRAANG does not obtain explicit consent if one or more of these conditions exist.

ii. Explicit Provision in Law: Personal data of the data subject may be processed lawfully if explicitly provided for in the law. MYRAANG informs the data subject about the personal data it processes in accordance with Article 10 of the Law. For example, MYRAANG invoices contain personal information (name, surname, and if an individual, their tax identification number) in accordance with Article 230 of the Tax Procedure Law.

iii. Inability to Obtain Explicit Consent Due to Factual Impossibility: If a person is unable to express their consent due to factual impossibility, or if their consent cannot be considered valid, and the processing of their personal data is necessary to protect the life or physical integrity of that person or another person, then the data subject's personal data may be processed. For example, if a MYRAANG visitor suddenly falls ill and loses consciousness, and a MYRAANG employee has to disclose the visitor's identification information to a healthcare professional, this constitutes an example of the inability to obtain the data subject's explicit consent due to factual impossibility.

iv. Direct Relevance to the Establishment or Performance of a Contract: Personal data may be processed if it is directly related to the establishment or performance of a contract and is necessary for processing the personal data of the parties to the contract. For example, the bank account number of the landlord in the lease agreement for the business premises rented by MYRAANG is personal data processed for the purpose of making the payment for the performance of the contract.

v. MYRAANG's Fulfillment of Legal Obligations: MYRAANG, as the data controller, may process personal data of the data subject if processing is necessary for fulfilling its legal obligations. For example, providing information requested by a court is a legal obligation.

vi. Public Disclosure of Personal Data by the Data Subject: Personal data may be processed if the data subject has made their personal data public. For example, a data subject makes their personal data public by disclosing it on their own website.

vii. Necessity of Data Processing for the Establishment or Protection of a Right: Personal data of the data subject may be processed if data processing is necessary for the establishment, exercise, or protection of a right. For example, MYRAANG may process data to store the personnel file of a former MYRAANG employee and use it when necessary (e.g., in the event of a lawsuit for reinstatement or payment of outstanding wages).

vii. Necessity of Data Processing for MYRAANG's Legitimate Interests: Personal data of the data subject may be processed if it is necessary for MYRAANG's legitimate interests, provided that this does not harm the fundamental rights and freedoms of the data subject. Example: Recording security footage with cameras in the MYRAANG building is a situation where data processing is necessary for MYRAANG's legitimate interests.

6.1.2. Processing of Special Categories of Personal Data

MYRAANG processes special categories of personal data only if the data subject's explicit consent is not obtained, and only under the following conditions, in accordance with the measures specified in the "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" published in the Official Gazette dated 13.03.2018 and numbered 30356, pursuant to the Board decision dated 01.2018 and numbered 2018/10:

Special categories of personal data other than the health and sexual life of the data subject may be processed only in cases stipulated by law. Special categories of personal data relating to the health and sexual life of the data subject may only be processed by persons or authorized institutions and organizations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing. 7. MYRAANG HEAD OFFICE AND STORES AND PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THESE BUILDINGS 7.1. Personal Data Processing Activities Carried Out in MYRAANG Head Office and Stores

For security purposes, MYRAANG operates security camera surveillance at its Head Office and Stores (“Buildings”) and processes personal data to track visitor entry and exit.

MYRAANG conducts camera surveillance at the entrances and inside buildings to protect the interests of the Company and other individuals in ensuring their security. In this context, MYRAANG acts in compliance with the Law and other relevant legislation. Specifically, camera surveillance is compliant with the Law on Private Security Services and related legislation, and MYRAANG acts in accordance with the regulations contained in the Law when conducting camera surveillance for security purposes. Accordingly, within the framework of Article 10 of the Law, the personal data owner is informed. As part of its obligation to inform, MYRAANG publishes this Policy on its website and posts notification notices in the areas where surveillance is conducted.

MYRAANG processes personal data in accordance with Article 4 of the Law, in a manner that is relevant, limited, and proportionate to the purposes for which it is processed, and conducts video surveillance activities within the scope of its purpose. Accordingly, MYRAANG determines the surveillance areas and number of security cameras, and the storage duration of video recordings, in a manner that is limited and does not exceed the purpose of security. Furthermore, it should be noted that video recording activities are conducted in a way that does not infringe upon the privacy of the individual.

MYRAANG takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of monitoring activities conducted through video recording. In this context, only a limited number of MYRAANG employees have access to these video recordings, and these employees are also required to sign a confidentiality agreement.

7.2. Website Visitors

MYRAANG has taken the necessary security measures for the transactions (site visits, membership registrations, shopping transactions) carried out by MYRAANG on its websites, in accordance with the nature of the information and transaction, using appropriate technical and administrative methods within the scope of technological possibilities and cost factors, by the third-party company and/or the relevant organization with which the third-party company has an agreement, which provides the software, installation, hosting and maintenance services of the website through a contract, is responsible for the management and operation of the e-commerce system and all e-commerce activities carried out with this system, and also collects and processes personal data directly through the website by providing consignment services to visitors and customers as a data controller. MYRAANG bears no legal responsibility for the processing of internet activity within the site and/or application by third-party companies using technical methods (e.g., cookies) to ensure that visitors' visits are aligned with their purposes, to display personalized content, and to conduct online advertising activities. Detailed explanations regarding these activities and the protection and processing of personal data are provided in the "Privacy Policy" section of the respective website.

8. RIGHTS OF DATA SUBJECTS, THE EXERCISE OF THESE RIGHTS, AND MYRAANG'S EVALUATION OF THEM 8.1. Rights of the Data Subject

According to Article 10 of the Law, the rights of the personal data owner are as follows:

The right to: learn whether personal data is being processed; request information regarding the processing of personal data if it has been processed; learn the purpose of the processing of personal data and whether it is being used in accordance with its purpose; know the third parties to whom personal data has been transferred, domestically or abroad; request the correction of personal data if it has been processed incompletely or incorrectly, and request that this action be notified to the third parties to whom the personal data has been transferred; request the deletion or destruction of personal data if the reasons requiring its processing have ceased to exist, even if it has been processed in accordance with the law and other relevant laws, and request that this action be notified to the third parties to whom the personal data has been transferred; object to a result that is detrimental to the individual arising from the analysis of processed data exclusively through automated systems; demand compensation for damages incurred as a result of the unlawful processing of personal data. 8.2. Cases Where the Personal Data Subject Cannot Assert Their Rights

In accordance with Article 28 of the Law, personal data owners cannot exercise the rights listed in Article 10.1.1 of this Policy in the following cases, as these are excluded from the scope of the Law. Namely:

In accordance with Article 28, paragraph 2 of the Law, personal data owners cannot exercise the rights listed in Article 8.2 of this Policy, except for the right to claim compensation for damages, in the following cases:

Processing of personal data for purposes such as research, planning, and statistics through official statistics and anonymization. Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitute a crime. Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public security, public order, or economic security. Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or execution proceedings. Processing of personal data when it is necessary for the prevention of crime or for criminal investigation. Processing of personal data that has been made public by the data subject. Processing of personal data by authorized public institutions and organizations, and professional organizations with the status of public institutions, based on the authority granted by law, for the performance of their supervisory or regulatory duties, and for disciplinary investigations or prosecutions. 8.3. Exercise of Personal Data Subject Rights

Data subjects may submit their requests regarding the rights listed in Article 8.1 of this Policy to MYRAANG free of charge by filling out and signing the Data Subject Application Form, along with information and documents that will identify them, using the methods specified below or other methods determined by the Board:

Furthermore, for third parties to submit applications on behalf of Data Subjects, a special power of attorney, notarized by a notary public, must be provided by the Data Subject to authorize the person submitting the application. Data Subjects must submit their applications in Turkish, and the following information will be requested from you:

1. After filling out the form found at www.mamulier.com, it must be sent with a wet signature -- via a notary public -- to the following address: Merkez Mahallesi Kazım Orbay Cad. No:33/2 Şişli, İstanbul, or

2. After filling out the form located at www.mamulier.com and signing it with your secure electronic signature in accordance with the Electronic Signature Law No. 5070, send the securely signed or mobile-signed form to rsctagidavetekstil@hs03.kep.tr via registered electronic mail.

Name, surname and signature if the application is in writing, Turkish Republic identity number for Turkish citizens, nationality, passport number or identity number if available for foreigners, residential or business address for notification purposes, e-mail address, telephone and fax number for notification purposes if available, subject of the request, additional information and documents related to the subject if available. 8.4. Right of the Personal Data Owner to File a Complaint with the Board

If the application is rejected within the time limit in accordance with Article 14 of the Law, or if the answer given is deemed insufficient, or if MYRAANG fails to respond to the application within the time limit, the Data Subject may file a complaint with the Board within thirty (30) days from the date of learning of MYRAANG's answer and in any case within sixty (60) days from the date of the application.

8.5. MYRAANG's Application Response Process

Applications to MYRAANG should only be made in cases where MYRAANG is considered a data controller under the Law. This may be the case if MYRAANG directly collects personal data from the data subject or if the data sharing between MYRAANG and its affiliates constitutes a data transfer from one data controller to another under the Law. Apart from these, applications regarding personal data processing activities where MYRAANG affiliates are considered data controllers should be made to the relevant MYRAANG affiliate, not to MYRAANG itself. If the personal data owner submits their request to MYRAANG in accordance with the procedure described in Article 8.3 of this Policy, MYRAANG will process the request free of charge within a maximum of thirty (30) days, depending on the nature of the request. However, if a fee is prescribed by the Board, MYRAANG will collect the fee from the applicant according to the tariff determined by the Board. In accordance with Article 7 of the "Notification on the Procedures and Principles for Applications to the Data Controller" published in the Official Gazette No. 30356 dated March 10, 2018, if the response to the Data Subject's request is given in writing, a fee of 1 Turkish Lira may be charged for each page if the response is 10 (ten) pages or more. If the response is given on a recording medium such as a CD or flash drive, the fee requested by MYRAANG will not exceed the cost of the recording medium. MYRAANG may request information from the relevant person to determine whether they are the data subject and may ask questions regarding their application. MYRAANG may reject the application of the applicant, explaining the reasons, in the following cases:

1. Processing of personal data for purposes such as research, planning, and statistics through official statistics and anonymization. 2. Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitute a crime. 3. Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities aimed at ensuring national defense, national security, public security, public order, or economic security. 4. Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or execution proceedings. 5. Processing of personal data when it is necessary for the prevention of crime or for criminal investigation. 6. Processing of personal data that has been made public by the data subject. 7. 8. When the processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or prosecutions, by authorized and competent public institutions and organizations, and professional organizations with the status of public institutions, based on the authority granted by law. 9. When the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. 10. When the request of the personal data owner may infringe upon the rights and freedoms of other individuals. 11. When the requests require disproportionate effort. 9. MYRAANG'S OTHER DOMESTIC POLICIES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

MYRAANG establishes internal sub-policies regarding the protection and processing of personal data, which are related to the principles set forth in this Policy.

9.1. MYRAANG Personal Data Protection and Processing Policy Management

MYRAANG has established a management team to ensure compliance with legal regulations and the implementation of its Personal Data Protection and Processing Policy. Within this scope, MYRAANG has appointed a Data Protection Board consisting of three members: a data controller representative, a contact person, and an information technology expert, to ensure the implementation and management of this Policy and other related policies specified in Article 11. The duties of the Data Protection Board are as follows:

To prepare and implement the basic policies regarding the protection and processing of personal data, and any necessary amendments, and to submit them to the Company Management for approval.

To decide how the policies regarding the protection and processing of personal data will be implemented and monitored, and to submit the matters of internal assignment and coordination within this framework to the approval of the Company Management.

To identify the necessary actions to ensure compliance with the law and relevant regulations, submit them to the Company Management for approval, oversee their implementation, and coordinate their management.

To raise awareness within MYRAANG and among the organizations with which MYRAANG collaborates regarding the protection and processing of personal data.

To identify potential risks in MYRAANG's personal data processing activities and ensure that necessary precautions are taken; and to submit improvement suggestions to the Company Management for approval.

To ensure that data subjects are informed about personal data processing activities and their legal rights regarding the protection of personal data and the implementation and dissemination of policies, training sessions are organized.

To forward the data subjects' applications to the Company Management for a decision.

To monitor developments and regulations regarding the protection of personal data; and to communicate suggestions to Company Management regarding what needs to be done within MYRAANG in accordance with these developments and regulations.

To manage relations with the Board and Institution under the coordination of the Company Management.

To perform other duties assigned by Company Management regarding the protection of personal data.

ABBREVIATIONS AND DEFINITIONS

Law: Refers to the Law on the Protection of Personal Data No. 6698 dated March 24, 2016, published in the Official Gazette No. 29677 dated April 7, 2016.

Board: Refers to the Personal Data Protection Board.

Institution: Refers to the Personal Data Protection Authority.

The company is MYRAANG TEXTILE INDUSTRY AND TRADE LTD.

Personal data is any information relating to an identified or identifiable natural person. Therefore, the processing of information relating to legal entities is not covered by the Law.

Data subject: The natural person whose personal data is being processed.

Special categories of personal data include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of personal data: This refers to any operation performed on personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of such data.

Explicit consent: Consent given freely and based on informed knowledge regarding a specific matter.

Anonymization: This is the process of altering personal data in such a way that it loses its personal data status and this alteration is irreversible. (For example, using techniques such as masking, aggregation, data distortion, etc., to make personal data impossible to link to a specific individual.)

Destruction: This refers to the deletion, destruction, or anonymization of personal data.

Data processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller. (For example, the cloud computing company that holds MYRAANG's data, etc.)

Data controller: The person who determines the purposes and means of processing personal data and manages the data recording system in which the data is systematically stored.

Contact Person: The natural person notified by the data controller during registration with the Registry for communication with the Authority regarding the obligations of legal entities established in Türkiye and the representatives of legal entities not established in Türkiye, within the scope of the Law and secondary regulations to be issued based on this Law.

Third Party: Any natural person whose personal data is processed within the scope of this Policy.

Data Subject Application Form: This is the application form, accessible on the MYRAANG website, that personal data owners or their representatives must submit to the Data Controller in accordance with the law, to exercise their rights.

MYRAANG Group Companies: These are all companies (affiliates, partners, etc.) directly or indirectly affiliated with MYRAANG TEKSTİL SAN VE TİC.LTD.ŞTİ, including MYRAANG TEKSTİL SAN VE TİC.LTD.ŞTİ itself.

Job Applicant: Individuals who have applied for a job at MYRAANG in any way or who have submitted their resumes and related information for MYRAANG's review.

Our Partners: These are the natural persons, including shareholders, officials, and employees of institutions (such as hospitals and ministries, but not limited to them) with whom MYRAANG has any kind of business relationship.

Supplier: Legal entities or natural persons who provide services to MYRAANG on a contractual basis, in accordance with MYRAANG's orders and instructions, while conducting MYRAANG's commercial activities.

Supplier Representatives and Employees: These are natural persons, including shareholders, representatives, and employees of suppliers.

Business Partners: These are parties with whom MYRAANG establishes business partnerships for purposes such as conducting its commercial activities.

Partner Officers and Employees: These are natural persons, including shareholders, officers, and employees of the Business Partners.

Visitor: Real persons who have been physically present at MYRAANG's premises for various purposes or who have visited its websites.

Website Users: These are real people who visit MYRAANG's websites.

MYRAANG Headquarters: MYRAANG's business premises are located at Hürriyet Mah. Akçaağaç Sk. No:3/3 KAĞITHANE / İSTANBUL / Türkiye.

MYRAANG Stores: These are the stores located in Türkiye.

Company Representatives: MYRAANG board members and other authorized individuals.

SSL stands for Secure Sockets. It is a certificate that enables the security and integrity of data exchanged between the server and the client.

Secure Electronic Signature: An electronic signature that is exclusively linked to and controlled by the signatory, created using a secure electronic signature creation tool, and based on a qualified electronic certificate, enabling the identification of the signatory and the detection of any subsequent changes to the signed electronic data.