MUSICHOOL PERSONAL DATA PROTECTION AND PROCESSING POLICY
TABLE OF CONTENTS
- 4.1. ROLES AND DUTIES
- 4.2. PREPARATION OF POLICIES, PROCEDURES, GUIDES AND MANUALS
- 5.1. FUNDAMENTAL PRINCIPLES
- 5.2. LAWFUL PROCESSING ACTIVITIES
- 5.3. LAWFUL DATA TRANSFER
- 6.1. Obligation to Implement Decisions Issued by the PDPA Board
- 6.2. Data Subject Relations Obligation
- 6.3. Obligation to Register with and Notify the Data Controllers Registry
- 6.4. Obligation to Inform the Data Subject
- 6.5. Obligation to Ensure the Security of Personal Data
- 7.1. ADMINISTRATIVE MEASURES
- 7.2. TECHNICAL MEASURES
- 7.3. PERSONAL DATA BREACH
1. OBJECTIVE AND SCOPE
Having earned a reputable position in the sector in which it operates, Musichool OU ("Musichool") has adopted the principle of exercising the utmost care in complying with the legal order. Accordingly, it is establishing all necessary systems for compliance with the legislation on the protection of personal data.
The Musichool Personal Data Processing and Protection Policy (hereinafter referred to as the "Musichool PDPP Policy") sets out the principles and fundamentals adopted by Musichool in the processing of personal data.
In line with the importance Musichool attaches to the protection of personal data, the Musichool PDPP Policy establishes the fundamental principles regarding the compliance of the activities carried out by Musichool with the provisions of the Personal Data Protection Law No. 6698 (hereinafter referred to as the "PDPL"), and within this scope, the obligations to be fulfilled by Musichool are set forth. Through this policy, the personal data security principles adopted by Musichool shall be made sustainable.
The Musichool PDPP Policy is intended to serve as guidance for the implementation of the regulations set forth by the PDPL and other legislation by Musichool.
2. DATA CONTROLLER
Musichool holds the title of "data controller" in the personal data processing activities for which it determines the purposes and means in accordance with the PDPL, and through this policy, it announces to the public the obligations it has acquired due to its status as data controller.
3. DEFINITIONS
The important definitions contained in the Musichool PDPP Policy and the legislation are provided below together with their meanings:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Special Category Personal Data | Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data |
| Data Subject | The identified or identifiable natural person whose personal data is processed (relevant person) |
| Explicit Consent | Consent relating to a specific matter, based on being informed, and expressed through free will |
| Anonymization | Rendering personal data in such a way that it can under no circumstances be associated with an identified or identifiable natural person, even when matched with other data |
| Processing of Personal Data | Any operation performed on data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use of personal data |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Data Processor | The natural or legal person outside the organization who processes personal data on behalf of the data controller based on the authority granted by the data controller |
| PDPL (Law) | The Personal Data Protection Law No. 6698, dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677 |
| PDPA Board | The Personal Data Protection Board |
| PDPA Institution | The Personal Data Protection Authority |
| VERBIS | The Data Controllers Registry kept publicly under the supervision of the PDPA Board, under the Presidency of the Personal Data Protection Authority |
| Musichool (Company) | Musichool OU |
| Musichool Personal Data Retention and Destruction Policy | The policy prepared by Musichool regulating the processes of retention, deletion, destruction and anonymization of personal data held within its structure |
| Musichool Data Breach Procedure | The procedure regulating the processes to be followed in the event of a possible data breach within Musichool |
| Musichool Data Subject Relations Guide | The guide regulating the application procedures to be made by data subjects and the processes for responding to these applications |
| Musichool PDPP Policy | Musichool Personal Data Processing and Protection Policy |
| Personal Data Processing Inventory | The inventory created by data controllers by associating the personal data processing activities they carry out in connection with their business processes with the purposes and legal basis of personal data processing, the data category, the recipient group to which data is transferred, and the data subject group, and detailing the maximum retention period necessary for the purposes for which personal data is processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security |
| Regulation on Data Controllers Registry | The Regulation on Data Controllers Registry published in the Official Gazette dated December 30, 2017 and numbered 30286, which entered into force on January 1, 2018 |
4. DATA SECURITY BOARD
The Data Security Board is the unit responsible for the protection of personal data processed within Musichool and for monitoring the compliance process with personal data protection legislation. It consists of representatives from the Human Resources, Administrative Affairs and Information Technology departments.
Meetings are held when deemed necessary by the Board or upon request. The revision of policies and compliance with legislation are controlled by the Data Security Board. In this context, the fundamental activities to be carried out by the relevant unit or person are listed below:
- Making the necessary role assignments in the field of personal data protection,
- Ensuring the implementation of relevant documents in terms of compliance with legislation and conducting the necessary audits,
- Monitoring relations with the PDPA Institution, PDPA Board and relevant persons.
4.1. ROLES AND DUTIES
The "Contact Person", who performs the data controller's VERBIS registration and data entry operations, serves as the point of communication with the Institution, and controls data subject relations and the operability of the related mechanisms in accordance with the "Musichool Data Subject Relations Guide", is appointed by a decision of the Data Security Board.
In addition to the minimum duties specified above, certain additional duties and responsibilities may be assigned to appointed personnel due to the needs that may arise for ensuring personal data privacy compliance.
4.2. PREPARATION OF POLICIES, PROCEDURES, GUIDES AND MANUALS
In order to ensure compliance with personal data protection legislation, the following documents are prepared and published by the Data Security Board on behalf of Musichool in its capacity as data controller.
- Musichool Personal Data Protection and Processing Policy
- Musichool Personal Data Retention and Destruction Policy
- Musichool Personal Data Breach Procedure
- Musichool Data Subject Relations Guide
5. POLICY PRINCIPLES
5.1. FUNDAMENTAL PRINCIPLES
The following fundamental principles shall be adopted by Musichool during the processing of personal data.
5.1.1. Processing personal data in compliance with the law and the principle of good faith
Musichool conducts personal data processing activities in accordance with data privacy legislation, primarily the Constitution of the Republic of Turkey and the PDPL, and with the principle of good faith.
5.1.2. Ensuring the accuracy and currency of processed personal data
Musichool ensures the accuracy and currency of the personal data it processes, takes the necessary administrative and technical measures within this framework, and continues to monitor the process.
5.1.3. Processing personal data in connection with, limited to and proportionate to the purpose
Musichool processes personal data only in connection with, and to the extent necessary for, the fulfillment of the data processing conditions and the services it provides. In this context, the purpose of personal data processing must be determined before the personal data processing activity commences. In other words, personal data must not be processed merely on the assumption that it may be used in the future (the retention of personal data is itself a data processing activity). Within this framework, Musichool takes into account both the fundamental rights of data subjects and its own legitimate interests.
5.1.4. Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed
Musichool retains the personal data it processes for a period limited to the period stipulated in the relevant legislation or required by the purpose of data processing. Musichool may delete, destroy or anonymize personal data upon the expiration of the period stipulated in the legislation or the cessation of the reasons requiring the processing of personal data. In this regard, the Musichool Personal Data Retention and Destruction Policy that has been established is complied with.
5.2. LAWFUL PROCESSING ACTIVITIES
While carrying out personal data processing activities, Musichool acts in accordance with the data processing conditions determined in Articles 5 and 6 of the PDPL and the "data processing purposes" determined by the Company, subject to compliance with the fundamental principles.
Musichool designs the necessary mechanisms within its internal systems for the lawful processing of personal data. Furthermore, it ensures personnel awareness on data privacy through internal training and carefully maintains the continuity of the process.
In the context of processing personal data, Musichool operates in parallel with the rules set forth primarily in the Constitution of the Republic of Turkey, the Turkish Penal Code No. 5237, the PDPL and other legislation, and the Musichool PDPP Policy.
5.3. LAWFUL DATA TRANSFER
When Musichool shares personal data with third parties or makes personal data available for sharing by third parties, it complies with the personal data transfer conditions regulated in Articles 8 and 9 of the PDPL.
6. OBLIGATIONS
Musichool must comply with the obligations stipulated by the PDPL for data controllers. Within this scope, the principal matters that Musichool is obliged to comply with in this policy are listed below:
6.1. Obligation to Implement Decisions Issued by the PDPA Board
Musichool immediately implements the decisions notified by the PDPA Board (the executive body of the PDPA Institution, which is the administrative authority in our country that regulates and oversees personal data protection activities) following examinations conducted upon complaint or ex officio. Furthermore, it adopts the principle decisions established by the PDPA Board as data privacy rules.
6.2. Data Subject Relations Obligation
Musichool, in its capacity as data controller, finalizes the requests of data subjects regarding their personal data in the shortest time possible and within thirty (30) days at the latest, depending on the nature of the request, in accordance with Article 13 of the PDPL.
Pursuant to Article 11 of the PDPL, personal data subjects may apply to data controllers and make requests regarding themselves on the following matters:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether it is used in accordance with that purpose,
- To know the third parties to whom personal data has been transferred domestically or abroad,
- To request correction of personal data if it has been incompletely or incorrectly processed and to request notification of such correction to the third parties to whom the personal data has been transferred,
- To request the deletion or destruction of personal data if the reasons requiring their processing have ceased to exist despite having been processed in accordance with the PDPL and other relevant laws, and to request notification of such action to the third parties to whom the personal data has been transferred,
- To object to any result arising against the person through analysis of the processed data exclusively by automatic systems,
- To claim compensation for damages if they suffer damage due to the unlawful processing of personal data.
6.3. Obligation to Register with and Notify the Data Controllers Registry
Musichool must register with the Data Controllers Registry in accordance with Article 16 of the PDPL and the procedures and principles of the regulation, provided that it meets the criteria mentioned in the Regulation on Data Controllers Registry. The Registry is maintained publicly and may be examined by the relevant person or persons.
6.4. Obligation to Inform the Data Subject
Musichool carries out the necessary processes to ensure that data subjects are informed by its authorized persons at the time of obtaining personal data, in accordance with Article 10 of the PDPL and the Communique on the Procedures and Principles to be Observed in the Fulfillment of the Obligation to Inform.
6.5. Obligation to Ensure the Security of Personal Data
Musichool, in accordance with Article 12 of the PDPL, being conscious of the importance of ensuring the security of personal data and protecting the fundamental rights and freedoms of data subjects;
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data, and
- To ensure the preservation of personal data,
takes all necessary technical and administrative measures to ensure an appropriate level of security for these purposes. Furthermore, it conducts or has conducted the necessary audits within the scope of operating the mechanisms aimed at ensuring data security.
7. ENSURING THE SECURITY OF PERSONAL DATA
Musichool takes all necessary measures, within its means and according to the nature of the data to be protected, in order to prevent the unlawful processing of personal data, unlawful access to personal data or other security deficiencies that may occur, and to ensure the safe preservation of personal data.
In this context, Musichool complies with Article 12 of the Law and the Data Security Guide prepared and published on its website by the PDPA Board. The following administrative and technical measures are taken by Musichool for the purpose of personal data security.
7.1. ADMINISTRATIVE MEASURES
- Disciplinary regulations containing data security provisions are in place for employees.
- Training and awareness activities on data security are conducted for employees at regular intervals.
- Institutional policies on access, information security, usage, retention and destruction have been prepared and implemented.
- Confidentiality commitments are made.
- Signed contracts contain data security provisions.
- Personal data security policies and procedures have been established.
- Personal data security issues are reported promptly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Periodic and/or random internal audits are conducted or commissioned.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of special category personal data have been established and implemented.
- Data processor service providers are audited on data security at regular intervals.
- Awareness of data processor service providers on data security is ensured.
7.2. TECHNICAL MEASURES
- Network security and application security are ensured.
- Closed system networks are used for personal data transfers over the network.
- Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
- The security of personal data stored in the cloud is ensured.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Data masking measures are applied when necessary.
- The authorizations of employees who have changed positions or left the company are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data is backed up and the security of backed-up personal data is also ensured.
- User account management and authorization control systems are implemented and monitored.
- Log records are kept in a manner that prevents user intervention.
- If special category personal data is to be sent via electronic mail, it is always sent in encrypted form using registered electronic mail or corporate mail accounts.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is continuously monitored.
- Special category personal data transferred via portable memory, CD, DVD media is transferred in encrypted form.
- Data loss prevention software is used.
7.3. PERSONAL DATA BREACH
Musichool notifies the PDPA Board and the relevant data subjects of the situation within 72 hours in the event that processed personal data is unlawfully obtained by unauthorized persons. For this reason, the Musichool Data Breach Procedure has been established; within the scope of this procedure, all breach drills within Musichool are designed by the Data Security Board.
8. DESTRUCTION OF PERSONAL DATA
Musichool has established all necessary internal systems for the destruction of personal data in accordance with its Musichool Personal Data Retention and Destruction Policy, which it created for the deletion, anonymization or destruction of personal data whose processing reason has ceased to exist despite having been lawfully processed, in accordance with Article 7 of the PDPL.
9. REVISION
This policy enters into force from the moment it is approved by the Data Security Board. The Data Security Board is also authorized to decide on the changes to be made within the document and how they will be put into effect, with the exception of the repeal of this policy.
This policy is reviewed at least once a year in all cases, and if there are necessary changes, it is updated by submitting it for the approval of the Data Security Board. In case of conflict between the legislation in force, primarily the PDPL, and the regulations contained in this Policy, the provisions of the legislation shall apply.
In parallel with the legal regulations to be made by the PDPA Institution, which is the administrative authority, Musichool reserves the right to make changes to its Personal Data Retention and Destruction Policy. Revisions that may occur in this policy or the legislation will be added to the policy by specifying the date and subject, and after the necessary announcements are made, they will be accepted as an integral part of the policy.