PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. The purpose of this policy is to determine the procedures and principles regarding the deletion,
destruction or anonymization of personal data processed by fully or partially automated or non-automated
means provided that it is part of any data recording system.
2. This policy has been prepared in accordance with the Regulation on Deletion, Destruction or
Anonymization of Personal Data prepared based on the third paragraph of Article 7 of Law No. 6698 and
subparagraph (e) of the first paragraph of Article 22.
3. The Company has prepared this Personal Data Storage and Destruction Policy in accordance with its
personal data processing inventory.
4. Definitions
4.1. Receiving group:
The category of natural or legal person to whom personal data is transferred
by the data controller.
4.2. Related user:
Persons who process personal data within the organization of the data controller
or in accordance with the authorization and instruction received from the data controller, except for
the person or unit responsible for the technical storage, protection and backup of the data.
4.3. Destruction:
It is the process of deleting, destroying or anonymizing personal data.
4.4. Recording medium:
It refers to all kinds of media in which personal data are processed by fully
or partially automated or non-automated means, provided that they are part of any data recording
system.
4.5. Personal Data:
Any information relating to an identified or identifiable natural person.
4.6. Personal data processing inventory:
It is the inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes of processing personal data, the data category, the recipient group to which data is transferred and the data subject group, and in which they detail the maximum time required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.
4.7. Personal data retention and destruction policy:
It is the policy on which data controllers rely for the process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymization.
4.8. Periodic destruction:
It refers to the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear.
4.9. Registry:
The registry of data controllers kept by the Personal Data Protection Authority.
4.10. Data recording system:
It refers to the recording system where personal data is structured and processed according to certain criteria.
4.11. Data controller:
It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
4.12. Deletion of personal data: Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
4.13. Destruction of personal data: Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
4.14. Anonymization of personal data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized; personal data must be rendered unassociable with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data by the data controller, recipient or groups of recipients.
5. Recording media regulated by the personal data retention and destruction policy:
5.1. Paper media
5.2. Electronic media
6. Explanations regarding the legal, technical or other reasons that require the storage and destruction of personal data:
6.1. In the event that all of the conditions for the processing of personal data disappear, personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
6.2. As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data that has been processed in accordance with the provisions of the relevant law shall be deleted, destroyed or anonymized upon the Company's own decision or upon the request of the personal data owner if the reasons requiring its processing disappear.
6.3. Pursuant to Article 23 of the Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, the documents and records arising from the business and transactions within the scope of the business are kept domestically for at least ten years in a secure manner that allows access by the Central Bank at any time.
6.4. When the relevant person applies to the Company to request the deletion or destruction of his/her personal data, this request is evaluated immediately with a view to fulfilling it.
6.5. If all the conditions for processing personal data have disappeared, the Company deletes, destroys or anonymizes the personal data subject to the request. The Company shall finalize the relevant person's request within thirty days at the latest and inform the relevant person.
6.6. If all of the conditions for processing personal data have disappeared and the personal data subject to the request have been transferred to third parties, the Company notifies the third party of this situation and ensures that the necessary actions are taken within the scope of this policy before the third party.
6.7. If all the conditions for processing personal data have not disappeared, this request may be rejected by the Company by explaining the reason and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.
6.8. Processing purposes that require retention:
6.8.1. To carry out human resources processes,
6.8.2. To ensure corporate communication,
6.8.3. To be able to do statistical studies,
6.8.4. To be able to perform works and transactions as a result of signed contracts and protocols,
6.8.5. To ensure that legal obligations are fulfilled as required or mandated by legal regulations,
6.8.6. To liaise with real/legal persons who have a business relationship with the organization,
6.8.7. Managing call center processes,
6.8.8. The burden of proof as evidence in future legal disputes.
6.9. Reasons for destruction:
6.9.1. Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing of personal data,
6.9.2. The purpose requiring the processing or storage of personal data disappears,
6.9.3. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject's withdrawal of explicit consent,
6.9.4. Acceptance by the Company of the application made by the data subject for the deletion and destruction of his/her personal data within the framework of his/her rights,
6.9.5. Where the Company rejects the data subject's application for the deletion, destruction or anonymization of his/her personal data, gives an answer that the data subject finds insufficient, or does not respond within the period stipulated in the Law, and the data subject makes a complaint to the Personal Data Protection Board and the Board approves this request,
6.9.6. The maximum period for retaining personal data has expired and there are no circumstances that would justify retaining personal data for a longer period.
7. Technical and administrative measures taken for the secure storage of personal data and the prevention of unlawful processing and access
7.1. Technical Measures
7.1.1. Network security and application security are ensured.
7.1.2. A closed system network is used for data transfers through the network.
7.1.3. Key management is in place.
7.1.4. Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
7.1.5. An authorization matrix has been created for employees.
7.1.6. Access logs are kept regularly.
7.1.7. Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
7.1.8. Data masking is applied when necessary.
7.1.9. Personal data security issues are reported quickly.
7.1.10. Personal data security is monitored.
7.1.11. Necessary security measures are taken for entering and exiting physical environments containing personal data.
7.1.12. The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
7.1.13. Security of environments containing personal data is ensured.
7.1.14. Personal data is backed up and the security of backed up personal data is also ensured.
7.1.15. User account management and authorization control system are implemented and monitored.
7.1.16. Internal periodic and/or random audits are conducted and commissioned.
7.1.17. Log records are kept without user intervention.
7.1.18. Existing risks and threats have been identified.
7.1.19. If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
7.1.20. Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
7.1.21. Intrusion detection and prevention systems are used.
7.1.22. Penetration test is applied.
7.1.23. Cyber security measures have been taken and their implementation is constantly monitored.
7.1.24. Encryption is performed.
7.1.25. Data processing service providers are periodically audited on data security.
7.1.26. Awareness of data processing service providers on data security is ensured.
7.1.27. Data loss prevention software is used.
7.2. Administrative Measures
7.2.1. There are disciplinary regulations for employees that include data security provisions.
7.2.2. Training and awareness raising activities on data security are carried out at regular intervals for employees.
7.2.3. Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
7.2.4. Confidentiality commitments are made.
7.2.5. The signed contracts contain data security provisions.
7.2.6. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
7.2.7. Personal data security policies and procedures have been determined.
7.2.8. Security of environments containing personal data is ensured.
7.2.9. Personal data is minimized as much as possible.
7.2.10. Internal periodic and/or random audits are conducted and commissioned.
7.2.11. Protocols and procedures for the security of sensitive personal data are in place.
8. Technical and administrative measures taken for the destruction of personal data in accordance with the law:
8.1. All transactions related to the deletion, destruction and anonymization of personal data are carried out and recorded by authorized persons in accordance with policies and procedures.
8.2. Such records shall be kept for at least three years, excluding other legal obligations.
9. Destruction of personal data
9.1. Techniques for Deletion of Personal Data
9.1.1. Deletion of Personal Data in Electronic Media:
9.1.1.1. Secure Deletion from Software: When deleting/destroying data processed by fully or partially automated means and stored in digital media; methods are used to delete the data from the relevant software in a way that is very likely to be unrecoverable.
9.1.1.2. Deletion of Personal Data in Databases: The relevant rows containing personal data are deleted with database commands (DELETE etc.). While performing the aforementioned operation, it is ensured that the relevant user is not also the database administrator.
9.1.2. Deletion of Personal Data on Portable Media:
Personal data in cloud and flash-based storage media are stored encrypted and deleted using software suitable for these media.
9.1.3. Deletion of Personal Data on Servers:
For the data that has expired due to legal obligation, the system administrator removes the access authorization of the relevant users and deletes them.
9.1.4. Secure Deletion by an Expert:
In some cases, the Company may engage a specialist to delete personal data on its behalf. In this case, the personal data will be securely deleted/destroyed in a way that cannot be recovered by the person specialized in this field.
9.2. Techniques for Destruction of Personal Data
9.2.1. Destruction of Personal Data in the Physical Environment:
Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When such data is deleted/destroyed, the system of physically destroying the personal data in such a way that it cannot be used later is applied. Example: Shredding the relevant file or document and throwing it away.
9.2.2. Destruction of Personal Data on Optical/Magnetic Media:
9.2.2.1. De-magnetization: By passing the magnetic media through a special device and exposing it to a very high magnetic field, the data on it is corrupted so that it becomes unreadable. Example: It is used for hard drives.
9.2.2.2. Physical destruction: Data is rendered inaccessible by processes such as melting, burning, pulverizing or grinding optical and magnetic media.
9.2.2.3. Destruction by overwriting: It is the process of writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media to prevent the recovery of old data. This is done using specialized software.
9.3. Techniques for anonymizing personal data:
9.3.1. Anonymization of personal data refers to making personal data impossible to be associated with an identified or identifiable natural person even by matching it with other data. The Company may anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law disappear.
9.3.2. In accordance with Article 28 of the KVK Law; anonymized personal data may be processed for purposes such as research, planning and statistics. Such transactions are outside the scope of the KVK Law. Since personal data processed by anonymization will be outside the scope of the KVK Law, the rights set out in section 10 of the policy will not apply to this data.
9.3.3. Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set. Example: The removal of information such as name, TR ID No, first name, last name, etc., which enables the identification of the personal data owner, transforming it into a data set where it becomes impossible to identify the personal data owner.
9.3.4. Aggregation: With the data aggregation method, many data are aggregated so that personal data cannot be associated with any individual. Example: To show that there are 100 customers born in 1975 without showing the birth year of the customers individually.
9.3.5. Data Derivation:
With the data derivation method, a more general content is created from the content of the personal data and it is ensured that the personal data cannot be associated with any person. Example: Specify ages instead of dates of birth; specify district or city of residence instead of street address.
10. Titles, units and job descriptions of those involved in personal data storage and destruction processes:
10.1. The IT Unit Manager manages all IT processes of the Company.
10.2. The Legal Unit Manager manages all legal transaction processes of the Company.
10.3. Human Resources Manager (Personnel related issues) manages all personnel processes of the Company.
10.4. Sales and Marketing Manager (in matters related to customer information) manages all sales and marketing processes of the Company.
11. Periodic destruction periods:
11.1. The Company destroys personal data whose retention period has expired within 180 days at the latest from the date of expiration of the retention period.
11.2. The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
11.3. The time interval for periodic destruction is determined by the data controller in accordance with the personal data retention and destruction policy, procedures and the company's workflow. In any case, this period cannot exceed six months.
11.4. The Company shall delete, destroy or anonymize personal data within three months following the date on which the obligation to delete, destroy or anonymize personal data arises.
12. Table showing storage and disposal periods: