EN
FR TR




PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1. PURPOSE

The purpose of this Personal Data Retention and Destruction Policy ("Policy") is to determine the procedures and principles regarding the retention and destruction of personal data processed by the Company, in accordance with the Personal Data Protection Law No. 6698 (“Law”) and relevant legislation.

2. SCOPE

This Policy applies to all personal data processed by the Company concerning employees, employee candidates, customers, suppliers, visitors, and third parties, regardless of whether the data is processed in whole or in part by automatic means or by non-automatic means as part of any data recording system.

3. DEFINITIONS

Explicit Consent: Freely given, specific and informed consent regarding a particular issue.
Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person, even if matched with other data.
Relevant Person: The natural person whose personal data is processed.
Destruction: Deletion, destruction, or anonymization of personal data.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

4. LEGAL BASIS

This Policy has been prepared based on the Personal Data Protection Law No. 6698, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, and other relevant legislation.

5. RECORDING MEDIA

Personal data within the scope of this Policy are stored by the Company in the following environments:

  • Computers/servers (internal or cloud)
  • Paper files
  • Flash drives
  • Mobile devices
  • CD/DVD
  • Software used in company operations (ERP, CRM, etc.)

6. REASONS FOR RETENTION AND DESTRUCTION

Personal data are retained by the Company for the following purposes:

  • Fulfillment of legal obligations
  • Execution and performance of contracts
  • Ensuring legal and commercial security
  • Management of human resources processes
  • Financial and accounting requirements
  • Compliance with regulatory requirements

Personal data are destroyed by the Company for the following reasons:

  • Elimination of the legal basis for processing
  • Withdrawal of explicit consent (in data processed based on consent)
  • Expiry of the legal retention period
  • Fulfillment of the purpose of processing
  • Receipt of a request for deletion from the data subject and confirmation of eligibility

7. TECHNICAL AND ADMINISTRATIVE MEASURES

The Company implements appropriate technical and administrative measures to securely retain personal data and prevent unlawful access, including but not limited to:

Technical Measures:

  • Use of firewalls and antivirus software
  • Encryption and masking
  • Access controls and authorization management
  • Regular backup of data

Administrative Measures:

  • Limiting internal access based on job roles
  • Regular training and awareness activities
  • Contracts with data processors including data security provisions
  • Regular audits and risk assessments

8. METHODS OF DELETION, DESTRUCTION, OR ANONYMIZATION

Deletion: Making personal data inaccessible and unusable for relevant users.

Destruction: Rendering personal data inaccessible, irretrievable, and unusable by anyone.

Anonymization: Making personal data unidentifiable, even when matched with other data, in a way that the identity of the data subject cannot be determined.

The Company selects the appropriate method based on the nature of the data and the systems in which it is stored.

9. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF RIGHTS

Pursuant to Article 11 of the Law, data subjects have the right to:

  • Learn whether their personal data is processed
  • Request information regarding the processing
  • Learn the purpose of processing and whether it is used in accordance with that purpose
  • Know the third parties to whom the data is transferred, domestically or abroad
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of personal data
  • Request notification of correction/deletion/destruction to third parties
  • Object to any unfavorable result arising from automated data analysis
  • Request compensation in case of damages due to unlawful processing

Requests to exercise these rights can be submitted via the communication channels indicated in the Company’s Data Subject Application Form. The Company responds to such requests within the legal period stipulated in the Law.

 

10. PERIODIC DESTRUCTION PERIOD

The Company deletes, destroys, or anonymizes personal data during the first periodic destruction process following the date when the obligation to delete, destroy, or anonymize personal data arises.

In accordance with Article 11 of the Regulation, the periodic destruction period has been determined as 6 months. At the end of this period, personal data for which the processing purposes have ceased are destroyed ex officio by the Company.

11. PUBLICATION AND STORAGE OF THE POLICY

This Policy is published on the Company's website and is also stored within the Company in physical and/or electronic formats.

12. POLICY REVIEW AND UPDATE PERIOD

This Policy is reviewed at least once a year or whenever deemed necessary. Updates come into force upon the decision of the Personal Data Protection Committee.

13. EFFECTIVENESS AND TERMINATION OF THE POLICY

This Policy enters into force on the date of its approval by the Company's Board of Directors. Termination of the Policy is also subject to a decision by the Board of Directors.