Personal Data Retention And Disposal Policy

  1. The purpose of this policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data processed fully or partially automatically or by non-automatic means provided that it is a part of any data recording system.
  2. This policy has been prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was prepared based on the third paragraph of Article 7 and subparagraph (e) of the first paragraph of Article 22 of the Law No. 6698.
  3. The Company has prepared this personal data storage and destruction policy in accordance with the personal data processing inventory.
  4. Definitions
    1. Recipient group: It is the category of natural or legal persons to which personal data is transferred by the data controller.
    2. Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
    3. Destruction: It is the process of deletion, destruction or anonymization of personal data.
    4. Recording medium: It refers to any medium containing personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is a part of any data recording system.
    5. Personal data processing inventory: It is the inventory that data controllers create for the personal data processing activities they carry out depending on their business processes, by associating personal data with the processing purposes, data category, transferred recipient group and data subject group, and by detailing the maximum period required for the purposes for which personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
    6. Personal data retention and destruction policy: It is the policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
    7. Periodic destruction: It refers to the deletion, destruction or anonymization process that is carried out ex officio at the repetitive intervals specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are no longer valid.
    8. Registry: It refers to the registry of data controllers kept by the Presidency of the Personal Data Protection Authority.
    9. Data recording system: It refers to the recording system in which personal data is processed and structured according to certain criteria.
    10. Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
    11. Deletion of personal data: It is the process of making personal data inaccessible and unusable for the relevant users in any way.
    12. Destruction of personal data: It is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
    13. Anonymization of personal data: It means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even when the data controller, recipient or recipient groups use techniques appropriate to the recording medium and the relevant field of activity, such as returning the data and matching it with other data.
  5. Recording environments regulated by the personal data retention and destruction policy:
    1. Paper media
      1. Paper
      2. Manual data recording systems (forms, visitor entry book)
      3. Written, printed, visual media
    2. Electronic media
      1. Servers (domain, backup, email, database, web, file sharing, etc.)
      2. Software
      3. Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
      4. Personal computers (desktop, laptop)
      5. Mobile devices (phone, tablet, etc.)
      6. Optical discs (CD, DVD, etc.)
      7. Removable memories (USB, memory card, etc.)
      8. Printer, scanner, copier
  6. Legal Reasons for Storage
    1. Law No. 6698 on the Protection of Personal Data,
    2. Turkish Code of Obligations No. 6098,
    3. Public Procurement Law No. 4734,
    4. Civil Servants Law No. 657,
    5. Social Insurance and General Health Insurance Law No. 5510,
    6. Law No. 5651 on the Arrangement of Publications on the Internet and Combating Crimes Committed by These Publications,
    7. Public Financial Management Law No. 5018,
    8. Occupational Health and Safety Law No. 6331,
    9. Law on Access to Information No. 4982,
    10. Law No. 3071 on the Use of the Right to Petition,
    11. Labor Law No. 4857,
    12. Higher Education Law No. 2547,
    13. Retirement Health Law No. 5434,
    14. Social Services Law No. 2828,
    15. Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
    16. Regulation on Archive Services,
    17. Personal data is stored for as long as the storage periods stipulated in the framework of other secondary regulations in force in accordance with these laws.
  7. Processing Purposes Requiring Storage
    1. Execution of Emergency Management Processes
    2. Execution of Information Security Processes
    3. Execution of Employee Candidate / Intern / Student Selection and Placement Processes
    4. Execution of Application Processes of Employee Candidates
    5. Execution of Employee Satisfaction and Loyalty Processes
    6. Fulfillment of Employment Contract and Legislative Obligations for Employees
    7. Execution of Benefits and Benefits Processes for Employees
    8. Conducting Audit / Ethical Activities
    9. Conducting Educational Activities
    10. Execution of Access Authorizations
    11. Execution of Activities in Compliance with the Legislation
    12. Execution of Finance and Accounting Affairs
    13. Execution of Company / Product / Service Loyalty Processes
    14. Providing Physical Space Security
    15. Execution of Assignment Processes
    16. Follow-up and Execution of Legal Affairs
    17. Carrying out Internal Audit / Investigation / Intelligence Activities
    18. Execution of Communication Activities
    19. Planning of Human Resources Processes
    20. Execution / Supervision of Business Activities
    21. Execution of Occupational Health / Safety Activities
    22. Receiving and Evaluating Suggestions for Improvement of Business Processes
    23. Conducting Activities to Ensure Business Continuity
    24. Execution of Logistics Activities
    25. Execution of Goods / Services Procurement Processes
    26. Execution of Goods / Services After-Sales Support Services
    27. Execution of Goods / Services Sales Processes
    28. Execution of Goods / Services Production and Operation Processes
    29. Execution of Customer Relationship Management Processes
    30. Execution of Activities for Customer Satisfaction
    31. Organization and Event Management
    32. Conducting Marketing Analysis Studies
    33. Execution of Performance Evaluation Processes
    34. Execution of Advertising / Campaign / Promotion Processes
    35. Execution of Risk Management Processes
    36. Execution of Storage and Archive Activities
    37. Conducting Social Responsibility and Civil Society Activities
    38. Execution of Contract Processes
    39. Execution of Sponsorship Activities
    40. Execution of Strategic Planning Activities
    41. Follow-up of Requests / Complaints
    42. Ensuring the Security of Movable Property and Resources
    43. Execution of Supply Chain Management Processes
    44. Execution of Wage Policy
    45. Execution of Marketing Processes of Products / Services
    46. Ensuring the Security of Data Controller Operations
    47. Foreign Personnel Work and Residence Permit Procedures
    48. Execution of Investment Processes
    49. Execution of Talent / Career Development Activities
    50. Providing Information to Authorized Persons, Institutions and Organizations
    51. Execution of Management Activities
    52. Creating and Tracking Visitor Records
  8. Reasons for Destruction
    1. In the event that all the conditions for the processing of personal data are eliminated, the personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
    2. As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, even if personal data has been processed in accordance with the provisions of the relevant law, in the event that the reasons requiring its processing are eliminated, the personal data is deleted, destroyed or made anonymous at the Company’s own decision or at the request of the personal data owner.
    3. When the person concerned requests the deletion or destruction of his or her personal data by applying to the Company, this request is immediately taken into consideration in order to fulfill it.
    4. If all the conditions for processing personal data have disappeared, the Company deletes, destroys or anonymizes the personal data subject to the request. The Company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.
    5. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the Company notifies the third party and ensures that the necessary actions are taken by the third party within the scope of this policy.
    6. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason, and the refusal will be notified to the relevant person in writing or electronically within thirty days at the latest.
  9. Technical and administrative measures taken for the safe storage of personal data and the prevention of unlawful processing and access
    1. Network security and application security are provided.
    2. A closed system network is used for personal data transfers via the network.
    3. There are disciplinary regulations that include data security provisions for employees.
    4. Training and awareness activities are carried out periodically for employees on data security.
    5. An authorization matrix has been created for employees.
    6. Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
    7. Confidentiality commitments are made.
    8. The authorizations in this field of employees who change duties or leave their jobs are removed.
    9. Current anti-virus systems are used.
    10. Firewalls are used.
    11. The signed contracts contain data security provisions.
    12. Personal data security policies and procedures have been determined.
    13. Personal data is reduced as much as possible.
    14. Personal data is backed up and the security of the backed up personal data is also ensured.
    15. A user account management and authorization control system is implemented, and its operation is monitored.
    16. In-house periodic and/or random audits are conducted.
    17. Existing risks and threats have been identified.
    18. Protocols and procedures for the security of sensitive personal data have been determined and implemented.
    19. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form, using KEP or a corporate mail account.
    20. Data processing service providers are periodically audited on data security.
    21. Awareness of data security is ensured among data processing service providers.
  10. Technical and administrative measures taken for the legal destruction of personal data
    1. All transactions regarding the deletion, destruction and anonymization of personal data are carried out and recorded by authorized persons in accordance with policies and procedures.
    2. These records are kept for at least three years, excluding other legal obligations.
  11. Deletion, Destruction and Anonymization Techniques of Personal Data
    1. Physical Destruction: Personal data can also be processed non-automatically, provided that it is part of any data recording system. While such data is being deleted/destroyed, a system of physical destruction of personal data is applied so that it cannot be used later. Example: Disposing of the relevant file by shredding the document.
    2. Secure Deletion from Software: While data processed by fully or partially automated means and stored in digital media is being deleted/destroyed, methods are used to delete the data from the relevant software in such a way that it is very likely that it cannot be recovered again.
    3. Secure Deletion by Expert: In some cases, the Company may hire an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by the person who is an expert in this field, in a way that cannot be recovered.
    4. Techniques to Anonymize Personal Data
      1. Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person, even by matching them with other data. The Company can anonymize personal data when the reasons that require the processing of personal data processed in accordance with the law are eliminated.
      2. In accordance with Article 28 of the KVK Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVK Law. Since personal data processed by anonymization will be outside the scope of the KVK Law, the rights set out in section 10 of the policy will not be valid for this data.
      3. Masking: Data masking is a method of anonymizing personal data by removing the basic identifier information of personal data from the data set. Example: Converting the personal data into a data set in which it becomes impossible to identify the owner of the personal data, by extracting information that enables the identification of the personal data owner, such as name, surname, TR Identity Number, etc.
      4. Aggregation: With the data aggregation method, many data are aggregated and personal data is rendered incapable of being associated with any person. Example: Revealing that there are 100 customers born in 1975 without showing individual customers’ birth years.
      5. Data Derivation: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person. Example: Specifying ages instead of birth dates; specifying the county or city of residence instead of the full address.
      6. Data Shuffle (Data Shuffling, Permutation): With the data shuffling method, the values in the personal data set are mixed and the bond between the values and individuals is broken. Example: Changing the quality of the voice recordings so that the voices and the data owner cannot be associated or recognized.
  12. The titles, units and job descriptions of those involved in the personal data storage and destruction processes:
    1. IT Unit Manager: Manages all IT processes of the Company.
    2. Human Resources Manager (in personnel-related matters): Manages all personnel processes of the Company.
    3. Sales and Marketing Manager (in matters related to customer information): Manages all sales and marketing processes of the Company.
  13. Table showing storage and disposal times
     

    | NO | DATA CATEGORY | DATA STORAGE PERIOD |
    |----|---------------|---------------------|
    | 1 | Identity | 15 YEARS |
    | 2 | Communication | 15 YEARS |
    | 3 | Location | 2 YEARS |
    | 4 | Personnel | 15 YEARS |
    | 5 | Legal action | 10 YEARS |
    | 6 | Customer Transaction | 10 YEARS |
    | 7 | Physical Space Security | 5 YEARS |
    | 8 | Transaction Security | 2 YEARS |
    | 9 | Risk management | 10 YEARS |
    | 10 | Finance | 10 YEARS |
    | 11 | Professional experience | 10 YEARS |
    | 12 | Marketing | 2 YEARS |
    | 13 | Audio and Audio Recordings | 10 YEARS |
    | 14 | Attire | 1 YEAR |
    | 18 | Health Information | 15 YEARS |
    | 19 | Criminal Conviction and Security Measures | 15 YEARS |
    | 20 | Biometric Data | 2 YEARS |

    *The above periods start from the date of termination of the employment contract for employees, from the date of termination of the contract for suppliers and customers, or from the date of the last transaction if there is no contract, and from the date of obtaining personal data for other relevant persons.

  14. Periodic destruction times
    1. The Company destroys the personal data whose storage period has expired, within 180 days at the latest from the date of the expiry of the storage period.
    2. The Company deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
    3. The time interval for periodic destruction is determined by the data controller in accordance with the personal data storage and destruction policy, procedures and the company’s workflow. This period cannot exceed six months in any case.
  15. Publication and Storage of the Policy
    The policy is published in two different environments, with wet signature (printed paper) and electronically, and is disclosed to the public on the website.
  16. Update Period
    The policy is reviewed as needed and the necessary sections are updated.
  17. Enforcement
    The Policy is deemed to have entered into force after its publication on the Company’s website.