
Personal Data Storage and Destruction Policy

This Personal Data Storage and Destruction Policy (‘Policy’) is prepared by Kimetsan (‘the Company’) as data controller to meet its obligations, to give information about the processes of erasure, destruction and anonymization, and to determine the duration of the storage period, in compliance with Law No. 6698 on the Protection of Personal Data (‘Law’) and with Destruction or Anonymization of Personal Data (‘Guidelines’), which constitutes its secondary regulation.

Definitions

Explicit Consent:  Freely given, specific and informed consent

Relevant User: Except those who are responsible for the technical storage, preservation and backup of the data, those who process personal data within the organization of the data controller or with the authority given by the data controller.

Destruction: The deletion, destruction or anonymization of personal data

Recording Medium: Any medium in which personal data are recorded to be processed fully or partially by automatic means as a part of any data recording system

Personal Data: Any information relating to an identified or identifiable natural person

Processing of personal data: Any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof

Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data

Deletion of personal data: The process of making personal data inaccessible to and unusable by the relevant user

Destruction of personal data: The process of making personal data inaccessible to and unusable by anyone

Periodic Destruction: Periodic destruction, deletion or anonymization of personal data that is no longer processed validly, as described in the personal data retention and destruction policy

Data subject (natural person concerned): The natural person, whose personal data are processed

Principles

The Company acts on the storage and erasure of personal data under the following conditions:

  • Personal data shall only be deleted, destroyed or anonymized in compliance with the procedures and principles.
  • All processes related to the deletion, destruction and anonymization of personal data are recorded by the Company, and the related records are stored for 3 (three) years, except for other legal obligations.
  • Unless the Board decides otherwise, the most appropriate method of erasure, destruction or anonymization is chosen by the Company. In addition, the reasons for choosing the method shall be explained if the relevant user so requests.
  • In accordance with Articles 5 and 6 of PDRL, personal data shall be erased, destroyed or anonymized by the Company, ex officio or at the request of the data subject, in the event that the reasons for the processing no longer exist. The relevant user has the right to make a request to the Company, in which case:

       - The requests shall be concluded within 30 (thirty) days at the latest.

       - If the data have been transferred to third parties, the third parties are informed and the necessary process is carried out with the third parties.

Explanation of the Reasons Requiring Storage and Deletion of Personal Data

Personal data are stored by the Company in particular to (i) maintain commercial activities, (ii) fulfil its legal obligations, and (iii) plan the rights and fringe benefits of employees within the relevant legislation.

The reasons that require storage are as follows:

  • Being directly related to the establishment and execution of contracts,
  • Establishment, exercise or protection of any right,
  • Being necessary for the legitimate interests pursued by the Company, provided that this processing does not violate the fundamental rights and freedoms of the data subject,
  • Compliance with a legal obligation of the Company,
  • Being expressly provided for in the related legislation,
  • Existence of the data subject's explicit consent for activities that require the explicit consent of data subjects.

Under the relevant laws, personal data are erased, destroyed or anonymized ex officio or at the request of the data subject in the following cases:

  • If it becomes necessary due to amendment or repeal of the legislation related to the processing or storage of personal data,
  • If the reason for processing no longer exists,
  • If the conditions for processing personal data in Articles 5 and 6 of the Law no longer exist,
  • If the data subject withdraws explicit consent in cases where the processing of personal data is based on the explicit consent of the data subject,
  • If the data subject's request for erasure, destruction or anonymization is accepted by the data controller under Article 11 of PDRL,
  • If the request is refused, the response is found insufficient or the request is not answered within the specified time period, the data subject lodges a complaint with the Board, and the complaint is accepted by the Board,
  • If the maximum storage period necessary for the purpose for which the personal data are processed has expired and there is no condition that justifies storing the personal data for longer.

Storage and Destruction Durations

The Company determines the storage and destruction durations of the data according to the following steps, in compliance with procedures:

  • If a certain storage period is provided for in the legislation, this period is respected. If that period has expired, the following steps are applied.
  • If the storage period for personal data mentioned in the legislation has expired, or the related legislation contains no information about the period, then, respectively:

   - The personal data are classified as personal data or special quality personal data according to Article 6 of PDRL. Personal data determined to be of special quality are destroyed. The destruction method for these data is determined according to the nature of the data and the importance to the Company of storing them.

   - The suitability of storing the data is examined according to Article 4 of PDRL; for example, whether the Company has a legitimate purpose is examined. Data whose storage is unlawful pursuant to Article 4 of PDRL are erased, destroyed or anonymized.

   - It is assessed which of the exceptions in Articles 5 and 6 of PDRL apply to storing the data. According to the exceptions, the appropriate storage period for the data is determined. Upon expiry, the data are erased, destroyed or anonymized.

The storage and periodic destruction durations determined by the Company are available in the appendix of this policy. Personal data whose duration has expired are anonymized or destroyed within destruction periods of 6 (six) months, according to the durations mentioned in the appendix, in compliance with this policy. The processes of erasure, destruction or anonymization of personal data are recorded, and these records (except for other legal obligations) are preserved for at least 3 (three) years.

Procedures and Technical and Administrative Measures Related to Storage and Destruction of Personal Data

Personal data are collected in the system where necessary for our company to meet the obligations it must fulfil within the scope of employment, where data processing is compulsory for the establishment of a right, so that you can benefit from customer services, consumer rights and other opportunities and/or so that the related commercial, financial and legal responsibilities can be fulfilled, to ensure the safety of our company, or for the legitimate purposes of our company. In addition, all data stored as digital copies are saved on the Company's server.

All administrative and technical measures determined by the Company according to Article 12 of the Law to store personal data, prevent unlawful processing of and access to the data, and destroy the data lawfully are listed below.

Within the scope of administrative measures, the Company:

  • Limits access to stored personal data to employees who need access because of their job description in the Company, paying attention to whether the data are of special quality and to their degree of importance,
  • Informs the Board as soon as possible if processed personal data are obtained by others unlawfully,
  • Signs a framework contract on the protection of personal data and data security with the persons with whom personal data are shared, or ensures data protection by adding provisions to the contract,
  • Employs personnel who are experienced and well informed about the processing of personal data, and gives these personnel training on personal data protection law and data security,
  • Carries out, and has carried out, the necessary inspections to ensure that the provisions of the Law are applied within its own legal personality, and corrects any lack of security or privacy that is found,
  • Takes the necessary security measures (against electrical leakage, fire, flood, robbery etc.) at the places where personal data are kept and prevents entrance and exit without permission.

Technical Measures:

Within the scope of these measures, the Company:

  • Checks internal controls within the scope of the established systems
  • Carries out information technology risk assessment activities within the scope of the established systems
  • Provides technical infrastructure that prevents or detects information leakage out of the Company and ensures the related matrices are drawn up
  • Checks the weaknesses of the system regularly, and when the need arises, by obtaining penetration testing services
  • Keeps under control the authority of information technology employees to access personal data
  • Ensures that personal data are destroyed irreversibly (non-recoverably) and without leaving an audit trail
  • Protects the digital media on which personal data are kept with passwords or cryptographic methods, pursuant to Article 12 of PDRL, to meet information security requirements
  • Ensures secure logging of all transactions on special quality personal data
  • Follows security updates continuously and ensures the required security tests are performed regularly
  • Where special quality personal data are accessed through a software program, carries out the authorizations and has security tests performed regularly
  • Provides identity authentication of at least two steps where access to special quality personal data is needed
  • In the case of transferring special quality personal data:

   - If the data need to be transferred via e-mail, they are transferred by institutional e-mail protected with a password or using KEP,

   - If the data need to be transferred on media such as flash memory, CD or DVD, access to the data is protected by a password created with a cryptographic method,

   - If the data need to be transferred between different servers, they are transferred using VPN or sFTP,

   - If the data need to be transferred on paper, the documents are transferred in the format of ‘Classified Information’.

Duties of the Personal Data Protection Authority

The Committee on Protection of Personal Data is responsible for announcing the Policy to the related persons and for monitoring whether its requirements are met. Amendments to the legislation on the protection of personal data, regulatory actions and decisions of the Authority, court decisions, and changes in processes and systems are announced to the related units so that they can follow them and update their work processes if necessary. The Committee determines the processes for evaluating, following and concluding the regulatory actions and decisions of the Authority, court decisions, and the decisions and/or requests of other authorities, and this information is announced to the related units.

Entry into Force of the Policy, Violations and Sanctions

  • Once the Policy enters into force, it is announced to all employees. Upon its entry into force, the Policy is binding for all business units, advisers, external service suppliers and every person who processes personal data.
  • Monitoring whether the requirements of the Policy are met is the responsibility of supervisors. If there is unlawful behaviour, the supervisor of the relevant employee immediately reports the case to the superior to whom the supervisor reports.
  • If the unlawful behaviour is significant, the supervisor informs the Committee without delay.
  • After evaluation by the Human Resources Department, the necessary administrative action is taken against the employee who behaved unlawfully.

List of Titles, Departments and Duties of Personnel

Table of Storage and Destruction Periods of Personal Data

Personal data are stored according to Article 4 of PDRL for the storage periods given in the following table, and are destroyed or anonymized at the end of the period:

| Process | Storage period | Destruction period |
| --- | --- | --- |
| Data stored under labour law (performance records etc.) | 11 years following the end of the business relationship | 180 days following the end of the storage period |
| Data collected under occupational health and safety law (medical reports etc.) | 11 years following the end of the business relationship | 180 days following the end of the storage period |
| Data kept under SGK law | 11 years following the end of the business relationship | 180 days following the end of the storage period |
| Documents that can be used in a request/case related to a work accident/occupational disease | 11 years following the end of the business relationship | 180 days following the end of the storage period |
| Data collected according to other relevant legislation | Period provided for in the related legislation | 180 days following the end of the storage period |
| Data relating to matters that constitute a crime under Turkish Criminal Law or other relevant legislation | For the duration of the limitation period | 180 days following the end of the storage period |
| Data of clients | 11 years following the recording of the data | 180 days following the end of the storage period |

If the purpose of using the related personal data has not ended, the storage period for the personal data under the related legislation is longer than the value in the table, or the limitation period of the case is longer than the storage period of the data, the values in the table are used. The storage period applied to the personal data is whichever ends later: the period in the special legislation or the limitation period of the case.