Personal Data Protection Law

1. Purpose

Our personal data storage and destruction policy is within the scope of the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which entered into force in the Official Gazette No. 30224 and in accordance with the Law on the Protection of Personal Data No. 6698; It has been prepared in order to determine the procedures and principles regarding the operation of the storage and destruction activities carried out within our company and to be known by our parties. In this context, this Policy, Our Customers, Authorities and Employees of the Institutions We Collaborate with, Supplier Authorities and Employees, Business Partners Authorities and Employees, Visitors, Website Users, Employee Candidates and the Law on the Protection of Personal Data of Persons and other legislation, in particular the Third Constitution. It has been prepared in order to inform the public about the processing and protection of personal data collected by our Company, either automatically or non-automatically provided that it is a part of any data recording system.

2.Scope

It covers personal data belonging to Company employees, employee candidates, service providers, visitors and other third parties, including all recording environments and activities where personal data managed in our company are processed.

3.Abbreviations and Definitions

Company:	Our company
Personal Data:	Any information relating to an identified or identifiable natural person. Therefore, the processing of information regarding legal persons is not within the scope of the Law.
Special Qualified Personal Data:	Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Processing of Personal Data	Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using Personal Data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. It is any operation performed on the data, such as blocking.
Personal Data Owner/Relevant Person	Company Authorities, Business Partners/Suppliers, Employees, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers Third parties shared with the Company by the institutions/companies with which the Company is in cooperation and/or obtained by the Company on behalf of these institutions/companies, and Third people.
Data Recording System	It refers to the registration request in which personal data is structured and processed according to certain criteria.
Data Controller	It is the natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor	It is a natural or legal person who processes personal data on behalf of the data controller based on the authority given by them.
Explicit consent:	It is the consent that is based on information and expressed with free will regarding a particular subject.
Making it anonymous:	It is the making of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Electronic environment:	Call server/HR software/Project Software/barrier system server/File sharing common area(NAS),Company computers and phones
Non-electronic environment:	Locked file cabinets defined by numbering/Archive
Service provider:	Internet Service provider/Customer-based call service provider Real or legal person providing services under a specific contract with the Personal Data Protection Authority
Destruction:	It is the deletion, destruction or anonymization of personal data.
Law:	Refers to the Law on Protection of Personal Data No. 6698
Regulation	Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224
Recording environment:	Any environment where personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.
Buyer Group	Natural or legal person category to whom personal data is transferred by the data controller
Employee	Our company employees
Related person	Natural person whose personal data is processed
Related User	Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Personal Data Processing Inventory	Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
Board	Personal Data Protection Board
Periodic Destruction	In the event that all of the personal data processing conditions in the law are eliminated, the deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.
Policy	Personal Data Retention and Disposal Policy
Data Controllers Registry Information System	An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in the application to the Registry and other related transactions related to the Registry.
VERBİS	Data Controllers Registry Information System

4.Recording Environment

The table below shows in which environments the personal data stored by OUR COMPANY is recorded. The personal data stored by our company is stored in the most appropriate recording environment according to its nature and legal status.

Data Recording Environment	Explanation
Elektronic Environment	• Servers (Backup, File Sharing, local server, domestic cloud system, etc.) • Our Company’s Computers (Desktop, Laptop, etc.)
Non-electronic Environment	• Paper, File, Folder, Notebook

5. Responsibilities and Task Distributions

Pursuant to subparagraph f of Article 6 of the Regulation, it is regulated that the titles, duties and units of the persons involved in the storage and destruction of personal data must be specified. In this context, the titles, duties and units of the persons within our company are specified in the areas of data security, management of storage and destruction processes, technical and administrative measures in order to prevent the illegal processing and access of personal data, and to ensure that personal data is stored in accordance with the law.

To direct all kinds of planning, analysis, research and risk determination studies in the projects carried out during the compliance process within the scope of each department; Managing the processes that must be carried out in accordance with the Law, Personal Data Processing and Protection Policy, Personal Data Retention and Disposal Policy and other regulated policies and procedures, deciding and responding to the requests of the persons concerned, auditing the storage and destruction processes and reporting these audits to the Personal Data Manager; It is responsible for the execution of storage and destruction processes and the implementation of storage and destruction policies. Business and transactions involving more than one department will be coordinated by the IT department. Quality Manager and Data Processing Department Personal Data Manager.

Her departman amiri, kendi departmanı kapsamında uyumluluk sürecinde yürütülen projelerde her türlü planlama, analiz, araştırma, risk belirleme çalışmalarını yönlendirmek; Kanun, Kişisel Verilerin İşlenmesi ve Korunması Politikası ve Kişisel Veri Saklama ve İmha Politikası ve düzenlenen diğer politika ve prosedürler uyarınca yürütülmesi gereken süreçleri yönetmek ve ilgili kişilerce gelen talepleri karara bağlamak ve cevaplamakla, saklama ve imha süreçlerinin denetiminin yapılmasından ve bu denetimlerin Kişisel Veri Yöneticisine raporlanmasından; saklama ve imha süreçlerinin yürütülmesinden ve saklama ve imha politikalarının uygulanmasından sorumludur. Birden fazla departmanı ilgilendiren iş ve işlemler Bilgi İşlem departmanı tarafından koordine edilecektir. Kalite Yöneticisi ve Bilgi İşlem Departmanı Kişisel Veri Yöneticisidir.

6. Processing of Personal Data

Our company, in accordance with Article 20 of the Constitution, Confidentiality of Private Life and Article 4 and Article 6 of the Law, regarding the processing of personal data; in accordance with the law and the rules of honesty, accurate and up-to-date when necessary; for specific, clear and legitimate purposes; engages in personal data processing activities in a connected, limited and measured manner for this purpose. Our company preserves personal data for the period stipulated in the law or required by the purpose of processing personal data and/or for the period accepted on a sectoral basis and in the light of the following principles.

a) In accordance with the law and the rules of honesty,

b) Keeping accurate and up-to-date when necessary,

c) To be processed for specific, explicit and legitimate purposes,

d) In connection with the purpose for which they are processed, limited and measured even though they are needed,

e) By keeping them for the time required by the relevant legislation or for the purpose for which they are processed.

7. Conditions for Processing Personal Data

Personal data is not processed without the explicit consent of the person concerned. However, in the presence of one of the following conditions specified by law, it is possible to process personal data without seeking the explicit consent of the person concerned. Namely;

a) It is clearly stipulated in the laws.
b) It is compulsory for the protection of life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
d) It is mandatory for the data controller to fulfill its legal obligation.
e) The person concerned has been made public by himself.
f) Data processing is mandatory for the establishment, exercise or protection of a right.
g) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

8. Conditions of Processing of Special Quality Personal Data

As a company operating in the technology sector, due to the nature of our work, we pay attention to the regulations stipulated in the Law and act in accordance with the lawful processing of personal data of special nature. In Article 6 of the Law, a set of personal data that carries the risk of causing victimization or discrimination when processed unlawfully is determined as “special quality”. These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Our company does not process sensitive personal data without the explicit consent of the person concerned.
If the person has consent or personal data related to health and sexual life, only persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. may be processed without seeking the explicit consent of the person concerned.
In these cases, while processing sensitive personal data, it is necessary to take adequate measures determined by our KVK Board.

9. Transfer of Personal Data / Transfer of Personal Data Abroad

Personal data cannot be transferred without the explicit consent of the person concerned. However, if one of the conditions specified in Articles 5 and 6 is met, it can be transferred without seeking the explicit consent of the person concerned. The necessary confidentiality conditions and security measures can be taken by the data controller and transferred to third parties in the transfer process. Personal Data by our company; Personal data for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the personal data owner, where the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection. It can be transferred to foreign countries if its transfer is mandatory.

If the person has consent or personal data related to health and sexual life, only persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. may be processed without seeking the explicit consent of the person concerned.
In these cases, while processing sensitive personal data, it is necessary to take adequate measures determined by our KVK Board.

10. Legal Grounds Requiring Concealment

Personal data processed within the framework of our company’s activities are kept for the period stipulated in the relevant legislation. In this context, personal data;

Labor Law No. 4857.
Turkish Commercial Code No. 6102.
Turkish Code of Obligations No. 6098.
Law on Consumer Protection No. 6502.
Occupational Health and Safety Law No. 6331.
Tax Procedure Law No. 213.
It is kept within the scope of Social Insurance and General Health Insurance Law No. 5510 and other relevant legislation.

11. Processing Purposes Requiring Storage

Our company stores the personal data it processes within the framework of its activities for certain purposes. In this context, the objectives are listed below:

Managing human resources processes.
To provide corporate communication.
Ensuring corporate security,
To be able to do statistical studies.
To be able to perform work and transactions as a result of signed contracts and protocols.
Within the scope of VERBIS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
To ensure the fulfillment of legal obligations as required or mandated by legal regulations.
To liaise with real / legal persons who have a business relationship with the Institution.
Managing call center processes.
Obligation of proof as evidence in legal disputes that may arise in the future
Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Application Processes of Employee Candidates
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Benefits and Benefits Processes for Employees
Conducting Educational Activities
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Providing Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Conducting Business Continuity Ensuring Activities
Execution of Goods / Services Procurement Processes
Execution of Goods / Services After-Sales Support Services
Execution of Goods / Services Sales Processes
Execution of Customer Relationship Management Processes
Execution of Performance Evaluation Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Execution of Contract Processes
Ensuring the Security of Movable Property and Resources
Execution of Wage Policy
Providing Information to Authorized Persons, Institutions and Organizations

12. Reasons for Destruction

Personal data is deleted, destroyed or ex officio deleted, destroyed or anonymized by our company upon the request of the person concerned in these cases:

Changing or repealing the provisions of the relevant legislation, which is the basis for processing,
The disappearance of the purpose that requires processing or storage,
In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his explicit consent, Our company accepts the application made by the relevant person regarding the deletion and destruction of his personal data, pursuant to Article 11 of the Law,
In cases where our company rejects the application made by the person concerned for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law;
Making a complaint to the Personal Data Protection Authority and this request being approved by the Authority, The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time,
The expiry of the storage periods in the relevant legislation,

13. Technical measures

Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
Training and awareness activities are carried out periodically for employees on data security.
Access logs are kept regularly.
Data masking is applied when necessary.
The authorizations of employees who have a change of job or quit their job in this field are removed.
Current anti-virus systems are used.
Firewalls are used.
Personal data is reduced as much as possible.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system is implemented and these are also followed.
In-house periodic and/or random audits are conducted and made.
Log records are kept without user intervention.
Existing risks and threats have been identified.
Protocols and procedures for special quality personal data security have been determined and implemented.
If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.
Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
Intrusion detection and prevention systems are used.
Encryption is done.
Personal data transferred in portable memory, CD and DVD media are encrypted and transferred.
Personal data processing activities are periodically tested and audited by established technical systems.
The test and audit results are also periodically reported to the relevant person and the Risk Board.
The provision of technical controls is carried out with the employment of competent personnel.
It is updated periodically by taking technical measures in accordance with technological developments.
Users are given the minimum required authorization.
Access and authorization technical solutions are implemented within the framework of legal requirements on the basis of our units.
Access rights are limited and regularly reviewed.
Access to data storage areas containing personal data is logged, and inappropriate access or access attempts are detected and reported to the senior management.
Software and hardware containing virus protection and firewall systems are used.
Technical and administrative measures are taken according to the cost of technological possibilities and applications in order to store personal data in secure environments and to prevent their destruction or alteration for unlawful purposes.
Technical security systems for storage areas are established, security tests and research are carried out to detect security vulnerabilities on information systems, existing or potential risky issues identified as a result of the tests and researches are eliminated.
The technical measures taken are periodically reported to the relevant person and senior management as required by the internal audit mechanism.
Backup programs are used in accordance with the law to ensure that Personal Data is stored securely.

14. Administrative Measures

Periodic information and awareness training is provided to our employees.
All personal data activities carried out in our company are analyzed specifically for the processing unit and other interacting units, and processing activities are revealed.
In these activities, activities are determined by the units that process and interact with the conditions required by the law.
In order to ensure legal compliance requirements, awareness is created by the units, rules of practice are determined and policies, procedures, instructions, tables, etc. implemented through documents and trainings.
Contract/s and approved instructions are put into practice in order to manage the legal relationship with our employees and customers.

15. Supervision of Personal Data Protection Activities

With internal audits, in accordance with Article 12 of the Law, implementation processes such as personal data processing, storage, storage and destruction are controlled and reported to the senior management, and necessary technological and administrative solutions are taken immediately for risky factors. Improvements are identified and long-term investments are planned.

16. Protection of the Legal Rights of Personal Data Owners and Measures to be Taken in Case of Disclosure of Personal Data

This policy and our activities, law enforcement and all data of personal data owners, especially for sensitive data, take all necessary measures to protect the rights by observing all legal rights. In the event that the Personal Data processed in accordance with Article 12 of the Law are obtained by others illegally, the system is in place to notify the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this situation may be announced on the website of the KVK Board or by any other method.

17. Classification of Personal Data

Credentials

Name-surname, T.C. Documents including identity number, nationality information, mother’s name-surname, father’s name-surname, place of birth, date of birth, gender such as driver’s license, identity card and passport and other documents containing this information, tax number, SGK number, signature information , license plate, etc.

Communication information

Telephone number, address, e-mail address, fax number, IP address, etc.

Special Qualified Personal Data

Prescription information, doctor’s report, test and radiology results, health report, blood group, genetic data, etc. All kinds of health data such as religion, membership association data, etc.

Physical Space Security Information

Personal data regarding the records and documents taken during the stay in the physical space that belongs to our company or is a tenant: camera records, records taken at the security point, etc.

Financial Information

Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship established with Suppliers, Business Partners and other 3rd parties or other personal data owners, bank account number, IBAN number, credit card information, financial profile , asset data, income information data etc.

Request/Complaint Management Information

Data regarding the receipt and evaluation of all kinds of requests or complaints directed to our company.

Transaction Security Information

Personal data processed in order to ensure the technical, administrative, legal and commercial security of both the data owner and our company while carrying out the commercial activities of our company.

Legal Compliance Information

Personal data processed within the scope of determination of legal receivables and rights, determination, follow-up and performance of debts to our company and compliance with legal obligations and policies of our company

18. Data Controller's Obligation to Clarify

Our company informs the personal data owners of our related parties with the “Clarification text in accordance with the protection of personal data (TA.KY.02)”. This text provides information on the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11.

In cases where the application made to our Company by the personal data owner is rejected by our Company, the response given is insufficient or the application is not answered in due time; The data owner has the right to file a complaint with the KVK Board within thirty days from the date of learning the answer and in any case within sixty days from the date of application.

19. Update and Application of Changes

Our company reserves the right to make changes in this policy and other related policies due to changes in the Law, in accordance with the decisions of the KVK Board or in line with the developments in the sector or in the field of informatics. Actions are taken to revise the changes immediately in the legal updates that occur.

20. Transaction security

All necessary technical and administrative measures are taken to protect the personal data collected by OUR COMPANY, to prevent it from falling into the hands of unauthorized persons and to prevent our customers and prospective customers from being victims. In this framework, it is ensured that the software complies with the standards, that the third parties are carefully selected and that the data protection policy is complied with within our company. Safety measures are constantly being renewed and improved.

21. Personal Data Disposal Techniques

Personal Data is stored based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the Law, and within this scope, personal data is stored during the validity of the conditions specified for the processing of personal data, when the said processing conditions expire or the application of the relevant person to our Company. Upon request (after checking other legal obligations that our company must comply with), the personal data stored are deleted, destroyed or anonymized. The deletion, destruction and anonymization techniques used are listed below.

a.Deletion Methods

Personal data is deleted by the methods given in the table below.

Deletion Methods for Personal Data Held in Physical Environment
Black-out	Personal data in the physical environment are deleted using the blackout method. The blackening process is done by cutting the personal data on the relevant document when possible, and in cases where it is not possible, making it invisible by using fixed ink, which is irreversible and cannot be read with technological solutions.
Deletion Methods for Personal Data Held in Cloud and Local Digital Media/Software
Secure deletion from software	The personal data kept in the cloud or local digital media is deleted by digital command and rendered unusable, in a way that cannot be accessed in any way by other relevant employees, except the database administrator, upon the expiry of the period that requires storage.
Personal Data on Servers
Deletion by deauthorizing	The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired.

b. Methods of destruction/destruction

Personal data is destroyed by the methods given in the table below.

Destruction Methods for Personal Data Held in Physical/Printed Media
Physical destruction	Documents kept in printed media are destroyed in a way that they cannot be reassembled with document shredders. If there is no machine, it is torn by hand, wetted and made into dough in such a way that it cannot be put together again.
Destruction Methods for Personal Data Held in Local Digital Media and Servers
Physical destruction	It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing through a metal grinder to optical or magnetic media.
De-magnetizing (degauss)	It is the process of unreadable corruption of the data on the magnetic media by exposing it to a high magnetic field.
Owerwrite	Random data consisting of 0s and 1s is written on magnetic media and rewritable optical media at least seven times, preventing the reading and recovery of old data.
Deletion by deauthorizing	For those whose personal data on the servers have expired, the access authorization of the relevant users is revoked by the system administrator and the destruction is done so that they cannot be accessed again.
Destruction Methods for Personal Data Held in the Cloud
Secure deletion from software	Personal data kept in the cloud is irrecoverably deleted by digital command, and when the cloud computing service relationship ends, all copies of encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

c. Anonymization Methods

OUR COMPANY makes personal data cannot be associated with an identified or identifiable natural person, even through the use of appropriate techniques.

It makes personal data anonymous with the methods given in the table below.

Anonymization Methods for Personal Data Held in Physical/Printed Media
Subtracting variables	It is the removal of one or more of the direct identifiers included in the personal data of the data subject and which will help to identify the person concerned in any way. This method can be used for anonymization of personal data, as well as for deletion of personal data if there is information that is not suitable for the purpose of data processing.
Regional hiding	It is the process of deleting the information that may be distinctive about the exceptional data in the data table in which the personal data is collected in an anonymous form.
Generalization	It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information.
Lower and upper bound coding / Global coding	For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numeric value, then close data in the variable are categorized. Values within the same category are combined.
Micro-joining	With this method, all records in the data set are first arranged in a meaningful order, and then the whole set is divided into a certain number of subsets. Then, by taking the average of the value of each subset of the determined variable, the value of that variable of the subset is replaced with the mean value. In this way, since the indirect identifiers in the data will be corrupted, it is difficult to associate the data with the relevant person.
Data hashing and tampering	Direct or indirect identifiers in personal data are mixed with other values or their relationship with the person concerned is broken and they lose their descriptive qualities.
Anonymization Methods for Personal Data Held in Digital Media/Servers/Cloud
Masking (Encryption, tokenization, blurring, obfuscation, override)	Data masking is making personal data unintelligible in order to prevent access by unauthorized persons. This method is used to prevent confidential and sensitive information in the institution from leaking into and out of the institution and being seized by malicious people. In data masking, the data format is not changed, only the values are changed, but this change is made in a way that is not detected and returned in any way. In addition, by determining who can access which data, only authorized people can see the information they need to see and other information is masked.

22. Periods of Retention and Disposal of Personal Data

Regarding the personal data processed by OUR COMPANY within the scope of its activities;

Identity Data; The data processed within the scope of employment contracts are kept for 15 years from the end of the employment contract if they are related to occupational health and safety, otherwise for 10 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years. The data of the unaccepted worker candidates are kept for 1 year.

Communication Data; The data processed within the scope of employment contracts are kept for 15 years from the end of the employment contract if they are related to occupational health and safety, otherwise for 10 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years. The data of the unaccepted worker candidates are kept for 1 year.

Location Data: It is kept for 5 years

Personal Data: The data processed within the scope of employment contracts are kept for 15 years from the end of the employment contract if they are related to occupational health and safety, otherwise for 15 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years. The data of the unaccepted worker candidates are kept for 1 year.

Legal Transaction Data: Data processed within the scope of employment contracts are stored for 10 years from the end of the employment contract.

Physical Location Security Data: Camera records are kept for 20 days. However; The records to be submitted to the judicial-administrative authorities and the records based on the disciplinary action are kept for 10 years from the end of the employment contract of the relevant worker.

Finance Data: The data processed within the scope of employment contracts are kept for 10 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years.

Professional Experience Data: It is kept for 10 years. However, the data processed within the scope of employment contracts are kept for 15 years from the end of the employment contract if they are related to occupational health and safety, otherwise for 10 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years. The data of the unaccepted worker candidates are kept for 1 year.

Visual and Audio Records: The data processed within the scope of employment contracts are kept for 10 years from the end of the employment contract. The data of the unaccepted worker candidates are kept for 1 year.

Health Information : It is kept for 15 years from the date of termination of the employment contract.

Criminal Conviction Data: It is kept for 10 years from the date of termination of the employment contract.

Digital Trace Data: It is stored for 10 years.

Training Data, Military Service Data: Data processed within the scope of employment contracts are kept for 15 years from the end of the employment contract if they are related to occupational health and safety, otherwise for 10 years from the end of the employment contract. The data of the unaccepted worker candidates are kept for 1 year.

Service-Product Information: It is stored for 10 years. In case of originating from the contract of work, it is kept for 20 years.

Commercial Information: Room registration and billing information are kept for 10 years. Moreover; Data-contracts arising from the contract of work are kept for 20 years.

Vehicle Information : It is kept for 10 years. However, the data processed within the scope of employment contracts are kept for 10 years from the end of the employment contract. Moreover; Data-contracts arising from the contract of work are kept for 20 years.

Immovable Information : IT IS STORED FOR 20 YEARS.

The data, whose storage periods are specified above, are destroyed in the first destruction period following the expiry of the period.

23. Periodic Disposal Period

In the event that all the conditions for processing personal data in the law are eliminated; OUR COMPANY deletes, destroys or anonymizes the personal data whose processing conditions have been eliminated, through a process to be carried out ex officio at repetitive intervals and specified in this Personal Data Retention and Disposal Policy.