PERSONAL DATA STORAGE AND DESTRUCTION POLICY

1. INTRODUCTION

1.1. Goal

The Personal Data Storage and Disposal Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the storage and disposal activities carried out by YÜKLÜ CAM (the “Company”).

YÜKLÜ Glass; Personal data belonging to company employees, employee candidates, customers, visitors and other third parties are T.C. Constitution, international conventions, Personal Data Protection Law No.6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons exercise their rights effectively is a priority.

The work and transactions regarding the storage and destruction of personal data are carried out in accordance with the “Policy” prepared by the Company in this direction.

1.2. Scope

Personal data belonging to Company employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by the Company are processed and in activities related to personal data processing.

2. PRINCIPLES

YÜKLÜ CAM acts within the framework of the following principles in the storage and destruction of personal data:

4. In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and Article 12 of the Law and 5.2. It is fully complied with the technical and administrative measures specified in the article, relevant legislation provisions, Board decisions and this Policy.
5. All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Company and the records of these transactions are kept for at least 3 years, excluding other legal obligations.

III. Unless a contrary decision is taken by the Board, the appropriate method of deleting, destroying or anonymizing personal data is selected by us. However, upon the request of the Relevant Person, the appropriate method will be selected by explaining the reason.

5. In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, the personal data are deleted, destroyed or anonymized by the Company, either ex officio or upon the request of the Relevant Person. In case of an application to the Company by the Related Person in this matter;
6. Submitted requests are concluded within 30 (thirty) days at the latest and the Relevant Person is informed,
7. In the event that the data subject to the request is transferred to third parties, this situation is notified to the third party to whom the data was transferred and necessary actions are taken at the third parties.

3. EXPLANATIONS ON REASONS REQUIRING STORAGE AND DISPOSAL

Personal data belonging to data owners are securely collected by the Company within the limits specified in KVKK and other relevant legislation 5.1. It is stored in physical or electronic environments specified in the article, especially for the purposes listed below.

1. To be able to continue commercial activities.
2. Planning and execution of employee rights and benefits.

III. Managing customer relations and providing better service to customers.

1. Ensuring company security.
2. To establish contact with real / legal persons who have business relations with the institution.
3. Storage of personal data because it is directly related to the establishment and execution of contracts.

VII. Storing personal data for the purpose of establishing, exercising or protecting a right.

VIII. It is mandatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the persons.

1. Storage of personal data in order to fulfill any legal obligations of the Company.
2. The storage of personal data is clearly stipulated in the legislation.
3. Obligation to prove as evidence in legal disputes that may arise in the future.

Pursuant to the Regulation, in the cases listed below, personal data belonging to data owners are deleted, destroyed or anonymized by the Company either ex officio or upon request.

1. The provisions of the relevant legislation that constitute the basis for the processing or storage of personal data

   its replacement or abolition.

2. No longer the purpose requiring the processing or storage of personal data.

III. Elimination of the conditions that require the processing of personal data in Articles 5 and 6 of the Law.

1. In cases where the processing of personal data takes place only on the condition of express consent, the Relevant Person withdraws her consent.
2. In cases where the Data Supervisor rejects the application made by the Relevant Person for deletion, destruction or anonymization of his personal data, his response is found insufficient or does not respond within the period stipulated in the Law; Complaining to the Board and approval of this request by the Board.
3. Acceptance of the application made by the relevant person for the deletion, destruction or anonymization of personal data within the framework of the rights in clauses (e) and (f) of Article 11 of the Law.

VII. Although the maximum period for the storage of personal data has passed, there is no requirement to justify the storage of personal data for a longer period of time.

4. PRINCIPLES REGARDING STORAGE AND DESTRUCTION PERIOD

The following criteria are used in determining the storage and destruction periods of your personal data obtained by the company in accordance with the provisions of KVKK and other relevant legislation:

2. If a period is stipulated in the legislation regarding the storage of personal data, this period is respected. Following the expiration of the said period, action is taken regarding the data within the scope of the 2nd paragraph below.
3. In the event that the period stipulated in the legislation regarding the storage of the personal data in question expires or there is no period stipulated for the storage of the said data in the relevant legislation, respectively;
4. Personal data are classified as personal data and special quality personal data, based on the definition in Article 6 of the KVKK. All personal data determined to be of special nature are destroyed. The method to be used in the destruction of the said data is determined according to the nature of the data and the importance of its storage to the Company.
5. The compliance of data storage with the principles specified in article 4 of the KVKK (for example, whether the Company has a legitimate purpose in the storage of data) is questioned. The data that is determined to be stored in violation of the principles in article 4 of the KVKK is deleted, destroyed or anonymized.
6. It is determined which one (s) of the exceptions foreseen in articles 5 and 6 of the KVKK can be considered within the scope of data storage. Reasonable periods of storage of data are determined within the framework of exceptions identified. If the said periods expire, the data is deleted, destroyed or anonymized.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and the said records are kept for at least three years, excluding other legal obligations.

5. PROCEDURES OF STORAGE AND DISPOSAL OF PERSONAL DATA BY THE COMPANY

5.1. RECORDING MEDIA

Personal data belonging to data owners are securely stored by the Company in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of KVKK, and within the framework of international data security principles:

1. Electronic Media

• Servers
• Software (office software)
• Information security devices (firewall, intrusion detection and prevention, log file,
• antivirus etc. )
• Personal computers (desktop, laptop)
• Mobile devices (phone, tablet, etc.)
• Optical discs (CD, DVD, etc.)
• Removable sticks (USB, memory card, etc.)

1. Non-electronic media

• Paper
• Manual data recording systems
• Written, printed and visual media

5.2. TECHNICAL AND ADMINISTRATIVE MEASURES

All administrative and technical measures taken by the Company within the framework of the principles in Article 12 of the KVKK in order to keep your personal data securely, to process it illegally, to prevent access and to destroy the data in accordance with the law are listed below:

5.2.1. Administrative Measures:

YÜKLÜ CAM takes the following administrative measures.

• It limits the internal access to stored personal data to the personnel required to access it as per the job description. In restricting access, whether the data is of special nature and its importance are also taken into account.
• In case the processed personal data is obtained by others illegally, it will notify the relevant person and the Board as soon as possible.
• Regarding the sharing of personal data, it signs a framework contract with the persons with whom personal data is shared, or the provisions added to the existing contract regarding the protection of personal data and data security. It employs knowledgeable and experienced personnel about the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
• It carries out the necessary inspections and has it done in order to ensure that the provisions of the Law are implemented before its own legal entity. It removes the privacy and security weaknesses that arise as a result of the audits.

5.2.2. Technical Measures:

The company takes the following technical measures.

• As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
• Access to information systems and authorization of users are done through access and authorization matrix and security policies over the corporate active directory.
• Necessary measures are taken for the physical security of the company’s information systems equipment, software and data.
• In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, etc.) and software (firewalls, attack prevention systems, network access control, malware prevention systems etc.) measures are taken.
• Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.
• By establishing access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
• Access to storage areas with personal data are recorded and inappropriate access or access attempts are kept under control.
• The company takes the necessary measures to ensure that the deleted personal data are inaccessible and unavailable for the relevant users.
• In case of unlawful acquisition of personal data by others, a suitable system and infrastructure has been established by the Company in order to notify the Related Person and the Board.
• Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
• Strong passwords are used in electronic environments where personal data are processed.
• Secure record keeping (logging) systems are used in electronic environments where personal data are processed.
• Data backup programs are used that ensure the safe storage of personal data.
• Access to personal data stored in electronic or non-electronic media is limited according to access principles.
• A separate policy has been determined for the security of personal data of special nature.
• Special quality personal data security trainings have been provided for employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the authorizations of users with access to data have been defined.
• Adequate security measures are taken in physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entry and exit are prevented by ensuring physical security.

6. RESPONSIBILITY AND DISTRIBUTION OF DUTY

You can find the titles, units and job descriptions of the personnel involved in the personal data storage and destruction process from the list in Annex-1 of this Policy.

7. DISPOSAL PROCEDURES OF PERSONAL DATA

Personal data obtained by the Company in accordance with the KVKK and other relevant legislation, in case the personal data processing purposes listed in the Law and Regulation are eliminated, will be collected by the Company, either ex officio or upon the application of the Relevant Person, again in accordance with the provisions of the Law and the relevant legislation, with the following techniques. will be destroyed.

7.1 Deletion of Personal Data

1. Personal Data on Servers

For those who have expired from the personal data on the servers, the system administrator removes the access authorization of the relevant users and deletes them.

1. Personal Data in Electronic Environment

Those who have expired from personal data in electronic environment are made inaccessible and unavailable in any way for other employees (relevant users), except for the database administrator.

III. Personal Data in the Physical Environment

Except for the department manager responsible for the document archive, for those who have expired from the personal data kept in a physical environment, they are made inaccessible and unavailable in any way. In addition, the process of darkening is also applied by scratching / painting / wiping it in an illegible way.

1. Personal Data on Portable Media

Of the personal data kept in Flash-based storage media, those that have expired are stored in secure environments with encryption keys, encrypted by the system administrator and the access authorization is given only to the system administrator.

7.2 Destruction of Personal Data

1. Personal Data in the Physical Environment

Those who have expired from the personal data in the paper environment, are irreversibly destroyed by paper trimming machines or other appropriate methods.

1. Personal Data on Optical / Magnetic Media

Those who have expired from the personal data in optical media and magnetic media are destroyed by irrecoverable deletion of the data in question or by making the media physically unusable, as required by the situation.

7.3 Anonymizing Personal Data

The anonymization of personal data is to render personal data in no way associated with an identified or identifiable natural person, even if they are matched with other data. In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the Data Controller or third parties and / or matching the data with other data.

8. STORAGE AND DESTRUCTION PERIODS

Regarding the personal data being processed by YÜKLÜ CAM within the scope of its activities;

• Storage periods based on personal data related to all personal data within the scope of activities carried out in connection with processes. In the Personal Data Processing Inventory;
• Storage periods based on data categories are registered to VERBIS;
• Process-based retention periods are included in the Personal Data Retention and Destruction Policy.

For personal data whose retention periods have expired, the process of ex officio deletion, destruction or anonymization is carried out by the Relevant Unit of the Company.

9. PERIODIC DESTRUCTION TIME

In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out every year in March and September in the Company.

10. PUBLISHING AND STORAGE OF THE POLICY

The policy is published in two different media as wet signed (printed paper) and electronically, and is publicly disclosed on the website.

11. UPDATE PERIOD OF THE POLICY

The policy is reviewed as needed and the required sections are updated.

12. ENFORCEMENT AND TERMINATION OF THE POLICY

The policy is deemed to have entered into force after being published on the website of LOADED CAM.

13. OTHER ISSUES

In case of inconsistency between the provisions of the KVKK and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation will be applied first.

This Policy prepared by the Company entered into force on 08.10.2019. In case of a change in the policy, the effective date of the Policy and related articles will be updated accordingly.