Personal Data Storage and Destruction Policy

GLASSTECH COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY

This storage and destruction policy has been prepared to determine the procedures and principles to be applied by GLASSTECH COMPANY (hereinafter referred to as "GLASSTECH" and/or "Company") regarding the storage, deletion, destruction, or anonymization of personal data held by the Company in its capacity as data controller, in accordance with Personal Data Protection Law No. 6698 and other legislation. In this context, the personal data of employees, job candidates, customers, visitors, and all other natural persons whose personal data is held by the Company for any reason are managed in accordance with the law within the framework of the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.

This policy explains how Glasstech Furnace Refractory Steel Construction Tourism Industry and Trade Inc. (“GTR”) stores and manages personal data in line with the Law on the Protection of Personal Data No. 6698 (KVKK). It covers the retention of personal data belonging to employees, candidates, customers, visitors, and other related persons, as well as the rules for deleting, destroying, or anonymizing such data when the legal or operational need no longer exists. The policy also outlines the storage environments used, retention periods, periodic destruction practices, and the technical and administrative measures applied to ensure data security and legal compliance.

This policy covers company partners, company shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, company customer representatives and employees, potential product or service buyers, supplier employees, supplier representatives, visitors, consultants, third parties, and all natural persons whose personal data is held by the Company for any reason, and their personal data.

By publishing this policy on its website, the Company has fulfilled its obligations stipulated in Article 16 of the Personal Data Protection Law and Article 5 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data. By fulfilling these obligations, the Company informs the data subjects.

This Policy applies to all recording environments where personal data is processed within the Company, and to all activities aimed at processing personal data, whether fully or partially automated, or non-automated, provided that it is part of any data recording system.

DEFINITIONS

  • Explicit Consent: This refers to consent based on information and given freely on a specific subject.

  • Recipient Group: This refers to the category of natural or legal persons to whom personal data is transferred by the data controller.

  • Non-Electronic Media: Refers to all written, printed, visual, and other media other than electronic media.

  • Electronic Media: Means media where personal data can be created, read, changed, and written using electronic devices.

  • Relevant Person: Refers to the natural person whose personal data is processed.

  • Destruction: Means the deletion, destruction, or anonymization of personal data.

  • Law: Means the Personal Data Protection Law No. 6698.

  • Recording Media: Refers to any media containing personal data processed by fully or partially automatic means, or non-automatic means, provided that it is part of any data recording system.

  • Personal Data Processing Inventory: It refers to the inventory created by data controllers by associating the personal data processing activities they carry out in accordance with their business processes with the purposes of processing personal data, data category, recipient group to which the data is transferred, and the data subject group, and which details the maximum period required for the purposes for which personal data is processed, personal data envisaged to be transferred to foreign countries, and the measures taken for data security.

  • Personal Data: Refers to any information relating to an identified or identifiable natural person.

  • Anonymizing Personal Data: This refers to the process of making personal data incapable of being associated with an identified or identifiable natural person, even by matching it with other data.

  • Personal Data Processing and Protection Policy: This refers to the policy, accessible on the website, that determines the procedures and principles for managing personal data held by the Company. It refers to the policy that data controllers rely on to determine the maximum period necessary for the purpose for which personal data is processed and to perform deletion, destruction, and anonymization operations.

  • Processing of Personal Data: This refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, acquiring, making available, classifying, or blocking the use of personal data, whether fully or partially by automatic means, or non-automated means provided that it is part of any data recording system.

  • Deletion of Personal Data: This refers to rendering personal data inaccessible and non-reusable by any means for the relevant users.

  • Destruction of Personal Data: This refers to the process of destroying personal data by any means, including but not limited to automatic means. It refers to the process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone.

  • Board: The Personal Data Protection Board.

  • Special Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

  • Periodic Destruction: Refers to the deletion, destruction, or anonymization process to be performed automatically at recurring intervals specified in the retention and destruction policy, in the event that all of the processing conditions for personal data stipulated in the Law cease to be fulfilled.

  • Policy: Refers to this policy called the Personal Data Storage and Destruction Policy.

  • Registry: Refers to the Data Controllers Registry maintained by the Personal Data Protection Authority.

  • Company: GLASSTECH COMPANY

  • VERBIS: Refers to the Data Controllers Registry Information System.  

  • Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

  • Data Recording System: Refers to the recording system in which personal data is structured and processed according to certain criteria.

  • Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

  • Regulation: Refers to the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017.

For definitions not included in this Policy, the definitions in the Law and the Regulation apply.

PERSONAL DATA STORAGE MEDIUMS

In accordance with Article 12 of Law No. 6698 on the Protection of Personal Data, the Company, acting as the Data Controller, takes all technical and administrative measures to prevent the unlawful processing of personal data, prevent unlawful access to personal data, ensure the preservation of personal data, and fulfill its obligations regarding data security in other matters. Personal data is stored securely by the Company in accordance with the law in the environments specified below.

Electronic Environments: Network Devices, Shared/Unshared Disk Drives Used for Data Storage on the Network, Software (Office Software), Information Security Devices (Firewall, Intrusion Detection and Prevention, Log File, Antivirus, etc.), Removable Disks (USB, Memory Card, etc.), Personal Computers (Desktop, Laptop), Mobile Devices (Phone, Tablet, etc.), Optical Disks (CD, DVD, etc.), Servers (Domain, Backup, Email, Database, Web, File Sharing, etc.), Printer, Scanner, Photocopier, Software, Cloud, Central Server, Removable Media, Database, and other media.

Physical Media: Archives, Paper, Manual Data Recording Systems (Survey Forms), Written, Printed, and Visual Media, Company Cabinets, Network Devices, Flash-Based Media, Magnetic Tape, Magnetic Disk, Mobile Phone, Optical Disks (CD, DVD, etc.), Peripheral Systems Such as Printers, Gate Entry/Security Systems.

STORAGE AND DESTRUCTION

The personal data of company partners, shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, customer candidates, customer representatives and employees, potential product or service buyers, suppliers, supplier employees, supplier representatives, visitors, consultants, third parties, business partners, product or service recipients, and all natural persons whose personal data is held by the Company for any reason may be processed, stored, and destroyed in accordance with the procedures and principles set forth in the Law, the Regulation, and relevant legislation.

Article 3 of the KVKK defines the concept of processing personal data. Article 4 stipulates that the personal data processed must be relevant, limited, and proportionate to the purpose for which it is processed, and must be retained for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed. Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data is stored within the scope of the Company's activities for the period stipulated in relevant legislation or compatible with the processing purposes.

LEGAL REASONS REQUIRING THE DESTRUCTION OF PERSONAL DATA

Personal data processed within the scope of the Company's activities is stored for the period stipulated in relevant legislation. Personal data is processed in accordance with the KVKK. Data may be processed for the following legal reasons specified in Articles 5 and 6 of the Turkish Commercial Code.

  • Explicit consent of the person concerned.

  • Explicitly provided for in laws (Law No. 6698 on the Protection of Personal Data, Turkish Code of Obligations No. 6098, Law No. 6502 on the Protection of Consumers, Banking Law No. 5411, Regulation on the Employment of Disabled Persons, Former Convicts, and Victims of Terrorism, Turkish Commercial Code No. 6102, Law No. 213 on Tax Procedure, Regulation on Internet Mass Use Providers, Execution and Bankruptcy Law No. 2004, Social Security and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation, Labor Law No. 4857, Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed by Means of These Publications, Law No. 6563 on Regulation of Electronic Commerce, International Labor Force Law No. 6735, Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes, Regulation on Archive Services, and other regulations in force pursuant to these laws).

  • It is necessary for the protection of the life or physical integrity of a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, or of another person.

  • Processing personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract.

  • It is mandatory for the data controller to fulfill its legal obligations.

  • It is made public by the data subject.

  • Data processing is mandatory for the establishment, exercise, or protection of a right.

  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not prejudice the fundamental rights and freedoms of the data subject.

PURPOSES REQUIRING STORAGE OF PERSONAL DATA

The Company processes personal data within the scope of its activities for the following purposes:

 

  • Execution of Emergency Management Processes

  • Execution of Information Security Processes

  • Execution of Candidate Employee / Intern / Student Selection and Placement Processes

  • Execution of Candidate Employee Application Processes

  • Implementation of Employee Satisfaction and Loyalty Processes

  • Fulfillment of Employee Obligations Arising from Employment Contracts and Legislation

  • Execution of Fringe Benefits and Benefits Processes for Employees

  • Execution of Audit/Ethics Activities

  • Ensuring Warehouse Management

  • Execution of Training Activities

  • Execution of Electronic Sales Processes

  • Execution of Access Authorizations

  • Executing Activities in Compliance with Legislation

  • Executing Finance and Accounting Affairs

  • Executing Company/Product/Service Loyalty Processes

  • Ensuring Physical Space Security

  • Executing Assignment Processes

  • Following up and carrying out legal affairs

  • Fulfillment of legal obligations

  • Conducting Internal Audit/Investigation/Intelligence Activities

  • Conducting Communication Activities

  • Planning Human Resources Processes

  • Conducting/Auditing Business Activities

  • Conducting Occupational Health/Safety Activities

  • Receiving and Evaluating Recommendations for Improving Business Processes

  • Executing Business Continuity Activities

  • Ensuring Quality Standards

  • Controlling Entrance and Exit to the Institution Building and Preventing Unauthorized Entry

  • Executing Logistics Activities

  • Execution of Goods/Services Procurement Processes

  • Execution of After-Sales Support Services for Goods/Services

  • Execution of Goods/Service Sales Processes

  • Execution of Goods/Service Production and Operation Processes

  • Ensuring the Security of Goods Resources

  • Executing Customer Relations Management Processes

  • Executing Activities Aimed at Customer Satisfaction

  • Increasing Customer Credibility

  • Organization and Event Management

  • Executing Marketing Analysis Studies

  • Execution of Performance Evaluation Processes

  • Execution of Advertising / Campaign / Promotion Processes

  • Execution of Risk Management Processes

  • Execution of Storage and Archive Activities

  • Execution of Purchasing Processes

  • Execution of Social Responsibility and Civil Society Activities

  • Execution of Contract Processes

  • Execution of Strategic Planning Activities

  • Follow-up of Requests/Complaints

  • Ensuring the Security of Movable Property and Resources

  • Executing Supply Chain Management Processes

  • Executing Supplier Relationship Management Processes

  • Executing Compensation Policy

  • Executing Product/Service Marketing Processes

  • Issuing Product Invoices

  • Implementing Product Policy

  • Work and Residence Permit Procedures for Foreign Personnel

  • Implementing Talent / Career Development Activities

  • Providing Information to Authorized Persons, Institutions, and Organizations

  • Executing Management Activities

  • Creating and Tracking Visitor Records

REASONS FOR THE DESTRUCTION OF PERSONAL DATA

The circumstances under which the Company may delete, destroy, or anonymize personal data, either ex officio or upon the request of the relevant person, are set out below. The Data Subject's application regarding this matter will be responded to in accordance with the procedures and principles specified in the Request Management Procedure.

  • Amendment or repeal of relevant legislative provisions that form the basis for the processing or storage of personal data,

  • The elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,

  • The Company's acceptance of the Data Subject's application for the deletion, destruction, or anonymization of personal data, in accordance with the rights stipulated in the relevant subparagraphs of Article 11 of the Law,

  • The filing of a complaint with the Board, and the Board's approval of this request, in cases where the Company rejects the application made by the Relevant Person requesting the deletion, destruction, or anonymization of his/her personal data, its response is found insufficient, or it does not respond within the period stipulated in the Law,

  • The purpose requiring the processing or storage of personal data is eliminated,

  • In cases where the processing of personal data is carried out solely on the basis of explicit consent, the data subject withdraws their consent,

  • The maximum period for which personal data must be stored has passed, and there are no circumstances that would justify storing personal data for a longer period.

PERSONAL DATA DESTRUCTION TECHNIQUES

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
To delete personal data, the Company performs the deletion process as described below, depending on the medium in which the data is stored.

  • Personal Data on Servers: For personal data on servers whose storage period has expired, the system administrator removes the relevant users' access authorization and deletes the data.

  • Application-as-a-Service Cloud Solutions (Office365, etc.): Data is deleted by issuing a delete command in the cloud system. When performing this process, care is taken to ensure that the relevant user does not have the authority to recover deleted data on the cloud system.

  • Personal Data in Electronic Media: Personal data held in electronic media whose retention period has expired will be rendered inaccessible and non-reusable by any employees (relevant users) except the database administrator.

  • Personal Data in Physical Media: Personal data held in physical media whose retention period has expired will be rendered inaccessible and non-reusable by any means for all personnel (relevant users) except the unit manager responsible for the document archive. In addition, the data is obscured by drawing over, painting over, or erasing it so that it cannot be read.

  • Personal Data on Removable Media: Personal data stored on Flash-based storage media whose storage period has expired is encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.

  • Personal Data in the Database: The relevant rows containing personal data are deleted using database commands (e.g., DELETE).

  • Personal Data on Company Computers: Access to personal data is provided through authentication, and the data is accessed using operating system commands.

However, if the deletion of personal data will result in the inability to access and use other data within the system, personal data will also be deemed deleted if the personal data is archived and rendered incapable of being associated with the relevant person, provided that the following conditions are met:

  • It is not accessible to any other institution, organization, or person.

  • All necessary technical and administrative measures are taken to ensure that personal data are only accessible by authorized persons.

DESTRUCTION OF PERSONAL DATA

Destruction of personal data is the process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone.
The company may use one or more of the following methods to destroy personal data, depending on the medium on which the data is recorded:

  • Demagnetization: This is a method of damaging magnetic media by passing it through special devices that expose it to high magnetic fields, rendering the data on it unreadable. It should be noted that if this method of destruction is not successful, the destruction process can only be completed by physically destroying the media.

  • Physical Destruction/Destruction with a Paper Shredder: Personal data can also be processed by non-automated means, provided that it is part of a data recording system. When destroying such data, a system of physically destroying the personal data in a manner that prevents its subsequent use is implemented. Data on paper and microfiche media must be destroyed in this way, as they cannot be destroyed in any other way.

  • Overwriting: Overwriting is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media using special software.

ANONYMIZATION OF PERSONAL DATA

Anonymizing personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data. In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through techniques appropriate to the recording medium and relevant field of activity, such as retrieval of the data by the Company or by the person, persons, or third party to which the Company has transferred the data, and matching the data with other data.

To anonymize personal data, the Company uses techniques such as "Variable Extraction, Record Extraction, Lower and Upper Bound Coding, Regional Cloaking, Sampling, Micro-aggregation, Data Exchange, Noise Insertion, Anonymity, Diversity, Proximity."
As the Data Controller, the Company determines which method to apply in the relevant processes by determining characteristics such as the storage medium, nature, size, intended benefit, and processing purpose of the relevant data. The Company may use one or more of the following methods:

  • Regional Removal: This is the process of deleting information that may be distinctive regarding data that is an exception within a data table containing collectively anonymous personal data.

  • Removal of Variables: This is the removal of one or more direct identifiers contained in the personal data of the relevant person that would allow the data subject to be identified in any way. This method can be used to anonymize personal data, or it can be used to delete information that is not compatible with the purpose of data processing.

  • Generalization: This is the process of combining personal data belonging to many individuals and converting it into statistical data by removing distinguishing information.

  • Masking: Data masking is a method of anonymizing personal data by removing the key identifiers from the data set.

  • Data Exchange: Direct or indirect identifiers within personal data are combined with other values or corrupted, severing their relationship with the relevant individual and ensuring that they lose their identifying characteristics.

STORAGE AND DESTRUCTION PERIOD

When determining the retention period of personal data, the Company takes into account the obligations imposed by legal regulations. In addition to legal regulations, the retention period is determined by taking into account the purposes for which personal data is processed and the Company's legitimate interest in processing such personal data. In this context, it is first determined whether the relevant legislation specifies a period for the storage of personal data. If a period is specified in the relevant legislation, personal data is stored for this period. If no period is specified in the relevant legislation, personal data is stored for the period necessary for the purpose for which it is processed. Unless the Board decides otherwise, the Company shall choose the appropriate method for deleting, destroying, or anonymizing personal data.

The Company has provided the storage and destruction periods for data processed by the Company based on its general processes in the table below.

| PROCESS | STORAGE PERIOD | DESTRUCTION TIME PERIOD |
|---|---|---|
| Employee Identity, Contact, Location, Personnel, Legal Process, Physical Premises Security, Process Security, Professional Experience, Audiovisual Records, Job and Title Data, Faith Employee Relative Information. | Stored for 10 (ten) years from the termination of the employment contract. | In the first periodic destruction period following the end of the storage period. |
| Employee Health | Stored for 15 (fifteen) years from the termination of the employment contract. (Occupational Health and Safety Services Regulation, Article 7) | During the first periodic destruction period following the end of the storage period |
| Employee Candidate; Identity, Contact, Legal Transaction, Professional Experience, Audiovisual Records, Position and Title Data. | 6 months from the date of application, 10 years from the termination of the employment contract | During the first periodic destruction period following the end of the storage period |
| E-Commerce Information; E-Commerce Membership Information | 1 year from the creation of the record in accordance with Law No. 6563 on the Regulation of Electronic Commerce. | During the first periodic destruction period following the end of the storage period |
| Website Visitor; Transaction Security | 2 years from the creation of the record. | During the first periodic destruction period following the end of the storage period. |
| Product/Service User; Identity, Contact, Transaction Security, Customer Transaction | Each product/service purchased by the service recipient is stored for a period of 10 (ten) years, starting from the date of provision, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | During the first periodic destruction period following the end of the storage period |
| Product/Service Recipient, Supplier, Employee, Intern; Physical Premises Security | 3 Months from the Date of Registration in Ordinary Times, Statute of Limitations in Legal Cases | During the first periodic destruction period following the end of the storage period |
| Institutions/Companies with which the Company cooperates (Suppliers); Identity, Contact Information, Financial Information | Stored for 10 years during and after the end of the business/commercial relationship, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code. | During the first periodic destruction period following the end of the storage period. |
| Directory records, corporate communication activities, planning, and execution. | 10 years from the end of the business relationship. | During the first periodic destruction period following the end of the storage period. |
| Sharing meeting notes with participants | 10 years | In the first periodic destruction period following the end of the retention period |
| General accounting processes, payment and collection transactions | 10 years from the end of the business relationship | In the first periodic destruction period following the end of the retention period |
| Personnel financing processes | 10 years from the end of the employment relationship | During the first periodic destruction period following the end of the storage period |
| KVK Processes (Information, Explicit Consent, Applications and Complaints) | 10 years from the end of the relevant period | During the first periodic destruction period following the end of the storage period |
| Deletion, destruction, and anonymization records | 3 years from the transaction date | During the first periodic destruction period following the end of the storage period |
| Workplace camera recordings | 30 days | During the first periodic destruction period following the end of the storage period |
| Log records | 2 years | During the first periodic destruction period following the end of the storage period |
| Shipping records (shipping, delivery notes, etc.), supply and sales processes, technical information requests, response to customer complaints | For a period of 10 years during the business/commercial relationship and after its termination, pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code | In the first periodic destruction period following the end of the storage period |
| General assembly and board of directors proceedings, information regarding company partners and board members | 10 years | In the first periodic destruction period following the end of the storage period |
| Execution of contracts | 10 years following the termination of the contract | During the first periodic destruction period following the end of the retention period |
| Execution of human resources processes | 10 years from the end of the employment contract | During the first periodic destruction period following the end of the retention period |
| Identification, allocation, and access authorization of employees to systems and software (e-mail address, username, password, etc.) | 3 months from the end of the employment contract | During the first periodic destruction period following the end of the retention period |
| Information on activities related to general quality processes, internal/external training records of employees | 10 years from the end of the employment contract | During the first periodic destruction period following the end of the retention period |
| Data related to employee candidates | 6 months from the date of application, 10 years from the termination of the employment contract | During the first periodic destruction period following the end of the storage period |
| Occupational health and safety practices | Stored for 15 (fifteen) years from the termination of the employment contract. (Occupational Health and Safety Services Regulation, Article 7) | During the first periodic destruction period following the end of the storage period |
| Responding to information requests from courts, enforcement, and administrative authorities | 10 years from the date of transaction | During the first periodic destruction period following the end of the storage period |
| Data collected pursuant to other relevant legislation | Until the period stipulated in the relevant legislation | During the first periodic destruction period following the end of the storage period |

If legislation stipulates a longer period for the data, such as a statute of limitations, preclusion period, or storage period, the periods stipulated in the legislation shall be considered the maximum retention period.

DESTRUCTION PERIODS

In accordance with the KVKK, relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy, the Company deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises. When the relevant person applies to the Company pursuant to Article 13 of the Personal Data Protection Law and requests the deletion or destruction of their personal data:

  • If all the conditions for processing personal data have ceased to exist, the Company will delete, destroy, or anonymize the personal data subject to the request using an appropriate destruction method within 30 (thirty) days of receiving the request, explaining the reason for the request. For the Company to be deemed to have received the request, the relevant person must have made the request in accordance with the Company's Personal Data Processing and Protection Policy, which is published on its official website. The Company will, in any case, inform the relevant person of the action taken.

  • If all the conditions for processing personal data have not been fulfilled, the request may be rejected by the Company, stating the reason in accordance with the third paragraph of Article 13 of the KVKK. The rejection will be notified to the relevant person at the latest. Personal data that has expired will be destroyed in writing or electronically within thirty days.

PERIODIC DESTRUCTION

Personal data whose retention period has expired will be destroyed at six-month intervals, based on the information in the table in Article 6.3 of this Policy. The Company will carry out periodic destruction processes in January and June.
All processes related to the deletion, destruction, and anonymization of personal data are recorded, and the relevant records are kept for the full extent of the liability arising from other legal obligations.
Storage periods, statutes of limitations, etc., may apply in accordance with legislation. If a longer period is stipulated for personal data, the periods stipulated in the legislation will be considered the maximum retention period.

TECHNICAL AND ADMINISTRATIVE MEASURES

To ensure the secure storage of personal data, to prevent unlawful processing and access, and to ensure the lawful destruction of personal data, the Company takes technical and administrative measures in accordance with Article 12 of the KVKK and the fourth paragraph of Article 6 of the KVKK, within the framework of the adequate measures determined and announced by the Board for special personal data.

ADMINISTRATIVE MEASURES

The administrative measures taken by the Company regarding the personal data it processes are set out below.

  • In contracts to be concluded with employees and third-party individuals, in addition to provisions protecting the confidentiality of data, the purposes, scope, and duration of processing of Personal Data are determined, the responsibilities of the parties are clearly regulated, and provisions imposing sanctions for processing activities contrary to the law and contractual provisions are added.

  • If the processed personal data is obtained by others through unlawful means, the person concerned and the Board are notified of this as soon as possible.

  • Within its own legal entity, it carries out or has carried out the necessary inspections in order to ensure the implementation of the provisions of the Law. It addresses confidentiality and security vulnerabilities revealed as a result of audits.

  • A personal data processing inventory has been prepared.

  • Personal data is reduced as much as possible.

  • Regarding the sharing of personal data, it signs a framework agreement regarding the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security through provisions added to existing agreements.

  • It provides its personnel with the necessary training on personal data protection legislation and data security.

  • Internal access to stored personal data is limited to personnel whose job description requires access. The sensitive nature of the data and its importance are also taken into account when limiting access.

  • Employees are required to sign confidentiality agreements regarding the activities carried out by the Company.

  • The obligation to inform Data Subjects is fulfilled.

TECHNICAL MEASURES

The technical measures taken by the Company regarding the personal data it processes are specified below.

  • Network and application security are ensured.

  • A closed system network is used for personal data transfers via the network.

  • Key management is implemented.

  • The IT security unit ensures that employees' access rights to personal data are kept under control.

  • Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.

  • An authorization matrix has been created for employees.

  • Access logs are kept regularly.

  • Corporate policies have been prepared and implemented regarding access, information security, usage, storage, and destruction.

  • Data masking measures are applied when necessary.

  • Employees who change their duties or leave their jobs have their authorizations revoked in this area.

  • Up-to-date anti-virus systems are used.

  • Firewalls are used.

  • Pursuant to Article 12 of the Law, every type of digital environment in which personal data is stored is protected with encryption or cryptographic methods to meet information security requirements.

  • Personal data is backed up, and the security of the backed up personal data is also ensured.

  • Access to the environments where personal data is stored is restricted, allowing only authorized individuals to access the data limited to the purpose for which it was stored, and all access is recorded.

  • The destruction of personal data is carried out in a manner that is irreversible and leaves no audit trail.

  • A user account management and authorization control system is implemented and monitored.

  • Necessary internal checks are conducted within the scope of the installed systems.

  • Periodic and/or random internal audits are conducted and commissioned.

  • Log records are kept in a manner that prevents user intervention.

  • Current risks and threats have been identified.

  • Intrusion detection and prevention systems are used.

  • Penetration testing is being conducted.

  • Cybersecurity measures have been taken, and their implementation is continuously monitored.

  • Encryption is being implemented.

  • Special personal data transferred on portable drives, CDs, or DVDs is encrypted.

  • Data processing service providers are periodically audited for data security.

  • Data processing service providers are made aware of data security.

  • Data loss prevention software is used.

  • The technical infrastructure is provided and relevant matrices are created to prevent data leakage outside the organization.

TITLES, UNITS, AND JOB DEFINITIONS OF PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES

All units and employees of the Company involved in the activities it carries out are responsible for the proper implementation of technical and administrative measures taken regarding personal data, creating and increasing awareness, and ensuring data security in all environments where data is processed. The titles, duties, and responsibilities of the personnel involved in the personal data storage and destruction process are listed below.

TITLE: Personal Data Protection Commission
DUTY: Ensuring the implementation of the personal data storage and destruction policy
RESPONSIBILITY: Responsible for the preparation, development, implementation and updating of the policy. In cases of non-compliance with the policy, the Commission shall make the necessary notifications to the Board of Directors.

TITLE: General Director (President of the Commission)
DUTY: Supervision of the implementation activities of the personal data storage and destruction policy
RESPONSIBILITY: As President of the Commission, responsible for the execution of the Commission's duties, ensuring that employees implement the policy in accordance with their duties, determining sanctions for non-compliance with regulations, and overseeing the implementation. Responsible for supervising units/employees.

TITLE: Quality Department Manager (Deputy Chairman of the Commission)
DUTY: Supervision of implementation activities under the personal data storage and destruction policy
RESPONSIBILITY: As Deputy Chairman of the Commission, he/she is responsible for the execution of the Commission's duties, ensuring that employees implement the policy in accordance with their duties, communicating with legal advisors, monitoring policy and procedure updates, and keeping records of actions taken within the scope of the Law.

TITLE: Human Resources Department Manager (Deputy Commission President)
DUTY: Personal data storage and destruction policy implementation manager
RESPONSIBILITY: As the Deputy Commission President, responsible for the execution of duties, the internal distribution of current documents and their notification to new employees, ensuring the up-to-dateness of personal data, and the implementation of duties specific to the task. Responsible for ensuring that processes comply with the retention periods.

TITLE: IT Officer/IT Department Officer
DUTY: Ensuring the technical applicability of the Policy
RESPONSIBILITY: Responsible for taking and implementing the necessary technical measures for policy compliance, publishing up-to-date documents on the website, conducting and auditing deletion, destruction, and anonymization processes in electronic record media, and managing the personal data destruction process in accordance with the periodic destruction period.

TITLE: Employees of the Finance-Accounting, Sales, Marketing, Customer Services, Warehouse, Import, and Shipping Departments within the Commission
DUTY: Ensuring the implementation of processes within their scope of activity
RESPONSIBILITY: Each department monitors the compliance of processes within the scope of its duties with the retention periods and ensures their implementation.


POLICY UPDATE REVIEW PERIOD

The policy is reviewed and updated in necessary sections when necessary. Changes to this Personal Data Storage and Destruction Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the policy. Updates to the Company's Personal Data Storage and Destruction Policy will be published online at .

PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different formats: signed (printed) and electronically, and is made publicly available on the website. The printed copy is also kept on file by the Contact Person/Personal Data Protection Committee.

COOKIES

Detailed information regarding our Company's Cookie Policy can be accessed via the website:  ……………………………..

EFFECTIVENESS AND UPDATES

This Policy entered into force on the date it was approved by our Company. The Policy is published indefinitely on the Company's website and can be communicated directly to the requesting personal data owner by sharing a text or access link. Any changes to the Policy will enter into force after the approval of our Company. The Policy is normally reviewed and updated once a year. However, in line with changes in legislation, changes in a referenced technical standard, the actions and/or decisions of the Personal Data Protection Board, and court decisions, our Company reserves the right to review the Policy and, if necessary, to update, change, or eliminate it and create a new policy. Our Company has the authority to decide whether to revoke the policy. If a decision is made to revoke the policy, the old, signed copies of this Policy will be cancelled and signed by the relevant unit and will be kept for 5 years.