PERSONAL DATA STORAGE AND DESTRUCTION POLICY

EFELER POLYMER INDUSTRY AND TRADE LIMITED COMPANY

1. PURPOSE

This Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the storage and subsequent deletion, destruction or anonymization of personal data processed and stored by Efeler Polimer Sanayi ve Ticaret Limited Şirketi (“Our Company” or “Efeler Polimer”).

2. SCOPE

This Policy covers our storage and destruction activities of the personal data we obtain from the following persons:

  • Our company’s employees, employee candidates, interns, former employees and family members of these people,
  • Company representatives, proxies and shareholders,
  • Employees, representatives and attorneys of our business partners,
  • Our customers, our customers’ employees and officials,
  • Our potential customers,
  • Employees of public/private institutions and organizations,
  • Legally authorized persons,
  • Our visitors,
  • Other third parties.

Definitions of these person groups are given in ANNEX-1.

This Policy covers all personal data that we obtain through electronic, physical and other media and store in electronic, physical or similar media.

3. AUTHORITIES AND RESPONSIBILITIES

Company Management: Responsible for ensuring and managing the compliance of personal data with the retention period and the coordination of periodic destruction.

Information Technologies Department Responsible: Responsible for carrying out the destruction of personal data in electronic environment.

Administrative Affairs Department Supervisor: Responsible for the destruction of personal data in the physical environment and the execution of this Policy in accordance with his duties.

4. DEFINITIONS AND ABBREVIATIONS

Personal Data: Any information regarding an identified or identifiable natural person.
Special Personal Data: Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Relevant Person: The real person whose personal data is processed.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of a data recording system.
Explicit Consent: Consent regarding a specific issue, based on information and expressed with free will.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Delete: The process of making personal data inaccessible to the relevant users and making them unusable.
Destroy: Making all physical recording media suitable for storing information irretrievable and unusable.
Destruction: The process of deleting, destroying or anonymizing personal data.
Periodic Destruction: The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the law are eliminated.
Recording Media: Any environment containing personal data processed by fully or partially automated means or by non-automatic means provided that it is part of any data recording system.
Data Recording System: Recording system where personal data is structured and processed according to certain criteria.
Law: Personal Data Protection Law No. 6698, dated 24 March 2016, published in the Official Gazette No. 29677, dated 7 April 2016.
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28 October 2017.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
Policy: Personal Data Storage and Destruction Policy.
General Policy: Personal Data Protection and Processing Policy.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority given by him/her.
Personal Data Processing Inventory: The inventory that data controllers create and detail by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing personal data, the data category, the transferred recipient group and the data subject group.
Data Controllers Registry: Data controllers registry to be established by the Personal Data Protection Authority in accordance with the Regulation on Data Controllers Registry.
Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual and other media other than electronic media.

5. REASONS AND DURATIONS WHICH REQUIRE STORAGE AND DESTRUCTION OF PERSONAL DATA

As Efeler Polimer, we keep the personal data we process while providing our services for legal and reasonable periods in accordance with the Law, Regulation and relevant legislation, and destroy them after these periods have passed.

5.1 Reasons Requiring Storing Personal Data

5.1.1 Legal Reasons Requiring Storage

Personal data processed within the framework of Efeler Polimer’s activities are retained for the period stipulated in the relevant legislation. In this context, personal data is stored for the storage periods specified in legislation including, but not limited to, the following:

  • Personal Data Protection Law No. 6698,
  • Turkish Code of Obligations No. 6098,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,
  • Occupational Health and Safety Law No. 6331,
  • Labour Law No. 4857,
  • Turkish Commercial Code No. 6102,
  • Tax Procedure Law No. 213,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions,
  • Regulation on the Procedures and Principles of Occupational Health and Safety Training,
  • Regulation on Bulk Internet Service Usage Providers,
  • Regulation on Commercial Electronic Messages and Commercial Communication,
  • Other secondary regulations in force under these laws.

Efeler Polimer stores personal data in accordance with the processing conditions in Articles 5 and 6 of the Law, if there are reasons that require the processing and storage of personal data. The storage activities carried out by Efeler Polimer in line with the processing conditions are explained below with examples.

PROCESSING TERMS: DESCRIPTIONS
Obtaining explicit consent from the relevant persons: Personal data will be stored if the relevant person gives explicit consent for the storage activity that requires explicit consent.
Clearly prescribed by law: Personal data for which the storage and/or retention period is clearly stipulated by law are stored. For example, in accordance with Article 7 of the Occupational Health and Safety Services Regulation, Efeler Polimer is obliged to keep the personal health files of its employees for at least 15 years from the date of termination of employment.
Establishment or execution of the contract: Efeler Polimer keeps the personal data necessary to fulfill its contractual obligations throughout the contractual relationship.
Fulfillment of Efeler Polimer’s legal obligation: Efeler Polimer stores personal data in order to fulfill its legal obligations in accordance with the legislation. For example, personal data is stored in order to meet the requests of official and administrative authorities and to enable these authorities to carry out their inspections.
Establishment, use or protection of a right: Efeler Polimer stores the relevant personal data in order to establish and protect its rights in case of disputes that may arise in the future. For example, personal data of employees is stored for 10 years after the termination of the employment contract.
Publicization by oneself: Efeler Polimer, if it has a legitimate interest, keeps the personal data made public by the person for the duration of the publicization.
The company has a legitimate interest: Efeler Polimer stores personal data in order to carry out its commercial activities and relationships, provided that it does not harm the fundamental rights and freedoms of the person concerned.

5.1.2 Processing Purposes Requiring Storage

Efeler Polimer stores the personal data it processes within the scope of its activities for the following purposes.

  • Executing human resources processes.
  • To carry out commercial activities.
  • Carrying out marketing activities.
  • To ensure corporate communication.
  • Ensuring institutional security.
  • To ensure that Efeler Polimer can respond to legal disputes that may arise in the future and to create evidence.
  • To be able to carry out work and transactions as a result of signed contracts and protocols.
  • To ensure that legal obligations are fulfilled as required by legal regulations.
  • To contact real/legal persons who have business relations with Efeler Polimer.
  • To carry out activities to ensure data security

5.1.3 Reasons Requiring Destruction of Personal Data

Efeler Polimer will be obliged to delete, destroy or anonymize personal data in the following cases. Efeler Polimer will be able to carry out this destruction activity in the first periodic destruction process following the end of these periods.

In the following cases, personal data is deleted, destroyed or anonymized by Efeler Polimer ex officio or upon the request of the relevant person:

  • Efeler Polimer does not have a legitimate purpose for processing personal data,
  • Amendment or abolition of the relevant legislative provisions that constitute the basis for its processing,
  • The purpose requiring processing or storage is eliminated,
  • In cases where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her explicit consent,
  • Acceptance by the Institution of the application made by the relevant person regarding the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law,
  • Efeler Polimer rejects the application made to it by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, gives an answer that is found insufficient, or does not respond within the period stipulated in the Law, and the relevant person submits a complaint to the Board and this request is approved by the Board,
  • The maximum period requiring personal data to be stored has passed and there are no conditions that justify storing personal data for a longer period.

5.2 Storage and Disposal Periods

Within the scope of the conditions specified in this Section, the Storage and Destruction Periods Table (Annex-2) has been created, which includes the storage and destruction periods of personal data. Efeler Polimer will store and destroy personal data in accordance with these storage and destruction periods.

Efeler Polimer has determined the periodic destruction period as 6 (six) months. In this context, Efeler Polimer evaluates the stored personal data every 6 months and destroys the personal data whose specified storage period has expired. Data whose retention period has expired will be destroyed in the first periodic destruction process that follows the expiry.

For example, Efeler Polimer will be able to keep the records of the employee candidate who applied for a job on November 12, 2023, for 1 year, which it determines as a reasonable period. With the expiration of this period on November 12, 2024, Efeler Polimer is obliged to destroy this information in its first periodic destruction process. In this context, if the last periodic destruction was carried out on October 10, 2024, this information should be destroyed at the latest six months later, on April 10, 2025.

6. PERSONAL DATA STORAGE ENVIRONMENT

6.1 Non-Electronic Media

Personal data can be stored in non-electronic media as paper, forms, documents, contracts or any printed entity. The environments in which printed assets are stored are stated below.

  • Locked cabinets in Efeler Polimer offices,
  • Boards in Efeler Polimer offices,
  • Archive room located in Efeler Polimer offices,
  • Drawers and folders in Efeler Polimer offices.

In this context, it is accepted that all personal data that we obtain electronically but then store by printing or writing on paper, form or document is also stored in physical environment.

6.2 Electronic Media

Personal data is stored in the following electronic environments:

  • Desktop and laptop computers,
  • Mobile devices,
  • E-mail servers,
  • Cloud environment,
  • Software and the databases it is connected to,
  • Portable media (USB Memory, CD and DVD etc.),
  • Disk drives used to store data on the network.

7. PRECAUTIONS REGARDING THE STORAGE OF PERSONAL DATA

Efeler Polimer is obliged to keep personal data safe, to prevent its unlawful processing and to prevent unlawful access to it. The administrative and technical measures taken by Efeler Polimer within the framework of this obligation are listed below:

7.1 Administrative Measures

  • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
  • Necessary training and awareness activities are carried out for employees to ensure the security of personal data and not to disclose or share it unlawfully.
  • Training and awareness activities are carried out for employees on data security at regular intervals.
  • Confidentiality commitment is taken from employees regarding the activities carried out by Efeler Polimer and confidentiality agreements are signed regarding specific activities. The signed contracts contain data security and disciplinary provisions.
  • Contracts signed with third parties contain data security provisions.
  • A disciplinary procedure is applied against employees who do not comply with internal procedures, policies and instructions regarding personal data security.
  • Before starting to process personal data, Efeler Polimer fulfills its obligation to inform the relevant persons.
  • A personal data processing inventory is prepared and changes in data processing processes are updated.
  • Personal data security policies and procedures are determined. Compliance with personal data security policies and procedures is monitored.
  • Periodic and random audits are carried out within the institution.
  • Technical measures taken are reported periodically in accordance with the internal audit mechanism.
  • The use of personal data is reduced as much as possible for business purposes.
  • Contracts regarding the processing, protection and security of personal data are signed with the persons with whom personal data is shared, or provisions regarding this are added to the existing contract.
  • Data processing service providers are made aware of data security and protective provisions are included in the contracts signed in this context.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The risks that Efeler Polimer may face and the existing risks have been identified and precautions have been taken.
  • Personal data processing activities carried out within Efeler Polimer are analyzed specifically for business units, ensuring that business units process personal data only for the purpose of carrying out their activities.
  • A separate policy has been determined for the security of sensitive personal data.
  • Employees involved in the processing of special personal data have been provided with training on special personal data security, confidentiality agreements have been made, and the powers of users who have access to data have been defined.

7.2 Technical Measures

  • Special personal data transferred on portable memory, CD and DVD media are stored encrypted and, if necessary, transferred encrypted.
  • Network security and application security are ensured, and a closed system network is used for personal data transfers via the network.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • An authority matrix has been created for employees. The authorities of employees who change their duties or leave their jobs in this area are removed. User account management and authorization control system is implemented and these are also monitored.
  • Access logs are kept regularly.
  • Log records are kept without user intervention.
  • Up-to-date anti-virus systems are used.
  • Personal data security problems are reported quickly and solutions are taken immediately.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • If sensitive personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
  • Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
  • Penetration tests are performed.
  • Intrusion detection and prevention systems are used.
  • Data loss prevention software is used and tests are performed.
  • Data processing service providers are audited at regular intervals regarding data security, and data processing service providers are made aware of data security.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Personal data is backed up and the security of the backed up personal data is ensured.
  • Consultancy regarding technical security is received from expert external sources.

8. PRECAUTIONS FOR DESTRUCTION OF PERSONAL DATA

8.1 Destruction Procedures

8.1.1 Deletion of Personal Data

Deletion of personal data refers to the process of making personal data inaccessible and unusable for the relevant users in any way. For this purpose, Efeler Polimer creates an access authorization and control matrix at the user level and implements it within the framework of a policy. It takes the necessary measures to perform deletion in the database.

8.1.2 Destruction of Personal Data

Destruction of personal data refers to the process of making personal data inaccessible, irretrievable and unusable by anyone.

8.1.3 Anonymization of Personal Data

Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even if it is matched with other data.

8.2 Destruction Techniques to Use

Efeler Polimer will destroy personal data in accordance with the Deletion, Destruction and Anonymization of Personal Data Guide published by the Institution. Below, some of the destruction techniques that Efeler Polimer will apply are given as examples.

8.2.1 Deletion Techniques

Deletion with Delete Command: It is the deletion of personal data with the delete command in the electronic data environment. Deleted data will become inaccessible and unusable in any way.

Deletion via Software: Deletion of personal data with appropriate software to ensure secure deletion.

8.2.2 Destruction Techniques

De-magnetization: It is the process of passing the magnetic media through a special device and exposing it to a very high magnetic field, thus corrupting the data on it in an unreadable way.

Physical Destruction: It is the process of physically destroying optical media and magnetic media.

Overwriting: It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is done using special software.

8.2.3 Anonymization Techniques

Masking: Covering, crossing out, asterisking or electronically removing personal data, and similar methods. For example, instead of Ahmet Yıldırım, A***** **Y*** can be written, or an asterisk can be placed over the name.

Generalization: It is the process of converting relevant personal data from a specific value to a more general value.

9. REFERENCES AND BASIS

Regulation on Deletion, Destruction and Anonymization of Personal Data

ANNEX-1 PERSON GROUPS

PERSON GROUPS: DESCRIPTIONS
Product or Service Recipient: People who have already purchased or committed to purchase products/services from Efeler Polimer.
Potential Product or Service Buyer: People who have not currently purchased the relevant product/service from Efeler Polimer, but are likely to purchase it.
Company Representative or Deputy: Persons who represent or act as deputy for Efeler Polimer (lawyers from whom Efeler Polimer receives consultancy, member of the board of directors authorized to represent and bind Efeler Polimer).
Shareholder: Real persons who have shares in Efeler Polimer.
Supplier Employee / Supplier Representative: Employee or official of the companies from which Efeler Polimer receives service.
Business Partner: Employee, employee candidate, representative or attorney of the companies that Efeler Polimer works with in its activities.
Employee: Persons employed by Efeler Polimer as employer and with whom it has an employment contract.
Employee Candidate: Real persons who have applied for a job at Efeler Polimer by any means or who have made their CV and relevant information available for Efeler Polimer’s review.
Visitor: People who visit Efeler Polimer company campuses and websites.
Legally Authorized Person: Persons working in legally authorized public institutions and organizations or private individuals and organizations.
Delivery Recipient: Real persons who receive the delivery as part of Efeler Polimer’s business activities.
Eyewitness: People who witnessed the accident when a work accident occurred.
Survivor: Persons injured as a result of work accidents.
Customer Company Representative: Company, which is a legal entity customer of Efeler Polimer.
Third Party: Other natural persons not mentioned here.

ANNEX-2 STORAGE AND DISPOSAL PERIOD TABLE

The retention periods for the processes in the table below are determined based on the legislation on the date of entry into force of this Policy. These periods will be interrupted if a lawsuit is filed by the relevant person, and the personal data subject to the lawsuit will be stored based on the legal reason of protecting a right, at least until the case is finalized.

PERSONAL DATA CATEGORY | STORAGE PERIOD | DESTRUCTION PERIOD
In contractual relations (TBK general statute of limitations) | 10 years from the end of the contractual relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Providing goods/services to customers | 10 years from the end of the contractual relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Part of the contract process and maintenance of the contract | 10 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Job applications of employee candidates | 1 year from the date of job application | In the first periodic transaction that takes place every 6 months after the expiration of the period
Planning human resources processes | 10 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Occupational health and safety activities | 10 years from the end of the employment relationship, health files 15 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Carrying out employee leave and compensation processes | 5 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Personal data regarding employees’ rights regarding wages | 5 years | In the first periodic transaction that occurs every 6 months after the expiration of the period
Access / Log Records | 2 years | In the first periodic transaction that occurs every 6 months after the expiration of the period
General Assembly Transactions | 10 years | In the first periodic transaction that occurs every 6 months after the expiration of the period
Information about company partners and board members | 10 years | In the first periodic transaction that occurs every 6 months after the expiration of the period
Commercial books and other documents listed in TCC art. 82/1 | 10 years | In the first periodic transaction that occurs every 6 months after the expiration of the period
Employee Transaction Information | 10 years from the end of the legal relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Incident Detection Information | 10 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Family Members Information | 10 years from the end of the employment relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Customer Request and Complaint Information | 10 years from the end of the contractual relationship | In the first periodic transaction that occurs every 6 months after the expiration of the period
Foundation Membership Information | If the person does not withdraw his/her express consent: In terms of CVs, it is kept for 1 year if the candidate employees indicate it in their CVs, and for 10 years from the contractual relationship in the personnel file of the employees. | In the first periodic transaction that takes place every 6 months after the expiration of the period or withdrawal of express consent
Association Membership Information | If the person does not withdraw his/her express consent: In terms of CVs, it is kept for 1 year if the candidate employees indicate it in their CVs, and for 10 years from the contractual relationship in the personnel file of the employees. | In the first periodic transaction that takes place every 6 months after the expiration of the period or withdrawal of express consent