KCS GLASS PLASTIC PAINT PACKAGING TRANSPORT METAL MAKİNE İNŞAAT TAAHHÜT SANAYİ VE DIŞ TİCARET ANONİM ŞİRKETİ PERSONAL DATA STORAGE AND DESTRUCTION POLICY 1. INTRODUCTION a. Purpose b. Scope c. Abbreviations and Definitions 2. RESPONSIBILITY AND DISTRIBUTIONS OF DUTY 3. RECORD MEDIA 4. EXPLANATIONS ON STORAGE AND DISPOSAL a. Explanations on Storage i. Legal Reasons Requiring Storage ii. Legal Transactions Requiring Custody b. Reasons Requiring Destruction 5. TECHNICAL AND ADMINISTRATIVE MEASURES a. Technical Measures b. Administrative Measures 6. PERSONAL DATA DISPOSAL TECHNIQUES a. Deletion of personal data b. Destruction of personal data c. Anonymizing personal data 7. STORAGE AND DESTRUCTION PERIODS 8. PERIODIC DESTRUCTION TERMS 9. PUBLISHING AND STORAGE OF THE POLICY 10. UPDATE PERIOD OF THE POLICY 11. ENFORCEMENT AND TERMINATION OF THE POLICY 1. INTRODUCTION a. Purpose The purpose of this policy is; The 5th and 6th articles of the Regulation on the Deletion, Destruction or Anonymization of Personal Data (Regulation), which was issued based on the Law on the Protection of Personal Data No.6698 (Law) and published in the Official Gazette numbered 30224 on 28.10.2017 To determine the rules and roles and responsibilities to be applied throughout the Company in order to fulfill the obligations regarding the storage and destruction of personal data and other obligations specified in the Regulation. b. Scope The personal data of the employee, candidate employees, managers, visitors, employees of third parties, managers and other third parties with whom we cooperate, fully or partially automated or processed by non-automatic means provided that they are part of any data recording system. relates to. Page 2/9 In this context, the whole of this Policy can be applied to the groups of personal data owners mentioned above, as well as only some of its provisions. c. Abbreviations and Definitions Relevant person The real person whose personal data is processed, All kinds of information regarding a natural person whose personal data is identified or identifiable, Explicit consent, the consent of a specific subject based on information and free will, Data controller Determining the purposes and means of processing personal data, natural or legal person responsible for the establishment and management of the registration system (referred to as the 'Company'), Destruction Deletion, destruction or anonymization of personal data, Personal data processing inventory Personal data processing activities carried out by data controllers depending on their business processes; Personal data processing purposes, the data category, the transferred recipient group and the data subject group, and the maximum time required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security Deletion of personal data the process of making the personal data inaccessible and unusable for users in any way, The destruction of personal data, the process of making the personal data inaccessible and unavailable in any way by anybody. Page 3/9 and making it unusable again. In the event that all the conditions for processing personal data in the periodic destruction law are eliminated, personal data storage and destruction policies The data recording system refers to the recording system in which personal data are structured and processed according to certain criteria, the Board refers to the Personal Data Protection Board. 2. RESPONSIBILITY AND DISTRIBUTIONS OF DUTY All units and employees of the company, the responsible departments of the policy take technical and administrative measures as required, the training and awareness of the employees of the unit, monitoring and continuous supervision, preventing the unlawful processing of personal data, It actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data are processed in order to prevent access to the data and to ensure the legal storage of personal data. 3. RECORDING MEDIA Personal data are securely stored by the COMPANY in the media listed below in the form of a table in accordance with the law. Electronic media Non-electronic media o Servers (Domain, backup, e-mail, database, web, file sharing, etc.) o Information security devices (security o Paper, o Unit cabinets, o Archive, o Forms, Page 4/9 wall, antivirus, etc.) o Computers, o Biometric data readers, o Mobile devices ar, o Shared / non-shared disk drives used for data storage on the network, o CD, DVD, USB, external disk, memory card o Office Software. o Guest Entry Book. 4. EXPLANATIONS ON STORAGE AND DISPOSAL a. Explanations on Custody By the company; Personal data belonging to employees, candidates for employees, visitors and employees of third parties, institutions or organizations with whom we deal as service providers are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively. The concept of processing personal data has been defined in Article 3 of the Law, it is stated in Article 4 that personal data processed must be related, limited and measured with the purpose for which they are processed, and must be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and in Articles 5 and 6, the processing conditions of personal data. has been counted. Accordingly, within the framework of our Company's activities, personal data are stored for a period stipulated in the relevant legislation or in accordance with our processing purposes. I. Legal Reasons Requiring Preservation Personal data processed by the Company within the scope of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data:  Law on Protection of Personal Data No. 6698,  Turkish Code of Obligations No. 6098,  Turkish Commercial Law No. 6102,  Law No. 5651 on the Regulation of Publications Made on the Internet and Fight Against Crimes Committed Through These Publications,  Work No. 6361 Health and Safety Law,  Social Insurance and General Health Insurance Law No. 5510, Law on Right to Information No. 4982,  Labor Law No. 4857, Law No. 3071 on the Exercise of Petition Right and Page 5/9  secondary legislation on these laws, Data are stored in accordance with the retention periods stipulated within the scope of ii. Processing Purposes Requiring Preservation The Company stores the personal data it processes within the framework of its activities for the following purposes.  Conducting emergency processes,  Managing application and complaint processes,  Planning, executing and auditing information security activities,  Fulfilling obligations based on employment contracts and legislation for employees,  Ensuring the safety of employees, employee candidates, guests and our company, and their entry and exit Conducting audit and follow-up activities,  Carrying out training activities,  Conducting financial and accounting transactions, denetimi Auditing and following up legal affairs,  Fulfilling the burden of proof in future legal disputes, yürütül Carrying out occupational health / safety activities,  Business activities Planning and execution of the company's human resources operations, sağlanması Ensuring business continuity within the scope of the company's commercial activities, managing contract processes,  Ensuring the security of all kinds of operational activities of the company Determining and applying the strategies regarding the business processes of the company,  Ensuring the accuracy and up-to-dateness of personal data,  Ensuring corporate communication,  Carrying out strategic planning and management activities,  Carrying out storage and archive activities, hizmet Suppliers, business partners, service To be able to carry out business processes with providers and to communicate with these persons,  Managing the processes regarding wage management, fringe benefits and benefits,  To establish contact with real / legal persons who have a commercial business relationship with the company, To fulfill legal and contractual obligations,  Authorized institution and informing the institutions regarding the relevant legal regulations, Page 6/9 b. Reasons Requiring Disposal Personal data; Changing or abolishing the provisions of the relevant legislation that constitutes the basis of the processing, ortadan The purpose of processing is abolished,  In cases where the processing of personal data takes place only on the condition of express consent, the person concerned withdraws his express consent,  In accordance with Article 11 of the Law, personal data is deleted within the framework of the rights of the data subject. The Company refuses the application made by the person concerned with the request for deletion, destruction or anonymization of his personal data, finds his answer inadequate or fails to respond within the period stipulated in KVKK numbered 6698 in possibilities; During the first periodic destruction to be carried out in cases where the person concerned complains to the Board and this request is deemed appropriate by the Board  The maximum period requiring the storage of personal data has passed and there are no conditions that would justify the storage of personal data for a longer period, it is deleted, destroyed or ex officio deleted upon request, no are made or anonymized. All transactions regarding the deletion, destruction and anonymization of personal data are recorded with a report and the said records are kept for at least three years from the date of destruction. 5. TECHNICAL AND ADMINISTRATIVE MEASURES a. Technical Measures  In environments where personal data are kept, only up-to-date and secure systems in line with technological developments are used.  Security systems are used for the environments where personal data are kept.  Security tests and researches are carried out to detect security vulnerabilities on information systems, and any existing or potential risk issues identified as a result of the tests and researches are eliminated.  By restricting access to data to the environments where personal data are kept, only authorized persons are allowed to access these data, limited to the purpose of storing personal data, and all access is recorded.  The company employs sufficient technical personnel to ensure the security of the environments where personal data are kept.  In order to ensure the security of the archive room containing documents containing personal data and the rooms where the cabinets are located, a security camera system has been installed to see these points. Page 7/9  Secure record keeping (logging) systems are used in electronic environments where personal data are processed.  If personal data of special nature needs to be transferred via e-mail, they are transferred using a corporate e-mail address or a REM account. b. Administrative Precautions çalışan In order to ensure the security of personal data, in order to prevent the unlawful disclosure and sharing of personal data and to raise awareness about KVKK, regular trainings are given to employees and managers.  Confidentiality agreements are signed by employees regarding the activities carried out by the company.  Before starting to process personal data, the Company fulfills the obligation to inform the relevant persons.  Personal data processing inventory has been prepared.  Contracts made between third parties and the company were revised in accordance with the Law on Protection of Personal Data and additional protocols were prepared.  Clauses within the scope of KVKK have been added to the mails.  Periodic and random inspections are carried out within the company.  Information security trainings are provided for employees. 6. PERSONAL DATA DISPOSAL TECHNIQUES At the end of the period foreseen in the relevant legislation or the storage period required for the purpose for which they are processed, the personal data are destroyed by the Company, either personally or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation. a. Deletion of personal data For those who require storage of Personal Data on Servers, the system administrator removes the access authority of the relevant users and deletes them. Those who expire from the Personal Data in the Electronic Environment, are made inaccessible and unavailable in any way for other employees (relevant users) except the database administrator. It is made inaccessible and unavailable in any way for other employees, except for the department manager responsible for the document archive, for those who have expired from the Personal Data kept in the Physical Environment. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way. Page 8 of 9 b. Destruction of Personal Data Those who require the storage of Personal Data on Paper Media (Physically) expire, are irreversibly destroyed in paper trimming machines or by burning. Physical destruction such as melting, burning or pulverizing of the Personal Data in Optical Media and Magnetic Media, such as melting, burning or pulverizing, is applied. c. Anonymization of personal data Anonymization of personal data is making personal data unrelated to an identified or identifiable natural person under any circumstances, even if they are matched with other data. 7. STORAGE AND DESTRUCTION TERM  In the event that the period stipulated in the legislation regarding the storage of the said data expires or there is no specified period for the storage of the said data in the relevant legislation, you can reach the destruction and periodic destruction periods of the said records from the Company's Main Inventory for Processing Personal Data.  All transactions regarding the deletion, destruction and anonymization of Personal Data are recorded and the said records are , except for other legal obligations, a separate storage period has been determined for each activity, and you can access these periods from the Company's Main Inventory on Processing Personal Data. 8. PERIODIC DISPOSAL TIMES  According to the regulation, the Company has determined the periodic destruction period as 6 months. The data to be destroyed will be destroyed in accordance with the procedures set out in this Policy. 9. PUBLISHING AND STORING THE POLICY This policy, which is prepared by the company, has been published on the website of our company and made available to the relevant persons. Page 9/9 10. UPDATE PERIOD OF THE POLICY This policy is reviewed and the relevant sections are updated when needed. 11. EFFECTIVENESS OF THE POLICY This policy is deemed to have entered into force after it is published on the Company's website. Click http://kcscam.com.tr/ http://kcscam.com.tr for Data Owner Application Form for the Clarification text prepared by our company.