ESTUZ ESKİŞEHİR TUZ GIDA SANAYİ VE TİCARET ANONİM ŞİRKETİ

POLICY OF STORAGE, DISPOSAL AND ANONYMIZATION OF PERSONAL DATA

  1. PURPOSE AND SCOPE

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared by Estuz Eskişehir Tuz Gıda Sanayi ve Ticaret Anonim Şirketi (“Estuz” or “the Company”) to set out the procedures and principles governing the storage and destruction activities it carries out. As a company, our basic principle is to process the personal data of customers, employees, employee candidates, service providers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation. In this context, ensuring that data subjects do not lose their rights and can exercise them effectively has been set as a priority.

This Personal Data Storage and Destruction Policy has been prepared in accordance with the Personal Data Protection Law No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) published in the Official Gazette dated 28.10.2017 and numbered 30224, and other applicable legislation.

  2. DEFINITIONS

Recipient Group

The category of natural or legal persons to whom personal data are transferred by the data controller.

Explicit Consent

Consent on a specific subject, based on being informed and expressed with free will.

Anonymization

Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee

Estuz staff.

Electronic environment

Media where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Environment

All written, printed, visual, etc. media other than electronic media.

Service provider

A natural or legal person providing services within the framework of a specific contract with Estuz.

Data Subject

The natural person whose personal data are processed.

Relevant User

Persons who process personal data within the organization of the data controller, or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

Deletion, destruction or anonymization of personal data.

Law

Personal Data Protection Law No. 6698.

Recording Media

Any medium containing personal data processed wholly or partly by automatic means or, provided that it is part of a data recording system, by non-automatic means.

Personal Data

Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory

The inventory that data controllers create of the personal data processing activities carried out in the course of their business processes, in which the purposes and legal grounds of processing are associated with the data category, the recipient group and the data subject group, and which sets out the maximum retention period required for the purposes of processing, the personal data envisaged to be transferred abroad and the measures taken regarding data security.

Processing of Personal Data

Any operation performed on personal data, wholly or partly by automatic means or, provided that it is part of a data recording system, by non-automatic means, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.

Board

Personal Data Protection Board.

Special Categories of Personal Data

Data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction

The deletion, destruction or anonymization process carried out ex officio at the recurring intervals specified in the personal data storage and destruction policy, where all of the conditions for processing personal data set out in the Law have ceased to exist.

Policy

Personal Data Storage and Destruction Policy.

Data Processor

The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Data Record System

A recording system in which personal data are structured and processed according to certain criteria.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System

The information system that data controllers will use in the application to the Registry and in other relevant transactions related to the Registry, accessible on the internet, created and managed by the Presidency.

VERBIS

Data Controllers Registry Information System.

Regulation

Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

 

  3. RECORDING MEDIA

The table below shows the media in which personal data stored by Estuz are recorded. Personal data are stored in the recording medium most appropriate to their nature and legal status.

Data Recording Media

Description

Electronic Media

·        Servers (Domain, backup, e-mail, database, web, file sharing, etc.)

·        Software (Office software, Intranet Portal, ERP software, “Netsis” etc.)

·        Information security devices (Firewall, intrusion detection and prevention, log files, antivirus, etc.)

·        Company computers (Desktop, laptop)

·        Company-owned mobile devices (Phone, tablet, etc.)

·        Optical discs (CD, DVD, etc.)

·        Removable media (USB sticks, memory cards, etc.)

Non-Electronic Environments

·        Paper

·        Manual data recording systems (Notebooks, phone books, etc.)

·        Written, printed, visual media

 

  4. RESPONSIBILITY AND TASK DISTRIBUTION

Subparagraph (f) of Article 6 of the Regulation requires that the titles, duties and units of the persons involved in the storage and destruction processes of personal data be specified. The titles, duties and units of the persons within the Company responsible for data security, for managing the storage and destruction processes, and for taking the technical and administrative measures needed to prevent the unlawful processing of and access to personal data and to ensure its lawful storage are given below.


Title

Job Description

Personal Data Manager

Directs all planning, analysis, research and risk assessment work in the projects carried out for compliance with the Law; manages the processes carried out under the Law, the Personal Data Processing and Protection Policy, the Personal Data Storage and Destruction Policy and the other policies and procedures in force; and decides on requests from data subjects.

Estuz Personal Data Protection Specialist

Examines requests from data subjects and reports them to the Personal Data Manager for evaluation; carries out the processes relating to those requests in line with the decision of the Personal Data Manager; audits the storage and destruction processes and reports these controls to the Personal Data Manager; and executes the storage and destruction processes.

(Technical and Administrative)

Responsible for implementing the policies and controls on the protection, storage and destruction of personal data in accordance with their job descriptions.

 

  5. EXPLANATIONS ON STORAGE AND DESTRUCTION

Within the Company, the personal data of the persons it serves are processed in accordance with the Law, stored in the recording media specified in this Policy, and destroyed as specified in this Policy. The Company stores and destroys the personal data of its personnel in the same way.

Personal data are stored on the basis of one or more of the processing conditions set out in Articles 5 and 6 of the Law. Personal data are therefore retained for as long as those conditions remain valid; when the processing conditions cease to exist, or upon application by the data subject to the Company (after the Company’s other legal obligations have been checked), the stored personal data are deleted, destroyed or anonymized.

Legal Reasons Requiring Storage

Personal data processed in the course of the Company’s activities are retained for the periods stipulated in the relevant legislation. In this context, personal data are retained for the storage periods stipulated in:

  • Labor Law No. 4857,
  • Turkish Commercial Code No. 6102,
  • Turkish Code of Obligations No. 6098,
  • Law No. 6502 on Consumer Protection,
  • Vocational Education Law No. 3308,
  • Occupational Health and Safety Law No. 6331,
  • Law No. 6698 on Protection of Personal Data,
  • Tax Procedure Law No. 213,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 6563 on the Regulation of Electronic Commerce,
  • the Occupational Health and Safety Services Regulation and the Regulation on Commercial Communication and Commercial Electronic Messages,
  • and the other secondary regulations in force pursuant to these laws.

Processing Purposes Requiring Preservation

The company stores the personal data processed within the framework of its activities for certain purposes. In this context, the purposes are listed below:

  • Execution of Emergency Management Processes
  • Execution of Information Security Processes
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes
  • Execution of Employee Candidates’ Application Processes
  • Execution of Employee Satisfaction and Loyalty Processes
  • Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees
  • Execution of Fringe Benefits and Allowances Processes for Employees
  • Conducting Audit / Ethical Activities
  • Conducting Training Activities
  • Execution of Access Authorities
  • Conducting Activities in Compliance with Legislation
  • Execution of Finance and Accounting Affairs
  • Execution of Loyalty Processes to Company / Products / Services
  • Ensuring Physical Space Security
  • Execution of Assignment Processes
  • Follow-up and Execution of Legal Affairs
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Conducting Communication Activities
  • Planning of Human Resources Processes
  • Execution / Supervision of Business Activities
  • Conducting Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for the Improvement of Business Processes
  • Conducting Business Continuity Activities
  • Execution of Logistics Activities
  • Execution of Goods / Service Purchase Processes
  • Execution of Goods / Service After Sales Support Services
  • Execution of Goods / Service Sales Processes
  • Execution of Goods / Service Production and Operation Processes
  • Execution of Customer Relationship Management Processes
  • Conducting Activities for Customer Satisfaction
  • Organization and Event Management
  • Conducting Marketing Analysis Studies
  • Performance Evaluation Processes
  • Execution of Advertising / Campaign / Promotion Processes
  • Execution of Risk Management Processes
  • Execution of Custody and Archive Activities
  • Social Responsibility and Execution of Civil Society Activities
  • Execution of Contract Processes
  • Conducting Sponsorship Activities
  • Conducting Strategic Planning Activities
  • Tracking of Requests / Complaints
  • Ensuring the Security of Movable Goods and Resources
  • Execution of Supply Chain Management Processes
  • Execution of Wage Policy
  • Execution of Marketing Process of Products / Services
  • Ensuring the Security of Data Controller Operations
  • Execution of Investment Processes
  • Conducting Talent / Career Development Activities
  • Informing Authorized Persons, Institutions and Organizations
  • Conducting Management Activities
  • Creating and Tracking Visitor Records

Reasons for Destruction:

  • Amendment or repeal of the legislative provisions that form the basis for processing,
  • Disappearance of the purpose that required the processing or storage of the data,
  • Withdrawal of explicit consent by the data subject, where processing is based solely on explicit consent,
  • Acceptance by the Company of an application made by the data subject, under the rights granted by Article 11 of the Law, for the deletion or destruction of personal data,
  • Where the Company rejects the data subject’s application for the deletion, destruction or anonymization of personal data, gives a response the data subject finds inadequate, or fails to respond within the period stipulated by the Law: a complaint to the Personal Data Protection Authority and approval of the request by the Authority,
  • Expiry of the maximum storage period for the personal data, with no condition justifying storage for a longer period,
  • Expiry of the storage periods specified in the relevant legislation.

In the above cases, the personal data concerned are deleted, destroyed or anonymized by the Company, either at the request of the data subject or ex officio.

  6. TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURE STORAGE OF PERSONAL DATA AND THE PREVENTION OF UNLAWFUL PROCESSING AND ACCESS

Estuz takes all necessary technical and administrative measures, appropriate to the personal data concerned and to the characteristics of the medium in which it is kept, to store personal data securely and to prevent unlawful processing of and access to it. In addition, for special categories of personal data, the Company takes the technical and administrative measures set out in the adequate measures determined and announced by the Personal Data Protection Board, pursuant to Article 12 and the fourth paragraph of Article 6 of the Law.

These measures include, but are not limited to, the following administrative and technical measures, to the extent they are appropriate to the nature of the personal data and the medium in which it is stored.

  • Technical Measures

Estuz takes the following technical measures, appropriate to the personal data concerned and to the characteristics of the medium in which it is stored:

  • Network security and application security are ensured.
  • A closed network is used for transfers of personal data over the network.
  • Key management is implemented.
  • Employees who change position or leave the Company have their access authorizations in this area revoked.
  • Up-to-date antivirus systems are used.
  • Firewalls are used.
  • Necessary security measures are taken for entry to and exit from physical environments containing personal data.
  • Personal data are backed up, and the security of the backed-up personal data is also ensured.
  • A user account management and authorization control system is applied and monitored.
  • Where special categories of personal data are to be sent by e-mail, they are sent in encrypted form, using a registered electronic mail (KEP) address or a corporate e-mail account.
  • Intrusion detection and prevention systems are used.
  • Data loss prevention software is used.

 

  • Administrative Measures

Estuz takes the following administrative measures, appropriate to the personal data concerned and to the characteristics of the media in which it is stored:

  • Disciplinary regulations containing data security provisions are in place for employees.
  • Training and awareness activities on data security are carried out periodically for employees.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Confidentiality undertakings are obtained.
  • Signed contracts contain data security provisions.
  • Additional security measures are taken for personal data transferred on paper, and the relevant documents are sent marked as confidential.
  • Personal data security policies and procedures have been determined.
  • Personal data security incidents are reported promptly.
  • Personal data security is monitored.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • The security of environments containing personal data is ensured.
  • Personal data are minimized as far as possible.
  • Current risks and threats have been identified.
  • Protocols and procedures for the security of special categories of personal data have been determined and implemented.
  • Data processing service providers are made aware of data security requirements.

 

  7. TECHNIQUES FOR THE DESTRUCTION OF PERSONAL DATA

Personal data stored by Estuz in accordance with the Law, other legislation and the Personal Data Processing and Protection Policy are deleted, destroyed or anonymized ex officio, at the request of the data subject or within the periods specified in this Personal Data Storage and Destruction Policy, once the reasons requiring their processing cease to exist.

The deletion, destruction and anonymization techniques used by Estuz are listed below:

  • Methods for Deletion

Deletion of personal data is the process of making personal data inaccessible and unusable in any way for the relevant users.

Personal data are deleted by using one or more of the methods given in the table below.


Deletion Methods for Personal Data Retained in Physical Environment

Blackout

Personal data held in physical form are deleted by the blackout method: wherever possible the personal data on the document are cut out, or they are made illegible with permanent ink in a way that is irreversible and cannot be read back with technological means.

Deletion Methods for Personal Data Retained in Cloud and Local Digital Environments / Software

Secure deletion from software

Personal data kept in cloud or local digital environments are deleted by a software command at the end of the period requiring storage, so that they cannot be accessed or recovered by the relevant employees, other than the database administrator.

Personal Data on Servers

Deletion by removing access authorization

For personal data on servers whose retention period has expired, the system administrator removes the relevant users’ access authorization, and the deletion is thereby performed.

 

  • Methods for Destruction

Destruction of personal data is the process of making personal data impossible for anyone to access, retrieve or reuse in any way.

Personal data are destroyed by using one or more of the methods given in the table below.

Destruction Methods for Personal Data Stored in Physical / Printed Environment

Physical Destruction

It is the physical destruction of optical and magnetic media containing personal data, so that the data become inaccessible, by processes such as melting, burning, pulverizing or passing the media through a metal shredder.

Degaussing

It is the process of rendering the data on magnetic media unreadable by exposing the media to a strong magnetic field.

Rewriting

Random data consisting of 0s and 1s are written over magnetic media and rewritable optical media at least seven times, so that the old data can no longer be read or recovered.

Destruction by removing access authorization

For personal data on servers whose retention period has expired, the system administrator removes the relevant users’ access authorization, and the destruction is performed in such a way that the data cannot be accessed again.

Destruction Methods for Personal Data Held in the Cloud

Safe deletion from software

Personal data kept in the cloud are deleted by a software command so that they cannot be recovered, and when the cloud computing service relationship ends, all copies of the encryption keys required to make the personal data usable are destroyed. Data deleted in this way cannot be accessed again.
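Two of the methods in the table above in working form, as an added example that is not Estuz’s own tooling and not part of the original policy: “Rewriting” as a multi-pass random overwrite of a file, and the cloud “Safe deletion from software” as crypto-shredding, where each record is encrypted under its own key and destroying that key renders every copy of the ciphertext unreadable, including copies the provider still holds. It is Python using only the standard library. The HMAC-SHA256 counter-mode keystream is a stand-in for an authenticated cipher such as AES-GCM (which the standard library does not provide); the `CryptoShredStore` class, its `put`/`get`/`shred` methods, the sample personnel file and the dictionaries standing in for a KMS and an object-storage bucket are all assumptions of the example. One caveat the policy does not state: overwriting is only sound where writes land on the same physical blocks (magnetic disks); on SSDs and flash media wear levelling remaps writes, so a firmware secure-erase or sanitize command, or crypto-shredding, is the reliable choice there.

```python
"""Added example: "Rewriting" (multi-pass overwrite) and cloud "Safe deletion
from software" (crypto-shredding). Standard library only; the HMAC-SHA256
counter-mode keystream is a stand-in for AES-GCM, which the stdlib lacks."""
import hashlib
import hmac
import os
import secrets
import tempfile


# --- Rewriting ------------------------------------------------------------------
def overwrite_file(path, passes=7):
    """Overwrite every byte of `path` with fresh random data `passes` times,
    forcing each pass to disk with fsync. Returns the file size. Sound only on
    media where writes hit the same physical blocks (magnetic disks)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(remaining, 64 * 1024))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    return size


def destroy_file(path, passes=7):
    """Rewriting followed by unlinking. The directory entry goes last, so an
    interruption leaves an overwritten file rather than a recoverable one."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo_destroy_file(passes=3):
    """End-to-end run on a constructed personnel file in a temporary directory;
    returns what happened so it can be checked without reading printed output."""
    original = b"Personnel file: Ayse Y., E-1041, blood group A+\n" * 200  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "personnel.dat")
        with open(path, "wb") as fh:
            fh.write(original)
        overwrite_file(path, passes)
        with open(path, "rb") as fh:
            after = fh.read()
        destroy_file(path, passes)
        return {"size": len(original), "content_changed": after != original,
                "size_kept": len(after) == len(original), "exists": os.path.exists(path)}


# --- Safe deletion in the cloud: destroy the key, not just the blob -------------
def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks. Stand-in for
    AES-GCM; it is unauthenticated, so do not use it outside this illustration."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class CryptoShredStore:
    """Each record is encrypted under its own data-encryption key (DEK). The
    ciphertext sits in a simulated cloud bucket; the DEK sits in a key store the
    provider never sees (a KMS/HSM in practice). Destroying the DEK makes every
    copy of the ciphertext, backups and snapshots included, unreadable."""

    def __init__(self):
        self._keys = {}    # record id -> DEK (stand-in for a KMS/HSM)
        self._bucket = {}  # record id -> (nonce, ciphertext) (stand-in for object storage)

    def put(self, record_id, plaintext):
        dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[record_id] = dek
        self._bucket[record_id] = (nonce, _xor(plaintext, _keystream(dek, nonce, len(plaintext))))

    def get(self, record_id):
        dek = self._keys[record_id]  # KeyError once the key has been shredded
        nonce, ciphertext = self._bucket[record_id]
        return _xor(ciphertext, _keystream(dek, nonce, len(ciphertext)))

    def shred(self, record_id):
        """Safe deletion: destroy every copy of the DEK. The blob may stay behind."""
        del self._keys[record_id]

    def readable(self, record_id):
        return record_id in self._keys and record_id in self._bucket

    def blob_present(self, record_id):
        return record_id in self._bucket


if __name__ == "__main__":
    print(demo_destroy_file())
    store = CryptoShredStore()
    store.put("emp-1041", b"health file: blood group A+")
    store.shred("emp-1041")
    print("blob still in bucket:", store.blob_present("emp-1041"), "readable:", store.readable("emp-1041"))
```

The point of the second half is the lifecycle, not the cipher: the bucket still holds the blob after `shred`, which is exactly the situation at the end of a cloud contract when the provider’s backups are out of the customer’s reach, and the record is nonetheless unrecoverable because the only thing that could decrypt it no longer exists.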

 

  • Anonymization Methods

Anonymization of personal data is rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Personal data are anonymized by using one or more of the methods given in the table below.


Anonymization Methods for Personal Data Stored in Physical / Printed Media

Subtracting variables

Removal of one or more of the direct identifiers contained in the personal data that would serve to identify the data subject in any way.

This method can be used to anonymize personal data, or to delete information that is not relevant to the purpose of processing.

Regional concealment

Deletion of the distinctive information of a record that is exceptional within a data table that has otherwise been anonymized collectively.

Generalization

Bringing together the personal data of many people and turning them into statistical data by removing the information that distinguishes them.

Lower and upper limit coding / Global coding

For a given variable, value ranges are defined and the values are placed in categories. If the variable does not hold numeric values, values that are close to each other are grouped into a category. Values in the same category are combined.

Micro merging

With this method, all records in the data set are first arranged in a meaningful order and the whole set is then divided into a certain number of subsets. The mean of the specified variable is taken for each subset, and each record’s value of that variable is replaced by the subset mean. Because the indirect identifiers in the data are thereby distorted, it becomes difficult to associate the data with the data subject.

Data Mixing and Distortion

By mixing or distorting the direct or indirect identifiers in personal data with other values, their link with the data subject is broken and they lose their identifying quality.

Anonymization Methods for Personal Data in Digital Environment / Servers / Cloud

Masking (Encryption, symbol substitution, blurring, shuffling, overwriting)

Data masking is making personal data incomprehensible in order to prevent unauthorized access. This method is used to prevent confidential and sensitive information in the organization from leaking inside or outside it and being obtained by malicious persons. In data masking the data format is not changed, only the values are changed, in a way that cannot be detected or reversed. In addition, by determining who may access which data, it is ensured that authorized persons see only the information they need to see, while other information is masked.
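The methods above applied to a small constructed set of HR records, as an added example that is not part of the original policy: subtracting variables, lower/upper limit coding and generalization of age, regional concealment of a city that occurs only once, micro merging (micro-aggregation) of salary in subsets of k, and digit masking that keeps the phone number’s format. Python, standard library only; the `RECORDS` list, the field names and the thresholds (`low=25`, `high=60`, `k=3`, `min_count=2`) are assumptions of the example. The micro-aggregation step also handles an edge case the description leaves open: a trailing subset smaller than k would leave its members with nearly exact values, so it is folded into the previous subset.

```python
"""Added example: the anonymization methods in the policy table applied to
constructed HR records. Standard library only."""
from collections import Counter
from statistics import mean

# Constructed sample records; every value is invented for this example.
RECORDS = [
    {"name": "Ayşe Y.", "employee_no": "E-1041", "phone": "+90 222 555 0101", "age": 23, "city": "Eskişehir", "salary": 18000},
    {"name": "Mehmet K.", "employee_no": "E-1042", "phone": "+90 222 555 0102", "age": 31, "city": "Eskişehir", "salary": 21000},
    {"name": "Elif D.", "employee_no": "E-1043", "phone": "+90 312 555 0103", "age": 44, "city": "Ankara", "salary": 35000},
    {"name": "Can B.", "employee_no": "E-1044", "phone": "+90 222 555 0104", "age": 59, "city": "Eskişehir", "salary": 52000},
    {"name": "Zeynep A.", "employee_no": "E-1045", "phone": "+90 312 555 0105", "age": 67, "city": "Ankara", "salary": 90000},
    {"name": "Ali T.", "employee_no": "E-1046", "phone": "+90 224 555 0106", "age": 38, "city": "Bursa", "salary": 27000},
]

DIRECT_IDENTIFIERS = ("name", "employee_no")  # assumption: what counts as a direct identifier here


def drop_variables(record, fields=DIRECT_IDENTIFIERS):
    """Subtracting variables: remove the direct identifiers outright."""
    return {k: v for k, v in record.items() if k not in fields}


def age_band(age, low=25, high=60):
    """Lower/upper limit coding (ages below `low` and at or above `high` collapse
    into open-ended categories) combined with generalization of the remaining
    ages into ten-year bands."""
    if age < low:
        return f"<{low}"
    if age >= high:
        return f"{high}+"
    start = age // 10 * 10
    return f"{start}-{start + 9}"


def conceal_rare(records, field, min_count=2):
    """Regional concealment: a value shared by fewer than `min_count` records is
    exceptional within the table and is blanked out, since it alone could
    single a person out."""
    counts = Counter(r[field] for r in records)
    return [dict(r, **{field: r[field] if counts[r[field]] >= min_count else "*"})
            for r in records]


def microaggregate(records, field, k=3):
    """Micro merging: order the records on `field`, cut them into subsets of k,
    and replace each value with its subset mean. A trailing subset smaller than
    k is folded into the previous one; otherwise its members would keep a
    (nearly) exact value and remain linkable."""
    ordered = sorted(records, key=lambda r: r[field])
    groups = [ordered[i:i + k] for i in range(0, len(ordered), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    out = []
    for group in groups:
        avg = round(mean(r[field] for r in group))
        out.extend(dict(r, **{field: avg}) for r in group)
    return out


def mask_digits(value, keep_last=4):
    """Masking: the format (spaces, '+', length) is preserved; every digit except
    the trailing `keep_last` is replaced by '*'."""
    cutoff = sum(c.isdigit() for c in value) - keep_last
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            out.append(c if seen >= cutoff else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def anonymize(records):
    """Full pipeline over the table: drop direct identifiers, band ages, mask
    phones, conceal rare cities, then micro-aggregate salaries."""
    stripped = [drop_variables(r) for r in records]
    coded = [dict(r, age=age_band(r["age"]), phone=mask_digits(r["phone"])) for r in stripped]
    concealed = conceal_rare(coded, "city")
    return microaggregate(concealed, "salary", k=3)


if __name__ == "__main__":
    for row in anonymize(RECORDS):
        print(row)
```

Note that the output of `anonymize` is ordered by salary, not by the original row order, which is itself useful: row position is a linkage channel when the anonymized table is released next to a table that kept the original order.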

 

  8. STORAGE OF PERSONAL DATA AND DESTRUCTION PERIODS

For the personal data processed by Estuz within the scope of its activities:

  • Storage periods for each item of personal data processed in the course of the Company’s processes are set out in the Estuz Personal Data Processing Inventory,
  • Storage periods by data category are registered in VERBIS,
  • Process-based storage periods are set out in this Personal Data Storage and Destruction Policy. Estuz updates these storage periods when necessary.


  • Storage and Destruction Processes

PROCESS: STORAGE DURATION

Execution of Human Resources Processes: 10 years after the end of the activity

Execution of Processes Regarding Personnel Health Files under Occupational Health and Safety Processes: 15 years following the date of leaving employment

Execution of Hardware and Software Access Processes: 2 years following the end of the activity

Visitor Registration: 1 year following registration

Camera Recordings: 1 month

Preparation of Contracts and Execution Activity: 10 years following the termination of the contract

Conducting Corporate Communication Activities: 10 years after the end of the activity

 

  • Data Destruction Periods

Estuz deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize them arises under the Law, the relevant legislation, the Personal Data Processing and Protection Policy, other policies and this Personal Data Storage and Destruction Policy.

When the data subject applies to Estuz pursuant to Article 13 of the Law and requests the deletion or destruction of their personal data:

  • If all of the conditions for processing the personal data have ceased to exist, Estuz deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days of receiving the request, using the appropriate destruction method and explaining its justification. For Estuz to be deemed to have received the request, the data subject must have made it in accordance with the Personal Data Processing and Protection Policy and the Personal Data Application and Response Procedure.

In any case, Estuz informs the data subject of the outcome.

  • If not all of the conditions for processing the personal data have ceased to exist, Estuz may reject the request with a statement of reasons, in accordance with the third paragraph of Article 13 of the Law, and the rejection is notified to the data subject in writing or electronically within thirty days at the latest.

 

  9. PERIODIC DESTRUCTION PERIOD

Where all of the conditions for processing personal data set out in the Law have ceased to exist, Estuz ex officio deletes, destroys or anonymizes the personal data whose processing conditions have ceased, at the recurring intervals specified in this Personal Data Storage and Destruction Policy.

Periodic destruction processes start on ……………… for the first time and are repeated every 6 (six) months.

  10. PUBLICATION, STORAGE AND UPDATING OF THE POLICY

The Policy is published in two media, as a wet-ink signed printed copy and electronically, and is disclosed to the public on Estuz’s website. The printed copy is kept on file by the Company’s Board of Directors or the Personal Data Manager.

The policy is reviewed as needed, and the required sections are updated.

  11. CONFORMITY AND AMENDMENTS

Estuz reserves the right to amend this Personal Data Storage and Destruction Policy as required by legislation or company policy.

This Policy was published on … /… /… and no changes have been made since.