PERSONAL DATA STORAGE AND DESTRUCTION POLICY FOR THE PROTECTION OF PERSONAL DATA

LEGAL NOTICE

It is forbidden to copy, reproduce, use, publish and distribute all content contained in this Policy text, in whole or in part, without permission, except for individual use. Legal action will be taken against those who do not comply with this prohibition in accordance with the Law No. 5846 on Intellectual and Artistic Works. All rights of the product are reserved.

1.INTRODUCTION

1.1 Objective

Personal Data Storage and Destruction Policy (“Policy”) has been prepared in line with the decisions of the Personal Data Protection Board and the Personal Data Protection Law No. 6098 in order to determine the procedures and principles regarding the works and transactions regarding the storage and destruction activities carried out by “Karayel Arge Dış Ticaret Hizmetleri” (“Karayel Arge” or “Institution”). The Company has prioritized the processing of personal data belonging to its employees, employee candidates, suppliers, service providers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data (“Law”) and other relevant legislation and ensuring that the relevant persons effectively exercise their rights.

The works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.

1.2 Scope

Personal data belonging to Company employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy and this Policy is applied in all recording environments where personal data owned or managed by the Company are processed and in activities for personal data processing.

1.3 Abbreviations and Definitions

Open Consent

Consent on a specific issue, based on information and freely given.

Buyer Group

The category of natural or legal person to whom personal data is transferred by the data controller.

Anonymization

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee/Staff/Laborer

An employee of Karayel Arge Foreign Trade Services under the supervision and control of Karayel Arge Foreign Trade Services within the scope of insurance and labor contract.

EBYS

Electronic Document Management System

Electronic Media

Environments where personal data can be created, read, modified and written with electronic devices.

Non-Electronic Environment

All written, printed, visual, etc. media other than electronic media.

Service Provider

A natural or legal person who provides services under a specific contract with Karayel Arge Foreign Trade Services.

Contact Person

The natural person whose personal data is processed.

Related User

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

Deletion, destruction or anonymization of personal data.

Law

Law No. 6698 on the Protection of Personal Data.

Recording Medium

Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory

Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data

Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Board

Personal Data Protection Board

Sensitive Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal

Deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear.

Policy

Personal Data Retention and Destruction Policy.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System

A recording system where personal data is structured and processed according to certain criteria.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System

The information system created and managed by the Presidency of the Data Protection Board, accessible via the internet, which data controllers will use in the application to the Registry and other related transactions regarding the Registry.

VERBIS

Data Controllers Registry Information System.

Regulation

Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2.DISTRIBUTION OF RESPONSIBILITIES AND TASKS

All units and employees of the Company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law. This support covers the proper implementation of the administrative and technical measures taken by the responsible units within the scope of the Policy, the training and awareness of unit employees, and monitoring and continuous supervision. In cases where it is not possible to employ within the Company, the Company provides such support through service providers.

Title

Job Description

Responsible, in the projects carried out in the process of compliance with the Law, for carrying out, commissioning or directing all kinds of planning, analysis, research and risk identification studies; for managing the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy; and for resolving the requests received from the relevant persons. The Authority provides legal support in this regard through service providers.

KVK Legal Compliance Specialist

Responsible for examining the requests of the data subjects and reporting them to the Personal Data Committee Manager for evaluation; for fulfilling the transactions regarding the requests of the data subjects in accordance with the decision of the Personal Data Committee Manager; for legal compliance regarding storage and destruction processes; and for ensuring that the Personal Data Unit Manager and the PDP Technical and Administrative Implementation Specialist act in accordance with the Law. The Authority provides legal support in this regard through service providers.

KVK Technical and Administrative Application Specialist

It is responsible for auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; conducting technical and administrative audits in accordance with the instructions of the KVK Legal Compliance Specialist regarding legal compliance; and carrying out the storage and destruction processes. The Authority provides technical support in this regard through service providers.

3.RECORDING MEDIA

Personal data is securely stored by the Company in accordance with the law in the environments listed in Table 2.

3.1. AUTOMATED DATA STORAGE METHODS

  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Floppy disk
  • Harddisk (Fixed Permanent System inside the Computer)
  • Memory Card (Portable)
  • Personal Computers (Desktop, Laptop, Tablet)
  • Manual data recording systems [survey forms, visitor logbook]
  • Optical Disks [CD-DVD]
  • SSD (Solid State Drive with up to 2 TB of data storage)
  • Server Storage [Domain, backup, email, database, web, file sharing]
  • Portable Hard Disk (up to 3 TB)
  • USB-Flash Memory
  • Software [office software, portal, EBYS, VERBIS]
  • Printer, scanner, copier (with digital memory card)

3.2. PHYSICAL RECORDING METHOD

Archive, Physical Recording, Manual Recording

4.EXPLANATIONS ON STORAGE AND DISPOSAL

Personal data belonging to employees, employee candidates, visitors and employees of third parties, institutions or organizations with whom the Company has a relationship as a service provider are stored and destroyed in accordance with the Law.

In this context, detailed explanations on retention and destruction are given below respectively:

4.1 EXPLANATIONS ON CUSTODY

Article 3 of the Law defines the concept of “Processing of Personal Data”, Article 4 states that the personal data processed must be relevant, limited and proportionate to the purpose for which they are processed and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the framework of the Company's activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

4.1.1 Legal Grounds for Retention

Personal data processed within the framework of the Company's activities are retained for the period stipulated in the relevant legislation. In this context, personal data are retained for the retention periods stipulated under:

  • The Turkish Constitution,
  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Turkish Commercial Code No. 6102,
  • Tax Procedure Law and related secondary legislation,
  • Law No. 5510 on Social Security and General Health Insurance,
  • Law No. 6361 on Occupational Health and Safety,
  • Labor Law No. 4857,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
  • Other secondary regulations in force pursuant to these laws.

4.1.2 Processing Purposes Requiring Retention

The Company stores the personal data it processes within the framework of its activities for the following purposes.

  • To carry out human resources processes.
  • To ensure corporate communication.
  • To ensure company security.
  • To be able to do statistical studies.
  • To be able to perform works and transactions as a result of signed contracts and protocols.
  • Within the scope of VERBIS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
  • To ensure that legal obligations are fulfilled as required or mandated by legal regulations.
  • To liaise with real/legal persons who have a business and service relationship with the Company.
  • To make legal reports.
  • To manage call center processes.
  • To fulfil the burden of proof as evidence in future legal disputes.

4.2 REASONS REQUIRING DESTRUCTION

Personal data are deleted or destroyed by the Company upon the request of the person concerned, or are deleted, destroyed or anonymized ex officio, in the following cases:

  • Amendment or abolition of the relevant legislation provisions that constitute the basis for processing,
  • The purpose requiring processing or storage disappears,
  • In cases where the processing of personal data is carried out only on the basis of explicit consent, the data subject withdraws his/her explicit consent,
  • Pursuant to Article 11 of the Law, the Company accepts the application made by the data subject, within the framework of his/her rights, regarding the deletion and destruction of his/her personal data,
  • The Company rejects the application made by the data subject requesting the deletion, destruction or anonymization of his/her personal data, the data subject finds the answer insufficient, or the Company does not respond within the period stipulated in the Law; the data subject makes a complaint to the Data Protection Board and this request is approved by the Board,
  • The maximum period required for the retention of personal data has expired and there are no conditions that justify the retention of personal data for a longer period of time.

5.TECHNICAL AND ADMINISTRATIVE MEASURES

For the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law, the Company takes technical and administrative measures in accordance with Article 12 of the Law and, for special categories of personal data, within the framework of the adequate measures determined and announced by the Board pursuant to Article 6, paragraph four of the Law.

5.1 TECHNICAL MEASURES

The technical measures taken by the Company regarding the personal data it processes are listed below:

  • Through penetration tests, risks, threats and vulnerabilities, if any, against the Company's information systems are revealed and necessary measures are taken.
  • Risks and threats that will affect the continuity of information systems are continuously monitored as a result of real-time analysis with information security incident management.
  • Access to information systems and authorization of users are carried out through access and authorization matrix and security policies through the corporate active directory.
  • Necessary measures are taken for the physical security of the Company's information systems equipment, software and data.
  • In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, malware prevention systems, etc.) measures are taken.
  • Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
  • Access procedures are established within the Company and reporting and analysis studies are carried out regarding access to personal data.
  • Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
  • The Company takes necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
  • In the event that personal data is unlawfully obtained by others, an appropriate system and infrastructure has been established by the Company to notify the relevant person and the Board.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs are used to ensure that personal data is stored securely.
  • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
  • Access to the company website is encrypted using the secure protocol (HTTPS) with SHA-256 and RSA.
  • A separate policy has been determined for the security of sensitive personal data.
  • Trainings on special categories of personal data security were provided for employees involved in special categories of personal data processing processes, confidentiality agreements were made, and the authorizations of users authorized to access data were defined.
  • Electronic media where sensitive personal data are processed, stored and/or accessed are maintained using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly carried out, and test results are recorded.
  • Adequate security measures are taken for the physical environments where special categories of personal data are processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If sensitive personal data needs to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, etc., it is encrypted with cryptographic methods and the cryptographic key is kept on different media. If transfer is carried out between servers in different physical environments, data transfer is performed by setting up a VPN between servers or using the sFTP method.
  • If the document must be transferred via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in “confidential” format.

5.2 ADMINISTRATIVE MEASURES

The administrative measures taken by the Company regarding the personal data it processes are listed below:

  • In order to improve the quality of employees, trainings are provided on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the protection of personal data, communication techniques, technical knowledge skills, Law No. 6698 and other relevant legislation.
  • Confidentiality agreements are signed by employees and service providers regarding the activities carried out by the Company.
  • A disciplinary procedure has been prepared for employees who do not comply with safety policies and procedures.
  • Before starting to process personal data, the Company fulfills its obligation to inform the data subjects.
  • Person-based and unit-based personal data processing inventory was prepared.
  • Internal periodic and random audits are conducted.
  • Information security trainings are provided for employees.

6.PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, personal data shall be destroyed by the Company ex officio or upon the application of the person concerned by the following techniques in accordance with the provisions of the relevant legislation.

6.1 DELETION OF PERSONAL DATA

Personal Data on Servers

For the personal data on the servers, deletion is made by the system administrator by removing the access authorization of the relevant users for those whose retention period has expired.

Personal Data in Electronic Media

Personal data stored in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.

Personal Data in Physical Environment

For the personal data kept in physical environment, those whose retention period has expired are rendered inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive. In addition, blacking out is applied by scratching, painting or erasing in such a way that the data cannot be read.

Personal Data on Portable Media

For the personal data kept in flash-based storage media, those whose retention period has expired are encrypted by the system administrator, access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys.

6.2 DESTRUCTION OF PERSONAL DATA

Personal Data in Physical Environment

Personal data on paper media whose retention period has expired are irreversibly destroyed in paper shredding machines.

Personal Data on Optical / Magnetic Media, Portable Media

Personal data contained in optical media and magnetic media whose retention period has expired are first destroyed in a way that they cannot be physically reassembled, such as deletion, melting, incineration or pulverization.

6.3 ANONYMIZATION OF PERSONAL DATA

Anonymization of personal data is the process of making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

In order for personal data to be anonymized, personal data must be rendered impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as the reversal of the anonymization by the data controller or third parties and/or the matching of the data with other data. Therefore, in practice, data sets are rendered “irreversible” through the methods of “obfuscation”, “de-identification” and “interruption and prevention of connection with the person” used for the anonymization of personal data. With the anonymization of the data, the Company prevents the natural person from being reached through one or more pieces of information.

7.STORAGE AND DESTRUCTION PERIODS

Regarding the personal data processed by the Company within the scope of the Company's activities:

  • Retention periods on the basis of personal data, for all personal data (personal data, special categories of personal data) within the scope of the activities carried out depending on the processes, are included in the Personal Data Processing Inventory of the Company,
  • Retention periods based on data categories are recorded in VERBIS,
  • Process-based retention periods are included in the Personal Data Retention and Destruction Policy.
  • Such retention periods shall be updated by the Company as and when required.
  • Ex officio deletion, destruction or anonymization of personal data whose retention periods have expired shall be carried out by the Company and by the Company employee or representative of the Company who has been authorized in accordance with the law to carry out the destruction of data and has signed a confidentiality agreement.

  1. STORAGE PERIODS

  • Board Operations. Storage period: 10 years. Destruction period: at the first periodic destruction following the end of the storage period.
  • Preparation of contracts. Storage period: 10 years following the end of the contract. Destruction period: at the first periodic destruction following the end of the storage period.
  • Execution of Company Communication Activities. Storage period: 10 years after the end of the activity. Destruction period: at the first periodic destruction following the end of the storage period.
  • Human Resources Processes. Storage period: 10 years after the end of the activity. Destruction period: at the first periodic destruction following the end of the storage period.
  • Log Recording Tracking Systems. Storage period: 10 years. Destruction period: at the first periodic destruction following the end of the storage period.
  • Execution of Hardware and Software Access Processes. Storage period: 2 years. Destruction period: at the first periodic destruction following the end of the storage period.
  • Registration of Visitors and Meeting Participants. Storage period: 2 years following the end of the event. Destruction period: at the first periodic destruction following the end of the storage period.
  • Camera Recordings. Storage period: 27 days. Destruction period: automatically at the end of the storage period and at the first subsequent periodic disposal period.

9.PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the Company has determined the periodic destruction period as 6 months. Accordingly, the Company performs periodic destruction in December of the year in which it registers to the Data Controllers Registry Information System (VERBIS), and in June and December of each subsequent year.

10.PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, wet signed (printed paper) and electronic media, and disclosed to the public on the website. Everyone has the right to obtain information on how their data is processed, stored, security measures and destruction policies within the limits stipulated by the Law. In this way, all groups of persons receiving services from our Company can access our Company's “Data Processing Policy” and “Data Storage and Destruction Policy”. The printed paper copy is also kept under record in the Company's Archive Documentation System.

11.PERIOD FOR UPDATING THE POLICY

The Policy is reviewed at regular intervals and the necessary sections are updated in line with the decisions of the Data Protection Board and to ensure data security.

12.ENFORCEMENT AND REPEAL OF THE POLICY

The Policy shall be deemed to have entered into force upon its publication on the Company's website. In the event that the Company decides to amend, update or repeal the Policy, the old wet-signed copies of the Policy shall be cancelled by the Company, by stamping or writing a cancellation on them, and signed.

The Application to the Data Controller is kept under record in the Company's Archive Documentation System for at least 5 (five) years in order to be submitted in case of audit, request or investigation by the Data Protection Board.

Approved by: (Lawyer)

Preparation Date: 24.05.2025

Revision Date: 01.06.2024
