Personal Data Retention and Destruction Policy
- ARTICLE - INTRODUCTION
- 1.1. Introduction
With the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”), data controllers who are obliged to register with the Data Controllers Registry are obliged to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory. Ekom Elektrik Elektronik Sanayi ve Ticaret Anonim Şirketi (“Company” or “EKOM”), registered in the Istanbul Trade Registry with its headquarters at Beylikdüzü OSB Mah. Hürriyet Bulvarı No:10/9, 34524 Beylikdüzü Istanbul, fulfills the relevant obligations arising from the law and secondary legislation with sensitivity and, for this purpose, regulates the storage and destruction processes and details of the personal data it processes with this Personal Data Storage and Destruction Policy (“Policy”).
- 1.2. Purpose and Scope
- 1.2.1. Objective
The Policy has been prepared in order to fulfill the processes of storing, deleting, destroying or anonymizing the personal data processed by the Company during its activities within the scope of the maximum periods determined or arising from the law, to ensure that the periodic destruction processes are carried out in accordance with the applicable legislation through the designated persons at the prescribed time and to ensure transparency about the methods to be applied in the process by informing the data owners. In addition to all these issues, the Policy also includes the purpose of preparation, the recording media of personal data, definitions of legal and technical terms, technical and administrative measures taken for the safe storage of personal data and the prevention of unlawful processing and access to personal data and the destruction of personal data in accordance with the law, the titles, duties and responsibilities of the personnel involved in the personal data storage and destruction processes, and if the existing personal data storage and destruction policy has been updated, such changes are also included.
- 1.2.2. Scope
The Policy covers all personal data and special categories of personal data defined by the Law, as well as employees, employee candidates and visitors, managers and consultants working within the company, affiliates in cases where personal data sharing is in question, third parties with whom cooperation is made, and all natural and legal persons with whom other legal relations are established. The above-mentioned data subject groups subject to the Policy are specified in detail in the "Policy on Processing and Protection of Personal Data" prepared by the Company.
- 1.3. Policy and Applicable Law
This Policy aims to ensure that the obligations imposed by the Law and the relevant legislation on personal data processing are fulfilled in a systematic manner. Since the priority and sensitivity of our Company is "to act in accordance with the legislation in order to protect the right of individuals to protect their personal data arising from the Constitution of the Republic of Turkey", in case of a conflict between this Policy and the provisions of the Applicable Law, our Company will work for the implementation of the Applicable Law.
- 1.4. Enforcement and Amendment of the Policy
This Policy has been prepared under the meticulous work and leadership of the Company's Personal Data Protection Commission and has entered into force upon approval by the authorized body.
It will be audited by the Personal Data Protection Commission every 6 months and, if necessary, relevant changes will be made to comply with the relevant current legislation. These changes will be published on the Website with the approval of the authorized body of the Company. Upon request, within the limits of the legislation and at the initiative of the Company, it may be made available to the Data Subject through different channels.
- ARTICLE - DEFINITIONS
| Abbreviation | Definition |
| --- | --- |
| Anonymization | It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. |
| Destruction | It refers to the deletion, destruction or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data (“LPPD”). |
| Recording Media | It refers to all kinds of media in which personal data are processed by fully or partially automated or non-automated means, provided that they are part of any data recording system. |
| Deletion of Personal Data | It refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users. |
| Destruction of Personal Data | It refers to the process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| Personal Data Retention Table | It refers to the table showing the periods for which personal data will be kept by the company. |
| Personal Data Processing Inventory | It refers to the guidance document in which data controllers elaborate the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group, and by explaining the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
| Personal Data Protection Commission | It refers to the unit in charge of ensuring compliance with LPPD and other relevant legislation within the Company and managing the process. |
| Board | Personal Data Protection Board. |
| Periodic Disposal | It refers to the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear. |
| Demand Management Procedure | It refers to the guiding procedure that determines the details of the Data Subject's right to apply to the Data Controller recognized in Article 11 of the Law and the Company's response process regarding the application. |
| Contact Person | Refers to the real person whose personal data is processed. |
| Data Controller | It refers to the real or legal persons who determine the purposes and means of processing personal data, who are responsible for the establishment and management of the data recording system, and the Company responsible for this activity in this Policy. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
| Data Recording System | It refers to the recording system where personal data is structured and processed according to certain criteria. |
| VERBIS | Data Controllers Registry Information System. |
| Regulation | Refers to the Regulation on Deletion, Destruction or Anonymization of Personal Data. |

In this Policy, unless otherwise explicitly stated, the expressions shown in Table-1 shall have the meanings written opposite them. For definitions not included in this Policy, the definitions in the "Personal Data Processing and Protection Policy" and the Law shall apply.
- ARTICLE - STORAGE MEDIA OF PERSONAL DATA
Any medium in which personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system, falls within the scope of the recording medium. Personal data collected by the Company may be recorded in various media depending on principles such as the nature of the data, the purposes of processing and the frequency of use. The Company stores personal data securely in accordance with the relevant legislation and within the framework of international data security principles. The environments in which personal data are recorded are specified below.
- 3.1. Electronic Mediums:
Software, cloud, central server, portable media, database.
- 3.2. Physical Environments:
Peripheral systems such as unit cabinets, archives, paper, network equipment, flash-based media, magnetic tape, magnetic disk, mobile phone, optical disk, printer, door access/security system.
- ARTICLE - STORAGE MEDIA OF PERSONAL DATA
- 4.1. Explanations on Data Security
Pursuant to Article 12 of the 6698 Law on the Protection of Personal Data, our Company, as the Data Controller, takes all kinds of technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the preservation of personal data and to fulfill its obligations regarding data security in other matters.
- 4.2. Purposes for Storing Personal Data
The Company stores personal data for specific and legitimate purposes in light of the principles detailed in the Law and the Policy. The primary reason for the Company to store personal data is the obligations arising from the laws in force and the secondary legislation processed in accordance with these laws. Personal data are primarily stored for the periods stipulated under the laws. In cases where there is no legal regulation regarding the duration, the Company retains the relevant personal data for the duration of the legal statute of limitations, taking into account the processing process and the evidential quality and statute of limitations defense in possible disputes. In processes that are unlikely to be subject to any dispute, the Company may retain the relevant data for a reasonable period of time as required by custom in light of the existence of reasons requiring the processing of personal data. The Company stores the personal data, which it includes and categorizes in detail in the Personal Data Processing Inventory, in physical or electronic media specified in Article 4 in the light of the principles and periods stipulated in the law and for the following purposes in order to fulfill legal obligations, to plan employee rights and fringe benefits, to manage customer relations and to maintain commercial activities.
- Ensuring that legal obligations are fulfilled as required or mandated by legal regulations,
- Personal data is directly related to the establishment and execution of contracts,
- Storing personal data for the purpose of establishing, exercising or protecting a right,
- Conducting the necessary statistical studies and legal reporting on issues such as sales ratios or performance evaluations
- It is mandatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
- Execution of human resources processes and liaison with real/legal persons within the company or in business relations with the company,
- Retention of personal data in order for the Company to fulfill any legal obligation of the Company or if the legislation explicitly stipulates the retention of personal data,
- Ensuring company security,
- Explicit consent of data subjects in terms of storage activities that require the explicit consent of data subjects,
- The obligation of proof as evidence in legal disputes that may arise in the future,
- Execution of emergency management processes,
- Execution of information security processes,
- Conducting employee candidate, intern and student selection and placement processes,
- Carrying out the application processes of employee candidates,
- Execution of employee satisfaction and loyalty processes,
- Fulfillment of employment contractual and regulatory obligations for employees,
- Execution of fringe benefits and benefits processes for employees,
- Conducting audit and ethics activities,
- Conducting training activities,
- Execution of access authorizations,
- Execution of activities in accordance with the legislation,
- Conducting financial and accounting affairs,
- Conducting commitment processes to the company, products and services,
- Ensuring physical space security,
- Execution of assignment processes,
- Follow-up and execution of legal affairs,
- Conducting internal audit, investigation and intelligence activities,
- Conducting communication activities,
- Execution and supervision of business activities,
- Conducting occupational health and safety activities,
- Receiving and evaluating suggestions for improving business processes,
- Carrying out activities to ensure business continuity,
- Execution of logistics activities,
- Execution of goods and service procurement processes,
- Providing after-sales support services for goods and services,
- Execution of goods and service sales processes,
- Execution of goods and services production and operation processes,
- Execution of customer relationship management processes,
- Conducting activities for customer satisfaction,
- Organization and event management,
- Conducting marketing analysis studies,
- Conducting performance evaluation processes,
- Execution of advertising, campaign and promotion processes,
- Execution of risk management processes,
- Carrying out storage and archive activities,
- Execution of contract processes,
- Conducting sponsorship activities,
- Carrying out strategic planning activities,
- Follow-up of requests and complaints,
- Ensuring the security of movable property and resources,
- Execution of supply chain management processes,
- Execution of the remuneration policy,
- Execution of marketing processes of products and services,
- Ensuring the security of data controller operations,
- Foreign personnel work and residence permit procedures,
- Execution of investment processes,
- Conducting talent/career development activities,
- Providing information to authorized persons, institutions and organizations,
- Conducting management activities,
- Creation and follow-up of visitor records.
- ARTICLE - DESTRUCTION OF PERSONAL DATA
- 5.1. Reasons Requiring Destruction of Personal Data
The conditions under which the deletion, destruction or anonymization of personal data will be carried out by the Company ex officio or upon the request of the data subject are specified below. The application of the Data Subject regarding this matter shall be responded to according to the procedures and principles specified in the Request Management Procedure.
- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data,
- The disappearance of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law,
- The Company's acceptance of the application made by the Data Subject regarding the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights under the relevant subparagraphs of Article 11 of the Law,
- In cases where the Company rejects the application made by the Data Subject with the request for deletion, destruction or anonymization of his/her personal data, the response is found insufficient or the Company does not respond within the period stipulated in the Law, the filing of a complaint with the Board and the approval of this request by the Board,
- The purpose requiring the processing or storage of personal data disappears,
- In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject's withdrawal of consent,
- The maximum period for retaining personal data has elapsed and there are no circumstances that justify retaining personal data for a longer period.
- 5.2. Personal Data Destruction Techniques
The Company destroys personal data in accordance with the provisions of the relevant law in the event that the period stipulated by law or the retention period required for the purpose for which they are processed expires.
- 5.2.1. Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. In order to delete personal data, the Company performs the deletion process in the following manner depending on the medium in which the data is recorded.
- Personal Data on Servers: For the personal data on the servers, deletion is made by the system administrator by removing the access authorization of the relevant users for those whose retention period has expired.
- Application Type Cloud Solutions as a Service (Office365 etc.): Data in the cloud system is deleted by issuing a delete command. While performing the aforementioned operation, special attention will be paid to the fact that the relevant user does not have the authority to restore the deleted data on the cloud system.
- Personal Data in Electronic Media: Personal data in electronic media whose required retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.
- Personal Data in Physical Environment: Personal data kept in physical media whose required retention period has expired are rendered inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching/painting/erasing in such a way that it cannot be read.
- Personal Data on Portable Media: Personal data stored on flash-based storage media whose required retention period has expired are encrypted by the system administrator and stored in secure environments with encryption keys by giving access authorization only to the system administrator.
However, if deleting personal data would make other data in the system inaccessible or unusable, the personal data will also be deemed deleted when it is archived in a form that is no longer associated with the person concerned, provided that the following conditions are met:
- Not accessible to any other institution, organization or person,
- Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.
- 5.2.2. Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way.
The Company may use one or more of the following methods to destroy personal data, depending on the environment in which the data is recorded:
- De-magnetization: It is a method of distorting the data on magnetic media in an unreadable way by passing it through special devices where it will be exposed to high magnetic fields. It should be noted that if destruction by this method is not successful, the destruction process can only be completed by physically destroying the media.
- Physical Destruction/Destruction with Paper Destruction Machine: Personal data may also be processed by non-automatic means, provided that they are part of any data recording system. When destroying such data, the system of physically destroying the personal data in such a way that it cannot be used later is applied. Destruction of data on paper and microfiche media should also be carried out in this way, as it is not possible to destroy them in any other way.
- Overwriting: Overwriting is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media through special software.
- 5.2.3. Anonymization of Personal Data
Anonymization of Personal Data is to make Personal Data impossible to be associated with an identified or identifiable natural person under any circumstances, even if Personal Data is matched with other data. In order for Personal Data to be anonymized; personal data must be made impossible to be associated with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and the relevant field of activity, such as reversal and matching of data with other data by the Company, third parties or persons to whom the data is transferred.
The Company may use one or more of the following methods to anonymize personal data: "Removing Variables, Removing Records, Lower and Upper Boundary Coding, Regional Concealment, Sampling, Micro-Combining, Data Exchange, Noise Addition, K-Anonymity, L-Diversity, T-Closeness".
The Company, as the Data Controller, decides which method to apply in the relevant processes by determining the characteristics such as the recording medium, nature, size, desired benefit and processing purpose of the relevant data.
- ARTICLE - STORAGE AND DESTRUCTION PERIODS
- 6.1. Explanation on Retention and Destruction Periods of Personal Data
Regarding the determination of periods in the storage and destruction of personal data obtained in accordance with the LPPD and secondary legislation: first of all, if a period is stipulated in the legislation, that period is complied with. In the event that the specified period expires or if no period is stipulated in the aforementioned legislation regarding storage, personal data are separated into personal data and personal data of special nature, taking into account Article 6 of the LPPD. All personal data determined to be of special nature shall be destroyed. The method of destruction of the relevant data is determined according to the nature of the data and its importance to the Company. Data in the personal data class are examined for compliance with the principles specified by the law regarding storage. Data for which it is determined that the Company does not have a legitimate purpose in storing them, or whose storage may contradict the principles in Article 4 of the LPPD, are deleted, destroyed or anonymized.
If the storage of the data is within the scope of the exception stipulated in Articles 5 and 6 of the LPPD, the required reasonable periods are determined and the relevant data is deleted, destroyed or anonymized at the end of the reasonable period. The data-based retention periods of personal data processed by the Company in accordance with the law and other legislation are included in the "Personal Data Processing Inventory". Retention periods on the basis of data categories are recorded in "VERBIS". This Policy includes retention periods on a process basis.
If it is necessary to update the retention periods, the relevant change is made by the Personal Data Protection Commission.
- 6.2. Request for Deletion and Destruction of Personal Data of the Data Subject, Periods and Actions to be Taken
The Data Subject submits his/her rights and requests arising from the Law to the Company in writing, preferably by using the "Company Application Form" or by other methods determined by the Board.
The Company shall finalize the requests included in the application free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request. The application and the subsequent process are carried out according to the procedures and principles in the "Request Management Procedure".
When the Data Subject requests the deletion or destruction of his/her personal data by applying to the Company in this Policy; the Company deletes, destroys or anonymizes the personal data subject to the request if the conditions for storing the relevant data have completely disappeared. The method to be followed in this process and the unit to carry out the process are specified below:
- Transactions in electronic media (servers, backups, software, printers, etc. in main databases) are carried out by the member specified in the Personal Data Protection Commission under the supervision of the IT Unit by recording the transaction in question.
- In the Company's computer, phone, e-mail account, tablet, etc. environment, this process is carried out personally by the relevant data user employee by informing the Deputy General Manager, the Chairman of the Personal Data Protection Committee and the IT Unit Manager. Employees perform the deletion and destruction operations they will perform in these electronic media allocated to them for business purposes in accordance with the inventory. If the reason for destruction occurs before the expiration of the retention period, the opinion and instruction of the Chairman of the Commission is obtained and the process is completed in accordance with this instruction. The IT Unit Manager is responsible for providing the employee with the necessary technical equipment to record these deletion, destruction and anonymization operations in electronic media.
- The process of deletion, destruction or anonymization in paper media is carried out by the data user employee by informing the relevant unit manager and the President of the Personal Data Protection Commission, by recording it with a report.
- The Company finalizes the request of the Data Subject within 30 days at the latest and informs the Data Subject. If the personal data subject to the request has been transferred to third parties, the Company notifies this situation to the third party and ensures that the necessary actions are taken within the scope of this Policy before the third party.
- 6.3. Storage and Destruction Periods Table
In Table-2, the Company has included the retention and destruction periods of the data processed by the Company on the basis of general processes.
| Process | Storage Time | Destruction Period |
| --- | --- | --- |
| General assembly and board of directors procedures, information on shareholders and members of the board of directors | 10 years | At the first periodic destruction following the end of the storage period |
| Conclusion of contracts | 10 years following the end of the contract | At the first periodic destruction following the end of the storage period |
| Execution of processes related to human resources | 10 years from the termination of employment | At the first periodic destruction following the end of the storage period |
| Assignment, allocation and access authorization of employees to systems and software (e-mail address, username, password, etc.) | 3 months from the end of the employment contract | At the first periodic destruction following the end of the storage period |
| Information on activities related to general quality processes, internal/external training records of employees | 10 years from the end of the employment contract | At the first periodic destruction following the end of the storage period |
| Allocation of vehicles to employees | 10 years from the end of the employment contract | At the first periodic destruction following the end of the storage period |
| Data on prospective employees | 1 year from the date of application | At the first periodic destruction following the end of the storage period |
| Occupational health and safety practices | 10 years from the end of the employment contract | At the first periodic destruction following the end of the storage period |
| Responding to information requests of courts, enforcement and administrative authorities | 10 years from the transaction date | At the first periodic destruction following the end of the storage period |
| Directory entries, corporate communication activities, planning and execution | 10 years from the end of the employment relationship | At the first periodic destruction following the end of the storage period |
| Sharing the meeting notes with the participants | 10 years | At the first periodic destruction following the end of the storage period |
| General accounting processes, payment and collection transactions | 10 years from the end of the employment relationship | At the first periodic destruction following the end of the storage period |
| Personnel financing processes | 10 years from the end of the employment relationship | At the first periodic destruction following the end of the storage period |
| PDP Processes (Disclosure, Explicit Consent, Applications and Complaints) | 10 years from the end of the relevant period | At the first periodic destruction following the end of the storage period |
| Deletion, destruction, anonymization registration process | 3 years from the transaction date | At the first periodic destruction following the end of the storage period |
| Workplace camera recordings | 2 months | At the first periodic destruction following the end of the storage period |
| Log records | 2 years | At the first periodic destruction following the end of the storage period |
| Shipment records (transportation, delivery note, etc.) | 10 years from the transaction date | At the first periodic destruction following the end of the storage period |
| Supply and sales processes, technical information requests, responding to customer complaints | 10 years from the end of the commercial relationship | At the first periodic destruction following the end of the storage period |
| Data collected pursuant to other relevant legislation | For the period stipulated in the relevant legislation | At the first periodic destruction following the end of the storage period |

- 6.4. Periodic Destruction
Personal data whose retention period has expired shall be destroyed in 6-month periods based on the information in the table in Article 6.3 of this Policy. The Company will carry out periodic destruction processes in January and June. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and the relevant records are kept for at least three years, excluding other legal obligations.
If a longer period is stipulated for retention periods, statute of limitations or forfeiture period, etc. in accordance with the legislation, the periods in the provisions of the legislation will be accepted as the maximum retention period.
- ARTICLE - TECHNICAL and ADMINISTRATIVE MEASURES
Within the framework of the principles set out in Article 12 of the LPPD, the Company has taken the following administrative and technical measures in order to store personal data securely, to prevent unlawful processing and access, and to destroy data in accordance with the law:
- Administrative measures taken by the Company:
- In-house access to stored personal data is limited to the personnel who need to access it as per their job description. In limiting access, whether the data is of special nature and its degree of importance are also taken into consideration.
- A personal data processing inventory was prepared.
- In the event that the processed personal data is obtained by others through unlawful means, it shall notify the relevant person and the Board as soon as possible.
- Confidentiality agreements are signed by employees regarding the activities carried out by the Company.
- The obligation to inform Data Subjects is fulfilled.
- Regarding the sharing of personal data, it signs a framework agreement on the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with the provisions added to the existing agreement.
- Personal data is minimized as much as possible.
- Provides necessary trainings to its personnel within the scope of personal data protection legislation and data security.
- It shall conduct or have conducted the necessary audits to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the confidentiality and security weaknesses revealed as a result of the audits.
- In the contracts to be concluded with employees and third parties, in addition to the provisions protecting the confidentiality of data, the purposes, scope and duration of the processing of Personal Data are determined, the responsibilities of the parties are clearly regulated, and provisions sanctioning processing activities contrary to the law and contract provisions are added.
- Technical measures taken by the Company:
- Network security and application security are ensured, closed system network is used and security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Up-to-date anti-virus systems and firewalls are used.
- The Company performs the necessary internal controls within the scope of the established systems.
- The Company ensures that the technical infrastructure to prevent the leakage of data outside the organization is provided and the relevant matrices are created.
- The Company ensures that the access authorizations to personal data of employees working in the unit related to information processing security are kept under control.
- Personal data is backed up and the security of backed up personal data is also ensured.
- User account management and authorization control system are implemented and monitored.
- Log records are kept without user intervention. Intrusion detection and prevention systems are used.
- Destruction of personal data is ensured in such a way that it cannot be recycled and leaves no audit trail.
- Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encrypted or cryptographic methods to ensure information security requirements.
- Access to the media where personal data is kept is restricted and only authorized persons are allowed to access this data limited to the purpose of storing personal data and all accesses are recorded.
- ARTICLE - STAFF and DISTRIBUTION OF RESPONSIBILITIES
- 8.1. Titles, Units and Job Descriptions of the Persons Taking Part in the Storage and Destruction Processes of Personal Data
All units and employees involved in the activities carried out by the Company support the responsible units in the field of proper implementation of technical and administrative measures taken regarding personal data, raising and increasing awareness and ensuring data security in all data processing environments. The titles, duties and responsibilities of the personnel involved in the personal data storage and destruction process are given below.
| Title | Mission | Responsibility |
| --- | --- | --- |
| Personal Data Protection Commission | Ensuring the implementation of the personal data retention and destruction policy | Responsible for the preparation, development, execution and updating of the Policy. In cases contrary to the Policy, it makes the necessary notifications to the Board of Directors. |
| General Manager (Chairman of the Commission) | Supervision of implementation activities in the personal data retention and destruction policy | As the Chairperson of the Commission, he/she is responsible for the execution of the Commission's duties, ensuring that employees execute the policy in accordance with their duties, determining sanctions and oversight in case of non-compliance with the regulations, and supervising the unit/employees. |
| Quality Department Supervisor (Vice Chairperson of the Commission) | Supervision of implementation activities in the personal data retention and destruction policy | As the Vice Chair of the Commission, she is responsible for the execution of the Commission's duties, ensuring that employees execute the policy in accordance with their duties, communicating with legal advisors, following up on policy and procedure updates and keeping records of what is done under the Law. |
| Human Resources Department Supervisor (Deputy Commission Chairperson) | Personal data retention and destruction policy application responsible | As the Vice Chairperson of the Commission, he/she is responsible for the execution of the tasks, internal distribution of the current document and notifying new employees, ensuring that personal data is up to date, and ensuring that the processes specific to his/her task comply with the retention period. |
| Information Processing Officer / IT Department Supervisor | Ensuring the technical feasibility of the Policy | It is responsible for taking and implementing the necessary technical measures for compliance with the policy, publishing up-to-date documents on the website, execution and supervision of deletion, destruction, anonymization processes in electronic recording media, and management of the personal data destruction process in accordance with the periodic destruction period. |
| Employees of the Finance-Accounting, Sales Marketing and Customer Services, Warehouse Import and Shipment Departments who are on Commission | Ensuring the implementation of processes within its area of activity | Each department audits whether the processes within its scope of duty comply with the retention period and executes them. |
- ARTICLE - UPDATE TABLE and OTHER MATTERS
This Policy is audited by the Personal Data Protection Commission every 6 months as stated in Article 1.4 "Enforcement and Amendment of the Policy" and if necessary, the relevant current amendments are made. The changes made are given in the table below.