Personal Data Protection and Processing Policy
Table of Contents
- 1. Purpose
- 2. Scope
- 3. Policy
- 4. Principles To be Followed While Processing Data
- 5. Personal Data Collected
- 6. Purposes of Personal Data Processing
- 7. Methods and Legal Basis for Personal Data Processing
- 8. Retention and Disposal of Personal Data
- 9. Transfer of Personal Data
- 10. Measures to Ensure Data Security
- 11. Data Breach Management
- 12. Contact Person
- 13. Data Inventory
- 14. Rights of the Data Subject
- 15. Exercising the Rights of the Data Subject
- Personal Data Retention and Destruction Policy
1. Purpose
This Personal Data Protection and Processing Policy (“Policy”) has been prepared to define the principles and procedures governing the personal data processing activities carried out by Boss Yönetişim Hizmetleri A.Ş. and the independent legal entities within the CottGroup® network of companies ("CottGroup®"), in accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”), the European Union General Data Protection Regulation (“GDPR”), relevant secondary legislation, and the decisions and guidelines issued by the Personal Data Protection Authority (“Authority”).
This Policy is implemented in an integrated and consistent manner with the company's current Personal Data Retention and Destruction Policy, Data Purge Policy, Personal Data Inventory, and Cross-Border Data Transfer Procedures. It aims to ensure full compliance with the privacy, security, and legal requirements specific to service providers in business relations established with international clients.
2. Scope
CottGroup® is committed to ensuring transparency, auditability, and accountability in its data processing activities at both national and international levels. The provisions of this Policy apply to all relevant CottGroup® member companies, and all pages accessed through the company’s website are considered within the scope of this Policy.
3. Policy
The Company also maintains various other policies addressing the protection of personal data and the assurance of information security in relation to specific business activities and functions. Unless this Policy includes additional provisions or demands higher standards for the protection of personal data, it does not invalidate the data protection requirements set forth in the Company’s other applicable policies.
The provisions of the applicable personal data protection legislation in force shall prevail in all cases. In the event of a conflict between this Policy and the applicable legislation, the provisions of the most current legislation shall take precedence.
This Policy has been established in accordance with the rules and procedures set out in the KVKK and other applicable legislation concerning the protection of personal data. In this regard, the Data Controller, as defined under the KVKK, is obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, unauthorized access to such data, and to ensure their secure retention.
4. Principles to Be Observed During the Processing of Personal Data
In all Personal Data Processing activities, our Company acts in accordance with the general principles outlined below:
- Processing of personal data lawfully, fairly, and transparently,
- Collecting personal data for specified, explicit, and legitimate purposes only,
- Ensuring that personal data are relevant, limited, and proportionate to the purposes for which they are processed,
- Ensuring that personal data are accurate and, where necessary, kept up to date, and that they are promptly deleted or corrected when required,
- Retaining personal data only for the period prescribed by the relevant legislation or as necessary for the purposes for which they are processed,
- Processing personal data in a manner that ensures appropriate security.
5. Personal Data Collected
The types of Personal Data collected by our Company may vary depending on the nature of your relationship with the Company and our legal obligations. The following categories of Personal Data may be collected:
| Category | Personal data included |
| --- | --- |
| Identity | Full name, Turkish ID number, date and place of birth, gender, nationality, and information found on ID cards or similar documents. |
| Contact | Email address, phone number, physical address, Registered Electronic Mail (KEP) address, and other contact details. |
| Personnel | Recruitment documents, curriculum vitae, payroll and salary information, performance records, etc. |
| Legal Transaction | Correspondence with judicial and administrative authorities, litigation file data, notary notifications, official notification records, etc. |
| Customer Transaction | Call center audio recordings, order information, customer requests, correspondence with customers, service improvement records, documents and correspondence related to disputes, etc. |
| Physical Space Security | Visitor logs, card access records, CCTV footage, etc. |
| Transaction Security | IP address, log data, username/password, system login/logout timestamps, etc. |
| Financial | Bank account details, payment documents, expense forms, financial reports, etc. |
| Professional Experience | Diplomas, certificates, training and seminar participation records, transcripts. |
| Health Data (Special Categories of Personal Data) | Information on disability status, health reports, medical status reports required under occupational health and safety regulations, etc. |
| Criminal Convictions and Security Measures (Special Categories of Personal Data) | Criminal record certificate. |
| Other Data – Signature | Signature samples collected from documents or official papers such as signature circulars. |
| Marketing | Cookie records. |
| Visual and Audio Recordings | Photographs and video footage, voice call recordings. |
| Risk Management | Correspondence, documentation, and audit reports related to disputed matters. |
The types of Personal Data listed above do not cover all data processed; the Company may process additional types of Personal Data similar in nature to those specified above.
6. Purposes of Personal Data Processing
Our Company processes personal data in compliance with the KVKK and other applicable legislation and informs the data subjects at the time of data collection. In this context, the data subject is provided with clear information regarding the purpose of processing personal data, the recipients and purposes of data transfer, the method of data collection, and the legal basis for such collection.
The purpose of processing personal data varies depending on the nature of the relationship between the data subject and the Company, as well as the legal characteristics of the relevant business.
The purposes for which personal data are processed by the Company include the following:
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Recruitment and Placement Processes for Employee Candidates / Interns / Students
- Management of Application Processes for Employee Candidates
- Execution of Employee Satisfaction and Engagement Processes
- Fulfillment of Employment Contract and Legal Obligations for Employees
- Execution of Processes Related to Employee Benefits and Compensation
- Execution of Audit / Ethical Conduct Activities
- Execution of Training Activities
- Management of Access Authorizations
- Execution of Activities in Compliance with Legislation
- Execution of Finance and Accounting Processes
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Legal Affairs Management and Execution
- Execution of Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning of Human Resources Processes
- Management and Supervision of Business Activities
- Execution of Occupational Health and Safety Activities
- Collection and Evaluation of Suggestions for Improving Business Processes
- Execution of Logistics Activities
- Execution of Procurement Processes for Goods / Services
- Execution of Sales Processes for Goods / Services
- Execution of Service Production and Operational Processes
- Execution of Customer Relationship Management Processes
- Execution of Marketing Analysis Activities
- Execution of Performance Evaluation Processes
- Execution of Risk Management Processes
- Execution of Data Retention and Archiving Activities
- Execution of Contractual Processes
- Tracking of Requests / Complaints
- Execution of Supply Chain Management Processes
- Execution of Product / Service Marketing Processes
- Execution of Talent / Career Development Activities
- Execution of Management Activities
- Creation and Tracking of Visitor Records
- Fulfilling the burden of proof in the event of potential legal disputes
7. Methods and Legal Basis for Personal Data Processing
Personal data may be obtained either directly from the data subject or from third parties authorized by the data subject through explicit consent. These personal data may be processed through methods such as collection, recording, organization, structuring, storage, adaptation, alteration, use, transfer, deletion, destruction, or anonymization.
Personal data may be processed using one or more of the above methods without the explicit consent of the data subject if one of the legitimate grounds listed in Article 5 of the KVKK exists, including:
- It is explicitly stipulated in laws and applicable legislation.
- It is necessary for the protection of life or physical integrity of the data subject or another person who is incapable of giving consent due to actual impossibility or whose consent is not legally valid.
- It is necessary to process the personal data of parties to a contract, provided that the processing is directly related to the establishment or performance of the contract.
- It is necessary for the data controller to fulfill its legal obligations.
- The personal data has been made public by the data subject.
- It is necessary for the establishment, exercise, or defense of a legal right.
- Provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary for the legitimate interests of the data controller.
Special categories of personal data may also be processed using one or more of the above methods without the explicit consent of the data subject, if one of the legitimate grounds set forth in Article 6 of the KVKK is present:
- It is explicitly permitted by law.
- It is necessary for the protection of life or physical integrity of the data subject or another person who is incapable of giving consent due to actual impossibility or whose consent is not legally valid.
- The personal data has been made public by the data subject and is processed in accordance with their intention to make it public.
- It is necessary for the establishment, exercise, or defense of a legal right.
- It is necessary for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, or the planning, management, and financing of health services, by persons or authorized institutions under the obligation of confidentiality.
- It is necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
- It is processed by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, in accordance with their statutes and purposes, limited to their field of activity, and provided that it is not disclosed to third parties, and only for the benefit of their current or former members, employees, or individuals with whom they have regular contact.
8. Retention and Disposal of Personal Data
- Our Company determines the retention periods for personal data by considering the applicable legislation and the purposes for which the data is processed. In this context, legal obligations and statute of limitations related to the specific Personal Data Processing activity are carefully considered. Pursuant to Article 7 of the Law on the Protection of Personal Data and other relevant legislative provisions, when the reasons for processing personal data cease to exist, such data shall be deleted, destroyed, or anonymized upon the Company's decision, through periodic review, and/or upon the request of the data subject.
- In cases where personal data is incorrectly transmitted to us by any means, or it is understood that the data subject did not intend to give explicit consent, the data in question shall be immediately destroyed by our Company using methods compliant with the Law.
- Our Company retains personal data only for the period necessary to identify the data subject in relation to the purpose of collection. Once this period has expired, the data is deleted, destroyed, or anonymized.
- Our Company may retain personal data for longer periods solely for the purposes of public interest, scientific or historical research, or statistical analysis, provided that appropriate technical and organizational measures are taken to protect the rights and freedoms of the data subject and ensure data security.
- The retention period for each category of personal data, along with the legal obligations requiring the Company to retain such data, and the criteria used to determine these durations are explicitly outlined in the Company’s Personal Data Retention and Destruction Policy and Data Purge Policy and shall apply under all circumstances.
Additionally, in processes carried out with international business partners, any specific retention and disposal periods stipulated by contracts and/or communicated policies and procedures shall be adhered to in accordance with the relevant services and operations.
9. Transfer of Personal Data
a. Domestic Transfer
Except in cases where the transfer of personal data to administrative or judicial authorities is required by the KVKK or other applicable legislation, our Company does not transfer the personal data of individuals to third parties without obtaining their explicit consent. However, if one of the legal bases listed under Articles 5 and/or 6 of the KVKK applies, personal data may be transferred to relevant institutions and organizations without the need for explicit consent, provided that there is a lawful ground for such processing.
Our Company also fulfills its obligation to inform the Data Subject regarding such transfers. Accordingly, the institutions, organizations, and/or individuals to whom data may be transferred are explicitly identified and disclosed.
b. International Transfer
In the transfer of personal data abroad, our Company acts in accordance with Article 9 of the KVKK and the provisions of the “Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.” Data transfers are carried out under the following conditions:
- Based on the explicit consent of the data subject,
- Transfer to a country listed by the Board as having adequate protection,
- In the absence of adequate protection, execution of standard contractual clauses approved by the Board or implementation of Binding Corporate Rules (BCR),
- Commitment of adequate protection with prior approval from the Board.
c. Principles of Data Transfer
All data transfer activities are carried out in accordance with the following fundamental principles:
- Compliance with Law and Principles of Good Faith: Transfers are performed in accordance with applicable legislation and contractual obligations.
- Purpose Limitation and Relevance: Personal data is shared solely for the defined purposes of transfer and within those limits.
- Data Minimization: Transferred data is relevant, limited, and proportionate to the purpose of processing.
- Transparency: Data subjects are clearly informed about data transfer activities.
- Accuracy and Currency: It is ensured that transferred data is accurate and, where necessary, kept up to date.
All data transfer activities are recorded in accordance with the Company’s Personal Data Inventory, Personal Data Retention and Destruction Policy, and Data Purge Policy. In line with the principle of transparency, data subjects are provided with relevant information upon request. Furthermore, compliance with the confidentiality and data security policies of our international business partners is ensured.
10. Measures to Ensure Data Security
The administrative measures applied within this scope are as follows:
- Key management is implemented.
- Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
- Disciplinary regulations, including data security provisions, are in place for employees.
- Periodic training and awareness activities are conducted for employees on data security.
- An authorization matrix has been created for employees.
- Corporate policies have been prepared and put into practice on access, information security, use, retention, and destruction.
- Confidentiality agreements are signed.
- Access rights in this area are revoked for employees who change duties or leave the job.
- Signed contracts include data security provisions.
- Additional security measures are taken for personal data transferred via paper, and relevant documents are sent in classified/confidential document format.
- Personal data security policies and procedures have been established.
- Personal data security issues are reported promptly.
- Monitoring of personal data security is carried out.
- Necessary security measures are taken for entry and exit to physical environments containing personal data.
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Personal data is backed up, and the security of backed-up personal data is also ensured.
- Existing risks and threats have been identified.
- Protocols and procedures regarding the security of special categories of personal data have been established and are implemented.
- Encryption is applied.
- Awareness on data security is ensured for data processor service providers.
- In departments with intense personal data transfer, the Four-Eyes Principle is applied.
- A labeling system is used to classify data and determine retention periods.
The technical measures are as follows:
- Network security and application security are ensured.
- A closed network system is used for the transfer of personal data over the network.
- Key management is implemented.
- Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.
- Security of personal data stored in the cloud is ensured.
- An authorization matrix has been created for employees.
- Access logs are regularly kept.
- Access rights in this area are revoked for employees who change duties or leave the job.
- Data masking measures are applied when necessary.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- Monitoring of personal data security is carried out.
- The security of environments containing personal data is ensured.
- Personal data is backed up, and the security of backed-up personal data is also ensured.
- User account management and authorization control systems are applied and monitored.
- Log records are kept in a way that does not allow user intervention.
- Existing risks and threats have been identified.
- Intrusion detection and prevention systems are used.
- Penetration tests are applied.
- Cybersecurity measures are taken, and their implementation is continuously monitored.
- Encryption is applied.
- Sending data kept by the Company to addresses other than corporate email addresses is prevented.
- Printer logs are kept.
- USB ports on user computers are disabled for data transfer via portable drives.
- A labeling system is used to classify data and determine retention periods.
- Secure encryption/cryptographic keys are used for special categories of personal data and are managed by separate units.
- If special categories of personal data are to be sent via email, they are necessarily sent encrypted and via KEP or corporate email account.
- Special categories of personal data transferred via portable drives, CD, and DVD media are encrypted during transfer.
- Data loss prevention software is used.
11. Data Breach Management
Our Company takes all necessary technical and administrative measures to prevent the unlawful processing or unauthorized access of personal data. Nevertheless, the management and notification processes of possible data breaches are carried out within the framework of the KVKK, relevant legislation, ISO 27001 and ISO 27701 standards, the Personal Data Retention and Destruction Policy, the Data Breach Response Procedure, and other internal policies and procedures.
In the event of a data breach:
- The Company notifies the Personal Data Protection Authority and the affected individuals within a maximum of 72 hours from the moment the breach is discovered.
- The Personal Data Breach Notification Form is used in such notifications, and the processes are documented.
- If the notification to the Authority cannot be made within 72 hours for a justified reason, the reasons for the delay are explained.
- Affected individuals are informed as soon as possible either directly or through appropriate communication channels.
- Additionally, in processes carried out with international partners and business associates, contractual obligations within the scope of the business relationship and the data breach management policies of the partners are also considered; full compliance with the audit and compliance requirements of such partners is ensured.
All notification processes and the measures taken are regularly reviewed and documented.
12. Contact Person
Within our Company, a Contact Person has been appointed in accordance with the provisions of the Regulation on the Data Controllers’ Registry, for the purposes of managing personal data processing activities and ensuring compliance with the relevant legislation.
The Contact Person has been officially appointed by the resolution of the Company’s Board of Directors; the registration process before the Personal Data Protection Authority has been completed and reported to the VERBIS system.
The responsibilities of the Contact Person are as follows:
- To ensure compliance with relevant legislation and Authority decisions during the processing of personal data,
- To receive, evaluate, and conclude the applications of data subjects within the legal timeframe,
- To maintain communication between the Authority and the Company and carry out official notifications,
- To ensure the VERBIS registration remains up to date,
- To provide guidance to Company employees and business partners on data protection compliance,
- To submit necessary information and documents to the Authority within the scope of audits and legal requests.
The Contact Person also works in coordination with the Company’s Personal Data Protection Committee and Information Security Committee to ensure that personal data protection and information security processes are conducted effectively.
Within our Company, there is no legal obligation to appoint a Data Protection Officer (DPO) as foreseen under the GDPR, and no formal DPO has been designated in this regard. However, the processes of personal data protection and privacy compliance are coordinated by the Contact Person together with the Personal Data Protection Committee and the Information Security Committee in accordance with the provisions of the KVKK, GDPR, and international standards. In this way, functions equivalent to the duties and responsibilities of a DPO are effectively fulfilled, and the audit and compliance requirements of both national legislation and international business partners are duly considered.
13. Data Inventory
As part of its approach to identifying risks and opportunities throughout the KVKK and GDPR compliance process, our Company has created a data inventory. The Company’s data inventory identifies the following:
- Business processes that use personal data,
- Processed personal data,
- Processed special categories of personal data,
- Personal data subjects,
- Method of collecting personal data – source of personal data,
- Purpose of processing personal data,
- Legal basis for personal data processing,
- Retention period of personal data,
- Environments where personal data is processed,
- Method of personal data destruction,
- All types of data transfers,
- Recipient/recipient group of transferred data,
- Method and purpose of transfer,
- Technical and administrative measures.
14. Rights of the Data Subject
Under Article 11 of the KVKK, the data subject has the following rights and may exercise these rights by contacting the data controller through the methods determined by the data controller:
- To learn whether personal data is being processed,
- To request information regarding the nature of the processed data and to learn to whom it has been disclosed,
- To learn the purpose of the processing of personal data and whether they are being used in accordance with that purpose,
- To know the third parties to whom personal data is transferred, domestically or abroad, and to request that the processing activities be notified to such third parties,
- To request the correction of personal data if it is incomplete or inaccurate and to request that such corrections be notified to third parties,
- To request the deletion or destruction of personal data if the reasons requiring its processing no longer exist, even though it has been processed in accordance with the law,
- To object to the occurrence of any result that is against the person himself/herself,
- To request compensation in case of damage due to unlawful processing of personal data.
15. Exercising the Rights of the Data Subject
In accordance with the regulations of the KVKK, if you wish to exercise your rights listed above, you may submit your request by filling out the Data Subject Application Form and delivering it with identity-verifying documents either in person or via signed mail to the address: Astoria Towers Kempinski Residences Büyükdere Caddesi No:127 B Kule Kat:8 34394 Şişli-İstanbul/Türkiye or by sending an email to [email address hidden on the original page]. Your request will be concluded within a maximum of 30 days.
If the process incurs an additional cost, a fee may be charged as per the tariff set by the Personal Data Protection Board.
The address of the joint website of CottGroup® is: https://www.cottgroup.com
Our Policy has been prepared in line with the KVKK and ISO 27001/27701 standards based on the principle of defining data responsibility at the level of legal entities. In this context, Boss Yönetişim Hizmetleri A.Ş. is explicitly identified as the data controller in the policy texts published on its website. This aims to ensure that the relevant individuals clearly identify the party responsible when exercising their rights and to maintain transparency.
Personal Data Retention and Destruction Policy
This Personal Data Retention and Destruction Policy (hereinafter referred to as the “Policy”) has been prepared in accordance with Article 7 titled “Deletion, Destruction or Anonymization of Personal Data” and Article 17 titled “Crimes” of the Law on the Protection of Personal Data No. 6698 (published in the Official Gazette No. 29677 dated April 7, 2016), (hereinafter referred to as the “LPPD” and/or the “Law”), as well as the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data.
The aim of this Policy is to assess the current practices of Boss Yönetişim Hizmetleri Joint Stock Company (hereinafter referred to as the “Company”) in light of the above-mentioned legal framework and, based on these assessments, to define the necessary actions to be taken within the scope of legal and administrative measures (hereinafter referred to as the “Retention and Destruction Processes”).
ALL CONTENT INCLUDED IN THIS POLICY TEXT IS STRICTLY PROHIBITED FROM BEING COPIED, REPRODUCED, USED, PUBLISHED, OR DISTRIBUTED IN WHOLE OR IN PART FOR NON-PERSONAL PURPOSES. LEGAL ACTION WILL BE TAKEN IN ACCORDANCE WITH THE LAW ON INTELLECTUAL AND ARTISTIC WORKS NO. 5846 AGAINST THOSE WHO FAIL TO COMPLY WITH THIS PROHIBITION.
1. INTRODUCTION
1.1. Purpose
In accordance with Article 7 titled “Deletion, Destruction or Anonymization of Personal Data” and Article 17 titled “Crimes” of the Law on the Protection of Personal Data No. 6698 (hereinafter referred to as the “LPPD” and/or the “Law”), as well as the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the Company shows the utmost sensitivity in ensuring the proper retention of personal data obtained during the execution of its activities carried out within the scope of applicable legislation, the Law, and secondary regulations to which it is subject, and, when necessary, in the destruction of such data by appropriate methods at the end of the period stipulated by the relevant legislation or required for the purpose of processing.
Accordingly, this Personal Data Retention and Destruction Policy (the “Policy”) has been prepared to define the procedures and principles of the process management concerning the Company’s activities of personal data retention and destruction.
Explanations regarding the methods followed for the retention and destruction of personal data obtained during Company activities are provided below, and the entire process related to the retention and destruction of personal data is carried out in accordance with this Policy.
1.2. Scope
This Policy, which governs the retention and destruction of personal data processed by the Company either through automated means or through non-automated means provided that they are part of a data recording system, and stored in any kind of electronic and/or physical medium, has been prepared in line with the LPPD, other applicable personal data legislation, international regulations, and guiding documents in the field.
This Policy applies to the personal data of the Company’s employees, employee candidates, customers, service providers, suppliers, business partners, visitors, and other third parties. It is implemented across all personal data recording media owned and/or managed by the Company, as well as all activities involving the processing of personal data.
1.3. Abbreviations and Definitions
| Term | Definition |
| --- | --- |
| Recipient Group | Refers to the category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent that is related to a specific matter, based on information and expressed with free will. |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data. |
| Employee | Refers to the employees of Boss Yönetişim Hizmetleri Joint Stock Company. |
| Electronic Environment | Environments in which personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Environment | All written, printed, visual, and similar environments other than electronic ones. |
| Service Provider | A natural or legal person that provides services to the Company within the framework of a specific contractual relationship. |
| Data Subject / Personal Data Owner | Natural persons whose personal data is processed. As implied by the definition of personal data, the protection granted under the Law only pertains to natural persons, who are defined as “data subjects.” |
| Authorized User | Refers to individuals who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data. |
| Destruction | Refers to the deletion, destruction, or anonymization of personal data. |
| Law | Refers to the Law on the Protection of Personal Data No. 6698. |
| Recording Medium | Any environment in which personal data processed fully or partially through automated means, or by non-automated means provided that it is part of a data recording system, is stored. |
| Personal Data | Any information relating to an identified or identifiable natural person. Personal data includes any information suitable for identifying a person’s individual, professional, or familial attributes and distinguishing that person from others. This includes, but is not limited to, a person’s identity, ethnicity, physical characteristics, health, education, employment status, sexual life, family life, communications, residential address, credit card information, personal opinions and beliefs, association or union memberships, and shopping habits. |
| Personal Data Processing Inventory | An inventory prepared by data controllers based on their business processes, in which they detail the personal data processing activities they carry out; the purposes and legal grounds for processing; the data categories; the recipient groups and the data subject groups; the maximum retention periods for the processing purposes; the personal data envisaged to be transferred abroad; and the technical and administrative measures taken for data security. |
| Processing of Personal Data | Any operation performed on personal data, fully or partially through automated means, or through non-automated means provided that it is part of a data recording system, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, retrieval, making available for use, classification, or prevention of use. |
| Deletion of Personal Data | Making personal data inaccessible and unusable for the relevant users. |
| Destruction of Personal Data | Making personal data inaccessible, unrecoverable, and unusable for anyone. |
Board | The Personal Data Protection Board. |
Authority | The Personal Data Protection Authority. |
Special Categories of Personal Data | Refers to data related to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Periodic Destruction | Refers to the deletion, destruction, or anonymization of personal data to be carried out ex officio and at recurring intervals, as specified in the personal data retention and destruction policy, in the event that all processing conditions under the Law no longer exist. |
Policy | The Personal Data Retention and Destruction Policy. |
Data Processor | Natural or legal persons who process personal data on behalf of the data controller based on the authority granted by the data controller. |
Data Recording System | A recording system in which personal data is processed by being structured according to specific criteria. |
Data Controller | A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Controllers' Registry Information System (VERBIS) | The registry of data controllers maintained by the Personal Data Protection Authority. |
Regulation | The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017. |
2. RESPONSIBILITIES AND DUTY DISTRIBUTION
All Company employees and the departments to which they are affiliated fall within the scope of this Policy regarding the processing of personal data. They are responsible for the proper implementation of the technical, legal, and administrative measures stipulated under the Policy; for increasing awareness and training levels regarding data protection processes; for conducting audits either periodically or on a random basis; and for preventing unlawful processing and access to personal data as well as ensuring that personal data is retained in accordance with the law.
Title | Department | Job Description |
---|---|---|
Committee Chair Lawyer | Legal Department | Responsible for implementing the Policy, publishing it in the relevant environments, updating it, ensuring administrative measures are taken, and reporting Committee decisions to Company Management. |
Committee Member Senior Management | Executive | Responsible for ensuring and implementing technical solutions and measures needed for Policy enforcement, and for the coordination and execution of the compliance process. |
Committee Member Corporate Standards | Corporate Standards and Development | Responsible for ensuring compliance with the relevant legislation. |
Committee Member Integrated Management System Team (EYSE) | Business Development & Marketing | Responsible for ensuring that employees act in accordance with the Policy, monitoring compliance, and providing general coordination. |
Contact Person | Contact Person Registered with VERBIS | Responsible for establishing the necessary communication with the Authority, managing data subject applications, and keeping the VERBIS registration up to date. |
3. RECORDING MEDIA
In accordance with the commercial and legal regulations and secondary legislation to which it is subject, the Company stores personal data obtained during the execution of its activities in the following electronic and/or non-electronic media:
Recording Media
Electronic Recording Media
- Environmental and Local Systems
- Databases
- Central Servers
- Disaster Recovery System
- Portable Devices
Non-Electronic Recording Media
- Paper-Based Media
- Folders
- File Cabinets
4. EXPLANATIONS ON THE RETENTION AND DESTRUCTION OF PERSONAL DATA
The Company stores and destroys the personal data of its employees, employee candidates, customers, service providers, suppliers, business partners, visitors, and other third parties in accordance with the Law on the Protection of Personal Data and the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
Throughout the entire retention and destruction process, the Company adheres to applicable legal regulations, secondary legislation, and binding opinions and notifications issued by the Personal Data Protection Authority.
As a matter of company policy, the Company aims to retain the most up-to-date personal data for the shortest possible period, and to minimize stored data to the greatest extent possible. However, as the data controller, the Company also observes its legal obligations and retains the personal data it processes for designated periods, based on processing purposes and legal grounds.
In cases where longer-term archiving is required for public interest, statistical purposes, or other justifiable reasons, the Company explicitly states such reasons and implements all appropriate technical and administrative measures to the extent possible. In such instances, additional precautions specific to the situation shall be set out in a separate protocol, which shall be considered an integral part of this Policy.
Detailed explanations regarding retention and destruction are provided below:
4.1 Explanations Regarding Retention
Article 3 of the Law defines the concept of personal data processing, while Article 4 states that data must be processed in a manner that is relevant, limited, and proportionate to the purpose for which it is processed, and that data should be retained only for as long as required by the relevant legislation or for the purpose of processing. Articles 5 and 6 enumerate the legal grounds for processing personal data.
4.1.1. Legal Grounds Requiring Retention
Personal data processed within the scope of Company activities is retained for the duration stipulated in applicable legislation, based on the following legal grounds:
- Law on the Protection of Personal Data No. 6698
- Turkish Code of Obligations No. 6098
- Social Insurance and General Health Insurance Law No. 5510
- Occupational Health and Safety Law No. 6331
- Labor Law No. 4857
- Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Annexes
- Law No. 5651 on the Regulation of Broadcasts on the Internet and Combating Crimes Committed through Such Broadcasts
- Other applicable secondary legislation in force pursuant to the above-mentioned regulations, and not limited to those explicitly listed
- If necessary for the establishment or performance of a contract to which the Company is a party
- Where processing is necessary to fulfill a legal obligation of the Company
- Where the data subject has made the personal data publicly available
- Where processing is necessary for the establishment, exercise, or defense of a legal claim
- Where processing is necessary for the Company’s legitimate interests, provided this does not violate the fundamental rights and freedoms of the data subject
4.1.2. Processing Purposes Requiring Retention
Personal data processed within the scope of the Company's activities, as detailed above, is retained for the following purposes:
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Recruitment / Intern / Student Placement Processes
- Execution of Job Application Processes for Candidates
- Execution of Employee Satisfaction and Engagement Processes
- Fulfillment of Employment Contract and Statutory Obligations for Employees
- Execution of Employee Benefits and Compensation Processes
- Execution of Audit / Ethical Compliance Processes
- Execution of Training Activities
- Management of Access Authorizations
- Execution of Activities in Compliance with Legislation
- Execution of Finance and Accounting Affairs
- Ensuring Physical Space Security
- Execution of Assignment Processes
- Pursuit and Execution of Legal Affairs
- Execution of Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning of Human Resources Processes
- Execution and Supervision of Business Activities
- Execution of Occupational Health and Safety Activities
- Collection and Evaluation of Suggestions for Improving Business Processes
- Execution of Logistics Operations
- Execution of Procurement Processes for Goods / Services
- Execution of Sales Processes for Goods / Services
- Execution of Service Production and Operational Processes
- Execution of Customer Relationship Management Processes
- Execution of Marketing Analysis Activities
- Execution of Performance Evaluation Processes
- Execution of Risk Management Processes
- Execution of Retention and Archiving Activities
- Execution of Contractual Processes
- Tracking Requests / Complaints
- Execution of Supply Chain Management Processes
- Execution of Marketing Processes for Products / Services
- Execution of Talent / Career Development Activities
- Execution of Management Activities
- Creation and Tracking of Visitor Records
- Fulfillment of burden of proof obligations in the event of potential legal disputes
4.2. Grounds Requiring Destruction
Personal data shall be deleted, destroyed, or anonymized by the Company, either ex officio or upon the request of the data subject, in the following circumstances:
- Amendments or repeals of the relevant legal provisions that form the basis for data processing,
- The purpose requiring the processing or retention of the data no longer exists,
- The data processed has become outdated or is no longer accurate,
- In cases where personal data is processed solely on the basis of explicit consent, the withdrawal of such consent by the data subject,
- Acceptance by the Company of a data subject’s request for the deletion or destruction of personal data, pursuant to the data subject rights outlined in Article 11 of the Law,
- If the Company rejects the data subject’s request for deletion, destruction, or anonymization, or if the response is found to be insufficient, or if no response is given within the timeframe set forth in the Law, and the data subject lodges a complaint with the Board and the request is deemed appropriate by the Board,
- The expiration of the maximum retention period required for storing personal data and the absence of any justifiable reason to retain the data for a longer period.
In all such cases, the personal data in question is deleted, destroyed, or anonymized by the Company either upon the request of the data subject or ex officio.
At the end of the retention period prescribed by relevant legislation or necessary for the processing purpose, personal data shall be destroyed by the Company using the technical methods specified below, either ex officio or upon the data subject’s application to the Company.
4.3 Methods of Destroying Personal Data
4.3.1. Deletion of Personal Data
Personal data processed by the Company is deleted as outlined below:
Data Recording Medium | Description |
---|---|
a. Electronic Recording Media | Personal data stored in electronic media is deleted in accordance with data destruction policies when the retention period expires, or the purpose of processing no longer exists. In this scope: |
Environmental and Local Systems | |
b. Non-Electronic Recording Media |
Personal data stored in physical environments and for which the retention period has expired is rendered completely inaccessible and unusable by Company personnel. In addition, a redaction process is applied by crossing out/painting over/erasing the data until it becomes illegible. Also, destruction may be performed via encryption techniques. |
***The Company may use one or more of the deletion methods listed above. In the case of different types of storage environments, new deletion methods may be developed, and such newly developed methods may be used either in addition to or instead of the existing ones. The Company may also employ specific deletion methods tailored to the needs of its clients. |
4.3.2. Destruction of Personal Data
Personal data processed by the Company is destroyed as follows:
Data Recording Medium | Description |
---|---|
a. Electronic Recording Media | Physical Destruction Method: This involves the physical destruction of optical and magnetic media containing personal data, such as melting, incineration, pulverizing, or grinding the media using a metal shredder to make the data inaccessible. Degaussing: Data stored on magnetic media is destroyed by exposing the media to a strong magnetic field, which disrupts and renders the data unreadable and irrecoverable. Overwriting: Data on magnetic or rewritable optical media is overwritten at least seven times with random sequences of 0s and 1s to prevent recovery of the original data. |
Environmental and Local Systems | |
b. Non-Electronic Paper-Based Media | Personal data stored in paper format, for which the required retention period has expired, is destroyed using shredding machines in a way that makes it irretrievable. |
***The Company may employ one or more of the destruction methods listed above. In the case of using different storage environments, new destruction methods may be developed. These new methods may be used in addition to or in replacement of the existing ones. The Company may also apply client-specific destruction methods where required. |
4.3.3. Anonymization of Personal Data
Anonymization of personal data refers to rendering personal data unrelatable to an identified or identifiable natural person, even when matched with other data.
For data to be considered anonymized, it must be rendered unidentifiable by the data controller or any third party—even when combined with other datasets—through the application of appropriate techniques, depending on the medium and context in which the data is processed. For the anonymization process to be considered valid, it must be ensured that the data cannot be reversed or used to identify an individual by either the data controller or third parties using appropriate methods.
The Company may employ one or more of the following anonymization methods:
Method | Description |
---|---|
Top and Bottom Coding / Global Recoding | Data values for a given variable are grouped into defined intervals. If the variable is not numeric, similar data entries are categorized. Values within the same category are then combined. |
Regional Suppression | In datasets where personal data is aggregated, identifying information that may relate to outlier individuals is removed to prevent recognition. |
Removal of Variables | One or more direct identifiers contained in personal data that may lead to the identification of a data subject are removed. |
Generalization | Personal data from multiple individuals is aggregated and identifying details are eliminated, turning the dataset into a statistical summary. |
Microaggregation | All records in a dataset are first sorted in a meaningful order, then divided into subgroups of a specified size. The value of each variable within a subgroup is replaced by the average value of that variable in the subgroup. This distorts quasi-identifiers and reduces the risk of reidentification. |
Data Masking and Perturbation | Direct or indirect identifiers in personal data are altered or mixed with other values to sever their connection to the individual and strip them of identifying characteristics. |
In applying anonymization methods, the Company also observes the following key principles:
Principle Code | Principle Description |
---|---|
[UN1] | Data environments used for anonymization practices must be clearly defined. Only actively used environments are considered; unused or irrelevant environments are excluded from documentation. |
[UN2] | The risk of individuals becoming re-identifiable through specific combinations of quasi-identifiers is considered. Advanced statistical techniques are applied during anonymization to eliminate this risk. |
[UN3] | In cases where k-anonymity is insufficient, l-diversity is ensured by providing diversity in sensitive attributes across groups with the same identifier combinations. |
[UN4] | Where diversity is not sufficient to protect sensitive content, t-closeness is employed to ensure that the distribution of sensitive values in a group closely resembles their distribution in the entire dataset, reducing inference risks. |
The Company continuously monitors and improves its anonymization practices to ensure technical adequacy, maintain irreversibility guarantees, and maximize data security.
5. RETENTION AND DESTRUCTION PERIODS AND METHOD
Unless a longer period is prescribed by the Law and/or other relevant legislation and secondary regulations, or a longer period is stipulated due to statutes of limitations, forfeiture periods, or other legally mandated retention obligations as outlined under the Legal Grounds Requiring Retention, the personal data processed by the Company shall be retained and destroyed in accordance with the methods and periods specified in the Retention and Destruction Table attached to this Policy.
At the end of the relevant retention periods, personal data shall be destroyed using the specified methods. (Without being limited to the listed destruction methods, the Company reserves the right to use alternative destruction methods.)
(See Annex-1: Retention and Destruction Table)
6. PERIODIC DESTRUCTION PERIOD
Within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data, if all processing conditions for personal data as set forth in the Law cease to exist, the Company shall delete, destroy, or anonymize the relevant personal data ex officio at recurring intervals, as specified in this Personal Data Retention and Destruction Policy. The periodic destruction process is carried out once every six (6) months.
Personal data for which the purpose of processing no longer exists shall be destroyed in accordance with the procedures outlined in this Policy. The data shall be irreversibly deleted from systems and any physical media where such data may be stored—such as documents, files, CDs, diskettes, or hard drives—ensuring that they cannot be retrieved.
All transactions relating to the deletion, destruction, or anonymization of personal data are documented and such records are retained for a minimum of three (3) years, excluding other legal obligations.
Prior to initiating any personal data processing activity, the Company is responsible for registering with the Data Controllers' Registry (VERBIS) and ensuring that all administrative and technical measures are implemented throughout the entire process to ensure proper monitoring of periodic destruction.
7. TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with the Law, the Company is required to take structured, up-to-date, effective, and accountable technical and administrative measures to ensure the secure storage of personal data, to prevent unlawful processing and/or unauthorized access, and to ensure compliance with the Retention and Destruction Processes.
The Company implements the following administrative controls:
- Key management is implemented.
- Security measures are taken during the procurement, development, and maintenance of IT systems.
- Disciplinary regulations are in place, incorporating data security provisions for employees.
- Employees receive regular training and awareness programs on data security.
- An authorization matrix has been established for employees.
- Corporate policies on access, information security, usage, retention, and destruction have been prepared and implemented.
- Confidentiality agreements are signed.
- Access rights of employees who change roles or leave the Company are revoked.
- Contracts include provisions on data security.
- Additional security measures are applied for personal data transferred via physical (paper-based) means, and such documents are sent in classified document format.
- Personal data security policies and procedures have been defined.
- Personal data security issues are promptly reported.
- Monitoring of personal data security is conducted.
- Security measures are taken for entry and exit to physical environments where personal data is stored.
- The security of environments containing personal data is ensured.
- Data minimization principles are applied to reduce personal data to the necessary minimum.
- Backups of personal data are created and secured.
- Current risks and threats have been identified.
- Protocols and procedures are defined and applied for the security of sensitive personal data.
- Encryption is implemented.
- Awareness of data security is ensured among data processors and service providers.
- The Four-Eyes Principle is applied in departments with high volumes of personal data transfers.
- A labeling system is used to classify data and determine retention periods.
The Company has adopted the following technical controls:
- Network and application security are ensured.
- A closed-loop network is used for personal data transfers over networks.
- Key management is implemented.
- Security measures are taken during IT system procurement, development, and maintenance.
- Security of personal data stored in the cloud is ensured.
- An authorization matrix is created for employees.
- Access logs are regularly maintained.
- Access rights of employees who change positions or leave the Company are revoked.
- Data masking techniques are applied where necessary.
- Updated anti-virus software is used.
- Firewalls are implemented.
- Personal data security is monitored.
- Security of data-containing environments is ensured.
- Personal data is backed up, and the security of the backup copies is ensured.
- User account management and authorization control systems are in place and monitored.
- Log records are kept in a way that prevents user interference.
- Current risks and threats are identified.
- Intrusion detection and prevention systems are used.
- Penetration testing is performed.
- Cybersecurity measures are taken and regularly monitored for enforcement.
- Encryption is applied.
- Transmission of Company data to non-corporate email addresses is blocked.
- Printer logs are maintained.
- USB ports on employee computers are disabled to prevent data transfer to portable devices.
- A labeling system is used to classify data and define retention durations.
- Secure encryption/cryptographic keys are used for sensitive personal data and managed by separate units.
- Sensitive personal data sent via email is encrypted and transmitted using KEP (Registered Email System) or a corporate email account.
- Sensitive personal data transferred via portable media such as USB, CD, or DVD is encrypted.
- Data Loss Prevention (DLP) software is in use.
8. REQUESTS FROM DATA SUBJECTS
Pursuant to Article 13 of the Law on the Protection of Personal Data and Article 12 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the data subject may submit a written application to the Company in accordance with the “Communiqué on the Principles and Procedures for Data Subject Requests to the Data Controller” to request the deletion or destruction of their personal data.
- a) If all conditions for processing personal data no longer exist, the data controller shall delete, destroy, or anonymize the personal data subject to the request. The data controller must conclude the request within thirty (30) days at the latest and inform the data subject accordingly.
- b) If the data in question has been transferred to third parties, and the processing conditions no longer exist, the data controller shall inform the third party and ensure that the necessary actions are taken by that third party in accordance with the Regulation.
- c) If not all conditions for processing personal data have ceased, the data controller may reject the request by stating its legal justification. The rejection shall be communicated to the data subject in writing or electronically within thirty (30) days at the latest.
- i. The data is processed for statistical purposes, provided that it is anonymized and used for research, planning, or statistical analysis.
- ii. The data is processed for artistic, historical, literary, scientific, or freedom of expression purposes, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life, or personal rights, and does not constitute a criminal offense.
- iii. The data is processed by public institutions and organizations authorized by law to carry out preventive, protective, or intelligence activities for the purpose of ensuring national defense, national security, public safety, public order, or economic security.
- iv. The data is processed by judicial authorities or enforcement authorities in relation to investigations, prosecutions, trials, or execution proceedings.
- v. Data processing is necessary for preventing a crime or conducting a criminal investigation.
- vi. The data has been made public by the data subject.
- vii. Data processing is necessary for public institutions or professional organizations with public institution status to carry out supervisory or regulatory duties or for disciplinary investigations or proceedings, based on the authority granted by law.
- viii. Data processing is necessary to protect the State’s economic and financial interests, particularly in matters of budget, taxation, or finance.
- ix. The data subject’s request has the potential to restrict the rights and freedoms of others.
- x. The request requires disproportionate effort.
- xi. The information requested is already publicly available.
9. PUBLICATION AND RETENTION
This Policy is published in two formats: a hard copy (wet-signed) and an electronic version. The hard copy is retained in the files of the Information Technologies and Human Resources Departments.
10. UPDATE PERIOD
The Policy is reviewed as needed and at least once every six (6) months. Updates are made to the relevant sections as necessary.
11. ENFORCEMENT
- 11.1. This Policy shall be deemed to have entered into force on November 10, 2024. In the event of a decision to amend or repeal it, the existing version shall be canceled by a Board of Directors resolution (indicated by a red cancellation stamp or written cancellation note), and a newly signed version may be published on the Company’s website at its discretion. The new version will enter into force upon approval by the Board of Directors.
- 11.2. This Policy will be announced to all employees and, upon its effective date, shall be binding for all Company departments, consultants, external service providers, and all individuals involved in the processing of personal data.
- 11.3. Supervisors shall be responsible for monitoring their subordinates' compliance with the Policy. If a violation is detected, the matter shall be immediately reported by the supervisor to the next-level manager.
- 11.4. If the violation is of a serious nature, the relevant senior manager shall promptly inform the Personal Data Protection Committee.
- 11.5. In cases of non-compliance, an evaluation will be conducted by the Human Resources Department, and necessary administrative actions will be taken against the employee responsible.
12. INTERNAL CORPORATE GOVERNANCE ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Within the Company, a Personal Data Protection Committee (the “Committee”) has been established to oversee and coordinate necessary actions for compliance with the Law No. 6698. The primary responsibilities of the Committee include:
- Drafting and, when necessary, revising key policies related to the protection and processing of personal data, and submitting them for senior management approval.
- Determining how data protection policies will be implemented and audited, assigning internal roles and ensuring coordination accordingly.
- Identifying the actions required to ensure compliance with the Law and related legislation, submitting them to senior management for approval, and overseeing their execution.
- Increasing awareness within the Company and among its business partners regarding data protection and processing.
- Identifying potential risks in the Company’s personal data processing activities and ensuring necessary measures are taken, submitting improvement proposals to senior management.
- Monitoring relevant data protection legislation and updating internal policies and documents accordingly.
- Designing and, upon approval, delivering training programs on data protection and policy implementation.
- Establishing and managing an effective mechanism to promptly address and resolve data subject requests.
- Coordinating communication and education efforts to inform data subjects about personal data processing activities and their legal rights.
- Monitoring developments and regulations related to personal data protection, and advising senior management on necessary actions in response.
- Coordinating relations with the Personal Data Protection Authority and the Personal Data Protection Board.
- Carrying out any other data protection-related tasks assigned by senior management.
- Identifying potential risks in personal data processing activities and ensuring the implementation of appropriate safeguards; submitting recommendations for improvement.
Annex 1 – Retention and Destruction Table
Data Category | Processed Personal Data | Data Retention Period |
---|---|---|
Identity | Full name, Turkish Republic ID number, date and place of birth, gender, nationality, information contained in identification documents such as ID card, driver’s license, passport, and similar documents | 15 Years |
Contact | Email address, phone number, physical address, registered email (KEP) address, and other information related to communication channels. | Other 10 years from the end of the business activity |
Personnel | Employment entry documents, resume, payroll and salary information, performance records, etc. | Other 10 years from the end of the business activity; within the scope of services conducted with ADP and only limited to the business relationship established with ADP, for data stored in live operational systems provided specifically for services delivered to customers whose contracts have been terminated: 13 months following ADP’s request |
Legal Transactions | Correspondence with judicial and administrative authorities, case file data, notary notifications, official notification records, etc. | Other 10 years from the end of the business activity; within the scope of services conducted with ADP and only limited to the business relationship established with ADP, following the termination of the customer account: 10 years |
Customer Transactions | Call center voice recordings, order information, customer requests, correspondence with customers, service development records, correspondence and documents related to disputed matters, etc. | Other 10 years from the end of the business activity; within the scope of services conducted with ADP and only limited to the business relationship established with ADP, for customers whose contracts have been terminated: 13 months following ADP’s request; for information related to customers including KYC forms within ADP-managed processes: 7 years following the termination of the customer account |
Physical Space Security | Visitor records, card access data, security cameras, etc. | 2 Years |
Transaction Security | IP address, log data, log records, username/password, system login/logout times, etc. | 2 Years |
Finance | Bank account information, payment documents, expense forms, financial reports, etc. | 10 Years. Within the scope of services conducted with ADP and only limited to the business relationship established with ADP, for customers whose contracts have been terminated: 13 months following ADP’s request |
Professional Experience | Diploma, certificate, education and seminar participation records, transcript | 10 Years |
Marketing | Cookie records | 2 Years |
Visual and Audio Records | Photo and video recordings, voice call recordings | Other: 10 years from the end of the business activity |
Health Information | Disability status, health reports, health condition reports requested within the scope of occupational health and safety | 15 Years. Within the scope of services conducted with ADP and only limited to the business relationship established with ADP, for customers whose contracts have been terminated: 13 months following ADP’s request |
Criminal Convictions and Security Measures | Criminal record | Other: 10 years from the end of the business activity |
Other Information – Signature | Signature samples obtained from documents or from official documents such as signature circulars | Other: 10 years from the end of the business activity |
Risk Management | Information obtained through correspondence, documents, audit reports, etc. related to disputed matters | 10 years from the end of the business activity. Within the scope of services conducted with ADP and only limited to the business relationship established with ADP, following the termination of the customer account: 10 years |