Personal Data Protection and Processing Policy

1. Purpose

This Personal Data Protection and Processing Policy (“Policy”) has been prepared to establish the principles and procedures governing the personal data processing activities carried out by Boss Yönetişim Hizmetleri A.Ş. and the independent companies within the CottGroup® network (“CottGroup®”), each of which has a separate legal personality, in accordance with the Law on the Protection of Personal Data No. 6698 (“LPPD”), the European Union General Data Protection Regulation (“GDPR”), relevant secondary legislation, and the decisions and guidelines of the Turkish Personal Data Protection Authority (“Authority”).

The Policy is implemented in an integrated and harmonized manner together with the Company’s current Personal Data Retention and Destruction Policy, Personal Data Inventory, and the ADP Data Purge Instruction, and aims to ensure full compliance with the confidentiality, security, and legal requirements specific to service providers in business relationships with international clients.

2. Scope

CottGroup® is committed to ensuring transparency, auditability, and accountability in its data processing activities at both national and international levels. The provisions of this Policy apply to all CottGroup® member companies, and all pages accessed through the Company’s website fall within its scope.

3. Policy

The Company also maintains separate policies addressing the protection of personal data and the safeguarding of information security for specific business activities and functions. Unless this Policy contains additional requirements or prescribes a higher standard of data protection, it does not invalidate the data protection provisions in those separate policies.

Provisions of the applicable legislation concerning the processing and protection of personal data shall prevail and be directly applied. In cases where there is a conflict between the relevant legislation and this Policy, the provisions of the up-to-date legislation shall take precedence.

This Policy has been prepared in accordance with the rules and procedures set out under the LPPD and relevant legislation for the protection of personal data. In this respect, as the Data Controller, the Company is obligated under the LPPD to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the secure retention of such data.

4. Principles Applicable to the Processing of Personal Data

Within the scope of all Personal Data Processing activities, our Company adheres to the following general principles:

  1. Processing personal data lawfully, fairly, and transparently.
  2. Collecting personal data only for specific, explicit, and legitimate purposes.
  3. Ensuring that personal data is relevant, limited, and proportionate to the purposes for which it is processed.
  4. Ensuring that personal data is accurate and kept up to date when necessary; deleting or rectifying inaccurate data without delay.
  5. Retaining personal data only for the period prescribed by the relevant legislation or required for the purposes for which it is processed.
  6. Processing personal data in a manner that ensures appropriate security.

5. Personal Data Collected

The Personal Data collected by our Company may vary depending on the nature of your relationship with our Company and our legal obligations. The Personal Data collected may include the following:

Identity: Name and surname, Republic of Türkiye ID number, date and place of birth, gender, nationality, information contained in identity card and similar documents.
Contact: E-mail address, telephone number, full address, KEP (registered e-mail) address, and other information related to communication channels.
Personnel: Employment onboarding documents, resume, payroll and compensation information, performance records, etc.
Legal Transaction: Correspondence with judicial and administrative authorities, case file information, notary notifications, official notification records, etc.
Customer Transaction: Call center voice recordings, order information, customer requests, correspondence with customers, service development records, correspondence and documents relating to disputed matters, etc.
Physical Space Security: Visitor records, card access data, security camera footage, etc.
Transaction Security: IP address, log data, username/password, system login/logout times, etc.
Finance: Bank account information, payment documents, expense forms, financial reports, etc.
Professional Experience: Diploma, certificates, training and seminar participation information, transcript.
Health Information (Special Category Personal Data): Information on disability status, medical reports, health condition reports requested within the scope of occupational health and safety, etc.
Criminal Convictions and Security Measures (Special Category Personal Data): Criminal record.
Other Information – Signature: Signature specimen obtained from documents or official records such as signature circulars.
Marketing: Cookie records.
Visual and Audio Records: Photographs and video recordings, audio call recordings.
Risk Management: Correspondence, documents, audit reports regarding disputed matters, etc.
Location: Location information obtained via assigned vehicles, if applicable.
Other Information – Business Travel Accommodation and Travel Details: Accommodation and travel information in case of business travel arrangements.
Other – Military Service Status Information: Information relating to military service status.

The listed categories of Personal Data do not cover all data processed; Personal Data similar to those listed may also be processed by our Company.

6. Purposes of Processing Personal Data

Our Company processes personal data in compliance with the LPPD and the relevant applicable legislation, and informs data subjects at the time personal data is obtained. In this context, the Company provides information to the data subject regarding the purpose for which personal data will be processed, to whom and for what purposes the processed data may be transferred, the method of personal data collection, and the legal basis for collecting personal data.

The purpose of processing personal data varies depending on the relationship between the Company and the personal data owner and the legal nature of the work.

The purposes for which personal data is processed by the Company are as follows:

  • Carrying Out Emergency Management Processes
  • Carrying Out Information Security Processes
  • Carrying Out Employee Candidate / Intern / Student Selection and Placement Processes
  • Carrying Out Employee Candidate Application Processes
  • Carrying Out Employee Satisfaction and Engagement Processes
  • Fulfillment of Employment Contract and Statutory Obligations for Employees
  • Carrying Out Fringe Benefit and Employee Benefit Processes for Employees
  • Carrying Out Audit / Ethical Activities
  • Carrying Out Training Activities
  • Carrying Out Access Authorization Processes
  • Ensuring Activities Are Conducted in Compliance with Legislation
  • Carrying Out Finance and Accounting Affairs
  • Ensuring Physical Space Security
  • Carrying Out Assignment Processes
  • Follow-up and Execution of Legal Affairs
  • Carrying Out Internal Audit / Investigation / Intelligence Activities
  • Carrying Out Communication Activities
  • Planning of Human Resources Processes
  • Carrying Out / Supervising Business Activities
  • Carrying Out Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for the Improvement of Business Processes
  • Carrying Out Logistics Activities
  • Carrying Out Procurement Processes for Goods / Services
  • Carrying Out Sales Processes for Goods / Services
  • Carrying Out Service Production and Operational Processes
  • Carrying Out Customer Relationship Management Processes
  • Carrying Out Marketing Analysis Activities
  • Carrying Out Performance Evaluation Processes
  • Carrying Out Risk Management Processes
  • Carrying Out Retention and Archiving Activities
  • Carrying Out Contract Processes
  • Follow-up of Requests / Complaints
  • Carrying Out Supply Chain Management Processes
  • Carrying Out Marketing Processes of Products / Services
  • Carrying Out Talent / Career Development Activities
  • Carrying Out Management Activities
  • Creating and Tracking Visitor Records
  • Fulfilling the Burden of Proof for Potential Legal Disputes

7. Methods of Processing Personal Data and Legal Grounds

Personal data may be obtained from the data subject or from third parties to whom the data subject has explicitly given consent. The personal data obtained may be processed through methods such as collection, recording, organization, structuring, storage, adaptation, alteration, use, transfer, deletion, destruction, and anonymization.

Personal data may be processed, without seeking the explicit consent of the data subject, through one or more of the methods listed above if one of the lawful grounds set out under Article 5 of the LPPD exists:

  • Where it is clearly prescribed by laws or any applicable legislation.
  • Where it is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
  • Where it is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of that contract.
  • Where it is necessary for the data controller to fulfil its legal obligation.
  • Where the personal data has been made public by the data subject.
  • Where data processing is necessary for the establishment, exercise, or protection of a right.
  • Where data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Special categories of personal data may also be processed, without seeking explicit consent, if one of the lawful grounds listed under Article 6 of the LPPD exists, through one or more of the methods listed above:

  • Where it is clearly prescribed by laws,
  • Where it is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
  • Where the personal data is related to data that has been made public by the data subject, and the processing is consistent with the intention of public disclosure,
  • Where it is necessary for the establishment, exercise, or protection of a right,
  • Where it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management, and financing of health services, and the processing is carried out by persons under an obligation of confidentiality or by authorized institutions and organizations,
  • Where it is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
  • Where processing is carried out by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade-union purposes, provided that it is in accordance with their legislation and purpose, limited to their fields of activity, not disclosed to third parties, and relates only to their current or former members, staff, or persons who regularly engage with such bodies.

8. Retention and Destruction of Personal Data

  1. The Company determines the retention periods of personal data by taking into account the applicable legislation and the purposes for which the data are processed. In this context, any legal obligations and statutes of limitation arising from the Personal Data Processing activity are always considered. Pursuant to Article 7 of the Law on the Protection of Personal Data (“LPPD”) and other relevant legislation, once the reasons requiring the processing of personal data no longer exist—whether due to the Company’s decision, periodic review, the request of the data subject, or the expiry of the retention periods—the personal data are deleted, destroyed, or anonymized.
  2. In cases where personal data are transmitted to us incorrectly through any means, or where it is evident that the data subject did not intend to give explicit consent, such personal data are immediately destroyed by the Company using methods compliant with the Law.
  3. The Company retains personal data only for as long as necessary in relation to the purpose for which it was collected and for the period during which the identity of the data subject must remain identifiable. When such periods expire, the personal data are deleted, destroyed, or anonymized.
  4. The Company may retain personal data for a longer period solely for public interest, scientific or historical research, or statistical purposes, provided that appropriate technical and organizational measures are implemented to protect the rights and freedoms of the data subject and ensure data security.
  5. The retention period for each category of personal data and the criteria used to determine such period—including the Company’s legal obligations—are expressly set out in the Company’s Personal Data Retention and Destruction Policy, and shall apply in all cases. In addition, for processes carried out with international business partners, the Company complies with any special retention and destruction periods set forth in the relevant contracts and/or policies and procedures communicated to the Company for the specific process or service.

9. Transfer of Personal Data

a. Domestic Transfer

Except in cases where the transfer of personal data is mandatory under the LPPD or other applicable legislation to administrative or judicial authorities, the Company does not transfer personal data belonging to data subjects to third parties without explicit consent. However, if any of the lawful grounds listed under Articles 5 and/or 6 of the LPPD apply, personal data may be transferred without explicit consent due to the existence of a legal basis.

The Company also fulfills its obligation to inform the Data Subject regarding such transfers. Accordingly, the institutions, organizations, and/or persons to whom personal data may be transferred are listed below.

b. International Transfer

The Company carries out cross-border transfers of personal data in accordance with Article 9 of the LPPD and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad.

Personal data may be transferred abroad provided that one of the legal grounds listed under Articles 5 and 6 of the LPPD exists and one of the following transfer conditions is met:

  • An adequacy decision has been issued by the Board regarding the country, the relevant sector within that country, or the international organization to which the personal data will be transferred;
  • In the absence of an adequacy decision, one of the appropriate safeguards stipulated under Article 9/4 of the LPPD is provided, ensuring that the data subject can exercise their rights and access effective legal remedies in the recipient country (e.g., standard contractual clauses, binding corporate rules, undertaking + Board approval, inter-institutional agreements + Board approval);
  • If neither an adequacy decision nor appropriate safeguards exist, one of the exceptional transfer conditions listed in Article 9/6 applies (e.g., explicit informed consent of the data subject, necessity for establishing or performing a contract, substantial public interest, establishment/exercise/protection of a right, protection of life or physical integrity, publicly available data, etc.).

The Company applies the safeguards under Article 9 of the LPPD to all onward transfers of personal data abroad and conducts all transfer processes in compliance with the Regulation.

d. Principles of Data Transfer

All personal data transfer activities are carried out in accordance with the following fundamental principles:

  • Lawfulness and fairness: Transfers are carried out in compliance with applicable legislation and contractual obligations.
  • Purpose limitation: Personal data are shared only for the specific transfer purposes.
  • Data minimization: The transferred personal data are relevant, limited, and proportionate to the transfer purpose.
  • Transparency: Data subjects are clearly informed about transfer activities.
  • Accuracy and up-to-dateness: The accuracy and, where necessary, currency of transferred data are ensured.

All transfer activities are recorded in accordance with the Company’s Personal Data Inventory, Personal Data Retention and Destruction Policy, and other internal procedures. Upon request, the necessary information is provided to data subjects in line with the transparency principle. Furthermore, compliance with the confidentiality and data security requirements of the Company’s international business partners is ensured.

10. Measures Taken to Ensure Data Security

Our Company implements administrative and technical measures to prevent data breaches and to ensure the security of personal data. Within this scope, the administrative measures applied by our Company are as follows:

  • Key management practices are implemented.
  • Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
  • Disciplinary regulations containing provisions on data security are in place for employees.
  • Regular training and awareness activities on data security are carried out for employees.
  • An authorization matrix has been established for employees.
  • Corporate policies regarding access, information security, use, storage, and destruction have been prepared and implemented.
  • Confidentiality undertakings are obtained.
  • Access rights of employees who change duties or leave the Company are removed.
  • Contracts signed with third parties include data security provisions.
  • Additional security measures are applied for personal data transferred in physical (paper-based) format, and related documents are sent as classified/confidential documents.
  • Data security policies and procedures have been established.
  • Personal data security incidents are reported promptly.
  • Monitoring of personal data security is conducted.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of environments containing personal data is ensured.
  • Personal data is minimized to the extent possible.
  • Personal data is backed up, and the security of the backed-up data is also ensured.
  • Existing risks and threats are identified.
  • Protocols and procedures specific to the security of special categories of personal data are established and implemented.
  • Encryption is applied.
  • Awareness regarding data security is ensured for data processors and service providers.
  • The Four-Eyes Principle is applied in departments where intensive personal data transfers occur.
  • A labeling/classification system is used to define data categories and retention periods.

The Technical Measures applied within this scope are as follows:

  • Network and application security are ensured.
  • A closed network is used for personal data transfers conducted over the network.
  • Key management practices are implemented.
  • Security measures are applied within the scope of procurement, development, and maintenance of information technology systems.
  • Security of personal data stored in cloud environments is ensured.
  • An authorization matrix has been established for employees.
  • Access logs are regularly maintained.
  • Access rights of employees who change duties or leave the Company are removed.
  • Data masking is applied where necessary.
  • Up-to-date antivirus systems are used.
  • Firewalls are used.
  • Personal data security is continuously monitored.
  • The security of environments containing personal data is ensured.
  • Personal data is backed up, and the security of the backed-up data is ensured.
  • A user account and authorization control system is applied, and its monitoring is conducted.
  • Log records are kept in a manner that prevents user intervention.
  • Existing risks and threats are identified.
  • Intrusion detection and prevention systems (IDS/IPS) are used.
  • Penetration testing is performed.
  • Cybersecurity measures are implemented and continuously monitored.
  • Encryption is applied.
  • Sending Company-held data to email addresses other than corporate email accounts is restricted.
  • Printer logs are maintained.
  • USB ports on user computers are disabled to prevent transfer of data to portable storage devices.
  • A labeling/classification system is used to identify data categories and retention periods.
  • Secure encryption/cryptographic keys are used for special categories of personal data and are managed by separate units.
  • Special categories of personal data sent via email are always transmitted in encrypted form and via KEP or corporate email accounts.
  • Special categories of personal data transferred via portable media (USB, CD, DVD) are encrypted prior to transfer.
  • Data loss prevention (DLP) software is used.

11. Data Breach Management

The Company takes all necessary technical and administrative measures to prevent the unlawful processing of personal data and unauthorized access. Nevertheless, the management of potential personal data breaches and the related notification processes are carried out in accordance with the LPPD, applicable legislation, ISO 27001 and ISO 27701 standards, the Company’s Personal Data Retention and Destruction Policy, the Incident Response Procedure, and other internal company policies and procedures.

In the event of a personal data breach:

  • The Company notifies the Personal Data Protection Authority and the affected data subjects within a maximum of 72 hours from becoming aware of the breach.
  • The Personal Data Breach Notification Form is used for such notifications, and all processes are duly documented.
  • If, for a justified reason, the notification to the Authority cannot be made within 72 hours, the reasons for the delay are explained.
  • Data subjects are informed as soon as possible, either directly or through appropriate communication channels.
  • In addition, in processes carried out with international partners and business associates, the contractual obligations and the partners’ data breach management policies applicable within the scope of the business relationship are taken into account, and full compliance with such partners’ audit and compliance requirements is ensured.

All notification processes and the measures taken are regularly reviewed and recorded.

12. Contact Person

A Contact Person has been appointed within the Company in accordance with the provisions of the Regulation on the Data Controllers’ Registry, for the management of personal data processing activities and compliance with the relevant legislation.

The Contact Person has been officially appointed by a resolution of the Company’s Board of Directors, and the registration procedures before the Personal Data Protection Authority have been completed and notified through the VERBIS system.

The responsibilities of the Contact Person are as follows:

  • Ensuring compliance with the relevant legislation and Board decisions in personal data processing activities;
  • Receiving, evaluating, and responding to data subject applications within the legal time period;
  • Managing communication between the Company and the Personal Data Protection Authority, and carrying out official notifications;
  • Ensuring that the VERBIS registration is kept up to date;
  • Providing guidance to Company employees and business partners regarding data protection compliance;
  • Submitting the necessary information and documents to the Authority within the scope of audits and legal requests;
  • Working in coordination with the Company’s Personal Data Protection Committee and Information Security Committee to ensure the effective execution of personal data protection and information security processes.

There is no statutory obligation for the Company to appoint a Data Protection Officer (DPO) under the GDPR. Therefore, an official DPO appointment has not been made. However, personal data protection and privacy compliance processes are coordinated by the Contact Person together with the Personal Data Protection Committee and the Information Security Committee, in accordance with the LPPD, GDPR, and international standards. Through this structure, the functions equivalent to those of a DPO are effectively fulfilled, and compliance with national legislation as well as the audit and compliance requirements of international business partners is ensured.

13. Data Inventory

As part of its approach to identifying risks and opportunities throughout its LPPD and GDPR compliance processes, the Company has established a comprehensive data inventory. The Company’s data inventory identifies the following:

  • The business processes that use personal data;
  • The personal data being processed;
  • The special categories of personal data being processed;
  • The data subjects whose personal data are processed;
  • The method of collection and the source of personal data;
  • The purpose of processing personal data;
  • The legal grounds for processing personal data;
  • The retention period of personal data;
  • The environments in which personal data are processed;
  • The method of destruction of personal data;
  • All forms of data transfer;
  • The recipients or categories of recipients to whom personal data are transferred;
  • The method and purpose of transfer;
  • The technical and administrative measures applied.

14. Rights of the Data Subject

Pursuant to Article 11 of the LPPD, data subjects have the following rights, which may be exercised by contacting the data controller through the methods determined by the data controller:

  • To learn whether personal data are processed;
  • If personal data have been processed, to request information regarding such processing and to learn to whom the data have been disclosed;
  • To learn the purpose of processing personal data and whether they are used in accordance with that purpose;
  • To know the third parties, whether domestic or abroad, to whom personal data are transferred, and to request that such transfers be notified to the relevant third parties;
  • To request the correction of personal data if they are incomplete or inaccurate, and to request that such correction be notified to third parties;
  • To request the deletion or destruction of personal data if the reasons requiring processing no longer exist, even if the processing has been carried out in accordance with the relevant legal provisions;
  • To object to the emergence of a result against the data subject through the analysis of personal data exclusively by automated systems;
  • To request compensation for damages in case of suffering a loss due to the unlawful processing of personal data.

15. Exercising the Rights of the Data Subject

In accordance with the provisions of the LPPD, you may submit your requests regarding the exercise of your rights listed above by completing the Data Subject Application Form and delivering it:

  • In person or by post, together with identity-verifying documents, to the following address:
    Astoria Towers Kempinski Residences, Büyükdere Caddesi No:127 B Kule, Floor 8, 34394 Şişli – Istanbul / Turkey,
  • By sending an email to the Company’s corporate e-mail address,
  • Or by submitting your request to the Company’s KEP (Registered Electronic Mail) address.

Your request will be finalized within 30 days at the latest.

If the process requires an additional cost, the fee determined in the tariff set by the Personal Data Protection Board will be charged.

The common website of CottGroup® is: https://www.cottgroup.com

This Policy has been prepared in accordance with the LPPD and ISO 27001/27701 standards based on the principle that the data controller is defined at the legal entity level. In this context, Boss Yönetişim Hizmetleri A.Ş. is explicitly stated as the data controller in the policy texts published on the website. Thus, it is aimed to ensure clarity regarding the party to be contacted by data subjects when exercising their rights and to provide full transparency.

Personal Data Retention and Destruction Policy

This Personal Data Retention and Destruction Policy (hereinafter referred to as the “Policy”) has been prepared in order to assess the current situation of Boss Yönetişim Hizmetleri Anonim Şirketi (hereinafter referred to as the “Company”) and to determine the legal and administrative measures to be taken within this framework (hereinafter referred to as the “Retention and Destruction Processes”), in line with Article 7 titled “Deletion, Destruction or Anonymization of Personal Data” and Article 17 titled “Crimes” of the Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677 (hereinafter referred to as the “LPPD” and/or the “Law”), as well as the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

ALL CONTENT INCLUDED IN THIS POLICY TEXT IS PROTECTED BY LAW AND MAY NOT BE PARTIALLY OR FULLY COPIED, REPRODUCED, USED, PUBLISHED, OR DISTRIBUTED FOR PURPOSES OTHER THAN PERSONAL USE. LEGAL ACTION SHALL BE TAKEN UNDER THE LAW ON INTELLECTUAL AND ARTISTIC WORKS NO. 5846 AGAINST ANY PERSONS WHO VIOLATE THIS PROHIBITION.

1. INTRODUCTION

1.1. Purpose

In accordance with Article 7 titled “Deletion, Destruction or Anonymization of Personal Data” and Article 17 titled “Crimes” of the Law No. 6698 on the Protection of Personal Data (hereinafter the “LPPD” or the “Law”), as well as the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the Company exercises the utmost diligence in ensuring that personal data obtained during the conduct of its activities are retained properly and destroyed through appropriate methods when necessary, at the end of the period prescribed in the relevant legislation or required for the purpose of processing.

In line with this diligence, this Personal Data Retention and Destruction Policy (“Policy”) has been prepared to establish the principles and procedures regarding the management of the Company’s personal data retention and destruction activities.

Explanations regarding the methods followed for the retention and destruction of personal data obtained during the Company’s activities are provided below. The processes relating to the retention and destruction of personal data are carried out entirely in accordance with this Policy.

1.2. Scope

This Policy, which has been prepared in relation to the retention and destruction of personal data processed by the Company either through automated means or non-automated means provided that they form part of a data recording system, applies to all electronic and/or physical environments in which personal data are stored and destroyed. The Policy has been drafted by taking into account the LPPD, other applicable legislation relating to personal data, and international regulations and guiding documents in this field.

Personal data belonging to Company employees, employee candidates, customers, service providers, suppliers, business partners, visitors, and other third parties fall within the scope of this Policy. This Policy applies to all personal data recording environments owned and/or managed by the Company, as well as to all personal data processing activities carried out by the Company.

1.3. Abbreviations and Definitions

Recipient Group: Refers to the category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Means consent that is related to a specific subject, based on being informed, and declared with free will.
Anonymization: Refers to rendering personal data impossible to associate with an identified or identifiable natural person in any manner, even when matched with other data.
Employee: Employees of Boss Yönetişim Hizmetleri Anonim Şirketi.
Electronic Environment: Environments in which personal data can be created, read, modified, and written using electronic devices.
Non-Electronic Environment: All written, printed, visual, and similar environments other than electronic environments.
Service Provider: A natural or legal person that provides services to the Company within the scope of a specific contractual relationship.
Data Subject / Personal Data Owner: Natural persons whose personal data are processed. As understood from the definition of personal data, the protection provided by the Law applies only to natural persons, who are referred to as “data subjects.”
Authorized User: Refers to persons who process personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding the persons or units responsible solely for the technical storage, protection, and backup of data.
Destruction: Refers to the deletion, destruction, or anonymization of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Data Recording Environment: Refers to any environment in which personal data processed wholly or partially by automated means, or non-automated means provided that it is part of any data recording system, is stored.
Personal Data: Any information relating to an identified or identifiable natural person. Personal data includes all information that demonstrates the personal, professional, and familial characteristics of an individual, distinguishes that individual from others, and reveals their attributes. Such information includes, but is not limited to, a specific individual's identity, ethnic origin, physical characteristics, health, education, employment status, sexual life, family life, communications with others, residential address, credit card, personal opinions and beliefs, association and union memberships, and shopping habits.
Personal Data Processing Inventory: The inventory created by data controllers by associating the personal data processing activities carried out depending on their business processes with the purpose of processing personal data, the legal basis of processing, the data category, the recipient group to whom the data is transferred, and the group of data subjects; and detailing the maximum retention period required for the purposes for which personal data is processed, the personal data foreseen to be transferred abroad, and the measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data, fully or partially through automated means or non-automated means provided that they form part of a data recording system, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data.
Deletion of Personal Data: The process of rendering personal data inaccessible and irretrievable for authorized users.
Destruction of Personal Data: The process of rendering personal data inaccessible, irrevocable, and unusable by any person under any circumstances.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Special Categories of Personal Data: Personal data relating to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization of personal data, to be carried out ex officio at recurring intervals as specified in the personal data retention and destruction policy, in cases where all the conditions for processing personal data set out in the Law no longer apply.
Policy: The Personal Data Retention and Destruction Policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: A recording system in which personal data are processed by being structured according to specific criteria.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Controllers’ Registry Information System / VERBIS: The registry of data controllers maintained by the Personal Data Protection Authority.
Regulation: Refers to the Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017.

2. RESPONSIBILITIES AND DUTY DISTRIBUTION

All Company employees and the departments to which they report fall within the scope of this Policy with respect to personal data processing activities. They are responsible for properly implementing the technical, legal, and administrative measures foreseen under this Policy, increasing their awareness and training levels on data protection processes, and ensuring that personal data are not processed or accessed unlawfully. They are also responsible for ensuring that personal data are retained in compliance with the Law and for participating in periodic or random audits conducted for this purpose.

All actions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are retained for at least three (3) years, excluding other legal obligations.

The titles, departments, and responsibilities of those involved in the personal data retention and destruction processes are set out below:

Title | Department | Duty Description
Committee Chair (Legal Department, Attorney) | Legal Department | Responsible for the execution, publication, and updating of the Policy; ensuring the implementation of administrative measures; and reporting Committee decisions to Company Management.
Committee Member (Senior Management) | Senior Management | Responsible for providing and implementing the technical solutions and measures required for the implementation of the Policy, and ensuring overall compliance.
Committee Member (Corporate Standards & Development) | Corporate Standards & Development | Responsible for ensuring compliance with the relevant legislation.
Committee Member (Integrated Management System Team (EYSE), Business Development & Marketing) | Business Development & Marketing | Responsible for ensuring employee compliance with the Policy, conducting audits, and providing overall coordination.
Contact Person | VERBIS-Registered Contact Person | Responsible for establishing necessary communication with the Authority, managing data subject requests, and ensuring that the VERBIS registration is kept up to date.

3. RECORDING ENVIRONMENTS

Within the scope of the commercial and legal regulations and secondary legislation to which the Company is subject, personal data obtained during the conduct of its activities are stored in the following electronic and/or non-electronic environments:

Recording Environment

1. Electronic Recording Environments

1.1. Environmental and Local Systems

  • Databases
  • Central Servers
  • Cloud Environment
  • Log Management Platforms

1.2. Disaster Recovery System

  • Portable Devices
  • Cloud Environment

2. Non-Electronic Recording Environments

  • Paper-Based Environments
  • Folders
  • Document Cabinets

4. EXPLANATIONS REGARDING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

Personal data belonging to employees, employee candidates, customers, service providers, suppliers, business partners, visitors, and other third parties are retained and destroyed by the Company in accordance with the provisions of the Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data. Throughout all retention and destruction processes, the Company takes into account the legal regulations to which it is subject, secondary legislation, and the binding opinions and notifications of the Authority.

As a matter of Company policy, the Company aims to retain the most up-to-date personal data only for the shortest period necessary for the relevant processing period and to minimize the personal data stored to the greatest extent possible. However, as a data controller, the Company retains the personal data it processes for specific periods by considering its legal obligations within the framework of its data processing purposes and legal grounds.

In cases where longer-term archiving activities are carried out for public interest, statistical purposes, or other justified reasons, the Company takes all adequate and necessary technical and administrative measures by clearly explaining these reasons. In such cases, additional information regarding further measures to be taken for the specific situation shall be provided through a protocol, and this protocol shall be deemed an integral part of this Policy.

Detailed explanations regarding the retention and destruction of personal data are set out below in sequence.

4.1. Explanations Regarding Retention

Article 3 of the Law defines the concept of processing of personal data, while Article 4 stipulates that processing activities must be related, limited, and proportionate to the purpose for which the personal data are processed, and that personal data must be retained for the period prescribed in the relevant legislation or for the period required for the purpose of processing. Articles 5 and 6 set out the conditions for processing personal data.

4.1.1. Legal Grounds Requiring Retention

Personal data processed within the scope of the Company’s activities are retained for the period prescribed in the relevant legislation. In this context, personal data are retained based on the following legal grounds:

  • Law No. 6698 on the Protection of Personal Data
  • Turkish Code of Obligations (Law No. 6098)
  • Social Insurance and General Health Insurance Law (Law No. 5510)
  • Occupational Health and Safety Law (Law No. 6331)
  • Labor Law (Law No. 4857)
  • Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Their Annexes
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications
  • Other secondary legislation in force under the above-mentioned regulations and, without being limited to these, other legislative provisions that explicitly require retention
  • Cases where retention is directly related to the establishment or performance of contracts to which the Company is a party
  • Situations where retention is necessary for the Company to fulfill its legal obligations
  • Cases where the personal data have been made public by the data subject
  • Situations where processing is necessary for the establishment, exercise, or protection of a right
  • Cases where processing is necessary for the legitimate interests of the Company, provided that the fundamental rights and freedoms of the data subject are not harmed

4.1.2. Purposes Requiring Retention

Within the scope of the Company’s activities explained in detail above, personal data are processed solely for the following purposes:

  • Conducting Emergency Management Processes
  • Conducting Information Security Processes
  • Conducting Recruitment Processes for Employee Candidates / Interns / Students
  • Conducting Application Processes of Employee Candidates
  • Conducting Employee Satisfaction and Engagement Processes
  • Fulfilling Employment and Statutory Obligations for Employees
  • Conducting Processes Related to Employee Benefits and Entitlements
  • Conducting Audit / Ethical Compliance Activities
  • Conducting Training Activities
  • Managing Access Authorizations
  • Ensuring Compliance of Activities with Legislation
  • Conducting Finance and Accounting Operations
  • Ensuring Physical Space Security
  • Conducting Assignment Processes
  • Following and Managing Legal Affairs
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting / Supervising Business Activities
  • Conducting Occupational Health and Safety Activities
  • Receiving and Evaluating Suggestions for the Improvement of Business Processes
  • Conducting Logistics Operations
  • Conducting Procurement Processes for Goods / Services
  • Conducting Sales Processes for Goods / Services
  • Conducting Service Production and Operational Processes
  • Conducting Customer Relationship Management Processes
  • Conducting Marketing Analysis Activities
  • Conducting Performance Evaluation Processes
  • Conducting Risk Management Processes
  • Conducting Retention and Archiving Activities
  • Conducting Contract Management Processes
  • Tracking Requests / Complaints
  • Conducting Supply Chain Management Processes
  • Conducting Marketing Processes for Products / Services
  • Conducting Talent / Career Development Activities
  • Conducting Management Activities
  • Creating and Tracking Visitor Records
  • Fulfilling the burden of proof for potential legal disputes

4.2. Reasons Requiring Destruction

Personal data are deleted, destroyed, or anonymized by the Company, either upon the request of the data subject or ex officio, in the following situations:

  • Amendment or repeal of the relevant legislative provisions forming the basis for the processing of personal data;
  • Disappearance of the purpose requiring the processing or retention of personal data;
  • Loss of currency or accuracy of the processed personal data;
  • Withdrawal of explicit consent by the data subject in cases where the processing of personal data relied solely on explicit consent;
  • Acceptance by the Company of the data subject’s request for the deletion or destruction of personal data within the scope of Article 11 of the Law;
  • Rejection by the Company of the data subject’s request for deletion, destruction, or anonymization of personal data, or the data subject’s dissatisfaction with the response, or failure to respond within the statutory period; and subsequent approval of the data subject’s complaint by the Board;
  • Expiry of the retention period of the personal data and the absence of any condition justifying longer retention.

At the end of the period prescribed in the relevant legislation or required for the purpose of processing, personal data are destroyed by the Company ex officio and/or upon the data subject’s request, using the technical methods specified below.

4.3. Methods of Destruction of Personal Data

4.3.1. Deletion of Personal Data

Personal data processed by the Company are deleted using the methods described below:

Recording Environment | Description

a. Electronic Recording Environments (Environmental and Local Systems): Personal data stored in electronic recording environments are deleted when the retention period expires or when the purpose of processing no longer exists, in accordance with the Company’s data destruction policies. In this context:
  • Technical methods such as data deletion commands, encryption, cryptographic erasure, and remote deletion over the network are used.
  Practices are carried out in line with ISO 27001 controls A.8.10.2 and A.11.2.7, as well as Article 7 of the LPPD.

b. Non-Electronic Recording Environments: Personal data kept in physical environments that have reached the end of their retention period are rendered completely inaccessible and unusable for employees. In addition:
  • Black-out methods such as crossing out, smudging, painting over, or erasing the information to make it unreadable are applied.
  • Destruction through encryption may also be applied where applicable.

***The Company may use one or more of the deletion methods listed above. In case different storage environments are used, the Company may develop new deletion methods, use them in addition to existing methods, or apply deletion methods specifically determined for its customers.

4.3.2. Destruction of Personal Data

Personal data processed by the Company are destroyed as follows:

Recording Environment | Description

a. Electronic Recording Environments (Environmental and Local Systems):

Physical Destruction Method:
This involves the physical destruction of optical and magnetic media containing personal data, such as melting, incineration, pulverizing, or grinding the media using a metal shredder to make the data inaccessible.

Degaussing:
Data stored on magnetic media is destroyed by exposing the media to a strong magnetic field, which disrupts and renders the data unreadable and irrecoverable.

Overwriting:
Data on magnetic or rewritable optical media is overwritten at least seven times with random sequences of 0s and 1s to prevent recovery of the original data.

b. Non-Electronic Paper-Based Media: Personal data stored in paper format, for which the required retention period has expired, is destroyed using shredding machines in a way that makes it irretrievable.

***The Company may employ one or more of the destruction methods listed above. In the case of using different storage environments, new destruction methods may be developed. These new methods may be used in addition to or in replacement of the existing ones. The Company may also apply client-specific destruction methods where required.

4.3.3. Anonymization of Personal Data

Anonymization of personal data refers to rendering personal data impossible to associate with an identified or identifiable natural person in any manner, even when matched with other data.

In order for personal data to be considered anonymized, such data must be rendered non-attributable to any identified or identifiable natural person through techniques appropriate for the paper environment and the specific field of activity, such as preventing reversibility by the data controller or third parties and/or preventing re-identification through matching with other data. For an anonymization process to be deemed valid, the data must not be reversible or capable of enabling identification by either the data controller or third parties using appropriate techniques.

The Company may apply one or more of the anonymization methods listed below:

Lower and Upper Bound Coding / Global Coding: For a given variable, ranges are defined and categorized. If the variable does not contain numerical values, similar data points within the variable are categorized. Values falling within the same category are combined.
Regional Suppression: A method in which distinguishing information relating to exceptional data within a dataset containing anonymized grouped data is removed.
Removal of Variables: Removal of one or more direct identifiers contained within the personal data that may be used to identify the data subject.
Generalization: Combining personal data belonging to multiple individuals and removing distinguishing information so that the dataset becomes statistical in nature.
Micro-Aggregation: All records in the dataset are first sorted in a meaningful order, then divided into subgroups of a certain size. The average value of the chosen variable within each subgroup is calculated, and the subgroup’s value for that variable is replaced with the average. This distorts indirect identifiers and reduces the likelihood of associating the data with the data subject.
Data Shuffling and Perturbation: Direct or indirect identifiers within the personal data are mixed or altered with other values to break the connection with the data subject and remove identifiable characteristics.

When applying anonymization methods, the Company observes the following fundamental principles:

Principle Code | Principle Description
[UN1] Data environments used in anonymization practices are clearly defined. Only actively used environments are considered; unused or out-of-scope environments are removed from documentation.
[UN2] The risk of indirect identifiers becoming re-identifiable when combined in certain ways is taken into account. Advanced statistical methods are applied during anonymization to mitigate this risk.
[UN3] When the K-Anonymity method is insufficient, the L-Diversity principle is applied by ensuring diversity in sensitive attributes among groups with identical identifier combinations.
[UN4] When diversity is not adequate for protecting sensitive attributes, the T-Closeness method is used by ensuring that the distribution of sensitive values in the dataset is sufficiently close across groups, reducing inference-based identifiability risk.

The Company conducts continuous monitoring and improvement activities to maintain technical adequacy, ensure irreversibility, and maximize data security when applying the above anonymization methods.
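The Removal of Variables and Micro-Aggregation methods from the table above, followed by the K-Anonymity, L-Diversity and T-Closeness measurements behind principles [UN3] and [UN4], as an added worked example that is not the Company's own tooling. The seven sample records, their field names ("name", "age", "diagnosis") and the subgroup size of three are constructed for illustration.

```python
"""
Added illustrative code for the policy's anonymization section: it is not the
Company's implementation. Records and field names below are constructed.
"""
from collections import Counter
from statistics import mean

# Constructed sample: "name" is a direct identifier, "age" an indirect
# (quasi) identifier, "diagnosis" a special-category sensitive attribute.
RECORDS = [
    {"name": "A. Yilmaz", "age": 42, "diagnosis": "asthma"},
    {"name": "B. Demir", "age": 23, "diagnosis": "flu"},
    {"name": "C. Kaya", "age": 60, "diagnosis": "cold"},
    {"name": "D. Celik", "age": 27, "diagnosis": "cold"},
    {"name": "E. Sahin", "age": 40, "diagnosis": "flu"},
    {"name": "F. Arslan", "age": 25, "diagnosis": "flu"},
    {"name": "G. Koc", "age": 44, "diagnosis": "flu"},
]


def remove_direct_identifiers(records, direct_ids):
    """Removal of Variables: drop fields that identify a person on their own."""
    return [{k: v for k, v in r.items() if k not in direct_ids} for r in records]


def micro_aggregate(records, variable, group_size):
    """Micro-Aggregation as the policy describes it: sort by the variable,
    split into subgroups of group_size, and replace each subgroup's values
    with the subgroup mean. A short final subgroup is merged into the
    previous one so that no subgroup ends up smaller than group_size."""
    ordered = sorted(records, key=lambda r: r[variable])
    groups = [ordered[i:i + group_size] for i in range(0, len(ordered), group_size)]
    if len(groups) > 1 and len(groups[-1]) < group_size:
        groups[-2].extend(groups.pop())
    result = []
    for group in groups:
        avg = mean(r[variable] for r in group)
        result.extend({**r, variable: avg} for r in group)
    return result


def equivalence_classes(records, quasi_ids):
    """Group records that share the same combination of quasi-identifiers."""
    classes = {}
    for r in records:
        classes.setdefault(tuple(r[q] for q in quasi_ids), []).append(r)
    return classes


def k_anonymity(records, quasi_ids):
    """k = size of the smallest class: each person hides among at least k records."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(c) for c in classes.values()), default=0)


def l_diversity(records, quasi_ids, sensitive):
    """l = fewest distinct sensitive values found in any single class ([UN3])."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[sensitive] for r in c}) for c in classes.values()), default=0)


def t_closeness(records, quasi_ids, sensitive):
    """t = largest total-variation distance between a class's sensitive-value
    distribution and the whole dataset's ([UN4]); lower means less inference risk."""
    total = len(records)
    overall = Counter(r[sensitive] for r in records)
    worst = 0.0
    for c in equivalence_classes(records, quasi_ids).values():
        local = Counter(r[sensitive] for r in c)
        dist = 0.5 * sum(abs(local[v] / len(c) - overall[v] / total) for v in overall)
        worst = max(worst, dist)
    return worst


def anonymize(records, direct_ids, variable, group_size):
    """Pipeline: drop direct identifiers, then micro-aggregate the indirect one."""
    return micro_aggregate(remove_direct_identifiers(records, direct_ids), variable, group_size)


if __name__ == "__main__":
    anon = anonymize(RECORDS, {"name"}, "age", 3)
    print("k-anonymity before:", k_anonymity(RECORDS, ["age"]))      # 1
    print("k-anonymity after: ", k_anonymity(anon, ["age"]))         # 3
    print("l-diversity:       ", l_diversity(anon, ["age"], "diagnosis"))  # 2
    print("t-closeness:       ", round(t_closeness(anon, ["age"], "diagnosis"), 3))
```

On this sample the seven distinct ages collapse to two subgroup means, so every record shares its quasi-identifier with at least two others, while each subgroup still carries more than one diagnosis.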

5. RETENTION AND DESTRUCTION PERIODS AND METHOD

Without prejudice to cases where a longer period is prescribed under the Law, the relevant legislation or secondary regulations, or where a longer period is foreseen due to statutes of limitation, forfeiture periods, or other Legal Grounds Requiring Retention, personal data processed by the Company are retained using the methods and for the periods specified in the Retention and Destruction Table annexed to this Policy.

At the end of the applicable retention period, personal data are destroyed using the destruction methods indicated in the table (without being limited to the listed destruction methods, as the Company reserves the right to use different destruction methods). (See Annex-1: Retention and Destruction Table)

6. PERIODIC DESTRUCTION PERIOD

Within the scope of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the Company deletes, destroys, or anonymizes personal data ex officio at recurring intervals specified in this Personal Data Retention and Destruction Policy, when all conditions for processing personal data under the Law cease to exist. Periodic destruction processes are carried out once every six (6) months.

Personal data for which the purpose of processing no longer exists are destroyed in accordance with the procedures set out in this Policy. During this process, the data recorded in relevant systems—such as documents, files, CDs, diskettes, or hard disks—are deleted in a manner that prevents restoration and ensures irreversibility.

All transactions related to the deletion, destruction, and anonymization of personal data are recorded, and such records are retained for at least three (3) years, except for other legal obligations.

For the tracking of periodic destruction processes, the Company is obliged to register with the Data Controllers Registry (VERBIS) before beginning to process personal data and to take all administrative and technical measures throughout the process.

7. TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with the Law, it is essential for the Company to take structured, up-to-date, effective, and accountable technical and administrative measures to ensure the secure retention of personal data, to prevent unlawful processing and/or unauthorized access to personal data, and to carry out the Retention and Destruction Processes in compliance with this Policy.

The administrative measures applied by the Company are listed below:

  • Key management is implemented.
  • Security measures are applied within the scope of procurement, development, and maintenance of information technology systems.
  • Disciplinary regulations containing provisions on data security are in place for employees.
  • Periodic training and awareness activities on data security are provided to employees.
  • An authorization matrix has been established for employees.
  • Corporate policies regarding access, information security, use, retention, and destruction have been prepared and implemented.
  • Confidentiality undertakings are executed.
  • Data access privileges of employees who change duties or leave the Company are revoked.
  • Contracts executed by the Company include data security clauses.
  • Additional security measures are taken for personal data transferred via paper, and documents are sent in formats classified according to confidentiality levels.
  • Personal data security policies and procedures have been established.
  • Personal data security issues are reported promptly.
  • Monitoring of personal data security is carried out.
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.
  • The security of environments containing personal data is ensured.
  • Personal data are minimized to the greatest extent possible.
  • Personal data are backed up, and the security of backed-up data is ensured.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the security of special categories of personal data have been established and implemented.
  • Encryption is applied.
  • Awareness of data security is ensured among data processors and service providers.
  • The Four-Eyes Principle is applied in departments that conduct intensive personal data transfers.
  • A labeling system is used to classify data and determine retention periods.

The technical measures applied by the Company are as follows:

  • Network security and application security are ensured.
  • A closed system network is used for personal data transfers via network.
  • Key management is implemented.
  • Security measures are applied within the scope of procurement, development, and maintenance of information technology systems.
  • Security of personal data stored in cloud environments is ensured.
  • An authorization matrix has been established for employees.
  • Access logs are regularly kept.
  • Data access privileges of employees who change duties or leave the Company are revoked.
  • Data masking is applied when necessary.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Monitoring of personal data security is carried out.
  • The security of environments containing personal data is ensured.
  • Personal data are backed up, and the security of backed-up data is ensured.
  • A user account management and authorization control system is implemented and monitored.
  • Log records are kept in a way that prevents user intervention.
  • Current risks and threats have been identified.
  • Intrusion detection and prevention systems are used.
  • Penetration tests are performed.
  • Cybersecurity measures are taken and continuously monitored.
  • Encryption is applied.
  • Sending Company-held data to e-mail addresses other than corporate e-mail accounts is prevented.
  • Printer logs are kept.
  • USB ports of user computers are disabled for transferring data to portable storage media.
  • A labeling system is used to classify data and determine retention periods.
  • Secure encryption / cryptographic keys are used for special categories of personal data and are managed by separate units.
  • Special categories of personal data transmitted via e-mail are mandatorily encrypted and sent via KEP or corporate e-mail accounts.
  • Special categories of personal data transferred on portable media such as USB, CD, or DVD are encrypted.
  • Data loss prevention (DLP) software is used.

8. APPLICATIONS BY DATA SUBJECTS

Pursuant to Article 13 of the Law on the Protection of Personal Data and Article 12 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the data subject may apply to the Company with a written application in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” and request the deletion or destruction of their personal data.

  • a) If all conditions for processing personal data have ceased to exist, the data controller deletes, destroys, or anonymizes the personal data subject to the request. The data controller finalizes the request within thirty (30) days at the latest and informs the data subject.
  • b) If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party; and ensures that the necessary actions are taken by the third party within the scope of the Regulation.
  • c) If not all conditions for processing personal data have ceased to exist, the data controller may reject the request by explaining the justification. The rejection is notified to the data subject in writing or electronically within thirty (30) days.

The Company may reject the data subject’s request for deletion of personal data on the following grounds:

  • i. Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics.
  • ii. Processing personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that the processing does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, and does not constitute a crime.
  • iii. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
  • iv. Processing of personal data by judicial authorities or execution authorities within the scope of investigation, prosecution, trial, or execution procedures.
  • v. Processing of personal data where necessary for the prevention of crime or for criminal investigations.
  • vi. Processing of personal data made public by the data subject themselves.
  • vii. Processing of personal data within the scope of supervisory or regulatory duties carried out by public institutions and organizations, or professional organizations with public institution status, based on the powers granted by law, or where necessary for disciplinary investigations or proceedings.
  • viii. Processing of personal data where necessary for the protection of the State’s economic and financial interests in relation to budgetary, tax-related, or financial matters.
  • ix. Where the request of the data subject is likely to infringe upon the rights and freedoms of other persons.
  • x. Where the request requires disproportionate effort.
  • xi. Where the requested information is a publicly available piece of information.

9. PUBLICATION AND RETENTION

The Policy is published in two formats: a wet-ink signed (printed) version and an electronic version. The printed copy is retained in the files of the Information Technologies and Human Resources Departments.

10. UPDATE PERIOD

The Policy is reviewed annually and updated as necessary, and in any case once every six (6) months.

11. ENFORCEMENT

  • 11.1. This Policy is deemed to have entered into force on 10.11.2024. If a decision is made to abolish or amend the Policy, it shall be cancelled by a Board of Directors Resolution (by affixing a red “cancelled” stamp or marking as cancelled), and the new version shall be signed and may be published on the Company’s website at the Company’s discretion. The new version enters into force upon the Board of Directors' Resolution.
  • 11.2. This Policy shall enter into force upon being communicated to all employees and shall be binding on all business units, consultants, external service providers, and any person processing personal data as of its effective date.
  • 11.3. Monitoring whether employees comply with the requirements of this Policy shall be the responsibility of the supervisors of the relevant employees. In case of any violation of the Policy, the matter shall be immediately reported by the relevant employee supervisor to the next-level supervisor.
  • 11.4. If the violation is significant, the next-level supervisor shall promptly inform the Personal Data Protection Committee.
  • 11.5. Employees who violate the Policy shall be subject to necessary administrative action following an assessment to be carried out by the Human Resources Department.

12. CORPORATE GOVERNANCE WITHIN THE SCOPE OF PERSONAL DATA PROTECTION AND PROCESSING

A Personal Data Protection Committee (“Committee”) has been established within the Company to monitor and manage the actions necessary for ensuring compliance with Law No. 6698. The primary duties of the Committee are as follows:

  1. Submitting fundamental policies regarding the protection and processing of personal data, and any necessary amendments, to senior management for approval and ensuring their enactment;
  2. Deciding on the implementation and supervision of policies relating to the protection and processing of personal data, determining roles and responsibilities within the Company accordingly, and ensuring coordination;
  3. Identifying the actions required to ensure compliance with the Law and relevant legislation, submitting such actions to senior management for approval, and overseeing and coordinating their implementation;
  4. Increasing awareness within the Company and among the Company’s business partners regarding the protection and processing of personal data;
  5. Identifying risks that may arise in the Company’s personal data processing activities and ensuring the implementation of necessary measures; submitting improvement proposals to senior management;
  6. Monitoring relevant legislation concerning the protection of personal data and making updates to prepared documents and Policies;
  7. Designing training activities on the protection of personal data and the implementation of Policies, and providing such trainings following the necessary approvals;
  8. Establishing a mechanism to rapidly address applications submitted by data subjects and deciding on such applications;
  9. Coordinating information and training activities to ensure that data subjects are informed about personal data processing activities and their legal rights;
  10. Monitoring developments and regulations regarding the protection of personal data and advising senior management on necessary actions to ensure compliance with such developments and regulations;
  11. Coordinating relations with the Personal Data Protection Board and the Personal Data Protection Authority;
  12. Fulfilling any additional tasks regarding the protection of personal data assigned by senior management.

Annex-1 — RETENTION AND DESTRUCTION TABLE

Columns: Data Category | Processed Personal Data | Retention Period

  • Identity
    Processed personal data: Full name, Turkish ID number, date and place of birth, gender, nationality, information contained in identity card, driver’s license, passport and similar documents
    Retention period:
      1. 10 years following termination of the employment relationship
      2. 15 years within the scope of Occupational Health and Safety (OHS) legislation
  • Contact
    Processed personal data: E-mail address, phone number, full address, KEP address, other information relating to communication channels
    Retention period: 10 years following completion of the relevant business activity
  • Personnel / HR Records
    Processed personal data: Recruitment documents, CV, payroll and wage information, performance records, etc.
    Retention period:
      1. 10 years following completion of the relevant business activity
      2. Exclusively for services performed for terminated ADP clients: 13 months in live operational systems upon ADP’s request
  • Legal Transaction
    Processed personal data: Correspondence with judicial/administrative authorities, litigation files, notary notifications, official communication records, etc.
    Retention period:
      1. 10 years following completion of the relevant business activity
      2. For ADP-related services: 10 years following termination of the customer account
      3. If no dispute exists: 7 years following termination of the customer account (including KYC and similar forms)
  • Customer Transaction
    Processed personal data: Call center voice records, order information, customer requests, correspondence with customers, service development records, documents related to disputes, etc.
    Retention period:
      1. 10 years following completion of the relevant business activity
      2. Exclusively for terminated ADP clients: 13 months upon ADP’s request
      3. If no dispute exists: 7 years following termination of the customer account (including KYC and similar forms)
  • Physical Security (Visitors)
    Processed personal data: Visitor logs, card access records
    Retention period: 2 years
  • Physical Security (CCTV)
    Processed personal data: Security camera recordings
    Retention period: 1 year
  • Transaction Security
    Processed personal data: IP address, log data, login records, username/password, system login-logout times, etc.
    Retention period: 2 years
  • Finance
    Processed personal data: Bank account information, payment documents, expense forms, financial reports, etc.
    Retention period:
      1. 10 years following termination of the contract / business activity
      2. Exclusively for terminated ADP clients: 13 months upon ADP’s request
      3. If no dispute exists: 7 years following termination of the customer account (including KYC and similar forms)
  • Professional Experience
    Processed personal data: Diploma, certificates, training and seminar participation details, transcript
    Retention period: 10 years
  • Marketing
    Processed personal data: Cookie records
    Retention period: 2 years
  • Visual / Audio Records
    Processed personal data: Photographs, video recordings, audio call records
    Retention period: 10 years following completion of the relevant business activity
  • Health Data (Special Category)
    Processed personal data: Disability information, medical reports, OHS-related health reports, etc.
    Retention period:
      1. 15 years within the scope of OHS legislation
      2. 10 years following termination of the contract / business activity
      3. Exclusively for terminated ADP clients: 13 months upon ADP’s request
      4. If no dispute exists: 7 years following termination of the customer account (including KYC and similar forms)
  • Criminal Convictions & Security Measures (Special Category)
    Processed personal data: Criminal record information
    Retention period: 10 years following completion of the relevant business activity
  • Other Data — Signature
    Processed personal data: Signature samples obtained from official documents (e.g., signature circulars)
    Retention period: 10 years following completion of the relevant business activity
  • Risk Management
    Processed personal data: Correspondence, documents, audit reports relating to disputes or risk issues
    Retention period:
      1. 10 years following completion of the relevant business activity
      2. For ADP-related services: 10 years following termination of the customer account
      3. If no dispute exists: 7 years following termination of the customer account (including KYC and similar forms)
  • Location
    Processed personal data: Location information obtained through assigned company vehicles
    Retention period: 10 years following termination of employment
  • Other Data — Business Travel
    Processed personal data: Accommodation and travel information related to business trips
    Retention period: 10 years following termination of employment
  • Other Data — Military Status
    Processed personal data: Information regarding military status
    Retention period: 10 years following termination of employment