Personal Data Destruction Policy

The data controller Güncel Öztürk stores and destroys your personal data in accordance with the general principles and regulations specified in this Personal Data Retention and Destruction Policy, prepared in compliance with the Constitution, the Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and other relevant legislation.

With this Policy, the Company aims to establish the general principles and guidelines regarding the retention and destruction of personal data of natural persons processed within the scope of the Law, as well as to fulfill the obligations imposed by the relevant legislation.

Explicit Consent: Consent that is related to a specific matter, based on information, and expressed with free will.

Recipient Group: The category of natural or legal persons to whom personal data are transferred by the data controller.

Anonymization: The process by which personal data are rendered impossible to associate with an identified or identifiable natural person, even by matching them with other data.

Relevant User: Persons who process personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding those responsible solely for the technical storage, protection, and backup of data.

Destruction: The process of deleting, destroying, or anonymizing personal data.

Personal Data: All information relating to an identified or identifiable natural person (e.g., name, surname, national ID number, e-mail address, residence address, date of birth, credit card number, or bank account number).

Data Subject: The natural person whose personal data are processed.

Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or non-automated as part of a data recording system, such as obtaining, recording, storing, retaining, modifying, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing their use.

Special Categories of Personal Data: Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.

Periodic Destruction: The deletion, destruction, or anonymization of personal data carried out ex officio at recurring intervals, as specified in this Policy, when all conditions for processing personal data under the Law have ceased to exist.

DATA STORAGE ENVIRONMENTS REGULATED BY THIS POLICY

Data processing activities conducted within the scope of the Law cover all personal data. In addition, both physical and digital copies of the documents referred to in this Policy fall within this scope.

The Company stores all personal data processed within the scope of the Law, whether fully or partially automated, or non-automated as part of a data recording system, in the following environments:

• Company computers and e-mail accounts
• Desktop computers and mobile devices assigned to employees
• Backup areas and servers
• Physical files, folders, and visitor logs kept in printed form
• Portable storage media (CDs, DVDs, USB drives, external hard disks, etc.)
• Office equipment such as printers, photocopiers, and similar devices

REASONS REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

The following principles are fundamental in all personal data processing activities:

• Compliance with the law and the principle of good faith,
• Ensuring that personal data are accurate and, where necessary, kept up to date,
• Processing for specific, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purpose for which they are processed,
• Retaining data only for the period prescribed in the relevant legislation or required for the purpose of processing.

Our Company retains and uses personal data based on the purposes of personal data processing and the processing conditions set forth in Articles 5 and 6 of the Law on the Protection of Personal Data. Once all these conditions cease to exist, personal data are destroyed ex officio or upon the request of the data subject.

Existence of Explicit Consent of the Data Subject: One of the legal bases for processing personal data is the explicit consent of the data subject.

Explicit Provision in Laws: Personal data may be processed without the data subject’s explicit consent if explicitly permitted by law.

Inability to Obtain Consent Due to Actual Impossibility: Where it is impossible to obtain consent due to physical or legal incapacity, personal data may be processed if it is necessary to protect the life or physical integrity of the data subject or another person.

Relevance to the Establishment or Performance of a Contract: Personal data may be processed if it is necessary for the establishment or execution of a contract to which the data subject is a party.

Legal Obligation: Personal data may be processed if required for the Company to fulfill its legal obligations.

Public Disclosure by the Data Subject: Personal data made public by the data subject may be processed to the extent of their public disclosure.

Necessity for the Establishment or Protection of a Right: Personal data may be processed if it is necessary for the establishment, exercise, or protection of a legal right.

Legitimate Interest of the Company: Personal data may be processed for the legitimate interests of the Company, provided that such processing does not violate the fundamental rights and freedoms of the data subject.

DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

Personal data are deleted, destroyed, or anonymized by the Company — either upon the data subject’s request or ex officio — in cases where the legal provisions forming the basis for their processing have been amended or repealed, when the purpose requiring their processing or retention has ceased to exist, when processing is based solely on explicit consent and such consent is withdrawn by the data subject, when the maximum period requiring retention has expired, or when no legitimate reason remains to justify longer storage of the data.

Unless otherwise decided by the Personal Data Protection Authority, our Company selects the most appropriate method among deletion, destruction, or anonymization of personal data, considering available technological capabilities and implementation costs.

Upon request by the data subject, the Company provides justification for the chosen method. All necessary technical and administrative measures are taken in the execution of these processes.

TECHNICAL AND ADMINISTRATIVE MEASURES

Pursuant to Article 12 of the Law on the Protection of Personal Data and the relevant provisions of the Regulation, as well as the general principles outlined above, this Policy, and the decisions of the Personal Data Protection Authority, our Company implements the necessary technical and administrative measures in accordance with technological possibilities and the cost of implementation, as detailed below:

• Required software and hardware have been determined. Strong passwords are used on all computers and e-mail accounts.
• Personnel have been trained on the importance of protecting customer information, and their obligations have been formally documented in their employment contracts (Confidentiality Agreements). This obligation continues even after their employment ends.
• An appropriate infrastructure has been established to ensure data backup.
• Employees who are authorized to access data have been clearly identified.
• Customer files and information are disclosed only to the concerned individuals, their authorized representatives (with written consent), relevant public institutions and organizations within the framework of legislation, and judicial authorities in legal cases.
• Before starting any personal data processing activity, the obligation to inform data subjects is fulfilled in accordance with the law.
• A personal data processing inventory has been prepared.

RETENTION AND DESTRUCTION PERIODS

Our Company retains personal data only for the period required by the legislation it is subject to, or as long as necessary for the purpose for which they are processed. Once these periods expire, personal data are destroyed.

If a data subject applies to the Company requesting the destruction of their personal data:

• If all conditions for processing personal data have ceased to exist: The Company finalizes the data subject’s request within 30 days at the latest, informs the data subject of the result, and if the relevant data have been transferred to third parties, notifies those parties to ensure that necessary actions are taken accordingly.
• If not all conditions for processing personal data have ceased to exist: The Company may reject the request by providing justification, pursuant to Article 13(3) of the Law on the Protection of Personal Data, and informs the data subject of this decision in writing or electronically within 30 days.

PERIODIC DESTRUCTION PERIODS

Personal data are destroyed during the first periodic destruction process following the date when the obligation to destroy them arises.

Accordingly, if the obligation to destroy personal data arises, such destruction is carried out in six-month intervals on a recurring basis.