AY TEKS TEXTILE INDUSTRY AND FOREIGN TRADE LTD.
PERSONAL DATA
STORAGE and DISPOSAL POLICY
- PURPOSE
Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. (“Company”) has issued this Personal Data Storage and Destruction Policy (“Storage and Destruction Policy”) in order to regulate the technical and administrative protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”), and to regulate the implementation of the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”) published in the Official Gazette dated 28/10/2017 in case the conditions for processing personal data disappear.
- RECORDING MEDIA WHERE PERSONAL DATA ARE STORED
Personal data belonging to data subjects are securely stored by Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. in the environments listed below in accordance with the relevant legislation, especially the provisions of the Law:
Electronic media:
- E-Mail Box
- Microsoft Office Programs
Physical environments:
- Folders
- Archive
- EXPLANATIONS ON THE REASONS FOR RETENTION
The personal data belonging to the data subjects are collected by Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. for the following purposes:
- Sustainability of activities,
- Fulfillment of legal obligations,
- Planning and execution of employee rights and benefits,
- Ability to manage business relationships,
For these purposes, the data are stored securely in the aforementioned physical or electronic media within the limits specified in the Law and other relevant legislation.
Reasons for retention:
- Personal data being directly related to the establishment and performance of contracts,
- The use of personal data for the establishment, exercise or protection of a right,
- The Company having a legitimate interest, provided that the fundamental rights and freedoms of individuals are not harmed,
- The fulfillment of any legal obligation of the Company with respect to personal data,
- Legislation clearly stipulating the retention of personal data,
- The explicit consent of data subjects for storage activities that require their explicit consent.
Pursuant to the relevant regulation, in the cases listed below, the personal data of the data owners are deleted, destroyed or anonymized by Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. ex officio or upon request:
- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data,
- The purpose requiring the processing or storage of personal data disappears,
- The disappearance of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law.
- In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent,
- Acceptance by the data controller of the application made by the data subject for the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights under paragraphs 2 (e) and (f) of Article 11 of the Law,
- Where the data controller rejects the data subject's application for the deletion, destruction or anonymization of his/her personal data, gives a response that is found insufficient, or does not respond within the period stipulated in the Law, a complaint is filed with the Board and the request is approved by the Board,
- The maximum period for retaining personal data has elapsed and there are no circumstances that justify retaining the data for a longer period.
- MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope. Although all technical and administrative measures have been taken, in the event that the processed personal data is illegally obtained by third parties, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. informs the relevant units as soon as possible.
4.1 Technical Measures
- Network security and application security are ensured.
- Closed system network is used for personal data transfers through the network.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness raising activities on data security are carried out for employees at regular intervals.
- Authorization matrix has been created for employees.
- Access logs are kept regularly.
- Data masking measures are applied when necessary.
- Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
- Confidentiality commitments are made.
- Employees who are reassigned or leave their jobs have their authorizations in this area revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- The signed contracts contain data security provisions.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Personal data is backed up and the security of backed up personal data is also ensured.
- User account management and authorization control system is in place, and these are monitored and audited.
- Internal periodic and/or random audits are conducted and commissioned.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of sensitive personal data have been determined and implemented.
- If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP (registered electronic mail) or corporate mail account.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is performed.
- Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
- Data processing service providers are periodically audited on data security.
- Awareness of data processing service providers on data security is ensured.
- Data loss prevention software is used.
4.2 Administrative Measures
- Personnel are informed and trained on the technical measures to be taken to prevent unlawful access to personal data.
- Personal data access and authorization processes are designed and implemented within Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. in accordance with the legal compliance requirements for processing personal data on a business unit basis. In limiting access, whether the data is of special nature and the degree of importance are also taken into account.
- Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. has added clauses to all documents that contain personal data and regulate the relationship between Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. and its personnel. These clauses state that the obligations stipulated by the Law must be complied with in order to process personal data lawfully, that personal data must not be disclosed or used unlawfully, and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti.
- Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation will continue after their resignation and necessary commitments are obtained from them in this direction.
- In the contracts concluded by Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. with the persons to whom personal data are transferred in accordance with the law; provisions are added that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
- In the event that the processed personal data is obtained by others through unlawful means, the Company shall notify the relevant person and the Board as soon as possible.
- When necessary, the Company employs personnel who are knowledgeable and experienced in the processing of personal data and provides training to its personnel within the scope of personal data protection legislation and data security.
- Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. conducts the necessary audits, or has them carried out, in order to ensure the implementation of the provisions of the Law. It eliminates the confidentiality and security weaknesses that arise as a result of the audits.
- MEASURES TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA
Although the personal data have been processed in accordance with the provisions of the relevant law, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. may delete or destroy personal data, based on its own decision or upon the request of the personal data owner, if the reasons requiring their processing disappear. Following the deletion of personal data, the relevant persons will not be able to access and use the deleted data again in any way. An effective data tracking process will be managed by the Company to define and monitor the destruction processes of personal data. The process consists of identifying the data to be deleted, identifying the relevant persons, identifying those persons' access methods, and deleting the data immediately afterwards.
Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. may use one or more of the following methods to destroy, delete or anonymize personal data, depending on the medium in which the data is recorded:
- Methods for Deletion, Destruction and Anonymization of Personal Data
- Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. As a method of deleting personal data, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. may use one or more of the following methods:
- Personal data on paper media will be obscured using the blackout method, by striking through, painting over, cutting out or erasing.
- The access right(s) of the user(s) for office files in the central file will be eliminated.
- The rows or columns containing personal information in the databases will be deleted with the ‘Delete’ command.
When necessary, the data will be securely deleted with the help of an expert.
- Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way by the following methods.
- Physical Destruction (by burning)
- Destruction with Paper Shredder
- De-magnetization: The method of passing magnetic media through special devices that expose it to high magnetic fields, corrupting the data on it so that it becomes unreadable.
- Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. may use one or more of the following methods to anonymize personal data:
- Masking: Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.
- Record Removal: In the record removal method, the stored data is anonymized by removing from the records any row of data that is singular within the data set.
In accordance with Article 28 of the Law; anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and the explicit consent of the personal data owner will not be sought.
Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. may take an ex officio decision regarding the deletion, destruction or anonymization of personal data and may freely determine the method to be used according to the category it has chosen. In addition, within the scope of Article 13 of the Regulation, if the person concerned chooses one of the categories of deletion, destruction or anonymization of his/her personal data during the application, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. will be free to choose the methods to be used in the relevant category.
- PERSONAL DATA STORAGE AND DESTRUCTION PERIODS
Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. stores personal data for the periods specified in Annex-1 for the purpose for which they are processed. If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period is complied with. In the absence of a period stipulated in the legislation, personal data will be kept for the maximum period for keeping personal data in the table in Annex-1. These periods have been determined by evaluating the data categories and data owner groups of Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti., so as to ensure the fulfillment of the obligations in the laws and taking into account the maximum period of limitation (10 years) in the Turkish Code of Obligations.
In the event that the obligation to delete, destroy or anonymize arises due to the expiration of these periods, Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. deletes, destroys or anonymizes personal data in the first periodic destruction process following this date.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least three years, excluding other legal obligations.
- PERIODIC DESTRUCTION PERIODS
Pursuant to Article 11 of the Regulation, the periodic destruction period is set as 6 months. Accordingly, periodic destruction is carried out in June and December every year. In the systems in question, the information will be deleted from the media on which the data is saved, such as documents, files, USBs, CDs, floppy disks and hard disks, if any, in a way that cannot be recovered.
- STAFF
Within the scope of the Law, the titles, units and job descriptions of the personnel who will fulfil the obligations of Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti., as the data controller, regarding the implementation of the data retention and destruction process are determined, based on paragraph 1 of Article 11 of the Regulation, in the table in Annex-2 of the Retention and Destruction Policy.
These persons, whose limits of authority are determined, are responsible for the transactions and actions that take place within their limits of authority within the scope of the Turkish Commercial Code, the Code of Obligations and the Turkish Criminal Code. Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. is authorized to represent and testify in law enforcement, prosecution offices, public institutions and courts. The Chairman of the Personal Data Protection Committee has been elected. Each responsible department will be obliged to supervise whether the relevant users in the departments act in accordance with the Retention and Destruction Policy and Personal Data Policy prepared within the framework of the Law and Regulation. All department heads shall report the transactions carried out in accordance with this Storage and Destruction Policy during the specified periodic destruction periods to the Chairman of the Personal Data Protection Committee of Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti. The decision resulting from the work done on these reports will be put into practice.
- REVISION AND REPEAL
In case the Retention and Disposal Policy is amended or repealed, the new regulation will be announced on the website of Ay Teks Tekstil Sanayi ve Dış Ticaret Ltd. Şti.
- EFFECTIVENESS
This Retention and Disposal Policy enters into force on the date of its publication.
APPENDICES
Annex 1- Data Retention and Destruction Periods
Annex 2- Table of Personnel in Charge of Personal Data Storage and Destruction
Annex 3- Internal Directive of the Personal Data Protection Committee
Annex 1- Data Retention and Destruction Periods
Data Category | Storage Period | Destruction Period |
Identity | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Contact | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Location | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Personnel | 10 years from the end of employment | At the first periodic destruction following the end of the storage period |
Legal Action | 5 years from the finalization of the judgment | At the first periodic destruction following the end of the storage period |
| 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Customer Transaction | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Physical Space Security | 7-30 days | At the first periodic destruction following the end of the storage period |
Process Security | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Risk Management | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Finance | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Professional Experience | 10 years from the end of employment | At the first periodic destruction following the end of the storage period |
Marketing | 10 years from the end of employment | At the first periodic destruction following the end of the storage period |
Audio and Visual Recordings | 10 years from the date of the transaction or termination of the legal relationship | At the first periodic destruction following the end of the storage period |
Criminal Conviction and Security Measures | 10 years from the end of employment | At the first periodic destruction following the end of the storage period |
Family Information | 10 Years | At the first periodic destruction following the end of the storage period |
Operation Data | 10 Years | At the first periodic destruction following the end of the storage period |
Website Usage Data | 2 Years | At the first periodic destruction following the end of the storage period |
Request/Complaint Management Information | 2 Years | At the first periodic destruction following the end of the storage period |
Reputation Management Information | 10 Years | At the first periodic destruction following the end of the storage period |
Incident Management Information | 2 Years | At the first periodic destruction following the end of the storage period |
Signatures | 10 Years | At the first periodic destruction following the end of the storage period |
Insurance Information | 10 years from the end of employment | At the first periodic destruction following the end of the storage period |
Vehicle Information | 10 Years | At the first periodic destruction following the end of the storage period |
Compliance Information | 10 Years | At the first periodic destruction following the end of the storage period |
Audit and Inspection | 10 Years | At the first periodic destruction following the end of the storage period |
Foreign Residence Permit Information | 10 years from the end of employment and/or legal relationship | At the first periodic destruction following the end of the storage period |
Annex 2- Table of Personnel in Charge of Personal Data Storage and Destruction
Staff | Duty | Responsibility |
Personnel Officer | Responsible for implementation | Ensuring that the processes within the scope of the duty comply with the retention period, and managing the personal data destruction process in accordance with the periodic destruction period |
Administrative and Financial Affairs Officer | Responsible for implementation | Ensuring that the processes within the scope of the duty comply with the retention period, and managing the personal data destruction process in accordance with the periodic destruction period |