Policies

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1. Purpose and Scope

This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Internative Yazılım Anonim Şirketi (“Company”) in its capacity as data controller, in order to fulfill our obligations under the Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 (“Regulation”), and to inform data subjects regarding the principles for determining the maximum retention period necessary for the purposes for which personal data are processed, as well as the processes of deletion, destruction and anonymization.

Within the scope of this Policy, data subjects whose personal data are processed, whether fully or partially automated or by non-automated means provided that it forms part of a data recording system, include customers, prospective customers, job candidates, employees, company shareholders, company officials, visitors, business partners, suppliers, employees/shareholders/officials of persons and companies with whom cooperation is established, and third parties.

This Policy applies to all activities carried out by our Company concerning the processing and protection of personal data in all environments where personal data are processed and in all processes related to these.

2. Definitions

Explicit Consent

Consent that is based on information and declared with free will in relation to a specific subject.

Obligation to Inform (Information Notice)

The obligation of the data controller or the person authorized by the data controller to inform the data subjects, at the time personal data are obtained, about the identity of the data controller and, if any, its representative, the purposes for which the personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal grounds for collecting personal data, and the other rights listed under Article 11 of the Law.

Relevant User

Persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the persons or units responsible only for the technical storage, protection and backup of the data.

Destruction

Deletion, destruction or anonymization of personal data.

Law

The Personal Data Protection Law No. 6698.

Recording Medium

Any environment in which personal data are processed by fully or partially automated means or by non-automated means provided that it forms part of a data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing of Personal Data

Any operation performed on personal data by fully or partially automated means or by non-automated means provided that it forms part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use of such data.

Anonymization of Personal Data

Rendering personal data impossible to be associated with an identified or identifiable natural person in any way, even by matching them with other data.

Deletion of Personal Data

Making personal data inaccessible and unusable in any way for Relevant Users.

Destruction of Personal Data

Making personal data inaccessible, irretrievable and unusable in any way for anyone.

Board

The Personal Data Protection Board.

Special Categories of Personal Data

Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction

The deletion, destruction, or anonymization of personal data to be carried out ex officio at recurring intervals, as specified in the personal data retention and destruction policy, in the event that all of the conditions for processing personal data set forth in the Law no longer apply.

Data Subject / Related Person

The natural person whose personal data are processed.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller

A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation

The Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017.

3. Principles Regarding the Processing of Personal Data

Personal data collected by the Company are processed in accordance with the relevant provisions of the Law:

• lawfully and in conformity with the rules of good faith,

• accurately and, where necessary, kept up to date,

• for specified, explicit and legitimate purposes,

• in a manner that is relevant, limited and proportionate to the purposes for which they are processed,

• and are retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed, and for the periods determined by the Company under this Policy.

Explicit consent is obtained from the Data Subject for the personal data processed by the Company, where required. However, in the cases listed below under Article 5 of the Law, personal data may be processed without the explicit consent of the Data Subject:

• Where it is expressly provided for by laws,

• Where it is necessary to protect the life or physical integrity of the person who is unable to express his/her consent due to actual impossibility or whose consent is not deemed legally valid, or of another person,

• Where it is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,

• Where it is necessary for the data controller to fulfill its legal obligations,

• Where the personal data have been made public by the data subject,

• Where data processing is necessary for the establishment, exercise or protection of a right,

Where data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The Company records all operations related to the deletion, destruction and anonymization of personal data and retains these records for a minimum of 3 years, without prejudice to other legal obligations.

Unless the Board decides otherwise, the Company selects the appropriate method of deletion, destruction or anonymization of personal data ex officio. However, upon the request of the Data Subject, the appropriate method will be selected and the justification for such choice will be explained.

If all conditions for processing personal data cease to exist, the Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data subject. If the Data Subject applies to the Company in this regard, the request is finalized within 30 (thirty) days at the latest and the data subject is informed. If the data concerned have been transferred to third parties, this situation is also notified to these third parties.

4. Recording Media

Personal data processed by the Company are stored in the following recording media:

Electronic Media

• Servers (domain, backup, e-mail, database, web),

• Software (office software, Holicon, etc.),

• Information security devices (firewalls, antivirus, etc.),

• Personal computers (desktop, laptop),

• Mobile devices (phone, tablet, etc.),

• Optical media (CD, DVD, etc.),

• Removable media (USB, memory cards, etc.).

Physical Media

• Paper (written, printed, visual materials),

• Archive files.

5. Purposes of Retaining Personal Data

Personal data processed by the Company are retained for the following purposes:

• Conducting company activities and cases where data processing is necessary for business operations,

• Fulfilling legal obligations in line with requirements of legal regulations,

• Performing work and transactions arising from executed contracts and protocols,

• Ensuring corporate communication, corporate security, and carrying out sales and marketing activities,

• Establishing and maintaining communication with natural/legal persons in a business relationship with the Company and providing necessary information,

• Providing evidence in potential future legal disputes and fulfilling the burden of proof,

• Conducting statistical studies.

6. Reasons for Destruction of Personal Data

The Company destroys the personal data it processes in the presence of the following circumstances:

• Amendment or repeal of provisions in the relevant legislation which constitute the basis for processing,

• Disappearance of the purpose requiring the processing or storage of personal data,

• Withdrawal of explicit consent in cases where personal data are processed solely on the basis of explicit consent,

• Acceptance by the Company of the data subject’s request for deletion or destruction of his/her personal data within the scope of Article 11 of the Law,

• If the Company rejects the data subject’s request for deletion, destruction or anonymization of personal data, finds the response inadequate, or fails to respond within the period stipulated by the Law; and the data subject files a complaint before the Authority and the Authority decides in favor of the data subject,

• Expiration of the maximum retention period for personal data and the absence of any conditions that would justify further retention.

7. Technical and Administrative Measures

In order to ensure the secure storage of personal data, to prevent unlawful processing and access, and to ensure that personal data are destroyed in accordance with the Law, the Company takes the following technical and administrative measures within the framework of Article 12 of the Law and the sufficient measures determined and announced by the Board under paragraph 4 of Article 6 for special categories of personal data.

a. Technical Measures

Necessary internal controls are carried out within the existing systems.

Penetration tests are regularly performed or commissioned when needed, to identify system vulnerabilities and to detect risks, threats, weaknesses and vulnerabilities concerning information systems, and necessary measures are taken.

Through information security incident management and real-time analysis, risks and threats that may affect the continuity of information systems are continuously monitored.

Necessary measures are taken for the physical security of the Company’s IT hardware, software and data.

To ensure information systems security against environmental threats, hardware (physical security of edge switches constituting the local area network, fire suppression systems, climate control systems, etc.) and software measures (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) are taken.

Risks related to unlawful processing of personal data are identified, appropriate technical measures are implemented, and technical controls are performed.

Access to storage areas containing personal data is logged and irregular access attempts are monitored.

Necessary measures are taken to ensure that deleted personal data are not accessible or reusable by relevant users.

Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.

Strong passwords are used in electronic environments where personal data are processed.

Secure logging systems are used in electronic environments where personal data are processed.

Data backup software is used to ensure the secure storage of personal data.

Access to personal data stored electronically or physically is restricted according to access principles.

b. Administrative Measures

Access to stored personal data within the Company is restricted to personnel who need such access within the scope of their job description. Necessary agreements and protocols regarding data security are concluded with such personnel.

Personnel who are knowledgeable and experienced in the processing of personal data are employed; relevant trainings are provided to employees on personal data protection legislation and data security.

Necessary audits are carried out or commissioned to ensure the implementation of the provisions of the Law. Confidentiality and security vulnerabilities identified as a result of audits are remedied.

Under Article 6 of the Law, personal data that may cause victimization or discrimination if unlawfully processed are defined as “special categories of personal data”. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Company takes the necessary measures to protect special categories of personal data that are lawfully processed. Additional care is taken for special categories of personal data within the technical and administrative measures adopted for the protection of personal data.

8. Deletion, Destruction and Anonymization of Personal Data

a. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and unusable in any way for Relevant Users. Deletion methods vary depending on the recording medium, as follows:

• Personal data stored in cloud systems are deleted by issuing a delete command in a manner that does not allow restoration.

• Personal data on paper are deleted by using a masking/blackout method. This is done by crossing out, painting over or otherwise rendering the information illegible.

• Personal data contained in office files on central servers are deleted using the delete command of the operating system or by removing access rights to the directory where the file is located.

• Personal data on portable media are stored in encrypted form and deleted using appropriate software. If personal data are stored in databases, the relevant rows are deleted using database commands.

b. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable in any way. Destruction methods by recording medium include:

• Personal data in local systems are destroyed by one of the methods such as de-magnetization, overwriting, or physical destruction.

• Network devices (whose storage media are fixed) are destroyed by one or more of de-magnetization, physical destruction or overwriting methods, as they often do not have a dedicated destruction command.

• Flash-based units (with ATA, SATA, PATA, SCSI, etc.) are destroyed by using the relevant command if supported, or by implementing the destruction method recommended by the manufacturer, or by one or more of de-magnetization, physical destruction or overwriting methods.

• Data stored on units such as magnetic disks are destroyed by exposing them to very strong magnetic fields to de-magnetize them or by physical destruction methods such as burning or melting.

• Data stored in mobile smart phones’ fixed memory areas are destroyed by one or more of de-magnetization, physical destruction or overwriting methods, as many such devices have a delete command but not a specific “destroy” command.

• Optical media are destroyed by physical methods such as burning, shredding or melting.

• For peripheral devices with removable media (such as printers with memory, fingerprint door access systems), all storage media are removed and destroyed by one or more of de-magnetization, physical destruction or overwriting methods.

• For peripheral devices with non-removable media, one or more of de-magnetization, physical destruction or overwriting methods are used.

• Personal data on paper are destroyed by physically destroying the medium itself. The paper is shredded or otherwise rendered illegible (preferably both horizontally and vertically) into very small pieces that cannot be reassembled.

• Personal data originally in paper form that have been scanned into electronic format are destroyed by one or more of de-magnetization, physical destruction or overwriting methods, depending on the electronic medium.

• Personal data in cloud environments are encrypted with cryptographic methods during storage and use, and separate encryption keys are used for each cloud solution where possible. When the cloud computing service relationship ends, all copies of the encryption keys needed to make the personal data usable are destroyed.

c. Anonymization of Personal Data

Anonymization of personal data is rendering personal data impossible to associate with an identified or identifiable natural person, even if matched with other data.

For personal data to be considered anonymized, it must no longer be possible to associate such data with an identified or identifiable natural person, by the data controller or any third party, even through the use of methods and techniques appropriate to the recording medium and related field of activity, such as reversing the process or matching with other data.

9. Retention and Destruction Periods

Personal data processed by the Company are retained for the periods specified below and, upon expiry, will be anonymized or destroyed.

Process / Data Type Retention Period Destruction Period

Data retained under Labour Law (e.g., performance records, etc.) 5 years following termination of employment Within 180 days following the end of the retention period

Data collected under occupational health and safety legislation (e.g., health reports, etc.) 15 years following termination of employment Within 180 days following the end of the retention period

Data retained under Social Security legislation 10 years following termination of employment Within 180 days following the end of the retention period

Documents that may be used in claims/lawsuits related to work accidents/occupational diseases 10 years following termination of employment Within 180 days following the end of the retention period

Data collected under other relevant legislation As long as required by the relevant legislation Within 180 days following the end of the retention period

Personal data relating to an offence under the Turkish Criminal Code or other criminal provisions For the statute of limitations period Within 180 days following the end of the retention period

Customer data 10 years following the date of recording Within 180 days following the end of the retention period

Data relating to system users As long as the user account is active Within 180 days following deletion of the user account

Data relating to job candidates 2 years following the date of recording Within 180 days following the end of the retention period

This Personal Data Retention and Destruction Policy may be amended without prior notice due to legislative changes, new case law, court decisions, or other reasons. Therefore, we recommend that this document be reviewed periodically.