Personal Data Storage, Privacy and Destruction Policy

Purpose

This Policy has been prepared by Optdcom Teknoloji Yatırım Anonim Şirketi (“Company”), as the data controller, in accordance with the Personal Data Protection Law No. 6698, to determine the procedures and principles regarding the processing and protection of personal data, as well as the deletion, destruction, and anonymization of processed personal data, in compliance with the legal legislation underlying this Policy.

Scope

This Policy covers the processing of personal data by the Company, either fully or partially through automatic means, or through non-automatic means provided that it is part of a data recording system. It applies to the representatives and employees of the Company’s customers, Company employees, employee candidates, managers, third parties with whom the Company collaborates, as well as their employees, managers, and other third parties.

The entirety of this Policy may apply to the personal data owners mentioned above, or only certain provisions may be applied.

Legal Basis

This Policy has been prepared based on the Personal Data Protection Law No. 6698, the Regulation on Data Controllers Registry No. 30286, and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data No. 30224.

In case of any differences between this Policy and the applicable legislation regarding the processing, protection, and destruction of personal data, the provisions of the legislation shall prevail.

Definitions

For the purposes of this Policy:

  1. a) Recipient group: Refers to the category of natural or legal persons to whom personal data is transferred by the data controller.
  2. b) Relevant User: Refers to individuals who process personal data within the organization responsible for the technical storage and protection of the data, or individuals authorized and instructed by the data controller.
  3. c) Destruction: Refers to the deletion, destruction, or anonymization of personal data.

ç) Law: Refers to the Personal Data Protection Law No. 6698, dated March 24, 2016.

  1. d) Recording medium: Refers to any medium where personal data processed by fully or partially automated means, or non-automated means as part of a data recording system, is stored.
  2. e) Personal data: Refers to any information related to an identified or identifiable natural person.
  3. f) Personal data owner: Refers to the natural person whose personal data is processed.
  4. g) Anonymization of personal data: Refers to rendering personal data impossible to associate with an identified or identifiable natural person, even by matching it with other data.

ğ) Processing of personal data: Refers to any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, through fully or partially automated means, or non-automated means provided that it is part of a data recording system.

  1. h) Deletion of personal data: The process of making personal data inaccessible and unusable by relevant users in any way.

ı) Destruction of personal data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.

  1. i) Board: Refers to the Personal Data Protection Board.
  2. j) Authority: Refers to the Personal Data Protection Authority.
  3. k) Logging: The process of analyzing, collecting, merging, storing in its original form, analyzing as text, and presenting event logs generated by IT systems covering all critical networks and devices according to predetermined rules, in order to obtain evidence and indications of potential attacks. It helps to gather important information such as when and through which channels the attack was carried out, which protocols were used, and where the attack originated.
  4. l) Sensitive personal data: Data related to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
  5. m) Periodic destruction: The process of deleting, destroying, or anonymizing personal data at recurring intervals specified in the personal data storage and destruction policy, when all conditions for processing personal data outlined in the law no longer exist.
  6. n) Policy: Refers to this Personal Data Storage, Privacy, and Destruction Policy, which the Company, accepted as a data controller under the Law, uses as a basis for determining the maximum retention period of personal data and for the deletion, destruction, and anonymization of data.
  7. o) Company: Refers to the company with the commercial name Optdcom Teknoloji Yatırım Anonim Şirketi.

ö) Data processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

  1. p) Data recording system: Refers to the recording system where personal data is processed according to specific criteria.
  2. r) Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.

Definitions not included in this Policy shall be interpreted according to the definitions in the Law.

Personal Data Recording Environments

Personal data belonging to data subjects is securely stored by the Company in the environments listed in the table below, in accordance with the provisions of the Law on the Protection of Personal Data (KVKK) and other relevant legislation, as well as in line with international data security principles:

  1. a) Technical recording environments:
  2. Computers and servers registered in the name of the Company,
  3. Network devices,
  4. Shared/non-shared disk drives used for data storage over the network.
  5. Cloud systems,
  6. Mobile phones and all storage areas within them,
  7. Flash drives,
  8. b) Non-technical data recording environments:
  9. Paper,
  10. Cabinets,

General Principles for the Storage and Destruction of Personal Data

The following principles will apply to the storage and destruction of personal data:

  1. a) The Company shall comply with the general principles specified in Article 4 of the Law.
  2. b) The Company acknowledges that preparing this Policy alone does not mean that personal data is automatically deleted, destroyed, or anonymized in compliance with the legislation.
  3. c) The Company shall take the security measures specified in Article 12 of the Law, the provisions of the relevant legislation, the Board’s decisions, and this Policy while storing, deleting, destroying, or anonymizing personal data.

ç) The Company shall ensure compliance with this Policy, as well as the tools, programs, and processes to be applied under this Policy during the deletion, destruction, or anonymization of personal data processed by automatic means, partially or wholly, or by non-automatic means provided that it is part of a data recording system.

  1. d) The Company shall record all operations related to the deletion, destruction, and anonymization of personal data and shall retain these records for a minimum of three (3) years, excluding other legal obligations.

The Company accepts, declares, and undertakes these principles.

Purposes of Processing Requiring Retention

Your personal data, in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law (KVKK), is processed by the Company, acting as the data controller, for the following purposes:

  • Conducting Information Security Processes
  • Conducting Employee Satisfaction and Loyalty Processes
  • Fulfilling Employment Contract and Legal Obligations for Employees
  • Managing Benefits and Fringe Benefits for Employees
  • Conducting Training Activities
  • Managing Access Authorities
  • Ensuring Compliance with Legislative Activities
  • Conducting Finance and Accounting Affairs
  • Ensuring Physical Space Security
  • Following and Conducting Legal Affairs
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting and Supervising Business Activities
  • Conducting Occupational Health and Safety Activities
  • Ensuring Business Continuity Activities
  • Conducting Risk Management Processes
  • Conducting Storage and Archiving Activities
  • Conducting Contract Processes
  • Conducting Strategic Planning Activities
  • Conducting Wage Policy
  • Conducting Marketing Processes for Products/Services
  • Ensuring the Security of Data Controller Operations
  • Providing Information to Authorized Persons, Institutions, and Organizations
  • Conducting Management Activities
  • Conducting Occupational Health and Safety Activities

Legal, Technical, and Other Reasons Requiring the Destruction of Personal Data

Personal data belonging to data subjects are destroyed by the Company for legal, technical, and other reasons, including but not limited to:

  1. a) The general principles stated in Article 4 of the Law,
  2. b) The purpose of processing no longer being valid,
  3. c) The request of the data subject,

ç) The expiration of legal obligations,

and similar purposes and reasons.

Technical and Administrative Measures Taken to Ensure the Secure Storage of Personal Data and to Prevent Unlawful Processing and Access

The technical measures taken by the Company to ensure the secure storage of personal data belonging to data subjects and to prevent unlawful processing and access are listed below:

  1. a) Network security and application security are ensured.
  2. b) A closed system network is used for the transfer of personal data over the network.
  3. c) Security measures are taken within the scope of the procurement, development, and maintenance of information technology systems.

ç) The security of personal data stored in the cloud is ensured.

  1. d) Access logs are kept regularly.
  2. e) Updated anti-virus systems are used.
  3. f) Firewalls are used.
  4. g) Personal data security policies and procedures are established.

ğ) Personal data is minimized as much as possible.

  1. h) User account management and authority control systems are implemented, and their monitoring is carried out.

ı) Log records are kept in a manner that prevents user interference.

  1. i) Attack detection and prevention systems are used.
  2. j) Penetration tests are conducted.
  3. k) Cybersecurity measures are in place, and their implementation is continuously monitored.
  4. l) Data loss prevention software is used.

Administrative Measures Taken to Ensure the Secure Storage of Personal Data and to Prevent Unlawful Processing and Access

The administrative measures taken by the Company to ensure the secure storage of personal data belonging to data subjects and to prevent unlawful processing and access are listed below:

  1. a) Disciplinary regulations that include data security provisions are in place for employees.
  2. b) Periodic training and awareness programs on data security are conducted for employees.
  3. c) An authority matrix has been created for employees.

ç) Corporate policies on access, information security, usage, storage, and destruction have been prepared and implemented.

  1. d) Confidentiality agreements are made.
  2. e) The access rights of employees who change positions or leave the company are revoked.
  3. f) The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
  4. g) The security of environments containing personal data is ensured.

ğ) Periodic and/or random internal audits are conducted.

  1. h) Current risks and threats have been identified.

Technical and Administrative Measures Taken for the Lawful Destruction of Personal Data

The technical measures taken by the Company for the lawful destruction of personal data belonging to data subjects are as follows:

  1. a) The use of the most up-to-date technological systems for the destruction of personal data, and the implementation of confidentiality and information security measures.
  2. b) The removal of access, retrieval, and reuse authorizations and methods for Relevant Users regarding personal data, and the revocation of permissions to recover deleted data.
  3. c) Deleting personal data stored in cloud systems and central servers by issuing a deletion command to ensure it cannot be recovered.

ç) In addition to the methods mentioned above, choosing appropriate destruction (physical de-magnetization, overwriting) or anonymization methods based on the nature of personal data from technical recording environments.

  1. d) For the destruction of personal data in non-technical recording environments, applying deletion (blacking out, etc.) or destruction (physical destruction) methods.

Administrative Measures Taken by the Company for the Lawful Destruction of Personal Data

  1. a) Regularly conducting the necessary implementation work and providing training regarding the destruction of personal data,
  2. b) Ensuring the availability of necessary equipment for the physical destruction of non-technical data recording environments, particularly within the workplace of the Company.

Units Responsible for the Storage and Destruction of Personal Data and Their Information

A list of the titles and job descriptions of the personnel working in the units responsible for the storage and destruction of personal data within the Company can be found in Appendix-1.

Periodic Destruction Periods

The period for the storage and destruction of personal data processed by the Company, depending on the category of personal data, is six (6) months following the end of the retention period.

Destruction Periods When Personal Data Is Requested by the Data Subject

When the data subject requests the deletion or destruction of their personal data by applying to the Company in accordance with Article 13 of the Law:

  1. a) If all conditions for processing personal data have ceased to exist, the Company deletes, destroys, or anonymizes the personal data subject to the request. The Company finalizes the data subject’s request within a maximum of thirty (30) days and informs the data subject accordingly.
  2. b) If all conditions for processing personal data have ceased and the personal data subject to the request has been transferred to third parties, the Company informs the third party of the situation as soon as possible and ensures that the necessary actions are taken by the third party.
  3. c) If the conditions for processing personal data have not fully ceased, the Company may reject this request, explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection will be communicated to the data subject in writing or electronically within a maximum of thirty (30) days.

Effective Date

This Policy, prepared by the Company, has entered into force as of the date it was published on the Company’s website.

In case of any conflict between this Policy and the provisions of the Personal Data Protection Law (KVKK) and other related legislation, the provisions of KVKK and other related legislation shall prevail.

Appendix-1: TABLE OF RESPONSIBLE UNITS AND INFORMATION

The titles, units, and job descriptions in the field of personal data protection of the Company’s employees involved in the storage and destruction of personal data are listed in the table below.

Only the job descriptions related to personal data protection are provided for all employees listed below. All are responsible for ensuring compliance with the retention periods for personal data in the processes included in their job descriptions.

 

 TITLE

UNIT

JOB DESCRIPTION

General Manager

 Management Responsible for the implementation of administrative decisions to ensure the Company operates in compliance with legislation.
Finance Manager Human Resources Responsible for ensuring that the Company’s employees act in accordance with KVKK (Personal Data Protection Law) and relevant legislation, for conducting training and awareness activities regarding the legislation, and for the processing of employees’ personal data in compliance with the legislation.
Administrative Affairs Manager

Responsible for conducting internal periodic and/or random audits to ensure that the Company and its employees comply with KVKK legislation.
Responsible for processing and destroying health data classified as sensitive personal data concerning Company employees and ensuring its destruction.
Administrative Affairs Manager Responsible for the destruction and subsequent reporting of personal data stored in non-technical data recording environments (paper, unit cabinets, archive) as determined by the Company.