Personal Data Storage and Destruction Policy

1.PURPOSE OF THE POLICY
The purpose of this policy is to establish all rules to be applied throughout Asya Nakliyat Tic. Ltd. Sti. and the roles and responsibilities for the purpose of fulfilling the obligations regarding the storage and destruction of the personal data in accordance with the articles 5 and 6 of the Regulation on Deletion, Destruction or Anonymization of Personal Data (the Regulation) which was enacted based on the Personal Data Protection Law no 6698 (the Law) and which was published on the Official Gazette no 30224 on 28.10.2017 and the other obligations set forth in the Regulation.

2.SCOPE OF THE POLICY
The policy covers the personal data and special quality personal data which are kept throughout (in) Asya Nakliyat Tic. Ltd. Sti. and which are defined in the Law, all employees, managers, consultants of Asya Nakliyat Tic. Ltd. Sti. and its affiliates and external service providers in all cases where there is personal data sharing and the other real and legal persons with whom Asya Nakliyat Tic. Ltd. Sti. enters into legal relationship.
The policy covers the personal data in the systems in which the data is processed wholly or partially by automatic methods or non-automatic methods on condition that they will be a part of any data recording system as specified in the Law.
Unless otherwise specified, the personal data shall be called as “Personal Data” in general together with the special quality personal data in this Policy.

3.DEFINITIONS
Anonymization means the anonymization of the personal data so that they cannot be correlated with a real person whose identity is definite or determinable even if they are matched with other data,
Destruction means the deletion, destruction or anonymization of the personal data,
Personal Data means all kinds of information regarding a real person whose identity is definite or determinable,
Personal Data Storage Table means the table which indicates the periods during which the personal data will be kept in Asya Nakliyat Tic. Ltd. Sti.,
Personal Data Processing Inventory means the inventory in which the data controllers clarify and detail the personal data processing activities which they carry out depending on the work processes; the maximum period which they establish by correlating with the personal data processing purposes, the data category, the receiver group to which the personal data is transferred and the person group subjecting to the data and which is necessary for the purposes by which the personal data is processed, the personal data which is stipulated to be transferred to foreign countries and the measures regarding the data security,
Deletion of the Personal Data means making the personal data inaccessible and non-reusable for the relevant users,
Destruction of the Personal Data means the process of making the personal data inaccessible, non-recoverable and non-reusable by any person,
Special Quality Personal Data means the data of the persons in relation to their race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance, foundation, association or union membership, health, sexual life, conviction and security measures and their biometric and genetic data,
Periodical Destruction means the deletion, destruction or anonymization process to be performed ex-officio at the repeating intervals specified in the personal data storage and destruction policy in the case that the conditions for the processing of the personal data set forth in the Law are completely eliminated,
Data recording system means the recording system in which the personal data is configured and processed in accordance with specific criteria,
Direct identifiers mean the identifiers which directly reveal, disclose the person with whom they are in relation and make this person distinguishable by themselves,
Indirect identifiers mean the identifiers which reveal, disclose the person with whom they are in relation and make this person distinguishable by coming together with the other identifiers,
Law means the Personal Data Protection Law no 6698 which was published on the Official Gazette dated 07.04.2016 and no 29677,
Regulation means the Regulation on Deletion, Destruction or Anonymization of Personal Data which was published on the Official Gazette dated 28.10.2017 and no 30224,
Board means the Personal Data Protection Board,
Recording environment means all kinds of environment in which the personal data which is processed wholly or partially by automatic methods or non-automatic methods on condition that they will be a part of any data recording system is available,
Personal Data Processing and Protection Policy means the policy which establishes the procedures and principles regarding the management of the personal data held by “Asya Nakliyat Tic. Ltd. Sti.”, which can be accessed from the address of ”www.asyanakliyat.com”,
Data recording system means the recording system in which the personal data is configured and processed in accordance with specific criteria.


4.RECORDING ENVIRONMENTS REGULATED BY THE POLICY
All kinds of environments in which the personal daha which is processed wholly or partially by automatic methods or non-automatic methods on condition that they will be a part of any data recording system is available are included within the scope of recording environment.

4.1. ENVIRONMENTS WHERE THE PERSONAL DATA IS STORED
The personal data stored in “Asya Nakliyat Tic. Ltd. Sti.” is kept in a recording environment in compliance with the nature of the relevant data and our legal obligations.
The recording environments which are used for the storage of the personal data are those listed below in general. However, some data may be available and kept in an environment different from the environments shown herein due to the special qualifications that they have or our legal obligations. “The COMPANY” acts in its capacity of data controller and processes and protects the personal data in compliance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.

a) Printed environments Environments where the data is kept by printing onto papers or microfilms.
b) Local digital environments Other digital environments such as servers, hard or portable discs, optic discs available within the body of “the COMPANY”.
c) Cloud environments Environments where internet-based systems encoded by cryptographical methods are used, which are not available within the body of “the COMPANY”, but which are used by “the COMPANY”.
4.2. ENSURING THE SECURITY OF THE ENVIRONMENTS
“The COMPANY” takes all necessary technical and administrative measures in compliance with the relevant personal data and the qualifications of the environment where it is kept for the storage of the personal data in a safe manner and the prevention of the processing and access of the personal data in contrary to the law.
These measures cover, without limitation, the following administrative and technical measures to the extent that they are in compliance with the nature of the relevant personal data and of the environment where it is kept.

4.2.1. Technical Measures
“The COMPANY” takes the following technical measures in compliance with the qualifications of the relevant data and of the environment where it is kept for all environments where the personal data is stored:

In the environments where the personal data is kept, only the current and safe systems complying with the technological developments are used. The security systems for the environments where the personal data is kept are used.
The security tests and researches are performed for the determination of the security gaps on the information systems. The issues having current or potential risk, which have been found out as a result of the tests and researches performed are eliminated.
Only the authorized persons are allowed to access to this data as limited to the purpose of storage of the personal data by restricting the access to the data in the environments where the personal data is kept.
“The COMPANY” has sufficient technical personnel present within its body in order to ensure the security of the environments where the personal data is kept.
4.2.2. Administrative Measures
“The COMPANY” takes the following administrative measures in compliance with the qualifications of the relevant data and of the environment where the data is kept for all environments where the personal data is stored:

Studies are carried out for increasing the awareness and raising the awareness of all employees of “the COMPANY” who have access to the personal data on the information security, the personal data and the confidentiality of the private life.
The legal and technical consultancy service is purchased in order to follow up the developments in the field of information security, confidentiality of the private life and protection of the personal data and to take the necessary actions.
If the personal data is transferred to third persons due to the technical or legal requirements, protocols are signed with the relevant third persons for the purpose of protecting the personal data and all necessary due diligence is shown for the relevant third persons to comply with their obligations in these protocols.
4.2.3. Internal Audit
“The COMPANY” performs internal audits with respect to the implementation of the Law provisions and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy pursuant to the article 12 of the Law.
If deficiencies or faults regarding the implementation of these provisions are found out as a result of the internal audits, these deficiencies or faultys are immediately eliminated.
If it is understood during the audit or otherwise that the personal data under the responsibility of “the COMPANY” has been obtained by others by illegal methods, “the COMPANY” notifies this situation to those concerned and the Board within the shortest period of time.

5.DUTIES AND POWERS OF THE PERSONAL DATA PROTECTION COMMITTEE
The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business departments and following up the fulfillment of its requirements by the departments of the COMPANY.
The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business departments to follow up the situations such as the legislation amendments regarding the protection of the personal data, the regulatory procedures and decisions of the Board, the court decisions or the changes in the processes, applications and systems and to update the work processes if necessary.
The Personal Data Protection Committee determines the processes for the examination, evaluation, follow-up and conclusion of the Law and its secondary regulations, the decisions and regulations of the Board, the court decisions and the decisions and/or demands of the other competent authorities and announces these processes to the relevant departments.


6.ACTIONS TO BE TAKEN IN THE CASE OF THE ELIMINATION OF THE CONDITIONS FOR THE PROCESSING OF THE PERSONAL DATA
If the purpose factor for the processing of the personal data disappears, the express consent is withdrawn or all of the conditions for the processing of the personal data set forth in the articles 5 and 6 of the Law disapper or there is a situation in which any of the exceptions in the mentioned articles cannot be applied, the personal data the processing conditions of which disappeared is deleted, destructed or anonymized by the relevant business department by clarifying the reason for the method applied under the articles 7, 8, 9 or 10 of the Regulation in consideration of the business needs. However, if there is a finalized court decision, the destruction method decided by the court decision must be applied.
All users who process or store the personal data and the departments of the COMPANY which is the data owner shall review whether the conditions related to the processing have disappeared or not in the data recording environments that they use within no later than four-month periods. The relevant users and departments shall make this review in the data recording environments that they use regardless of the periodical inspection period upon the application of the personal data owner or the notification of the Board or a court.
When it is found out that the data processing conditions have disappeared as a result of the periodical reviews or at any time, the relevant user or the data owner shall decide the deletion, destruction or anonymization of the relevant personal data from the recording environment under their own responsibility in accordance with this policy. In the hesitated situations, the action shall be taken by obtaining opinion from the the relevant data owner business department. When it is necessary to take a decision for the destruction of the personal data having multishareholder data ownership available in the Central Information Systems, however, the opinion of the Personal Data Protection Committee shall be obtained and the storage or deletion, destruction or anonymization of the data shall be decided by the relevant data owner business department about the relevant personal data in accordance with this policy.
All procedures performed in relation to the deletion, destruction or anonymization of the personal data are recorded and these records are kept for at least three years except for the other legal obligations.
The methods applied in relation to the deletion, destruction or anonymization process of the personal data shall be published or disclosed after the Policy comes into effect pursuant to the article 7.4 of the Regulation.
In the deletion, destruction or anonymization of the personal data, it is mandatory to act in compliance with the general principles in the article 4 of the Law and the technical and administrative measures required to be taken under the article 12 of the Law, the relevant legislation provisions, the Board decisions and and the court decisions.
When the real person who is the owner of any personal data requests the deletion, destruction or anonymization of his personal data by applying to the COMPANY pursuant to the article 13 of the Law, the relevant data owner business department examines whether all of the personal data processing conditions have disappeared or not. If all of the processing conditions have disappeared, it deletes, destructs or anonymizes the personal data subjecting to the request. In this case, the request is concluded within no later than thirty days as of the application date with its details determined in ISO 27001:203 Information Security Management System and the relevant person is informed via the PDPL team assigned by the PDPL Supervisor. If all of the personal data processing conditions have disappeared and the personal data subjecting to the request have been transferred to third persons, the relevant data owner business department immediately notifies this situation to the third person to whom the personal data has been transferred and ensures that the necessary procedures are performed under the Regulation by the third person.
In the cases where all of the personal data processing conditions have not disappeared, the requests of the personal data owners for the deletion or destruction of their data may be rejected by clarifying the reason by the COMPANY pursuant to the third paragraph of the article 13 of the Law. The rejection is notified to the relevant person in written or in electronic environment within no later than 30 days.
The requests for the deletion or destruction of the personal data shall be evaluated only on condition that the identification of the relevant person has been made. In the requests to be made by the channels other than the mentioned channels, the relevant persons shall be directed to the channels through which the identification or identity verification can be made.


7.ENFORCEMENT OF THE POLICY, CASES OF VIOLATION AND SANCTIONS
This Policy shall come into force by being announced to all employees from the website of the COMPANY and shall be binding for all business departments, consultants, customers, insurance companies, external service providers and everyone who processes personal data in the COMPANY as of its effective date.
The follow-up of whether the employees of the COMPANY fulfill the requirements of the Policy shall be under the responsibility of the supervisors of the relevant employees. When any behaviour in contrary to the Policy is found out, the subject matter shall be immediately notified to an associated senior supervisor by the supervisor of the relevant employee. If the contradiction is significant, however, the Personal Data Protection Committee shall be immediately informed by the senior supervisor.
The necessary administrative procedure shall be applied about the employee who has behaved in contrary to the Policy after the evaluation to be made by the Human Resources department.
For the fulfillment of the requirements of the Policy, all necessary security measures are taken by the COMPANY within the scope of the ISO 27001:2013 Information Security Management System and under the PDPL.


8.PERSONS TO TAKE PART IN THE PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES AND THEIR RESPONSIBILITIES
In the fulfillment of the requirements regarding the destruction of the data as specified by the Law, the Regulation and the Policy within the COMPANY, all employees, customers, insurance companies, consultants, external service providers and everyone who stores and processes personal data in the COMPANY by other means are responsible for fulfilling these requirements.
Each business department is obliged to store and protect the data that it produces within its own work processes. However, in the case that the produced data is available only in the information systems beyond the control and authority of the business department, the mentioned data shall be stored by the departments which are responsible for the information systems.
The periodical destructions which will affect the work processes and cause the distortion of the data integrity, the data loss and the results in contrary to the legal regulations shall eb made by the relevant information systems departments in consideration of the type of the relevant personal data, the systems in which it is available and the data owner business department.

8.1. PERSONAL DATA COMMITTEE
“The COMPANY” establishes a Personal Data Committee within its body. The Personal Data Committee is authorized and responsible for performing/causing to be performed the necessary procedures and auditing the processes for the storage and processing of the data of the relevant persons in compliance with the law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy.
The Personal Data Committee is composed of one manager, one administrative expert and one technical expert. The titles and job definitions of the employees of “the COMPANY” who are in charge in the Personal Data Committee are specified below:

Title Job Definition
Personal Data Committee Manager The Personal Data Committee Manager is obliged to direct all kinds of planning, analysis, research, risk assessment works in the projects carried out within the process of compliance with the Law; to manage the processes required to be carried out pursuant to the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy and to conclude the requests from the relevant persons.
PDC Expert ( Contact Supervisor )
(Technical and Administrative) The PDC Expert is responsible for examining the requests of the relevant persons and reporting them to the Personal Data Committee Manager for evaluation; fulfilling the procedures regarding the revelant person requests evaluated and concluded by the Personal Data Committee Manager pursuant to the decision of the Personal Data Committee Manager; performing the inspection of the storage and destruction processes and reporting these inspections to the Personal Data Committee Manager and executing the storage and destruction processes.
8.2. REASONS FOR STORAGE AND DESTRUCTION
8.2.1. Reasons for Storage
The personal data kept within the body of “the COMPANY” is stored for the purposes and reasons specified herein pursuant to the Law and our Personal Data Policy (you can access to the relevant policy from the address of “www.firmaas.com.tr”).

8.2.2. Reasons for Destruction
The personal data available within the body of “the COMPANY” is deleted, destructed or anonymized pursuant to this destruction policy if requested by the relevant person or if the reasons mentioned in the articles 5 and 6 of the Law disappear. The reasons mentioned in the articles 5 and 6 of the PDPL are composed of the following:

It is expressly stipulated in the Laws.
It is mandatory for the protection of the life or bodily integrity of the person who cannot express his consent due to actual impossibility or whose consent is not granted legal validity or another person.
It is necessary for the personal data of the parties to the contract to be processed, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to be able to fulfill his legal obligations.
It has been made public by the relevant person.
Data processing is mandatory for the establishment, use or protection of any right.
Data processing is mandatory for the legitimate interests of the data controller, provided that no damage will be caused to the fundamental rights and freedomsof the relevant person.
8.3. DESTRUCTION METHODS
“The COMPANY” deletes, destructs or anonymizes ex-officio the personal data that it stores in compliance with the Law and other legislation and the Personal Data Processing and Protection Policy in line with the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy if the reasons requiring the processing of the data disappear.
The deletion, destruction and anonymization techniques which are mostly used by “the COMPANY” are listed below:

8.3.1.1 Deletion Methods
Deletion Methods for the Personal Data kept in Printed Environment
Blanking The personal data available in printed environment is deleted by using the blanking method. The blanking process is applied as cutting the personal data on the relevant document in the cases possible; or by as making it invisible by using indelible ink so as not to be recoverable and readible with technological solutions in the cases not possible.
Deletion Methods for the Personal Data kept in Cloud and Local Digital Environment
Safely deletion from the software The personal data kept in cloud environment or local digital environments is deleted with digital command so as not to be recoverable any more. The data deleted in this way cannot be achieved again.
8.3.1.2 Destruction Methods
Destruction Methods for the Personal Data kept in Printed Environment
Physical destruction The documents kept in printed environment are destructed in such a manner that they cannot be brought together again with document destruction machines.
Destruction Methods for the Personal Data kept in Local Digital Environment
Physical destruction Physical destruction process such as melting, burning or pulverizing the optic and magnetic media containing personal data. It is ensured that the data is inaccessible by the processes such as melting, burning, pulverizing, physically cutting and/or perforating the optic or magnetic media or passing it through a metal grinder.
Demagnetization (degauss) The process of disrupting the data on the magnetic media in an unreadible manner by exposing the magnetic media to high magnetic field.
Overwriting The former data is prevented from being read and recovered by overwriting random data consisting of 0 and 1s for at least seven times onto the magnetic media and rewritable optic media.
Destruction Methods for the Personal Data kept in Cloud Environment
Safely deletion from the software The personal data kept in cloud environment is deleted with digital command so as not to be recoverable any more and all copies of the encoding keys necessary for making the personal data usable are destructed when the cloud information service relationship is terminated. The data deleted in this way cannot be achieved again.
8.3.1.3. Anonymization Methods
Anonymization is the anonymization of the personal data in such a manner that they cannot be correlated with a real person whose identity is definite or determinable in any way even by matching with the other data.

Removal of the variables Removal of one or several of the direct identifiers which are included in the personal data of the relevant person and which will be used to determine the relevant person in any way.
This method can be used for the anonymization of the personal data and also for the purpose of deletion of the information not complying with the data processing purpose, if any, in the personal data.
Local concealment Process of deleting the information which might be distinguishing with respect to the data which is exceptional in the data table in which the personal data is collectively available as anonymous.
Generalization Process of bringing together the personal data of many persons and making them statistical data by removing the distinguishing information.
Lower and upper limit coding / Global coding For a specific variable, the intervals of that variable are identified and categorized. If the variable does not include a numerical value, the data close to each other in the varibale is categorized.
The values remaining within the same category are combined.
Micro combination By this method, all records in the data cluster are arranged according to a significant sequence in the first place and then the entire cluster is divided into sub-clusters in a specific number. Afterwards, the average of the value of each sub-cluster with regard to the designated variable is taken and the value of the sub-cluster with regard to that variable is replaced with the average value. As the indirect identifiers in the data will have been distorted by this means, it is made difficult for the data to be correlated with the relevant person.
Data mixing and distorting It is ensured that the relation of the personal data with the relevant person is broken and the personal data loses their identifying characteristics by mixing the direct or indirect identifiers in the personal data with other values or distorting them.
“The COMPANY” uses one of several of these mentioned anonymization methods according to the nature of the relevant data for the anonymization of the personal data. While using these anonymization methods, “the COMPANY” can use the statistical methods of K-Anonymity, L-Variability and T-Proximity.

9.PERSONAL DATA STORAGE AND DESTRUCTION PERIODS
The Table indicating the Personal Data Storage and Destruction Periods is given in the Annex:1. In the periodical destruction processes or the destruction processes to be carried out upon request, the mentioned storage and destruction periods shall be taken into account. The Table indicating the Personal Data Storage and Destruction Periods shall be updated by the business departments which are the owner of the processes to be included in the personal data inventory of the COMPANY by obtaining also the evaluations of the Personal Data Protection Committee in case of hesitation.

9.1. Storage Periods
DATA OWNER DATA CATEGORY DATA STORAGE PERIOD
Employee Personal data forming the basis of the employment documents and the notifications for service period and salary, which are made to the Social Security Institution It is maintained during the continuation of the service contract and for 50 (fifty) years as of the expiration of the service contract.
Employee Personal data other than the personal data forming the basis of the employment documents and the notifications for service period and salary, which are made to the Social Security Institution It is maintained during the continuation of the service contract and for 10 (ten) years as of the beginning of the calendar year following the expiration of the service contract.
Employee Data within the Contents of the Workplace Personal Health File It is maintained during the continuation of the service contract and for 30 (thirty) years as of the expiration of the service contract.
Business Partner/Solution Partner/Consultant Identity information, contact information, financial information regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and “the COMPANY”, voice records taken during the phone calls, data of the employees of the Business Partner/Solution Partner/Consultant It is stored during the continuation of the business/commercial relationship of the Business Partner/Solution Partner/Consultant with “the COMPANY” and for 10 years pursuant to the article 146 of the Turkish Code of Obligations and the article 82 of the Turkish Commercial Code as of the termination of this relationship.
Visitor Name, surname, T.R. Identity Number, vehicle plate of the Visitor, which are taken at the entry into the physical space belonging to “the COMPANY” and camera records, voice records taken during the phone calls It is stored for a period of 2 years.
Website Visitor Name, surname, e-mail address of the Website Visitor, navigation information It is stored for a period of 2 years.
Employee Candidate Information in the curriculum vitae and job application form of the Employee Candidate It is stored as long as the period during which the curriculum vitae will lose its currency so as to be 2 years at most.
Intern(student) Information in the internship file of the intern It is maintained during the continuation of the internship relation and for 10 (ten) years as of the beginning of the calendar year following the expiration of the internship relation.
Customer Name, surname, T.R. Identity Number, communication information of the Customer, payment information and methods, navigation information, voice records taken during the phone calls, product/service preferences, transaction history, special day information It is stored for 10 years pursuant to the article 146 of the Turkish Code of Obligations and the article 82 of the Turkish Commercial Code as of the submission of each product/service purchased by the Customer.
Customer Camera images, vehicle plate information It is stored for a period of 2 years.
Potential Customer Identity information, contact information, financial information obtained during the contract negotiations with regard to the establishment of a commercial relationship between the Potential Customer and “the COMPANY”, voice records taken during the phone calls It is stored for a period of 2 years.
Corporations/ Companies with which “the COMPANY” is in cooperation (Supplier, Contract Manufacturer, Dealer/Franchise Identity information, contact information, financial information regarding the execution of the commercial relationship between the Corporations/Companies with which “the COMPANY” is in cooperation and “the COMPANY”, voice records taken during the phone calls, data of the employees of the Corporations/Companies with which “the COMPANY” is in cooperation It is stored during the continuation of the business/commercial relationship of the Corporations/Companies with which “the COMPANY” is in cooperation with “the COMPANY” and for 10 years pursuant to the article 146 of the Turkish Code of Obligations and the article 82 of the Turkish Commercial Code as of the termination of this relationship.
* If a longer period of time is arranged pursuant to the legislation or a longer period of time is stipulated for lapse of time, period of prescription, storage periods etc. pursuant to the legislation, the periods set forth in the legislation provisions are accepted as the maximum storage periods.

3.3.2. Destruction Periods
“The COMPANY” deletes, destructs or anonymizes the personal data in the first periodical destruction process following the date when its obligation for deleting, destructing or anonymizing the personal data that it is responsible for arises pursuant to the Law, the relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
When the relevant person requests the deletion or destruction of his personal data by applying to “the COMPANY” based on the article 13 of the Law;

If all of the personal data processing conditions have disappeared, “the COMPANY” deletes, destructs or anonymizes the personal data subjecting to the request by the appropriate destruction method by clarifying the reason within 30 (thirty) days as of the receipt of the request. For “the COMPANY” to be deemed to have received the request, the relevant person must have made his request in compliance with the Personal Data Processing and Protection Policy. “The COMPANY” informs the relevant person in relation to the process carried out in any case.
If all of the personal data processing conditions have not disappeared, this request may be rejected by “the COMPANY” by clarifying its reason pursuant to the third paragraph of the article 13 of the Law and the rejection is notified to the relevant person in written or in electronic environment within no later than thirty days.


10.PERIODICAL DESTRUCTION PERIODS
In the event that all of the personal data processing conditions set forth in the PDPL no 6698 disappear, “the COMPANY” deletes, destructs or anonymizes the personal data the processing conditions of which have disappeared by a process specified in this Personal Data Storage and Destruction Policy and to be performed at repeating intervals.
The periodical destruction processes start on 30.09.2019 for the first time and is repeated once in every 6 (six) months.
10.1. INSPECTION OF THE COMPLIANCE OF THE DESTRUCTION PROCESS WITH THE LAW
“The COMPANY” carries out the destruction processes that it performs ex-officio either upon request or within the periodical destruction processes in compliance with the Law, the other legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
“The COMPANY” takes certain administrative and technical measures in order to ensure that the destruction processes are carried out in compliance with these regulations.

10.1.1. Technical Measures
“The COMPANY” supplies the technical tools and equipment suitable for each destruction method set forth in this policy.
“The COMPANY” ensures the security of the place where the destruction processes are performed.
“The COMPANY” keeps the access records of the persons who perform the destruction process.
“The COMPANY” employs competent and experienced personnel who will perform the destruction process or purchases service from the competent third persons when necessary.
10.1.2. Administrative Measures
“The COMPANY” carries out studies for increasing the awareness and raising the awareness of all of its employees who have access to the personal data on the information security, the personal data and the confidentiality of the private life.
“The COMPANY” purchases legal and technical consultancy service in order to follow up the developments in the field of information security, confidentiality of the private life, protection of the personal data and safe destruction techniques and to take the necessary actions.
In the cases that “the COMPANY” has the destruction process performed by third persons due to the technical or legal requirements, it signs protocols with the relevant third persons for the purpose of protecting the personal data and shows all necessary due diligence for the relevant third persons to comply with their obligations in these protocols.
“The COMPANY” regularly inspects whether the destruction processes are performed in compliance with the law and the terms and obligations set forth in this Personal Data Storage and Destruction Policy and takes the necessary actions.
All processes carried out in relation to the deletion, destruction and anonymization of the personal data are recorded and these records are kept for at least three years except for the other legal obligations.

11.ENFORCEMENT
The Policy shall come into force as of the publication date.
It is under the responsibility of the Personal Data Protection Committee to announce the Policy throughout the COMPANY and to make the necessary updates.


12.UPDATE and ADAPTATION
“The COMPANY” reserves its right to make amendment in the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy due to the amendments made in the Law, pursuant to the Board decisions or in line with the developments in the sector or in the field of information.
The amendments made in this Personal Data Storage and Destruction Policy are entered into the text without delay and the clarifications regarding the amendments are made at the end of the policy.