PERSONAL DATA STORAGE AND DESTRUCTION POLICY

  1. INTRODUCTION AND PURPOSE OF THE POLICY

This Personal Data Storage and Destruction Policy (“Policy”) has been prepared by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), as data controller, in order to fulfil our obligations and to determine the maximum storage period required for the purpose of processing personal data, in accordance with Law No. 6698 on Protection of Personal Data (“LPPD” or “Law”) and the Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 (“Regulation”), which is the secondary regulation of the Law. The Policy serves as the basis for erasure, destruction and anonymization operations and for informing the relevant persons about these operations.

  1. SCOPE

This Policy covers all employees and consultants of the institution and its affiliates, suppliers, and other real and legal entities with whom the institution has legal relations, in all cases where personal data is shared. It applies to personal data processed by fully or partially automatic means, or by non-automatic means provided that they form part of a data recording system, and to sensitive personal data as defined by law. Unless otherwise stated in the Policy, personal data and sensitive personal data are referred to together as “Personal Data”.

  1. AUTHORITIES AND RESPONSIBILITIES

All employees, consultants, external service providers and anyone else who stores and processes personal data within the institution are responsible for fulfilling the requirements for the destruction of data specified by the Law, the Regulation and this Policy. Each business unit is obliged to store and protect the data generated in its own business processes.

Responsibility for actions such as sending or receiving notifications and correspondence to or from the PDP Board on behalf of the data controller, and for registering with the registry, lies with the “Contact Person of the Data Controller”.

  1. DEFINITIONS

| Abbreviation | Description |
|---|---|
| Explicit Consent | A consent about a specific subject, based on information and expressed in free will. |
| Related User | The persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | Erasure, destruction or anonymization of personal data. |
| Law / KVKK | Law on Protection of Personal Data No. 6698. |
| Recording Medium | Any medium containing personal data that are processed by fully or partially automated means, or by non-automated means provided that they are part of a data recording system. |
| Personal Data | Any information related to a real person who is identified or identifiable. |
| Processing of Personal Data | All kinds of operations performed on personal data, including obtaining them by fully or partially automatic means, or by non-automatic means provided that they are part of a data recording system, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use. |
| Anonymization of Personal Data | Making personal data impossible to associate with any identified or identifiable real person in any way, even when paired with other data. |
| Erasure of Personal Data | The process of making personal data inaccessible and unusable for the relevant users in any way. |
| Destruction of Personal Data | The process of rendering personal data inaccessible, unrecoverable and unusable by anyone in any way. |
| Board | Personal Data Protection Board. |
| Sensitive Personal Data | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data of individuals. |
| Periodic Destruction | In the event that all the processing conditions of personal data in the Law disappear, the process of erasure, destruction or anonymization of the personal data, carried out at the regular intervals specified in the storage and destruction policy. |
| Data Subject / Related Person | The real person whose personal data is processed. |
| Data Controller | Real or legal entity responsible for identifying the purposes and means of personal data processing, and for installing and managing the data recording system. |
| Regulation | Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017. |

  1. RULES

Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) acts within the framework of the following principles in the storage and disposal of personal data:

  1. In the erasure, destruction and anonymization of personal data, the principles¹ listed in Article 4 of the Law, the technical and administrative measures specified in Article 6.2 of this Policy, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
  2. All transactions regarding the erasure, destruction and anonymization of personal data are carried out by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), and the records of these transactions are kept for at least 6 months, excluding other legal obligations.
  3. Unless otherwise decided by the Board, the appropriate method of erasure, destruction or anonymization of personal data is selected by us. However, upon the request of the relevant person, the appropriate method will be selected and the reason for the selection explained.
  4. In the event that all the conditions for processing personal data stipulated in Articles 5 and 6 of the Law are eliminated, personal data will be erased, destroyed or anonymized by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), either on its own motion or upon the request of the related person. If the related person applies to Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) regarding this subject:
  • Submitted requests are concluded within 30 (thirty) days at the latest and the relevant person is informed,
  • If the data which is subject to the request has been transferred to third parties, this will be reported to the third party to whom the data has been transferred and it will be ensured that the necessary actions are taken by the third parties.

____________________________________

¹ a) Compliance with the rules of law and honesty, b) Being accurate and up-to-date when necessary, c) Processing for specific, clear and legitimate purposes, d) Being connected, limited and proportionate to the purpose for which they are processed, e) Storing for a period of time required for the purposes foreseen in the relevant legislation or for the purpose for which they are processed.

  1. EXPLANATIONS REGARDING REASONS REQUIRING STORAGE AND DESTRUCTION

Personal data belonging to data subjects are stored securely by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) in the physical or electronic environments listed above, within the limits stipulated in the LPPD and other related legislation, especially for the purposes of (i) maintaining commercial activities, (ii) fulfilling legal obligations, (iii) planning and performing employee rights and benefits, and (iv) managing customer relations.

The reasons requiring storage are as follows:

  • Storage of personal data as it is directly related to the establishment and execution of contracts,
  • Storing personal data for the purpose of establishing, exercising or protecting a right,
  • Storage of personal data being mandatory for the legitimate interests of Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), provided that it does not harm the fundamental rights and freedoms of individuals,
  • Storing personal data with the purpose of fulfilling any legal obligation of Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline),
  • Storage of personal data being clearly foreseen in the legislation,
  • Having the explicit consent of the data subjects in terms of storage activities that require the explicit consent of data subjects.

Pursuant to the Regulation, in the cases listed below, personal data will be erased, destroyed or anonymized by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), either on its own motion or upon the request of the related person:

  • Amendment or abolition of relevant legislative provisions that constitute the basis for the processing or storage of personal data,
  • Abolition of the purpose that requires the processing or storage of personal data,
  • Abolition of conditions that require the processing of personal data in Articles 5 and 6 of the Law.
  • The relevant person’s withdrawal of his/her consent in cases where the processing of personal data takes place only in accordance with the explicit consent condition,
  • Acceptance of the application of the relevant person regarding the erasure, destruction or anonymization of his/her personal data within the framework of the rights of Article 11 of the Law in paragraphs 2 (e) and (f), by data controller,
  • In cases where the data controller rejects the application made by the relevant person on the request of erasure, destruction or anonymization of his/her personal data, his response is found inadequate, or does not respond within the period stipulated by the Law; making a complaint to the Board and approval of this request by the Board,
  • Although the maximum time requiring personal data to be stored has expired, the non-existence of any conditions to justify storing personal data for longer.
  1. PERIOD OF STORAGE AND DESTRUCTION

Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) uses the following criteria in determining the storage and destruction periods of your personal data obtained in accordance with the provisions of LPPD and other relevant legislation:

  1. If a period is stipulated in the legislation regarding the storage of the said personal data, this period is complied with. Following the expiration of the said period, the data is processed within the scope of the 2nd paragraph.
  2. In the event that the period stipulated in the legislation regarding the storage of the relevant personal data has expired, or no period is stipulated in the relevant legislation regarding the storage of such data:
  • Personal data are classified as personal data and sensitive personal data based on the definition in Article 6 of the LPPD. All personal data determined to be of sensitive nature are destroyed. The method to be applied in the destruction of the data in question is determined according to the quality of the data and the importance of its storage for Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline).
  • The compliance of data storage with the principles specified in Article 4 of the LPPD is examined; for example, it is questioned whether Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) has any legitimate purpose in the storage of the data. Data whose storage is determined to have a possibility of contradicting the principles set out in Article 4 of the Law shall be erased, destroyed or anonymized.
  • It is determined which of the exceptions stipulated in Article 5 and Article 6 of the Law will be taken as the basis for evaluating the data storage. Reasonable periods are determined for data storage within the framework of the exceptions determined. If these periods expire, the data shall be erased, destroyed or anonymized.

You can access the storage, destruction and periodic destruction periods determined by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) in the “Personal Data Processing Inventory” attached to the Policy.

Personal data whose storage period has expired are destroyed at 6-month intervals, in accordance with the procedures set out in the Policy and within the framework of the destruction periods included in the annex of the Policy.

In this regard, all transactions related to the erasure, destruction and anonymization of personal data are recorded and the said records are kept for at least three years, excluding other legal obligations.

  1. METHODS OF STORAGE AND DESTRUCTION OF PERSONAL DATA BY SAKA YAPI ÜRÜNLERİ DIŞ VE İÇ TİC. A.Ş. (STONELINE)

RECORDING MEDIA

Personal data belonging to data subjects, is stored in media listed below by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) in compliance with provisions of LPPD, related legislation and within the scope of international data security principles:

  1. Electronic media:
  • Servers (Domain, backup, e-mail, database, web, file sharing etc.)
  • Software (office software, portal, government applications, EDMS, VERBIS.)
  • Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc.)
  • Personal Computers (Desktop, laptop)
  • Optical discs (CD, DVD, etc.)
  • Memory sticks (USB, Memory Card etc.)
  • Printer, scanner, photocopy machine
  1. Physical Media:
  • Paper
  • Written, printed and visual media.
  1. TECHNICAL AND ADMINISTRATIVE MEASURES

All administrative and technical measures taken by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) within the framework of the principles in Article 12 of the LPPD, in order to keep your personal data secure, to prevent it from being processed or accessed unlawfully, and to destroy the data in accordance with the law, are listed below:

  1. Administrative Measures:

Within the scope of administrative measures, Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline);

  • Limits internal access to stored personal data to the personnel who need to access it in accordance with their job description. In limiting access, it takes into consideration whether the data is sensitive personal data and its degree of importance.
  • Notifies the relevant person and the Board as soon as possible in the event that the processed personal data is obtained by others unlawfully.
  • Regarding the sharing of personal data, signs a framework contract on the protection of personal data and data security with the persons with whom personal data is shared, or adds provisions on these matters to the existing contract.
  • Where necessary, employs personnel with knowledge and experience in the processing of personal data, and provides the necessary training to its personnel within the scope of personal data protection legislation and data security.
  • Performs the necessary inspections, or has them performed, in order to ensure the enforcement of the provisions of the Law within its own legal entity, and removes the privacy and security weaknesses that are found as a result of inspections.
  1. Technical Measures

Within the scope of technical measures, Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline);

  • Makes the necessary internal controls within the scope of the installed systems.
  • Performs the processes of information technology risk assessment and business impact analysis within the scope of installed systems.
  • Provides the technical infrastructure that will prevent or detect data leakage out of the institution, and creates the relevant matrix.
  • Checks for system weaknesses by receiving penetration test services regularly and when necessary.
  • Ensures that the access rights of employees in information technology units are kept under control.
  • Ensures that personal data is destroyed in such a manner that it cannot be recovered and that no audit trail is left.
  • Pursuant to Article 12 of the Law, protects all kinds of digital media where personal data are stored with encryption or cryptographic methods, to meet information security requirements.
  1. PERSONNEL

You can access the titles, units and job descriptions of the personnel involved in the personal data storage and destruction process from the list in ANNEX-1 of this Policy.

  1. DESTRUCTION METHODS OF PERSONAL DATA

If the purposes for personal data processing stipulated in LPPD and Regulation are abolished, the personal data obtained by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) in accordance with the LPPD and other relevant legislation will be destroyed by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) on its own motion or upon request of related person, with the following techniques and in compliance with the provisions of Law and related legislation.

  1. Techniques of Deleting and Destroying Personal Data

The procedures and principles regarding the erasure and destruction of personal data by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) are listed below:

Erasure of Personal Data:

Secure Erasure from Software: When data that is processed by fully or partially automatic means and stored in digital media is erased, methods are used that erase the data from the relevant software in a way that makes it inaccessible and unusable for the relevant users in any way.

Erasing the relevant data in the cloud system by giving an erasure command; removing the relevant user’s access rights on the file, or on the directory where the file is located, on the central server; erasing the relevant rows in databases with database commands; or erasing the data on removable media, i.e. flash media, by using appropriate software can be considered within this scope.

However, if the erasure of personal data will result in the inability to access and use other data within the system, personal data will also be deemed erased if personal data are archived by making them unrelated to the relevant person, provided that the following conditions are met.

  • It is not accessible by any other institution, organization or person,
  • All necessary technical and administrative measures are taken to ensure that personal data can only be accessed by authorized persons.

Safe Erasure by Expert: In some cases, an agreement may be made with an expert to erase personal data on behalf of the institution. In this case, the personal data will be securely erased by the person who is an expert on this subject, making it inaccessible and unusable in any way for Related Users.

Blackening of Personal Data on Paper Media: This is the method of physically cutting the relevant personal data out of the document, or of making it invisible using fixed ink in a way that cannot be reversed and cannot be read with technological solutions, in order to prevent the unintended use of personal data or to erase the data requested to be erased.

Destruction of Personal Data:

Physical Destruction: Personal data can be processed in non-automatic ways, provided that it is a part of any data recording system. When erasing/destroying such data, the personal data is physically destroyed in such a manner that it cannot be used afterwards.

  1. Techniques for Anonymization of Personal Data:

The procedures and principles regarding the techniques of anonymizing personal data by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline) are listed below:

Anonymization Methods that do not Cause Value Irregularity

Anonymization methods that do not cause value irregularity are methods applied without any change or addition/removal to the personal data being stored, by generalizing any personal data group, replacing values with one another, or removing a certain data or sub-data group from the group.

Variable Extraction: With the variable extraction method, the existing data set is anonymized by removing “highly descriptive” variables from the data set created after combining the collected data.

Record Extraction: In the record extraction method, the data line containing a singularity among the data is removed from the records and the stored data is anonymized. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data of this person from the records where the seniority, salary and gender data of employees at the same level are kept.

Regional Hiding: In the regional hiding method, if a single data item has a determinant quality because it creates a very rarely seen combination, hiding the relevant data provides anonymization.

Lower and Upper Limit Coding: With the lower and upper limit coding method, data is anonymized by combining the values in a data group into predefined categories according to a certain criterion.

Generalization: With the data aggregation method, many data are aggregated and personal data cannot be associated with any person.

Global Coding: With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person.
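
The following added example (not part of the Policy and not Stoneline's own code) applies variable extraction, lower and upper limit coding and record extraction in sequence to a constructed employee table, then checks that no remaining combination of attributes is unique. The field names, the salary limits and the minimum group size k=2 are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample data. The single senior manager is the "singularity"
# described under Record Extraction.
RECORDS = [
    {"name": "Employee-1", "national_id": "00000000001", "level": "specialist", "gender": "F", "salary": 41000},
    {"name": "Employee-2", "national_id": "00000000002", "level": "specialist", "gender": "F", "salary": 43500},
    {"name": "Employee-3", "national_id": "00000000003", "level": "specialist", "gender": "M", "salary": 39000},
    {"name": "Employee-4", "national_id": "00000000004", "level": "specialist", "gender": "M", "salary": 52000},
    {"name": "Employee-5", "national_id": "00000000005", "level": "specialist", "gender": "M", "salary": 47000},
    {"name": "Employee-6", "national_id": "00000000006", "level": "senior manager", "gender": "F", "salary": 98000},
]

# Assumed classification of columns (hypothetical, not taken from the Policy).
DIRECT_IDENTIFIERS = ("name", "national_id")
QUASI_IDENTIFIERS = ("level", "gender", "salary_band")


def variable_extraction(rows, drop=DIRECT_IDENTIFIERS):
    """Variable extraction: remove the highly descriptive columns entirely."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]


def limit_coding(rows, field="salary", lower=30000, upper=60000):
    """Lower and upper limit coding: replace exact values with predefined bands."""
    coded = []
    for r in rows:
        r = dict(r)  # copy so the input rows are not modified
        value = r.pop(field)
        if value < lower:
            band = f"<{lower}"
        elif value >= upper:
            band = f">={upper}"
        else:
            band = f"{lower}-{upper - 1}"
        r[field + "_band"] = band
        coded.append(r)
    return coded


def group_sizes(rows, keys=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of the given attributes."""
    return Counter(tuple(r[k] for k in keys) for r in rows)


def record_extraction(rows, keys=QUASI_IDENTIFIERS, k=2):
    """Record extraction: drop rows whose attribute combination occurs fewer than k times."""
    sizes = group_sizes(rows, keys)
    return [r for r in rows if sizes[tuple(r[x] for x in keys)] >= k]


def smallest_group(rows, keys=QUASI_IDENTIFIERS):
    """Size of the rarest attribute combination; 1 means someone is singled out."""
    sizes = group_sizes(rows, keys)
    return min(sizes.values()) if sizes else 0


def anonymize(rows, k=2):
    """Apply the three methods in order and return the reduced data set."""
    rows = variable_extraction(rows)
    rows = limit_coding(rows)
    return record_extraction(rows, k=k)


if __name__ == "__main__":
    result = anonymize(RECORDS)
    for row in result:
        print(row)
    print("smallest group after anonymization:", smallest_group(result))
```

Removing names and ID numbers alone is not enough here: with exact salaries every row is still unique, and the senior manager stays unique even after banding, which is why the record is removed.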

Anonymization Methods that Cause Value Irregularities

Unlike the methods that do not cause value irregularity, anonymization methods that cause value irregularity change some data and thereby create distortion in personal data groups. When using these methods, deviations must be applied carefully, in line with the expected/desired benefit. By ensuring that the total statistics are not distorted, it is still possible to continue to benefit from the data as expected.

In accordance with the 28th Article of the Law, if personal data are processed for purposes such as research, planning and statistics by anonymizing them through official statistics, this will remain outside the scope of the Law and explicit consent will not be required.

  1. OTHER ISSUES

In case of inconsistency between the provisions of the LPPD, other relevant legislation and this Policy, the provisions of the LPPD and other relevant legislation shall be valid.

This Policy, which is prepared by Saka Yapı Ürünleri Dış Ve İç Tic. A.Ş. (Stoneline), entered into force on 14.12.2020. In case of any change made to the Policy, the effective date of the Policy and the related articles will be updated accordingly. The update table is given in Appendix-3.

  1. SAKA YAPI ÜRÜNLERİ DIŞ VE İÇ TİC. A.Ş. (STONELINE)

ANNEX-1

PERSONNEL TITLE, UNIT AND POSITION LIST

| PERSONNEL | POSITION | RESPONSIBILITY |
|---|---|---|
| Lawyer | Business Partner as Data Processor Law Firm – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Human Resources | Business Partner as Data Processor Human Resources – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Purchasing | Business Partner as Data Processor Purchasing – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Quality Control | Business Partner as Data Processor Quality Control – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| OHS | Business Partner as Data Processor OHS – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Sales-Marketing | Business Partner as Data Processor Sales – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Accounting | Accounting Department – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |
| Information Technologies | Information Technologies – Responsible for implementing personal data storage and destruction policy | Ensuring the suitability of processes with storage period and management of personal data destruction process in line with periodical destruction period within the scope of his/her duty |

ANNEX-2

STORAGE AND DESTRUCTION PERIODS TABLE

The storage and destruction periods of the data processed by the institution are determined on the basis of the process in the Personal Data Processing Inventory, and the said Inventory will be accessible through the institution.

If the purpose of the Company to use the relevant personal data has not expired, if the storage period foreseen for the relevant personal data is longer than the periods specified in the table in accordance with the relevant legislation, or if the relevant statute of repose period requires the personal data to be stored longer than the periods specified in the table, the periods which are defined in the table above may not be applied. In this case; the purpose of use, special legislation or period of statute of repose, whichever expires later, shall be applicable.

| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Execution of Subsistence Allowance Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Human Resources Management and Personnel File | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Responding to court/enforcement information requests regarding the personnel | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Shareholder and business court processes | During Shareholder Term | within 180 days after the expiration of storage period |
| Preparation of agreements | 10 YEARS | within 180 days after the expiration of storage period |
| Employment | 10 years after the end of the business relationship | within 180 days after the expiration of storage period |
| Payroll | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Training Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Invoicing Process | 10 YEARS | within 180 days after the expiration of storage period |
| Transaction Security Password Details | 10 YEARS | within 180 days after the expiration of storage period |
| Practices of Occupational Health and Safety | 10 YEARS | within 180 days after the expiration of storage period |
| Workplace Warning Process | 10 YEARS | within 180 days after the expiration of storage period |
| OHS Risk Assessment Report | 10 YEARS | within 180 days after the expiration of storage period |
| Log/Record/Tracking Systems | 2 YEARS | within 180 days after the expiration of storage period |
| Power of Attorney Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Tracking of Shareholder Processes | During Shareholder Term | within 180 days after the expiration of storage period |
| Travel Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Audit Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Execution of Job Application Processes | 6 MONTHS | within 180 days after the expiration of storage period |
| Camera Records Management | 30 DAYS | within 30 days after the expiry of the storage period |
| Annual Leave Follow-Up Process | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Foreign Personnel Residence Procedures | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Embezzlement Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| OHS Expertise Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Payment Procedures | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Personnel Financial Processes | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Part of the contract process and maintenance of the contract | Until Legal Relationship Ends + 10 YEARS | within 180 days after the expiration of storage period |
| Execution of Goods Sales Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Customer Satisfaction Measurement and Evaluation Process | 10 YEARS | within 180 days after the expiration of storage period |
| Event and Organization Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Certificate Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Purchasing Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Foreign Sales Process | 10 YEARS | within 180 days after the expiration of storage period |
| Dispatch Note Processes | 10 YEARS | within 180 days after the expiration of storage period |
| Execution of Shipping Processes | 10 YEARS | within 180 days after the expiration of storage period |