PERSONAL DATA STORAGE AND DESTRUCTION POLICY
KOZMO KIMYA INDUSTRY AND FOREIGN TRADE LTD. CO.
1. PURPOSE
With this Personal Data Storage and Destruction Policy (“Storage and Destruction Policy”), KOZMO KIMYA INDUSTRY AND FOREIGN TRADE LTD. CO. (“KOZMO KIMYA”) aims to regulate the implementation of the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017 (“Regulation”), in line with the Law on the Protection of Personal Data No. 6698 (“Law”), by ensuring the technical and administrative protection of personal data and taking action when the conditions for data processing no longer exist.
2. ENVIRONMENTS IN WHICH PERSONAL DATA IS STORED
Personal data of data subjects are securely stored by KOZMO KIMYA in the following environments, in compliance with the Law and related legislation:
Electronic Environments:
- MIKRO
- MS SQL Server
- Email Inbox
- Microsoft Office Programs
- Video Recording Devices
Physical Environments:
- Department Cabinets
- Folders
- Archive
3. EXPLANATION ON REASONS FOR DATA STORAGE
Personal data belonging to data subjects are securely stored by KOZMO KIMYA in physical or electronic environments as listed above, for the following purposes:
- Continuation of business operations
- Fulfillment of legal obligations
- Planning and execution of employee rights and benefits
- Management of business relationships
Reasons for data retention include:
- The data being directly related to the establishment or performance of a contract
- The necessity of the data for the establishment, use, or protection of a right
- KOZMO KIMYA having a legitimate interest, provided that it does not harm the fundamental rights and freedoms of individuals
- KOZMO KIMYA fulfilling any legal obligation
- Legal requirements mandating data retention
- The presence of explicit consent from data subjects for retention activities that require such consent
According to the Regulation, personal data of data subjects shall be deleted, destroyed, or anonymized by KOZMO KIMYA, either automatically or upon request, in the following cases:
- The relevant legal provisions that constitute the basis for data processing or storage are amended or repealed
- The purpose requiring the processing or storage of personal data no longer exists
- The conditions outlined in Articles 5 and 6 of the Law that justify data processing no longer apply
- If processing is based solely on explicit consent, and the data subject withdraws such consent
- Upon the acceptance of a request by the data subject under Article 11, Paragraph 2 (e) and (f) of the Law for deletion, destruction, or anonymization of personal data
- In case the data controller refuses the data subject’s request for deletion, provides an inadequate response, or fails to respond within the legally prescribed time, and the data subject files a complaint to the Board, which finds the request justified
- The maximum retention period for personal data has expired and there is no legal justification for retaining the data further
4. MEASURES FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, KOZMO KIMYA takes necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure its secure storage. It also conducts or commissions relevant audits. If personal data is unlawfully obtained by third parties, KOZMO KIMYA notifies the relevant authorities as soon as possible.
4.1 Technical Measures
- Network and application security are ensured
- Closed system networks are used for data transfers
- Key management is implemented
- Security measures are taken in the procurement, development, and maintenance of IT systems
- Security of personal data stored in the cloud is ensured
- Disciplinary regulations including data security provisions are in place for employees
- Regular data security training and awareness programs are conducted for employees
- Authorization matrices are created for employees
- Access logs are maintained regularly
- Corporate policies on access, data security, usage, retention, and destruction are prepared and implemented
- Data masking is applied when necessary
- Confidentiality agreements are signed
- Access rights are revoked for employees who change roles or leave the company
- Up-to-date antivirus software is used
- Firewalls are implemented
- Contracts contain data security provisions
- Additional security measures are taken for personal data transferred via physical documents, and such documents are sent in classified format
- Personal data security policies and procedures are established
- Data security incidents are promptly reported
- Personal data security is regularly monitored
- Necessary precautions are taken to secure access to physical environments containing personal data
- Protection against external risks (fire, flood, etc.) is ensured for physical environments
- Physical data environments are kept secure
- Data minimization is practiced
- Personal data is backed up and backup security is ensured
- User account management and authorization control systems are implemented and monitored
- Internal audits are conducted periodically or randomly
- Log records are maintained without user interference
- Current risks and threats are identified
- Protocols and procedures for the security of sensitive personal data are in place and enforced
- Sensitive personal data sent via email is encrypted and sent via KEP or corporate email accounts
- Secure encryption/cryptographic keys are used and managed by separate units for sensitive data
- Intrusion detection and prevention systems are employed
- Cybersecurity measures are in place and continuously monitored
- Data encryption is practiced
- Sensitive personal data transferred via portable memory, CD, or DVD is encrypted
- Data processors are regularly audited regarding data security
- Data processors are educated on data security awareness
4.2 Administrative Measures
- Employees receive training on technical measures to prevent unlawful access to personal data
- Access and authorization processes are designed and implemented based on business units and legal compliance requirements. Sensitivity and classification of the data are taken into account
- Employment contracts and other documents involving personal data include provisions that emphasize the legal processing of such data, the obligation not to disclose or misuse it, and the continuation of confidentiality obligations after the termination of employment
- Employees are informed and required to commit that they will not disclose or misuse personal data they have learned during employment, and that this obligation continues even after leaving the company