ENTRY

Objective: LAYKI - personal data protection policy of our company is used because of the commercial activities that the aim of the legal handling of personal data in accordance with the regulations, protection, deletion, destruction and anonymization is to regulate the procedures and principles.

Business and transactions related to the storage and destruction of personal data are carried out in accordance with this Policy.

Scope: production and sales activities in our personal data protection policy of our company is due to the direct or indirect relationship and communication in the case of employees, employee candidates, service providers, visitors, customers, consumers, social media and website subscribers and other natural persons, corporations or organizations fully or partially automated personal data of their employees, to be part of the record or any of the data recording system with a non-automatic storage of personal data processed in the ways and for the destruction of work and activities.

Statistical data that have become anonymous in such a way that the person concerned cannot be identified, as well as data identifying legal entities, are not considered personal data and are not covered by this policy.

DEFINITIONS

Buyer group: The category of natural or legal persons to whom personal data is transferred by the data controller;

Related user: All employees and units of the Data Controller's organization, or data processors such as third parties who provide services in this field with the authority and instructions they receive from the data controller;

The Relevant User (Special Authorized) : Data processors who, unlike the relevant user, have the right to access personal data deleted by procedure or at the request of the relevant person, but not yet destroyed for legal reasons, are specifically authorized to protect, store this data until it is destroyed, to ensure that it is not accessed by the relevant users;

Destruction: Deletion, destruction or anonymization of personal data;

Law: Law No. 6698 on the Protection of Personal Data;

Registration environment: Any environment in which personal data is completely or partially automated or processed by automated means, provided that it is part of any data registration system;

Personal data: Any information related to an identified or identifiable real person;

Personal data owner: The real person whose personal data is processed;

The processing of personal data: personal data will be fully or partially automated, with the record to be part of any data recording system or non-automatic means obtaining, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, can be obtained, making the classification or use any operation that is performed on the data such as the Prevention of;

Inventory of personal data processing: data processing activities depending on the business processes they are accomplishing principals of personal data; purpose of processing personal data the data category, data is transferred to the recipient group and associating with a group of people created by the subject of personal data which is necessary for the purposes for which they are processed, and the maximum time prescribed by explaining the transfer of personal data to foreign countries detaylandirdik inventory of measures and data protection;

Board: Personal Data Protection Board;

Institution: Personal Data Protection Agency;

Qualified special personal data: any of the persons race or ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data with data on;

Periodic destruction: In case of complete elimination of the terms of processing of personal data contained in the Law, the deletion, destruction or anonymization process that will be performed at the intervals specified in the personal data storage and destruction policy and resen december will be performed;

Policy: This Policy is based on the process of determining the maximum period of time required for the purpose for which personal data is processed, as well as the process of deleting, destroying and anonymizing this Policy;

Registry: The registry of data officers maintained by the Presidency of the Personal Data Protection Authority;

Data processor: A natural and legal person who processes personal data on his behalf based on the authority granted by the data controller;

Data registration system: A registration system in which personal data is processed by configuring it according to certain criteria;

Data controller: refers to a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

The definitions in the Law apply to the definitions that are not included in this Policy.

KVK Management Structure - Duties And Responsibilities

All unit managers of LAYKI provide effective support to the proper implementation of technical and administrative measures related to the processing, storage and destruction of Personal Data in their units. Unit managers for this purpose, the unit allows you to increase the awareness of and training of employees, operations monitors and controls access to the data processed and the Prevention of unlawful processing of personal data is unlawful, technical and administrative measures for data security and implementation helps.

It actively supports the performance of processing, storage and destruction of personal data in accordance with the legislation by increasing the information and awareness of the relevant Users about the Protection of Personal Data and providing active support.

The titles, units and job descriptions of those involved in the processes of storing and destroying personal data are as follows:

General Manager: In his capacity as a Representative of the data controller, he is responsible for carrying out all operations related to the protection and destruction of personal data and implementing the policy.

Human Resources Manager: Responsible for the preparation, development, execution of the policy, publication and updating in relevant environments, education and information.

Information Systems Manager: He is responsible for the technical storage, protection and backup of data, the identification and implementation of technical solutions required in the implementation of the policy.

Other Unit Managers: Responsible for monitoring and supervising the implementation and implementation of the policy in their units.

The relevant User and Data Processors are responsible for ensuring that the procedures and procedures related to data processing and storage are in accordance with the law.

The Specially Authorized Relevant User is responsible for the protection, storage, and non-access of deleted personal data by the relevant users until they are destroyed by the procedure or at the request of the relevant person.

1. DATA RECORDING AND STORAGE ENVIRONMENTS

Electronic Media

Servers (domain, backup, email, database, web, file sharing, etc.)

Software (office software)

Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc. )

Personal computers (desktop, laptop)

Mobile devices (phone, tablet, etc.)

Optical discs (CD, DVD, etc.)

Removable memory (USB, Memory Card, etc.)

Printer, scanner, copier

Physical Environments

Paper

Manual data recording systems (survey forms, visitor log-in book)

Written, printed, visual media

2. DESTRUCTION OF PERSONAL DATA

Personal data shall be destroyed by the following techniques in accordance with the provisions of the relevant legislation upon request of re'sen or the relevant person within the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed.

2.1. Reasons That Require Destruction

The reasons for the destruction of personal data processed within the scope of the Company's commercial activity are as follows:

Disappearance or change of legal provisions that are the basis for data processing,

Elimination of the purpose that requires data processing or storage,

In cases where processing personal data depends only on the condition of explicit consent, the person concerned must withdraw his/ her explicit consent,

Acceptance of the application for deletion and destruction of personal data within the framework of the rights of the person concerned in accordance with Article 11 of the KVK Law,

A decision on the destruction of personal data by the Protection Board on the application or complaint of the person concerned,,

The period requiring the storage of personal data has expired and there is no situation that will require the personal data to be stored for a longer period of time.

2.2. Deletion of Personal Data

Processed and protected personal data are deleted, destroyed and anonymized using the methods listed below.

2.2.1. Cloud Solutions

Those that need to be deleted from the data located and stored in the cloud system are deleted by issuing a delete command, they are in no way accessible to users other than the database administrator and are made unavailable again.

2.2.2. Personal Data Contained in the Paper Medium

Personal data contained in physical files and paper media are made inaccessible and unusable in no way for other related users, data processors and employees, except for the Related User assigned by the Data Manager for archive and storage operations. In addition, fixed ink is used to blacken and make it invisible to the relevant users by cutting personal data on the document or by making it irreversible and unreadable with technological solutions.

2.2.3. Office Files Located on the Central Server

Files are deleted using the delete command in the operating system, or access rights of users other than the database administrator are removed from the directory where the file or file is located and their access is blocked.

2.2.4. Personal Data Contained in Portable Media

Personal data in flash-based storage environments is stored in secure environments with encryption keys encrypted by the system administrator and authorized to be accessed only by the system administrator is deleted using software suitable for these environments.

2.2.5. Databases

The rows containing the personal data on the databases are deleted using the database deletion commands.

2.3. Destruction of Personal Data

2.3.1. Personal Data Contained in the Physical Environment

Those who have expired the period that requires them to be stored from personal data contained in the paper medium are irretrievably destroyed by means of destruction tools such as paper clipping machines.

2.3.2. Personal Data Contained in Optical/Magnetic Media

The process of physically destroying the expired ones, such as melting, burning or pulverizing them, which requires them to be stored from personal data contained in optical media and magnetic media, is applied. In addition, the magnetic media is passed through a special device and the data on it is made unreadable by exposing it to a high magnetic field.

2.4. Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with a specific or identifiable natural person in any way, even if it is matched with other data.

To be " anonymized personal data; personal data, or third parties responsible for the data to be returned by and/or with other data, such as data recording media in terms of matching and related techniques through the use of appropriate field of activity, even that cannot be associated with a specific or identifiable natural person the ID is made.

3. Request for Deletion and Destruction of the Data Subject's Personal Data

The Data Subject submits his/her requests regarding the implementation of the Law in writing or by other methods determined by the Board.

The data subject concludes the requests contained in the application as soon as possible and free of charge no later than 30 days, depending on the nature of the request. However, if the transaction also requires a cost, the fee may be based on the tariff determined by the Board. If the application is caused by a processing error, there is no fee or if it has been received, it will be refunded.

The data owner is notified by explaining the reason that his request has been accepted or his request has been rejected. The statement is made in writing or in electronic form.

4. Storage and Disposal Times

4.1. Procedural storage and disposal times

Regarding the personal data being processed within the scope of the Company's activities;

Retention periods on the basis of personal data related to all personal data within the scope of activities carried out depending on the processes are included in the Inventory of Personal Data Processing;

Storage times based on data categories are recorded in VERBIS;

Storage periods on a process-by-process basis are included in the Personal Data Storage and Destruction Policy.

Updates and changes are made to the storage periods within the framework of legal regulations or requirements.

The process of deleting, destroying or anonymizing the re'sen for personal data whose storage periods have expired is performed by the authorized User / Private Authorized User.

Determination of storage and disposal time;

If the processed personal data is related to the processes carried out within the framework of the relationship established by the employment contract, it should be stored for 10 years from the date of termination of the employment contract, taking into account the legal statute of limitations,

In the event that the processed personal data relates to the processes carried out within the framework of any type of commercial relationship established by commercial contracts, it should be stored for 10 years from the end of the commercial relationship, taking into account the legal statute of limitations,

If the processed personal data is indirectly related to the processes carried out within the framework of the relationship established by the employment or commercial contract, it should be stored for 10 years from the end of the legal relationship, taking into account the legal statute of limitations,

If the processed personal data is not directly related to any commercial purchases, is provided for purposes such as contacting, visiting, meeting, bidding, applying for a job or internship, and then does not turn into a business or commercial relationship, it should be stored for 2 years,

Automatic deletion of security records within six months, cutting off the sections that should be stored for another purpose and for a legal reason due to the need for any event or image, storing them in accordance with the relevant legal reason and the statute of limitations period to which the purpose is subject,

Its principles are based on them, and the storage periods are determined accordingly.

4.2. Periods of Deletion and Destruction in Case of Application of the Data Owner

In the event that the Data Subject applies for the deletion or destruction of personal data belonging to him;

a) If all the conditions for processing personal data have been eliminated; the personal data subject to the application will be deleted, destroyed or anonymized. The request of the relevant person is finalized no later than 30 days and the relevant person is informed.

b) all of the requirements of processing personal data personal data is transferred to third parties if the subject has disappeared and the status data is transferred shall be notified to the third party; the third party of personal data deletion, destruction or anonymization within the scope of the regulation provided for necessary action.

c) If all the conditions for processing personal data have not been eliminated, the request of the person concerned may be rejected by explaining the reason and the refusal response will be notified to the Data Owner in writing or electronically no later than 30 days.

4.3. Periods of Destruction

Personal data that has expired or whose purpose of storage has disappeared are destroyed every six months. July January and July of each year, the periodic disposal process is carried out.

5. Publication and Retention of the Policy

The policy is created in two different media: wet-signed (printed paper) and electronic. It is announced on the Internet page created in electronic form. It is stored in the generated file as printed paper.

6. The Period of Updating the Policy

By following the Company's activities and changes that may occur in the processed personal data groups, changes to the legal legislation and the policy decisions of the Personal Data Protection Board, the policy is reviewed according to the need and the necessary sections are updated, changed or recreated.

7. Repeal and Repeal of the Policy

The policy comes into force when registering in the Verbis System. In case of changes in the policy text and content, the old copy is removed from the archive for storage for 5 years and placed in the current text file. Old texts available in electronic form are completely destroyed, if necessary, a new policy is replaced.

                                               LAYKİ MAĞAZACILIK SANAYİ İÇ VE DIŞ TİC. LTD. ŞTİ.