Personal Data Retention and Disposal Policy

 

1. PURPOSE OF THE POLICY

The purpose of this Personal Data Retention and Disposal Policy (“Policy”) is to determine the rules, processes and obligations to be applied by Veser Kimyevi Maddeler A.Ş. (“Veser”) in order to fulfill its obligations regarding the storage and destruction of personal data, and the other obligations specified in the Regulation, in accordance with Articles 5 and 6 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which was issued based on the Law on the Protection of Personal Data No. 6698 (“Law”) and published in the Official Gazette No. 30224 on 28.10.2017.

2. SCOPE OF THE POLICY

The Policy covers personal data as defined by the Law, and sensitive personal data kept at Veser, belonging to all Veser employees, managers and consultants, to affiliates in all cases where personal data sharing is in question, and to third-party goods and service providers and other real and legal persons with whom Veser has legal and commercial relations. The Policy covers personal data in systems where data is processed by fully or partially automated means, or by non-automated means provided that the processing is part of a data recording system, as specified in the Law. Unless otherwise stated in the Policy, personal data and sensitive personal data will be collectively referred to as "Personal Data".

3. DEFINITIONS

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if it is matched with other data,

Destruction: Deletion, destruction or anonymization of personal data,

Personal Data: Any information relating to an identified or identifiable natural person,

Personal Data Retention Table: The table showing the periods during which personal data will be kept at VESER,

Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes of processing, the data category, the transferred recipient group and the data subject group, and in which they explain the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,

Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users,

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and non-reusable by anyone,

Special Qualified Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,

Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

4. RECORDING MEDIA REGULATED BY POLICY

Personal data is safely stored by Veser in the environments listed below, in accordance with the law.

Electronic Media

  • Servers (Email database, web, file sharing, backup etc.)
  • Video Rec
  • Personal Computers (Desktop, laptop)
  • Mobile Devices (phone, tablet)
  • Removable Memory (USB, Memory Card etc.)
  • Printer, scanner, copier

Non-Electronic Media

  • Paper
  • Manual Data Recording System (questionnaire forms)
  • Written and printed visual media

5. EXPLANATIONS ON STORAGE

Personal Data belonging to third parties related to Veser as employees, employee candidates, visitors and customers is stored by Veser in accordance with the Law.

A. Retention Remarks

Veser, within the framework of its commercial, administrative and legal activities,

or for a period suitable for processing purposes.

A.1 Legal Grounds for Retention

Veser stores the Personal Data it processes within the framework of the above-mentioned activities for the period stipulated in the relevant legislation. In this context, Personal Data;

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on the Arrangement of Publications on the Internet and Combating Crimes Committed by These Publications,
  • Occupational Health and Safety Law No. 6331,
  • Law on Access to Information No. 4982,
  • Law No. 3071 on the Use of the Right to Petition,
  • Labor Law No. 4857,
  • Social Services Law No. 2828,
  • Regulation Regarding Health and Safety Measures to be Taken in Workplace Buildings and Attachments,

Personal Data is stored for as long as the storage periods stipulated within the framework of the above and of other secondary regulations in force in accordance with these laws.

B. Processing Purposes Requiring Storage

Veser stores the Personal Data it processes within the framework of the above-mentioned activities for the purposes stated below.

  • Fulfilling obligations arising from laws and relevant legislation,
  • To operate the human resources procedure, to create personal files, to make salary payments,
  • Fulfilling its obligations within the scope of occupational health and safety (OHS),
  • To fulfill the demands and decisions of courts, enforcement offices, authorized institutions and organizations,
  • Providing internet access under control, ensuring compliance with relevant laws,
  • Ensuring entry-exit control and security to Veser's headquarters and warehouses,
  • To ensure communication with employees, customers and/or third parties within the framework of Veser's activities,
  • To carry out performance in accordance with the contracts to which Veser is a party,
  • To fulfill the legal obligations arising from the legislation to which Veser is subject,
  • To comply with US regulatory requirements in terms of legal obligations of Veser's US-regulated shareholders and group companies,
  • To ensure compliance with US legislation,
  • To report to Veser's shareholders and affiliates,
  • To fulfill the burden of proof as evidence in legal disputes that may arise in the future,
  • Recruitment evaluation for open positions,
  • Making private health insurance of employees,
  • Providing employees with rights and benefits arising from employment contracts,
  • To protect the legitimate interests of Veser in accordance with its commercial operation,
  • Opening a current account within the scope of commercial activities, determining the credit limit, evaluating the credibility.

6. TECHNICAL AND ADMINISTRATIVE MEASURES

6.1 Technical Measures

The measures taken by Veser are shown below.

  • Measures necessary for the physical security of Veser's information systems equipment, software and data are taken.
  • Physically storing personal data in locked cabinets,
  • Limiting the number of employees who can access personal data,
  • Keeping inappropriate accesses under control by recording the accesses,
  • Taking necessary measures to ensure that deleted personal data is inaccessible and not reusable for the relevant users,
  • Establishing an infrastructure to notify the Relevant Person and the Board in case of Unlawful Processing,
  • 24/7 employee monitoring system against environmental threats,
  • Security vulnerabilities are followed, appropriate security patches are installed and information systems are kept up to date,
  • Using strong passwords in electronic media and changing these passwords periodically,
  • Password protection of VPN connections of allowed employees,
  • Use of a backup infrastructure that ensures the safe storage of personal data, ISO 9001 certification, firewalls, attack prevention systems, network access control, systems that prevent malware, etc.,
  • Identification of risks to prevent unlawful processing of personal data, taking appropriate technical measures for these risks, providing measures for the measures taken,
  • The company website uses a secure protocol (HTTPS) with encryption using the SHA 256 Bit RSA algorithm.
  • Access procedures are created in Veser and reporting is made regarding access to personal data.
  • Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
  • A separate policy has been determined for the security of sensitive personal data.
  • Electronic environments in which sensitive personal data are processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of environments are constantly monitored, and necessary security tests are regularly performed and the test results are recorded.
  • If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address.

6.2 Veser's Administrative Measures

The administrative measures taken by Veser regarding the Personal Data processed are as follows:

  • Developing the qualifications and technical knowledge/skills of the employees,
  • Preventing unlawful processing and access to personal data,
  • Ensuring the protection of personal data,
  • Signing confidentiality agreements with employees,
  • Having the Employees and third parties whose personal data is processed sign the Clarification Text before their personal data is processed,
  • Information security trainings are provided for employees in order to carry out periodic and random audits within the company and to prevent illegal processing of personal data and illegal access to personal data.
  • A disciplinary procedure has been prepared for Veser employees who violate security policies and procedures.
  • Trainings have been given and are given in order to prevent the illegal processing of personal data of its employees, to prevent illegal access to personal data, and to ensure the protection of personal data.
  • Before the personal data is processed by Veser, the informed consent text is signed by the relevant persons.
  • A processing inventory of Personal Data has been prepared.
  • In addition to the administrative measures taken for personal data, regular trainings on data security issues are provided to employees involved in the processing of special quality personal data,
  • Security measures are taken for the environments where Special Quality Personal Data are processed and stored, unauthorized entries and exits are prevented, and if it is required to be transferred in paper form, the document is sent in the form of "confidential documents".

7. DISPOSAL PROCEDURE

7.1. In the event that the purpose for processing personal data is eliminated, the express consent is withdrawn, all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or none of the exceptions in the aforementioned articles can be applied, personal data whose processing conditions are eliminated is deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation, with an explanation of the reason for the method applied. However, in case of a finalized court decision, the method of destruction determined by the court decision must be applied.

7.2. All users who process or store personal data and Veser units, which are data owners, will review the data recording media they use, within 6 (six) months at the latest, to determine whether the conditions related to the processing have been eliminated. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review in the data recording media they use, regardless of the period of periodic inspection.

7.3. As a result of periodic reviews, or when it is determined at any time that the data processing conditions have disappeared, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from his/her own recording medium, in accordance with this Policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit.

7.4. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

7.5. In the deletion, destruction or anonymization of personal data, it is obligatory to act in accordance with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, Board decisions and court decisions.

7.6. When a real person who owns personal data requests the deletion, destruction or anonymization of his personal data by applying to Veser pursuant to Article 13 of the Law, the relevant data owner business unit examines whether all conditions for processing personal data have been eliminated. If all the processing conditions have disappeared, it deletes, destroys or anonymizes the personal data subject to the request. In this case, the request is finalized within 30 (thirty) days at the latest from the date of application and the person concerned is informed in writing or electronically. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer is made and ensures that the necessary actions are taken within the scope of the Regulation before the third party.

7.7. In cases where the conditions for processing personal data are not eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by Veser by explaining the reason in accordance with the 3rd paragraph of Article 13 of the Law. The rejection response is notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.

7.8. Requests for the deletion or destruction of personal data will only be considered if the identity of the person concerned has been identified. Otherwise, the relevant persons will be directed to channels where identification or verification can be made.

8. METHODS OF DELETING AND DESTROYING PERSONAL DATA

A) Methods of Deletion of Personal Data

 

a. Personal Data in Non-Electronic Media: It is physically destroyed using the appropriate overwriting method. Personal Data in Paper Media are also destroyed by using paper shredders. Personal Data transferred from original paper format to electronic media by scanning are destroyed by appropriate methods according to their environment.

b. Office Files on the Server: They are deleted with the File Shredder program in the operating system and with the DoD 5220.22-M method command.

c. Personal Data in Removable Media: It is deleted with appropriate software or with the deletion command.

d. Office Software: Relevant lines containing Personal Data are deleted with the delete command.

e. Personal Data in Electronic Media: Personal data in electronic media that require storage are deleted in a manner appropriate to the relevant media and are rendered inaccessible and unusable in any way.

9. POLICY IMPLEMENTATION, VIOLATIONS AND SANCTIONS

9.1. This Policy will enter into force by being announced to all employees and will be binding on all business units, consultants, third party service providers and anyone else who processes personal data at Veser.

9.2. It will be the responsibility of the supervisors of the relevant employees to monitor whether Veser employees fulfill the requirements of the Policy. When a violation of the policy is detected, the issue will be immediately reported to a higher supervisor by the supervisor of the relevant employee. If the violation is significant, the Personal Data Protection Board will be notified without delay by the superior.

9.3. Necessary disciplinary procedure will be applied to the employee who violates the policy, after the evaluation by Human Resources.

 

10. PERSONS TO BE INVOLVED IN PERSONAL DATA STORAGE AND DISPOSAL AND THEIR RESPONSIBILITIES

All employees, consultants, external service providers and anyone else who stores and processes personal data at Veser are responsible for fulfilling the requirements regarding the destruction of data specified in the Law, Regulation and Policy within Veser. Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the generated data is only available in information systems outside of business control and authority, the said data will be stored by the units responsible for information systems. Periodic destructions that would affect business processes and cause data integrity problems, data loss or results contrary to legal regulations will be made by the relevant information systems departments, taking into account the type of personal data, the systems in which it is included, and the data owner business unit.

11. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE

11.1. The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business units and monitoring the fulfillment of its requirements by the Veser units.

11.2. The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business units to follow up on the changes in the legislation regarding the protection of personal data, the regulatory actions and decisions of the Board, the court decisions or the changes in the processes, practices and systems, and to update the business processes if necessary.

11.3. The Personal Data Protection Committee determines the processes for the examination, evaluation, follow-up and conclusion of the Law and its secondary regulations as well as the decisions and regulations of the Board, court decisions and decisions and/or requests of other competent authorities, and announces them to the relevant units.

12. PERSONAL DATA STORAGE AND DISPOSAL TIMES

The Table Showing the Periods of Retention and Disposal of Personal Data is given in Appendix 1. The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. The Table Showing the Periods of Retention and Destruction of Personal Data will be updated by the business units that own the processes to be included in the Veser personal data inventory and, in case of hesitation, by taking the evaluations of the Personal Data Protection Committee.

13. PERIODIC DISPOSAL TIMES

The Periodic Destruction Period of Personal Data is determined by the relevant business units; however, this period cannot exceed 6 (six) months in any case.

14. EFFECTIVENESS

14.1. The policy will enter into force as of the date of publication.

14.2. It is the responsibility of the Personal Data Protection Committee to announce the policy throughout Veser and make the necessary updates.

 

APPENDIX-1 - Table Showing the Periods of Retention and Destruction of Personal Data

Personal data will be kept for the following periods, taking into account the issues specified in Article 6 of the Policy, unless there is a final court decision or interim injunction to the contrary, and will be destroyed at the end of the period:

| PROCESS | STORAGE PERIOD | DISPOSAL TIME |
|---|---|---|
| Contracts signed with third parties | 10 years | Within 180 days after the end of the storage period |
| Personnel file | 10 years after the termination of the employment relationship | Within 180 days after the end of the storage period |
| Employee candidates' job applications | 1 year | Within 180 days after the end of the storage period |
| Personnel individual pension policies | 10 years after the termination of the employment relationship | Within 180 days after the end of the storage period |
| Allocating vehicles to employees | As long as the employment contract continues and in case of the trial process, as long as the trial process continues | Within 180 days after the end of the storage period |
| Occupational health and safety practices | 15 years after the termination of the employment relationship | Within 180 days after the end of the storage period |
| Recording/Tracking/Log Systems | 2 years | Within 180 days after the end of the storage period |
| Security camera footage | 8 months from the date the image was taken | Within 180 days after the end of the storage period |
| Information about company partners and board members | 10 years | Within 180 days after the end of the storage period |
| Credit/Debit payment transactions, customer information | 10 years after the end of the commercial relationship | Within 180 days after the end of the storage period |
| Storage of meeting notes/satisfaction survey forms/feedback notes | 2 years | Within 180 days after the end of the storage period |
| Filing of all kinds of documents | 10 years | Within 180 days after the end of the storage period |
| Legal process | As long as the trial continues and 10 years from the end of the trial process | Within 180 days after the end of the storage period |
| Advertising and Promotion Activities | 10 years from event date | Within 180 days after the end of the storage period |
| Marketing | 2 years from activity | Within 180 days after the end of the storage period |