© 2025. All Rights Reserved. Copying Content Without Permission Is Prohibited.
BÜLENT BÖREKÇİLİK GROUP OF COMPANIES – PERSONAL DATA RETENTION AND DESTRUCTION POLICY
BÜLENT BÖREKÇİLİK MANUFACTURING, MARKETING, INDUSTRY AND FOREIGN TRADE INC.
PERSONAL DATA RETENTION AND DESTRUCTION
POLICY
IN ACCORDANCE WITH LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA
- 1. Introduction
  - 1.1 Purpose
  - 1.2 Scope
  - 1.3 Abbreviations and Definitions
- 2. Responsibilities and Task Distribution
- 3. RECORDING MEDIUMS
- 4. EXPLANATIONS REGARDING RETENTION AND DESTRUCTION
  - 4.1 Explanations Regarding Retention
    - 4.1.1 Legal Grounds Requiring Retention
    - 4.1.2 Processing Purposes Requiring Retention
  - 4.2 Reasons Requiring Destruction
- 5. Administrative and Technical Measures
  - 5.1 Administrative Measures
  - 5.2 Technical Measures
- 6. Personal Data Destruction Techniques
  - 6.1 Deletion of Personal Data
  - 6.2 Destruction of Personal Data
  - 6.3 Anonymization of Personal Data
- 7. Retention and Destruction Periods
- 8. Periodic Destruction Interval
- 9. Publication and Retention of the Policy
- 10. Policy Revision Period
- 11. Enforcement and Revocation of the Policy
BÜLENT BÖREKÇİLİK PERSONAL DATA RETENTION AND DESTRUCTION POLICY
1. Introduction
1.1 Purpose
The Personal Data Retention and Destruction Policy (hereinafter referred to as the “Policy”) has been prepared to establish the procedures and principles regarding the retention and destruction activities carried out by the Joint Data Controller Group Companies BÜLENT UNLU MAMÜLLER PAZARLAMA SATIŞ ANONİM ŞİRKETİ and BÜLENT BÖREKÇİLİK İMALAT PAZARLAMA SANAYİ VE DIŞ TİCARET ANONİM ŞİRKETİ (hereinafter referred to as “Bülent Börekçilik” or the “Company”).
In line with our corporate vision and established mission, vision, and core principles, our Company prioritizes the processing of personal data belonging to Company employees, job applicants, service providers, customers, visitors, and other third parties in accordance with the Constitution of the Republic of Turkey, International Conventions, Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the “Law”), and other relevant legislation, while ensuring that the rights of the relevant individuals are effectively exercised.
The handling of personal data retention and destruction is carried out in accordance with the “Personal Data Retention and Destruction Policy” prepared by our Company for this purpose.
1.2 Scope
Personal data belonging to Company employees, job applicants, service providers, customers, visitors, and other third parties fall within the scope of this Policy, and this Policy is applied to all storage environments where personal data owned or managed by the Company is processed, as well as to all activities related to the processing of personal data.
1.3 Abbreviations and Definitions
| Term | Definition |
|---|---|
| Recipient Group | Category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent given freely based on being informed regarding a specific matter. |
| Anonymization | The process of making personal data such that it cannot, under any circumstances, be associated with an identified or identifiable natural person, even when combined with other data. |
| Employee | Company personnel. |
| Electronic Environment | Environments where personal data can be created, read, modified, and stored using electronic devices. |
| Non-Electronic Environment | All written, printed, visual, and other environments outside of electronic environments. |
| Supplier Company | Supplier Companies working with the Company. |
| Service Provider | A natural or legal person providing services to the Company within the framework of a specific contract. |
| Data Subject | A natural person whose personal data is being processed. |
| Relevant User | Individuals within the data controller organization, or acting under the authority and instructions of the data controller, who process personal data, excluding the person or unit technically responsible for storing, protecting, and backing up the data. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Storage Medium | Any environment where personal data is stored, whether processed fully or partially automatically, or manually as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | An inventory in which data controllers detail their personal data processing activities according to business processes; linking the purposes of processing, data categories, recipient groups, and data subjects, while specifying the maximum retention period necessary for the processing purposes, personal data intended for transfer to foreign countries, and the security measures implemented. |
| Processing of Personal Data | Any operation performed on personal data, including obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, receiving, making accessible, classifying, or preventing the use of such data, whether fully or partially through automated means or, as part of any data recording system, through non-automated methods. |
| Board | Personal Data Protection Board. |
| Special Category Personal Data | Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | In the event that all conditions for processing personal data specified in the Law are no longer applicable, the deletion, destruction, or anonymization process, as stated in the personal data retention and destruction policy, will be carried out automatically at recurring intervals. |
| Policy | Bülent Börekçilik Personal Data Retention and Destruction Policy. |
| Company | Group Companies Bülent Unlu Mamüller Pazarlama Satış Joint Stock Company and Bülent Börekçilik Manufacturing, Marketing, Industry and Foreign Trade Joint Stock Company. |
| Data Processor | A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Data Recording System | Any structured set of personal data that can be accessed according to specific criteria, whether centralized, decentralized, or functional. A record system in which personal data is structured and processed according to specific criteria. |
| Data Controller | The natural or legal person responsible for determining the purposes and means of processing personal data, and for the establishment and management of the data recording system. |
| Data Controllers’ Registry Information System | An information system created and managed by the Presidency, accessible via the internet, to be used by data controllers for registry applications and other related registry processes. |
| VERBİS | Data Controllers’ Registry Information System. |
| Regulation | Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017. |
2. Responsibilities and Task Distribution
All units and employees of the Company actively support the responsible units in ensuring data security in all environments where personal data is processed, by properly implementing the technical and administrative measures adopted under the Policy, providing training and raising awareness of unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the lawful storage of personal data.
The titles, units, and job descriptions of personnel involved in the storage and destruction processes of personal data within our Company are provided in Table 1. Companies that have a business relationship with the Company as Supplier Firms are not included in this table, because Supplier Firms that establish a contractual commercial relationship with our Company are solely responsible for taking legal and administrative measures as the “Data Controller” in accordance with Law No. 6698.
TABLE 1
| Title | Duty |
|---|---|
| Chairperson of the Board of Directors | Responsible for ensuring that the company implements legal, administrative, and technical measures within the scope of the Personal Data Protection Law (KVKK). |
| General Manager and Employer Representatives | Responsible for the preparation, development, implementation, publication in relevant environments, and updating of the Policy. |
| Legal Department | Responsible for preparing the company’s contracts in compliance with the Personal Data Protection Law (KVKK). |
| Purchasing and Business Development Department | Responsible for the preparation, development, implementation, publication in relevant environments, and updating of the Policy. |
| Human Resources Department | They are responsible for implementing the Policy in accordance with their duties. |
| Company Managers | Responsible for the preparation, development, implementation, publication in relevant environments, and updating of the Policy. |
| Accounting Department | They are responsible for implementing the Policy in accordance with their duties. |
| IT Department | They are responsible for providing the technical solutions required for the implementation of the Policy. |
| Call Center Unit | Responsible for executing the Policy in accordance with their duties. |
| Corporate Communications Unit | Responsible for executing the Policy in accordance with their duties. |
| Warehouse Unit | Responsible for executing the Policy in accordance with their duties. |
| Support Services and Logistics – Operations Unit | Responsible for executing the Policy in accordance with their duties. |
| Contracted Service Providers | They are obliged to act in accordance with the Company Policy. |
3. RECORDING MEDIUMS
Personal Data is securely stored in a lawful manner by our Company in the environments listed in Table 2.
TABLE 2
| Electronic Environments | Non-Electronic Environments |
|---|---|
| 1- Servers (Domain, backup, email, database, web, file sharing, etc.) | 1- Paper |
| 2- Software (office software) | 2- Manual data recording systems |
| 3- Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.) | 3- Written and visual media |
| 4- Personal computers (Desktop, Laptop) | |
4. EXPLANATIONS REGARDING RETENTION AND DESTRUCTION
Personal data of employees, job applicants, customers, visitors, third parties engaged as service providers, supplier companies, and employees of institutions or organizations are stored and destroyed by the Company in compliance with the Law. Detailed explanations regarding storage and destruction are provided below in sequence.
4.1 Explanations Regarding Retention
In Article 3 of the Law, the concept of personal data processing is defined; in Article 4, it is stated that "the processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed, and must be retained for the period prescribed by the relevant legislation or for the duration necessary for the purposes for which they are processed"; Articles 5 and 6 enumerate the "conditions for processing personal data."
Accordingly, within the scope of our Company’s activities, personal data is retained for the period prescribed by the relevant legislation or for the duration appropriate to our processing purposes.
4.1.1 Legal Grounds Requiring Retention
At our Company, personal data processed within the scope of Company activities is retained for the period prescribed by the relevant legislation. In this context, personal data is stored for the retention periods specified under the following Law and Other Regulations:
- Law No. 6698 on the Protection of Personal Data
- Turkish Code of Obligations No. 6098
- Public Procurement Law No. 4734
- Social Insurance and General Health Insurance Law No. 5510
- Law No. 5651 on the Regulation of Publications on the Internet and Related Matters
- Law on Combating Crimes Committed Through Publications on the Internet and Related Media
- Public Financial Management and Control Law No. 5018
- Occupational Health and Safety Law No. 6361
- Right to Information Law No. 4982
- Law No. 3071 on the Exercise of the Right to Petition
- Labor Law No. 4857
- Social Services Law No. 2828
- Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Annexes
- Regulation on Archival Services
- Other secondary regulations in force pursuant to these laws
4.1.2 Processing Purposes Requiring Retention
Our company stores the personal data it processes within the scope of its activities for the following purposes:
- To carry out human resources processes.
- To manage corporate communication.
- To ensure institutional security.
- To conduct statistical studies.
- To execute business and processes resulting from signed contracts and protocols.
- To ensure compliance with legal obligations as required or mandated by legislation.
- To establish contact with real or legal persons who have a business relationship with the institution.
- To carry out legal reporting.
- To manage call center processes.
- To serve as evidence for the burden of proof in potential future legal disputes.
- To fulfill the obligations imposed by the Law and other legislation.
4.2 Reasons Requiring Destruction
Personal data is deleted, destroyed, or anonymized by the Company, either upon the request of the relevant person or ex officio, in the following situations:
- In the event that the relevant legislative provisions forming the basis for its processing are amended or repealed,
- If the purpose that necessitates its processing or storage ceases to exist,
- In cases where the processing of personal data occurs solely based on explicit consent, if the relevant person withdraws their explicit consent,
- As a result of our Company accepting the request for the deletion and destruction of personal data made by the relevant person within the scope of their rights under Article 11 of the Law,
- In cases where our Company rejects the request made by the relevant person for the deletion, destruction, or anonymization of their personal data, finds the response provided insufficient, or fails to respond within the period stipulated by the Law; if the complaint is deemed appropriate by the Board,
- If the maximum retention period required for personal data has elapsed and there is no condition justifying the retention of personal data for a longer period,
- As a result of a provision of the Law or a decision by Judicial Authorities or a Public Administration concerning the deletion of the data of the relevant person.
5. Administrative and Technical Measures
In order to ensure the secure storage of personal data, to prevent unlawful processing and access, and to lawfully destroy personal data, our Company implements administrative and technical measures for special categories of personal data within the framework of sufficient precautions deemed necessary and announced by the Board, in accordance with Article 12 and Article 6, paragraph 4 of the Law.
5.1 Administrative Measures
The administrative measures taken by our Company regarding the personal data it processes are listed below:
- Trainings are provided on improving employee qualifications, preventing the unlawful processing of personal data, preventing unlawful access to personal data, ensuring the preservation of personal data, communication techniques, technical knowledge and skills, Law No. 6698, and other relevant legislation.
- When deemed necessary, employees are required to sign the relevant confidentiality agreements regarding the activities carried out by the Company.
- A disciplinary procedure and internal regulation have been prepared for employees who do not comply with security policies and procedures.
- Before starting to process personal data, the Company fulfills its obligation to inform the data subjects.
- A personal data processing inventory has been prepared.
- Periodic and random internal audits are carried out within the Company.
- Information security training is provided to employees.
- Commitments are obtained in accordance with the Law for the protection of personal data.
- Companies engaged in a business relationship are informed of the measures to be taken in accordance with Law No. 6698.
- Commitments have been prepared for Supplier Companies within the scope of Law No. 6698.
- Training has been provided within the Company on Personal Data covered by Law No. 6698 and how it should be protected.
- An internal authorization matrix has been established within the Company in accordance with the Law.
- A Company Data Destruction Policy has been established.
- The company's VERBİS registration has been completed and the necessary notifications have been made.
- A Personal Data Request Procedure has been established regarding the company's customers.
- Necessary informational training has been provided to the company's department managers.
- Consent Forms have been prepared for company employees within the scope of Law No. 6698.
- Information Notices have been prepared for company customers within the scope of Law No. 6698.
- A Call Center Policy Information Procedure has been established within the scope of the Law.
- Devices containing personal data have been assigned to authorized personnel.
- Separate policies have been established for the security of special categories of personal data, and accordingly, the disclosure obligation has been fulfilled and explicit consent texts have been prepared.
- Necessary warning and information notices are used in physical areas that are monitored by means such as camera recording.
- A Personal Data Protection Committee has been established within the scope of the Law to ensure the protection of personal data, to take necessary measures, and to evaluate the applications of data subjects.
- Storage of data kept in physical environments (paper, files) has been ensured in locked areas, and arrangements have been made so that only authorized persons can access them.
- No data defined as Personal Data is left exposed in the office or any other environment, except when an authorized person is required to work with it or in situations where its use is mandatory.
5.2 Technical Measures
- Penetration tests are conducted to identify risks, threats, vulnerabilities, and any potential security gaps in our company's information systems, and necessary measures are taken accordingly.
- Information security status and incident management ensure that risks and threats that may affect the continuity of information systems are continuously monitored through real-time analyses.
- Access to IT systems and user authorizations are carried out through computer assignment, access and authorization matrices, and corporate security policies.
- Necessary measures are taken to ensure the physical security of the Company’s IT system equipment, software, and data.
- Hardware (access control system allowing only authorized personnel to enter the system room, 24/7 monitoring system, physical security of edge switches forming the local area network, fire suppression system, climate control system, etc.) and software (firewalls, intrusion prevention systems, malware protection systems, etc.) measures are taken to ensure the security of IT systems against environmental threats.
- Risks aimed at preventing the unlawful processing of personal data are identified, appropriate technical measures are implemented for these risks, and technical controls are conducted on the measures taken.
- Within the organization, access procedures are established, and reporting and analysis activities regarding access to personal data are conducted.
- Accesses to storage areas containing personal data are recorded, and unauthorized accesses or access attempts are monitored and controlled.
- The organization takes the necessary measures to ensure that deleted personal data is inaccessible and cannot be reused by the relevant users.
- In the event that personal data is unlawfully obtained by others, the Company has established an appropriate system and infrastructure to notify the relevant person and the Board.
- Security vulnerabilities are monitored, appropriate security patches are applied, and information systems are kept up to date.
- Strong passwords are used in electronic environments where personal data is processed.
- Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
- A secure protocol (HTTPS) is used when accessing the Company’s website.
- No processing will be carried out for sensitive personal data that is legally or company-wise mandatory without fulfilling the necessary disclosure obligations to employees and obtaining their explicit consent.
- Employees involved in personal data processing have been provided training on the security of sensitive personal data, confidentiality agreements have been signed, and access rights for users authorized to access the data have been defined.
- In cases where sensitive personal data is processed, except in situations where the Law does not require the individual’s consent, or as mandated by the Law, other legislation, and agreements to which the Republic of Turkey is a party, the said data will under no circumstances be transferred to third parties, except to authorized institutions or when the relevant individual has given explicit consent.
6. Personal Data Destruction Techniques
At the end of the retention period prescribed by the relevant legislation or the period necessary for the purposes for which they are processed, personal data is destroyed by the Company either ex officio or upon the request of the relevant individual, using the techniques specified below in accordance with the provisions of the relevant legislation.
6.1 Deletion of Personal Data
When processed, personal data is deleted using the methods specified below:
- a. Personal Data Stored on Servers: For personal data stored on servers, once the retention period has expired, the system administrator removes access rights for the relevant users and performs the deletion process.
- b. Personal Data in Electronic Environments: Personal data stored in electronic environments, whose retention period has expired, is made completely inaccessible and unusable for all employees (relevant users) except the database administrator.
- c. Personal Data in Physical Environments: For personal data stored in physical environments, once the required retention period has expired, it becomes completely inaccessible and unusable for all employees except the unit manager responsible for the document archive. Additionally, the relevant documents are redacted by crossing out, coloring, or erasing in a way that makes them unreadable.
- d. Personal Data on Portable Media: For personal data stored on flash-based storage media, once the required retention period has expired, the data is encrypted by the system administrator and access rights are granted only to the system administrator, with the encryption keys stored in secure environments.
6.2 Destruction of Personal Data
Personal data is destroyed by our Company using the methods specified below.
- a. Personal Data in Physical Media: Personal data stored on paper, whose retention period has expired, is destroyed in an irreversible manner using paper shredders or manually cut with scissors.
- b. Personal Data on Optical / Magnetic Media: Personal data stored on optical and magnetic media, whose retention period has expired, is physically destroyed by methods such as melting, burning, shredding, scratching, or pulverizing.
6.3 Anonymization of Personal Data
The anonymization of personal data is the process by which personal data, even if combined with other data, cannot in any way be associated with an identified or identifiable natural person.
For personal data to be considered anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques in the storage medium and relevant activity area, such as restoration by the data controller or third parties and/or matching with other data.
7. Retention and Destruction Periods
Regarding the personal data processed by our Company within the scope of its activities:
- a. The retention periods for all personal data processed within the scope of activities, depending on the processes, are generally limited by the Law; however, in cases where retention periods are determined voluntarily, they are set in accordance with our Company Policies.
- b. Retention periods based on data categories are available in the "Data Controllers’ Registry Information System."
- c. Retention periods based on processes are specified in the "Personal Data Retention and Destruction Policy."
If necessary, the retention periods may be updated by our Company’s authorized bodies; however, for personal data whose retention period has expired, the deletion, destruction, or anonymization is carried out ex officio by the Relevant Units of our Company.
The retention and destruction table for personal data processed by our Company is as follows:
| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Company Board of Directors Resolution Records | 10 Years | At the first periodic destruction period following the end of the retention period |
| Contracts serving as the basis for the company's decisions | 10 Years | At the first periodic destruction period following the end of the retention period |
| Execution of Human Resources Processes (Only for Personnel Who Have Started Work) | 15 years following the end of the activity | At the first periodic destruction period following the end of the retention period |
| Execution of Internal Company Communication Activities (Only Processed Data) | 1 year | At the first periodic destruction period following the end of the retention period |
| Execution of Hardware and Software Access Processes | 1 year | At the first periodic destruction period following the end of the retention period |
| Visitor and Meeting Records, if Processed | 10 Years | At the first periodic destruction period following the end of the retention period |
| Company Building Closed-Circuit Recording System Records | 14 Days | At the first periodic destruction period following the end of the retention period |
| Customer Records (for Individuals and Companies for whom the Disclosure Obligation has been fulfilled and Explicit Consent has been obtained) | 10 Years | At the first periodic destruction period following the end of the retention period |
| Application Documents (For Individuals Not Hired) | 2 Years | At the first periodic destruction period following the end of the retention period |
*For durations not specified in this table, the provisions mandated by the Personal Data Protection Law, along with other applicable mandatory regulations, shall apply.
8. Periodic Destruction Interval
Our Company has set the periodic destruction interval as 6 months in accordance with Article 11 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017. Accordingly, the periodic destruction process is carried out on the last day of June and December each year in our Company.
9. Publication and Retention of the Policy
Our Company's Personal Data Retention and Destruction Policy is published in two formats: hard copy (with wet signature) and electronic format, and it is made publicly available on the website. The printed copy is kept in our Company's Human Resources Department.
10. Policy Revision Period
The Policy is reviewed and necessary sections are updated in case of changes in the Law or whenever needed. For these updates, the publication procedure of our Company's Personal Data Retention and Destruction Policy is followed in accordance with the provisions of Article 9.
11. ENFORCEMENT AND TERMINATION OF THE POLICY
The Personal Data Retention and Destruction Policy of our Company is considered effective upon its publication on the Institution's website. In the event that a decision is made to revoke the Policy, the old printed copies of the Policy are invalidated by the Human Resources Department with the approval of our Company’s Board of Directors (by stamping “canceled” or issuing a cancellation notice) and are retained by our Company’s Human Resources Department for at least 5 years.