Personal Data Protection Information Notice
KÜÇÜK GROUP INC. PERSONAL DATA RETENTION AND DESTRUCTION POLICY
TABLE OF CONTENTS
DEFINITIONS AND ABBREVIATIONS
1. PURPOSE
2. SCOPE
3. RECORDING ENVIRONMENTS
4. CASES REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA
5. DESTRUCTION OF PERSONAL DATA
6. MEASURES TAKEN REGARDING THE RETENTION AND DESTRUCTION OF PERSONAL DATA
7. UNITS INVOLVED IN RETENTION AND DESTRUCTION OF PERSONAL DATA AND THEIR DUTIES
8. METHODS AND PROCESS OF PERSONAL DATA DESTRUCTION
9. RETENTION AND DESTRUCTION PERIODS
10. PERIODIC DESTRUCTION PERIODS
11. PUBLICATION/STORAGE OF THE POLICY, EFFECTIVE DATE AND UPDATES
DEFINITIONS AND ABBREVIATIONS
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Inventory: Refers to the Personal Data Processing Inventory.
Relevant User: Persons who process personal data within the organization of the data controller or under authorization, excluding those responsible for technical storage, protection, and backup.
Destruction: Deletion, destruction, or anonymization of personal data.
OHS: Occupational Health and Safety Law.
Law: Personal Data Protection Law No. 6698.
Recording Environment: Any environment where personal data is processed automatically or non-automatically as part of a data recording system.
Personal Data Processing Inventory: Inventory detailing data processing activities, purposes, categories, recipient groups, and data subject groups.
Board: Personal Data Protection Board.
Authority: Personal Data Protection Authority.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, union membership, health, sexual life, criminal convictions, biometric and genetic data.
Periodic Destruction: Deletion, destruction, or anonymization carried out at recurring intervals when legal grounds for processing cease; in this Policy, refers to June and December.
Policy: KÜÇÜK GROUP INC. Personal Data Retention and Destruction Policy.
Registry: Data Controllers Registry maintained by the Authority.
Data Recording System: System where personal data is structured and processed.
Data Controller: Entity determining purposes and means of processing personal data.
Küçük Group Inc.: Küçük Group Cable Industry Trade Joint Stock Company (Data Controller).
Company: Küçük Group Cable Industry Trade Joint Stock Company.
1. PURPOSE
This Policy has been prepared to define procedures and principles regarding retention and destruction activities carried out by KÜÇÜK GROUP INC.
The Company prioritizes processing personal data in compliance with the Constitution of Türkiye, international conventions, Law No. 6698, and other applicable legislation, ensuring protection of rights of data subjects.
All processing and protection activities are carried out in accordance with this Policy.
2. SCOPE
This Policy covers all departments processing personal data, employees, third parties, institutions, and organizations with whom the Company shares data or from whom it procures services.
It applies to all processing activities and will be updated in line with legal changes.
3. RECORDING ENVIRONMENTS
Electronic Environment:
• Servers (domain, backup, email, database, web, file sharing, etc.)
• Software (office software, portals)
• Security devices (firewalls, intrusion detection systems, antivirus, etc.)
• Magic Face (Personnel Tracking System)
• Cloud systems
• Computers (desktop, laptop)
• Mobile devices (phones, tablets)
• Optical disks (CD, DVD)
• Removable media (USB, memory cards)
• Printers, scanners, copiers
Non-Electronic Environment:
• Paper
• Written, printed, visual media
4. CASES REQUIRING RETENTION AND DESTRUCTION OF PERSONAL DATA
A- CASES REQUIRING RETENTION
Personal data is retained for the period required under applicable legislation or processing purposes, in accordance with Articles 3, 4, 5, and 6 of the Law.
Legal Grounds for Retention include:
• Law No. 6698
• Turkish Code of Obligations
• Public Procurement Law
• Civil Servants Law
• Social Insurance and General Health Insurance Law
• Internet Law No. 5651
• Occupational Health and Safety Law
• Other relevant legislation and secondary regulations
Processing Purposes include:
• Conducting business operations in compliance with law and company policies
• Human resources management
• Strategic planning and execution of commercial activities
• Ensuring legal, technical, and commercial security
• Fulfilling legal obligations and responding to official requests
• Ensuring physical security
• Evidence obligations in legal disputes
B- CASES REQUIRING DESTRUCTION
Personal data is destroyed when:
• Legal basis is changed or removed
• Purpose of processing no longer exists
• Processing becomes unlawful
• Data subject request is accepted
• Complaint is upheld by the Board
• Maximum retention period expires
• Contract is not established or terminated
• Consent is withdrawn
5. DESTRUCTION OF PERSONAL DATA
Destruction is carried out in three ways:
i. Deletion: Making data inaccessible and unusable for users.
ii. Destruction: Ensuring data cannot be accessed, recovered, or reused under any circumstances.
iii. Anonymization: Making data impossible to associate with an identifiable person even when combined with other data.
6. MEASURES TAKEN REGARDING THE STORAGE AND DESTRUCTION OF PERSONAL DATA
A- TECHNICAL MEASURES
The technical measures taken by KÜÇÜK GROUP INC. regarding the personal data it processes are listed below:
• Through various tests, risks, threats, vulnerabilities and possible security gaps in the company’s IT systems are identified and necessary precautions are taken.
• Through information security incident management and real-time analyses, risks and threats that may affect the continuity of IT systems are continuously monitored.
• Access to IT systems and user authorizations are managed through an access and authorization matrix and corporate active directory security policies.
• Necessary measures are taken to ensure the physical security of IT system equipment, software and data belonging to KÜÇÜK GROUP INC.
• To ensure the security of IT systems against environmental threats, hardware (such as CCTV recording, alarm systems and locking systems) and software (such as firewalls, intrusion prevention systems, network access control, malware prevention systems, etc.) measures are implemented.
• To prevent unlawful processing of personal data, the relevant risks are identified, appropriate technical measures are implemented for these risks, and technical controls are carried out on the measures taken.
• Access procedures are established within KÜÇÜK GROUP INC., and reporting and analysis activities are conducted regarding access to personal data.
• Access to storage areas containing personal data is recorded, and unauthorized access or access attempts are monitored and controlled.
• The company ensures that deleted personal data becomes inaccessible and unusable for relevant users.
• An appropriate system and infrastructure have been established to notify the relevant person and the Board in case personal data is unlawfully obtained by others.
• Security vulnerabilities are monitored, necessary security patches are installed, and information systems are kept up to date.
• Strong passwords are used in electronic environments where personal data is processed.
• Secure logging systems are used in electronic environments where personal data is processed.
• Data backup programs are used to ensure secure storage of personal data.
• Access to personal data stored in both electronic and physical environments is restricted according to access principles.
• A separate policy has been established for the security of sensitive personal data.
• Employees involved in sensitive personal data processing are provided with training, confidentiality agreements are signed, and user access rights are defined.
• Electronic environments where sensitive personal data is processed, stored or accessed are protected using cryptographic methods; cryptographic keys are stored securely; all transaction logs are recorded; security updates are continuously followed; regular security tests are conducted or commissioned and test results are recorded.
• Physical environments where sensitive personal data is processed, stored or accessed are secured with adequate measures and protected against unauthorized entry and exit.
• If sensitive personal data needs to be transmitted via email, it is sent in encrypted form using corporate email accounts or via a registered electronic mail (KEP) account. If transferred via portable media such as USB drives, CDs or DVDs, it is encrypted using cryptographic methods and the cryptographic key is stored in a separate environment. If data transfer is carried out between servers in different physical environments, VPN or sFTP methods are used. If transfer is done via paper, necessary measures are taken against risks such as theft, loss or unauthorized access, and documents are sent in “confidential” format.
B- ADMINISTRATIVE MEASURES
The administrative measures taken by KÜÇÜK GROUP INC. regarding the personal data it processes are listed below:
• Training is provided to improve employee competence on preventing unlawful processing and access to personal data, ensuring data protection, communication techniques, technical knowledge, skills and legislation.
• Employees are required to sign confidentiality agreements for activities carried out by KÜÇÜK GROUP INC.
• A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
• In cases where personal data is shared with third parties for storage purposes, contracts with such companies include provisions regarding their obligations and responsibilities to take necessary security measures for the protection and secure storage of transferred personal data.
• The security of physical storage areas of personal data is ensured and access rights are restricted.
• A personal data processing inventory has been prepared.
• Periodic and random internal audits are conducted.
• Necessary equipment for physical destruction is kept available in the workplace.
• Accessibility standards in accordance with the Law on Persons with Disabilities are taken into account when providing information notices related to CCTV recording for physical security and monitoring.
7. UNITS AND JOB DESCRIPTIONS INVOLVED IN STORAGE AND DESTRUCTION OF PERSONAL DATA
Within KÜÇÜK GROUP INC., the Human Resources Manager within the Human Resources Department and the Accounting Department Manager are authorized for storage and destruction processes of personal data. Other employees’ storage and destruction activities are carried out under the knowledge and supervision of authorized personnel.
8. METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA
At the end of the retention period required by the relevant legislation or the purpose for which they are processed, personal data is destroyed by KÜÇÜK GROUP INC., either ex officio or upon request of the relevant person, in accordance with the applicable legal provisions using the technical methods listed below.
A- DELETION OF PERSONAL DATA
Personal data is deleted using the methods specified in Table-2.
Table 2: Deletion of Personal Data
| Data Storage Environment | Description |
| --- | --- |
| Personal Data Stored on Servers | For personal data stored on servers whose retention period has expired, the system administrator removes access authorizations of relevant users and performs the deletion process. |
| Personal Data Stored in Electronic Environment | Personal data stored in electronic environments whose retention period has expired are made inaccessible and unusable in any way for employees other than the database administrator (relevant users). |
| Personal Data Stored in Physical Environment | For personal data stored in physical environments whose retention period has expired, the documents are made inaccessible and unusable for all employees except the responsible unit manager of the archive. In addition, a blackout process is applied by crossing out, painting over, or erasing the content so that it becomes unreadable. |
| Personal Data Stored on Portable Media | Personal data stored in flash-based storage media whose retention period has expired are encrypted by the system administrator, and access rights are granted only to the system administrator; encryption keys are stored in secure environments. |
B- DESTRUCTION OF PERSONAL DATA
Personal data is destroyed by KÜÇÜK GROUP INC. using the methods specified in Table-3.
| Data Storage Environment | Description |
| --- | --- |
| Personal Data Stored in Physical Environment | For personal data stored on servers whose retention period has expired, the system administrator removes access rights of relevant users and performs the deletion process. |
| Personal Data Stored on Optical/Magnetic Media | Personal data stored on optical and magnetic media whose retention period has expired is physically destroyed by melting, incineration, or pulverization. In addition, magnetic media is rendered unreadable by passing it through a special device and exposing it to a high level of magnetic field. |
C- ANONYMIZATION OF PERSONAL DATA
Anonymization is the process of rendering personal data, in cases where it is processed fully or automatically by KÜÇÜK GROUP INC., in such a way that it cannot be associated with an identified or identifiable natural person even when matched with other data.
For personal data to be considered anonymized, it must be processed using appropriate techniques for the storage environment and relevant field of activity so that it cannot be associated with an identified or identifiable natural person, even through reversal or matching with other data.
9. RETENTION AND DESTRUCTION PERIODS
A- Legal Retention and Destruction Periods
Within the scope of its activities, KÜÇÜK GROUP INC. manages personal data as follows:
• Retention periods for personal data based on processes are included in the Personal Data Processing Inventory;
• Retention periods based on data categories are included in the VERBIS registration;
• Retention periods based on processes are included in the Personal Data Storage and Destruction Policy.
These retention periods may be updated when necessary. Once retention periods expire, deletion, destruction, or anonymization processes are carried out by authorized employees of the company.
B- Deletion and Destruction Process Upon Request of Data Subjects
When data subjects request deletion or destruction of their personal data by applying as announced on KÜÇÜK GROUP INC.’s website, the company reviews the current legal conditions for processing and initiates the relevant action plan. If all conditions for processing personal data have ceased to exist, the relevant data is deleted, destroyed, or anonymized. KÜÇÜK GROUP INC. completes the request within a maximum of thirty days and informs the data subject. If all processing conditions have ceased and the personal data has been transferred to third parties, the data controller informs the third party and ensures that necessary actions are taken in accordance with the Regulation. If processing conditions have not fully ceased, KÜÇÜK GROUP INC. may reject the request by explaining the reason to the data subject and notifies the response within thirty days in writing or electronically.
Table 4: Process-based retention and destruction periods
| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- |
| Conducting Commercial Activities | 5 Years | At the first periodic destruction period following the end of the retention period |
| Legal Proceedings | 10 Years | At the first periodic destruction period following the end of the retention period |
| Customer Transactions | 5 Years | At the first periodic destruction period following the end of the retention period |
| Human Resources Processes | 10 Years after termination of employment contract and legal process | At the first periodic destruction period following the end of the retention period |
| Termination of Communication Activities with the Company | 5 Years | At the first periodic destruction period following the end of the retention period |
| Data Controller Application Form | 10 Years | At the first periodic destruction period following the end of the retention period |
| Narbulut Record Tracking Systems | 30 Days | Automatically deleted after 30 days |
| Camera Recordings | 25 Days | Automatically deleted after 25 days |
| Corporate Memory | 99 Years | At the first periodic destruction period following the end of the retention period |
10. PERIODIC DESTRUCTION PERIODS
Pursuant to Article 11 of the Regulation, KÜÇÜK GROUP INC. has determined the periodic destruction period as 6 months. Accordingly, in June and December of each year, periodic destruction processes are carried out and documented by authorized personnel in accordance with this policy.
11. PUBLICATION / STORAGE OF THE POLICY, EFFECTIVE DATE, AND UPDATES
The policy is published in both printed (wet-signed) and electronic formats and made publicly available on the company’s website. The printed copy is kept in the company’s files.
The policy enters into force after being published on the company’s website. If it is decided to be revoked, the wet-signed copies are cancelled by the authorized signatory (by stamping or marking as cancelled), signed, and stored for at least 5 years.
The policy may be updated if legal regulations change or if deemed necessary.