Personal Data Retention and Destruction Policy

INTRODUCTION

Purpose

Kafein Yazılım Hizmetleri Ticaret A.Ş. (“Kafein” or the “Company”) pays utmost attention to the retention and destruction of personal data in compliance with the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (“KVKK”), the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 (“Regulation”), and other applicable legislation, regarding the personal data of real persons including employees, employee candidates, interns, intern candidates, visitors, supplier representatives, supplier employees, individuals who receive products or services, potential product or service recipients, shareholders/partners, members of the board of directors, and other third parties.

For this reason, as the data controller, we determine and carry out the maximum retention period required for the purpose of processing and the procedures and durations regarding the destruction of all personal data obtained during the execution of our business processes, in accordance with this Personal Data Retention and Destruction Policy (the “Policy”).

Furthermore, during the retention and destruction processes of personal data, we take all necessary technical and administrative measures to prevent the unlawful retention or destruction of such data. As Kafein, we attach great importance to the protection of privacy and the safeguarding of data security at the highest level during personal data retention and destruction processes.

This Policy contains explanations regarding the methods we follow for the retention and destruction of personal data obtained during the course of our activities. In the event of any conflict between the applicable legislation and this Policy, our Company acknowledges that the provisions of the applicable legislation shall prevail.

Scope

This Policy covers all personal data processed by Kafein belonging to real persons including employees, employee candidates, interns, intern candidates, visitors, supplier representatives, supplier employees, individuals receiving products or services, potential product or service recipients, subcontractor employees, shareholders/partners, members of the board of directors, and other third parties.

The Policy pertains to the retention and destruction of these personal data processed by the Company in any electronic or physical environment and has been prepared in consideration of the KVKK, all primary and secondary applicable legal regulations, as well as relevant international standards and guiding documents in this field.

In addition, in cases where data processed by Kafein and/or the group companies and/or holdings it is part of are also processed by such group companies or holdings, the data may be processed by the group companies or holding for the purpose of conducting their activities in line with their principles, objectives, goals, and strategies, and for the protection of the rights, interests, and reputation of the relevant companies. In such cases, if a data transfer from one data controller to another occurs under the Law, the relevant Company shall inform the data subject at the stage of personal data collection that their personal data may be transferred to group companies and/or holdings.

Definition and Abbreviations

RESPONSIBILITIES AND TASK DISTRIBUTION

The distribution of titles, departments, and job descriptions of personnel involved in the storage and destruction processes of personal data is provided below.

Data Recording Media

Explanations on Retention and Destruction

Kafein ensures that the personal data of real persons, including employees, job applicants, interns, intern candidates, visitors, supplier representatives, supplier employees, persons receiving products or services, potential recipients of products or services, subcontracted workers, shareholders/partners, board members, and other third parties, are stored and destroyed in compliance with the Personal Data Protection Law (KVKK). Detailed explanations regarding storage and destruction are provided below in sequence.

Explanations Regarding Retention

Many regulations in the legislation require personal data to be retained for a certain period. Therefore, we store the personal data we process for the period stipulated in the relevant legislation, or if no such period is specified, for as long as necessary to fulfill the purposes for which the personal data is processed.

In cases where personal data is processed for multiple purposes, if all processing purposes cease to exist, the data will be deleted, destroyed, or anonymized ex officio, or upon the request of the relevant person, provided that there is no legal obstacle to deletion under the legislation.

Legal Grounds Requiring Retention

Personal data processed within the scope of activities at Kafein is retained for the period stipulated in the relevant legislation. Within this framework, personal data is retained for the storage periods prescribed by:

  • Law No. 6698 on the Protection of Personal Data
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Labor Law No. 4857
  • Occupational Health and Safety Law No. 6361
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications
  • Other secondary regulations in force, primarily including those listed above.

Purposes Requiring Retention

The Company retains personal data processed within the scope of its activities for the following purposes:

  • Emergency Management Processes
  • Information Security Processes
  • Management of Job Applicant Processes
  • Selection and Placement Processes for Job Candidates/Interns/Student
  • Fulfillment of Employment Contract and Legal Obligations for Employees
  • Administration of Employee Benefits and Perquisites
  • Conducting Audit/Ethics Activities
  • Implementation of Training Activities
  • Management of Access Authorizations
  • Ensuring Compliance of Operations with Legislation
  • Execution of Finance and Accounting Tasks
  • Ensuring Physical Facility Security
  • Management of Assignment Processes
  • Monitoring and Execution of Legal Affairs
  • Monitoring and Execution of Personnel Affairs
  • Monitoring and Execution of Business Development Activities
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Management of Communication Activities
  • Planning of Human Resources Processes
  • Execution and Supervision of Business Operations
  • Implementation of Occupational Health and Safety Activities
  • Ensuring Business Continuity Activities
  • Receiving and Evaluating Suggestions for Business Process Improvement
  • Execution of Goods/Services Procurement Processes
  • Execution of Goods/Services Sales Processes
  • Execution of Goods/Services Production and Operation Processes
  • Execution of After-Sales Support Services for Goods / Services
    Management of Customer Relationship Processes
  • Execution of Activities Aimed at Customer Satisfaction
    Organization and Event
  • Management
    Management of Performance Evaluation Processes
  • Execution of Advertising/Campaign/Promotion Processes
  • Execution of Storage and Archiving Activities
  • Management of Contract Processes
    Monitoring of Requests/Complaints
  • Execution of Supply Chain Management Processes
  • Administration of Compensation Policy
  • Ensuring Security of Data Controller Operations
  • Execution of Talent/Career Development Activities
  • Providing Information to Authorized Persons, Institutions, and Organizations
  • Providing Information to Judicial and Legal Authorities
  • Providing Information to Law Enforcement Agencies
  • Creation and Monitoring of Visitor Records

Explanations Regarding Destruction

Personal data shall be deleted, destroyed, or anonymized by the Company upon the request of the data subject, or ex officio, under the following circumstances:

  • Amendment or repeal of the relevant legislation governing the processing of the data,
  • The purpose requiring the processing or retention of the data no longer exists,
  • In cases where the processing of personal data is based solely on explicit consent, the data subject withdraws their explicit consent,
  • The Company accepts the data subject’s application for deletion and destruction of personal data within the scope of their rights under Article 11 of the Personal Data Protection Law (KVKK),
  • If the Company rejects the data subject’s request for deletion or destruction, provides an insufficient response, or fails to respond within the timeframe stipulated by the KVKK; in such cases, the data subject may file a complaint with the Personal Data Protection Board, and if the Board deems the request appropriate,
  • The maximum retention period required for the storage of personal data has expired and there is no justified reason to retain the data for a longer period.

Technical and Administrative Measures

In accordance with Articles 12 and 6 of the Personal Data Protection Law (KVKK), the Company takes technical and administrative measures within the scope of sufficient precautions determined and announced by the Board for special categories of personal data to ensure the secure storage of personal data, prevent unlawful processing and access, and ensure the lawful destruction of personal data.

Technical Measures

Measures taken by Kafein regarding the personal data it processes are as follows:

  • Network and application security are ensured,
  • Closed system networks are used for personal data transfers via network,
  • Key management is applied,
  • Security measures are taken within the scope of procurement, development, and maintenance of IT systems,
  • Up-to-date antivirus systems are used,
  • Firewalls are used,
    Personal data security is monitored,
  • Personal data is minimized as much as possible,
  • Personal data is stored anonymously whenever possible,
  • Personal data is backed up, and the security of the backups is ensured,
  • User account management and authorization control systems are applied and monitored,
  • Intrusion detection and prevention systems are used,
  • Penetration testing is conducted,
  • Cybersecurity measures have been implemented and are continuously monitored,
  • Encryption is applied.

Administrative Measures

The measures taken by Kafein regarding the personal data it processes are as follows:

  • Disciplinary regulations including data security provisions are in place for employees,
  • Regular training and awareness activities on data security are conducted for employees,
  • An authorization matrix is created for employees,
  • Corporate policies are implemented regarding access, information security, usage, storage, and destruction,
  • Confidentiality agreements are signed,
  • Access rights of employees who have changed roles or left the company are revoked,
  • Signed contracts include data security provisions,
  • Personal data security policies and procedures are established,
  • Personal data security incidents are reported promptly,
  • Necessary security measures are taken for physical areas containing personal data,
  • Security of physical areas containing personal data against external risks (fire, flood, etc.) is ensured,
  • Security of environments containing personal data is maintained,
  • Periodic and/or random internal audits are conducted and enforced,
  • Existing risks and threats are identified, and
  • Awareness of data-processing service providers is ensured.

Techniques for Destructions of Personal Data

At the end of the retention period stipulated by the relevant legislation, or when the retention period necessary for the purpose of processing the personal data has expired, the personal data shall be destroyed by the Company either ex officio or upon the request of the data subject, in accordance with the applicable legal provisions, using the methods specified below.

Deletion of Personal Data

As Kafein, the techniques we employ to lawfully delete personal data are as follows:

Destruction of Personal Data

As Kafein, the technical methods we apply to ensure the lawful destruction of personal data are as follows:

Anonymization of Personal Data

Anonymization of personal data means rendering personal data in such a way that, even if matched with other data, it cannot be associated with an identified or identifiable natural person under any circumstances.

For personal data to be considered anonymized, it must be processed using appropriate techniques—regarding the data storage medium and the relevant activity area—so that it cannot be linked to an identified or identifiable natural person, even by the data controller or third parties through reversal or matching with other data. Our company anonymizes data in this manner.

Retention and Destruction Periods

The processes of automatic deletion, destruction, or anonymization of personal data whose retention periods have expired are carried out by the relevant departments. The retention periods of personal data are determined within the framework of the periods stipulated in the applicable legislation.

Within this framework, if the retention of the relevant data by Kafein is evaluated according to the lawful processing grounds for personal data and special categories of personal data as set forth in Articles 5 and 6 of the KVKK, the retention periods for the related personal data are determined based on these lawful grounds. The destruction process of personal data is carried out by Kafein in accordance with the retention periods established in compliance with the relevant legislation for each relationship. Personal data whose retention periods have expired are deleted, destroyed, or anonymized by Kafein according to the predetermined periodic destruction schedules.

Periodic Destruction Period

According to Article 11 of the Regulation, the periodic destruction interval has been determined by Kafein as [6] months.

Publication and Storage of the Policy

The original of the Policy is maintained within the [quality management system documentation] environment, and an electronic copy is published in a location accessible to employees.

Policy Update Period

The Policy is updated whenever necessary or when there are changes in the processes.

Enforcement and Revocation of the Policy

This Policy shall enter into force on [June 1, 2024] with the approval of the [executive board]. In the event of a decision to revoke the Policy, the previously signed hard copies of this Policy shall be cancelled by the [quality management representative] with the written approval of the [executive board] (by stamping “Cancelled” or annotating the cancellation) and signed accordingly. The cancelled documents shall be retained by the [quality management representative] and destroyed by the [quality management representative] with the written approval of the [executive board] at the end of the retention period

Table of Contents