PERSONAL DATA STORAGE AND TERMINATION POLICY

1. PURPOSE AND SCOPE

HEYBİE BİLİŞİM TEKNOLOJİLERİ VE DİJİTAL HİZMETLER ANONİM ŞİRKETİ ("Our Company") commits to comply with personal data protection, processing, and destruction regulations in accordance with its legal responsibilities arising from relevant legislation. This Personal Data Storage and Destruction Policy ("Policy") contains the framework and principles for carrying out necessary storage and destruction work within the scope of relevant legislation.

Pursuant to the Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017, and numbered 30224 ("Regulation"), data controllers are obligated to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory. The purpose of this Policy, prepared based on the above regulation, is to determine the maximum periods required for the purposes for which personal data processed by our Company is processed, and to define the deletion, destruction, or anonymization processes and the roles and responsibilities of persons involved in these processes.

The scope of this Policy includes: maximum storage periods for personal data, technical and administrative measures taken for lawful storage and destruction of personal data, units involved in relevant processes within our Company, and recording environments.

2. DEFINITIONS

Electronic Environment: Environments where personal data can be created, read, modified, and written with electronic devices.

Non-Electronic Environment: All written, printed, visual, etc. other environments outside of electronic environments.

Law: Personal Data Protection Law No. 6698.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means, or otherwise than by automatic means which form part of a filing system.

Data Controller: HEYBIE INC.

PDP Committee: Personal Data Protection (PDP) Committee, the committee to be established to carry out administrative follow-up of processes created within the scope of the Personal Data Protection Law and sub-regulations, appointed by the Data Controller.

Data Subject: The natural person whose personal data is processed.

Board: Personal Data Protection Board.

Anonymization: Making personal data impossible to link with an identified or identifiable natural person, even through matching with other data.

Destruction: Deletion, destruction, or anonymization of Personal Data.

Recording Environment: Any environment where Personal Data processed by fully or partially automatic means or non-automatic means as part of any data recording system is located.

Personal Data Processing Inventory: The inventory detailing personal data processing activities by associating them with data processing purposes, data category, recipient group, and data subject group, and explaining the maximum period required for the purposes for which personal data is processed, personal data foreseen to be transferred, and measures taken regarding data security.

Personal Data Storage and Destruction Policy/Policy: This policy that data controllers use as a basis for determining the maximum period required for the purposes for which personal data is processed and for deletion, destruction, and anonymization operations.

Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the Personal Data Storage and Destruction Policy in case all conditions for processing Personal Data specified in the Law cease to exist.

Relevant User: Persons who process Personal Data within the organization of the Data Controller or based on the authority and instruction received from the Data Controller, excluding the person or unit responsible for technical storage, protection, and backup of Personal Data.

Regulation: Regulation on Deletion, Destruction, or Anonymization of Personal Data.

VERBIS: Data Controllers Registry Information System.

3. RECORDING ENVIRONMENTS

During our Company's activities, personal data is collected from employees, employee candidates, customers, visitors, and supplier employees and officials, and the collected personal data is stored in accordance with relevant legal legislation in the following environments:

Electronic Environments

  1. Servers (domain, backup, email, database, web, file sharing, etc.)

  2. Software (office software, portal, EBYS, VERBIS)

  3. Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.)

  4. Personal computers (desktop, laptop)

  5. Mobile devices (phone, tablet, etc.)

  6. Optical discs (CD, DVD, etc.)

  7. Removable memory (USB, memory card, etc.)

  8. Printers, scanners, photocopiers

Non-Electronic Environments

  1. Paper

  2. Manual data recording systems (survey forms, service forms, job application forms)

  3. Other written, printed, or visual environments

4. RESPONSIBILITY

For the purpose of publishing, keeping current, and monitoring the implementation of this Policy, a PDP Committee will be established by our Company's Board of Directors, and the PDP Committee will be authorized for all these matters. The PDP Committee will consist of the Human Resources Manager, Administrative Affairs Manager, and Information Processing Manager. The PDP Committee fulfills the following duties and responsibilities:

  • Ensure compliance with personal data storage period

  • Manage the personal data destruction process during the periodic destruction period

  • Review the Policy at least annually

  • Develop and publish Personal Data Storage and Destruction Procedure and other procedures it deems necessary, detailing operating rules based on the Policy

  • Make necessary task distribution for implementation of Policy and procedures, authorize appropriate persons, and organize training on Law compliance

  • Monitor and plan auditing of implementation of all technical and administrative measures taken pursuant to Article 12 of the Law

  • Identify matters required for ensuring compliance with the Law and relevant legislation, monitor implementation, and ensure necessary coordination

  • Monitor processes related to applications and requests made by natural persons whose Personal Data is processed and ensure necessary actions are taken to resolve issues that may arise regarding implementation of the Law and/or policy and procedures

  • Conduct relations with the Board

5. REASONS REQUIRING DATA STORAGE

Article 3 of the Law defines the concept of processing personal data, and Article 4 requires compliance with the following principles in processing personal data:

  a) Being in conformity with the law and good faith

  b) Being accurate and, if necessary, up to date

  c) Being processed for specified, explicit, and legitimate purposes

  d) Being relevant, limited, and proportionate to the purposes for which they are processed

  e) Being stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed

Articles 5 and 6 of the Law list the conditions for processing personal data. Accordingly, personal data within the scope of our Company's activities is stored for the period stipulated in relevant legislation or appropriate for our processing purposes.

5.1. LEGAL REASONS

  • Personal Data Protection Law No. 6698

  • Turkish Code of Obligations No. 6098

  • Turkish Commercial Code No. 6102

  • Social Insurance and General Health Insurance Law No. 5510

  • Law No. 5651 on Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications

  • Occupational Health and Safety Law No. 6331

  • Labor Law No. 4857

  • Other secondary regulations in force under these laws

5.2. PROCESSING PURPOSES REQUIRING STORAGE

Personal data held within our Company is stored in accordance with the Law and our Personal Data Policy (you can access the relevant policy at "www.heybie.com") for the purposes and reasons stated herein.

6. TECHNICAL AND ADMINISTRATIVE MEASURES

Our Company takes all necessary technical and administrative measures appropriate to the nature of the relevant personal data and the environment in which it is held to ensure secure storage of personal data and prevent unlawful processing and access.

These measures include, but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the relevant personal data and the environment in which it is held.

6.1. TECHNICAL MEASURES

  • Network security and application security are maintained

  • Closed system network is used for personal data transfers via network

  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems

  • Security of personal data stored in the cloud is ensured

  • Authorization matrix has been created for employees

  • Access logs are regularly maintained

  • Data masking measures are applied when necessary

  • Current anti-virus systems are used

  • Firewalls are used

  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data

  • Security of physical environments containing personal data is ensured against external risks (fire, flood, etc.)

  • Security of environments containing personal data is ensured

  • Personal data is minimized as much as possible

  • Personal data is backed up and security of backed-up personal data is also ensured

  • User account management and authorization control system is implemented and monitored

  • Current risks and threats have been identified

  • Intrusion detection and prevention systems are used

  • Penetration testing is applied

  • Cyber security measures have been taken and their implementation is continuously monitored

  • Encryption is performed

6.2. ADMINISTRATIVE MEASURES

  • Disciplinary regulations containing data security provisions exist for employees

  • Training and awareness activities on data security are conducted for employees at regular intervals

  • Confidentiality agreements are made

  • Corporate policies on access, information security, usage, storage and destruction have been prepared and implemented

  • Authorities in this area are revoked for employees who change positions or leave employment

  • Signed contracts contain data security provisions

  • Personal data security policies and procedures have been determined

  • Personal data security problems are reported quickly

  • Personal data security is monitored

  • Regular audits of data processing service providers regarding data security are ensured

  • Awareness of data processing service providers regarding data security is ensured

  • Internal periodic and/or random audits are conducted and commissioned

7. REASONS REQUIRING DATA DESTRUCTION

Personal data stored within our Company shall be deleted, destroyed, or anonymized by our Company upon request of the data subject or ex officio in the following situations:

  • Amendment or repeal of relevant legislation provisions that form the basis for processing

  • Cessation of the purpose requiring processing or storage

  • In cases where personal data processing is carried out solely based on explicit consent, withdrawal of explicit consent by the data subject

  • Acceptance by our Company of the application made by the data subject for deletion and destruction of personal data within the framework of rights under Article 11 of the Law

  • In cases where our Company rejects the application made by the data subject for deletion, destruction or anonymization of personal data, finds the response insufficient or does not respond within the period specified in the Law; complaint to the Board and approval of this request by the Board

  • Expiration of the maximum storage period required for personal data and absence of any conditions justifying longer storage of personal data

8. DESTRUCTION METHODS

8.1. DELETION OF DATA

This is the process of making Personal Data inaccessible and unusable in any way for Relevant Users.

Personal Data in Physical Environment: Data in such environments whose storage period has expired is made inaccessible and unusable in any way. In this context, the blackout method can be used on the relevant data. Blackout is performed by cutting the personal data out of the relevant document where possible and, where not possible, by covering it with permanent ink so that it is invisible to other users, cannot be reversed, and cannot be read with technological means.

Personal Data in Electronic Environment: For data in such environments whose storage period has expired, methods are used to delete the data from the relevant software in a way that cannot be recovered.

8.2. DESTRUCTION OF DATA

This is the process of making Personal Data inaccessible, irretrievable, and unusable by anyone in any way.

Data whose storage period has expired is destroyed by physical destruction or overwriting, whichever is appropriate to the medium, as follows:

Network Devices: Switches, routers, etc. are destroyed using appropriate methods among demagnetization (degaussing), physical destruction, or overwriting.

Flash-Based Media: Destroyed using methods recommended by the relevant manufacturer or appropriate methods among physical destruction or overwriting.

SIM Card and Fixed Memory Cards: Destroyed using appropriate methods among physical destruction or overwriting methods.

Optical Discs: Destroyed by physical methods.

Data Recording Media with Fixed Storage like Printers, Fingerprint Door Access Systems: Destroyed using appropriate methods among physical destruction or overwriting methods.

Paper and similar media: Personal data on paper media is destroyed using paper shredders.

8.3. ANONYMIZATION OF DATA

This is the process of making Personal Data impossible to associate with any identified or identifiable natural person, even when matched with other data. Anonymization removes and/or changes all direct and/or indirect identifiers in a data set so that the relevant person can no longer be identified, or can no longer be singled out within a group or crowd in a way that can be associated with a real person. Data that no longer points to a specific person once these characteristics have been removed is considered anonymized data. All processes that sever the link between the records in the data recording system where Personal Data is held and the person, using methods such as automatic or non-automatic grouping, masking, derivation, generalization, or randomization, are called anonymization methods. It is essential to investigate whether anonymized Personal Data could be reversed through various interventions so that it again identifies or distinguishes real persons, and to take action accordingly.
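The paragraph above names generalization and masking as anonymization methods and requires that the risk of re-identification be examined. The following Python script is an added illustration, not code from the policy or from the Company: it strips direct identifiers, generalizes quasi-identifiers (age to a ten-year band, postcode to its first two digits), measures how many records share each resulting quasi-identifier tuple (k-anonymity), and suppresses records that would still be unique. The sample records, field names, and the choice of record suppression as the fallback are all assumptions.

```python
from collections import Counter

# Constructed sample records for illustration only; the field names and values
# are assumptions, not data or a schema from the policy.
RECORDS = [
    {"name": "A. Yilmaz", "national_id": "11111111111", "age": 34, "postcode": "34710", "city": "Istanbul", "dept": "IT"},
    {"name": "B. Kaya",   "national_id": "22222222222", "age": 37, "postcode": "34720", "city": "Istanbul", "dept": "IT"},
    {"name": "C. Demir",  "national_id": "33333333333", "age": 52, "postcode": "06100", "city": "Ankara",   "dept": "HR"},
    {"name": "D. Celik",  "national_id": "44444444444", "age": 58, "postcode": "06170", "city": "Ankara",   "dept": "HR"},
    {"name": "E. Sahin",  "national_id": "55555555555", "age": 29, "postcode": "35210", "city": "Izmir",    "dept": "Finance"},
]

DIRECT_IDENTIFIERS = ("name", "national_id")               # removed outright
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "city")  # generalized, then checked


def generalize(record):
    """Drop direct identifiers and coarsen quasi-identifiers so that several
    people share each value (the policy's 'generalization' method)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = out.pop("age")
    low = age // 10 * 10
    out["age_band"] = f"{low}-{low + 9}"            # 34 -> "30-39"
    out["postcode_area"] = out.pop("postcode")[:2]  # "34710" -> "34"
    return out


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing one quasi-identifier
    tuple. A group of size 1 means that record is still distinguishable."""
    if not records:
        return 0
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def suppress_small_classes(records, k_required, quasi=QUASI_IDENTIFIERS):
    """Withhold records whose quasi-identifier group is smaller than k_required.
    Record suppression is an assumed fallback; the policy itself only requires
    that the re-identification risk be examined and acted upon."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    released = [r for r in records if groups[tuple(r[q] for q in quasi)] >= k_required]
    return released, len(records) - len(released)


def anonymize(records, k_required=2):
    """Generalize, measure k, then suppress until every released record is
    indistinguishable from at least k_required - 1 others."""
    generalized = [generalize(r) for r in records]
    k_before = k_anonymity(generalized)
    released, dropped = suppress_small_classes(generalized, k_required)
    return {"records": released, "k_before": k_before,
            "k_after": k_anonymity(released), "suppressed": dropped}


if __name__ == "__main__":
    result = anonymize(RECORDS)
    print(f"k before suppression: {result['k_before']}, after: {result['k_after']}, "
          f"suppressed: {result['suppressed']}")
    for r in result["records"]:
        print(r)
```

On the constructed sample, generalization alone leaves one record (the only Izmir entry) in a group of size 1, so the data set is not yet anonymized in the sense the paragraph describes; suppressing that record raises k to 2. The same check should be repeated whenever a new data set that could be matched against the released one becomes available, since matching with other data is exactly the reversal risk the policy asks to be investigated.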

9. DATA STORAGE PERIODS UNDER RELEVANT LEGISLATION

Storage periods are determined for all Personal Data stored within our Company. When determining storage periods, priority is given to relevant legislation, and if there is no period specified by relevant legislation, the time required for Personal Data processing purpose is considered. Relevant periods are included in the Personal Data Inventory and VERBIS.

Personal Data mentioned in the Personal Data Processing Inventory is stored according to the legal regulations in the table below, unless there is any legal situation that interrupts or stops the statute of limitations, and is destroyed at the first periodic destruction date following the storage period.

Data Category                                  Data Storage Period

1-  Identity                                   Legal relationship + 20 years
2-  Contact                                    Legal relationship + 20 years
3-  Personnel                                  End of employment contract + 10 years
4-  Legal Transaction                          Until the relevant court decision becomes final or the statute of limitations expires
5-  Customer Transaction                       Legal relationship + 10 years
6-  Physical Space Security                    15 days
7-  Transaction Security                       Legal relationship + 10 years
8-  Risk Management                            Legal relationship + 10 years
9-  Finance                                    Legal relationship + 10 years
10- Professional Experience                    End of employment contract + 10 years
11- Marketing                                  Last transaction + 10 years
12- Visual and Audio Records                   15 days
13- Health Information                         End of employment contract + 10 years
14- Criminal Conviction and Security Measures  End of employment contract + 10 years
15- Military Status Information                End of employment contract + 10 years
16- Family Members and Relative Information    End of employment contract + 10 years
17- Employee Candidate Information             Negative application result: until the next periodic destruction date; otherwise end of employment contract + 10 years
18- Request/Complaint Information              End of employment contract + 10 years

10. PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation, our Company has determined the periodic destruction period as 6 months.

When a person applies to our Company requesting deletion or destruction of their personal data, the relevant request is evaluated according to whether the conditions for processing personal data have ceased. If the conditions for processing personal data have completely ceased, our Company deletes, destroys, or anonymizes the personal data subject to the request. If not all conditions for processing personal data have ceased, the relevant request is rejected with an explanation of the reason. Requests are finalized and notified to the relevant person within 30 days in all cases.

All operations related to deletion, destruction, and anonymization of Personal Data are recorded, and these records are kept for at least 3 (three) years, without prejudice to other legal obligations.
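Sections 9 and 10 together define a procedure: a record's storage period runs from a triggering event for the number of years in the table, and the record is destroyed at the first periodic destruction date after that period ends, with the periodic destruction cycle set at 6 months, data-subject requests answered within 30 days, and destruction records kept for 3 years. The Python below is an added example, not the Company's own retention tooling: it encodes a few rows of the table and the Section 10 figures and computes the resulting dates. The cycle anchor date, the category names used as keys, and the reading of "following" as strictly after the storage-period end are assumptions.

```python
import calendar
from datetime import date, timedelta

# Figures taken from Section 10 of the policy.
PERIODIC_DESTRUCTION_MONTHS = 6
REQUEST_RESPONSE_DAYS = 30
DESTRUCTION_LOG_RETENTION_YEARS = 3

# A few retention rules from the Section 9 table:
# category -> (event that starts the clock, years to keep after that event).
RETENTION_RULES = {
    "Identity": ("legal relationship ends", 20),
    "Personnel": ("employment contract ends", 10),
    "Customer Transaction": ("legal relationship ends", 10),
    "Marketing": ("last transaction", 10),
}

# Assumed start of the six-month cycle; the policy does not state an anchor date.
CYCLE_ANCHOR = date(2024, 1, 1)


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last valid day of the month
    (31 Jan + 1 month -> 29 Feb in a leap year rather than an error)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(category, event_date):
    """Date on which the storage period for the given category expires."""
    _, years = RETENTION_RULES[category]
    return add_months(event_date, 12 * years)


def next_periodic_destruction(after, anchor=CYCLE_ANCHOR, months=PERIODIC_DESTRUCTION_MONTHS):
    """First periodic destruction date strictly after `after`."""
    d = anchor
    while d <= after:
        d = add_months(d, months)
    return d


def planned_destruction(category, event_date):
    """Storage-period end and the cycle date on which the record is actually
    destroyed (the first periodic destruction date following that end)."""
    end = retention_end(category, event_date)
    return end, next_periodic_destruction(end)


def response_deadline(request_received):
    """Last day to finalize a destruction request and notify the data subject."""
    return request_received + timedelta(days=REQUEST_RESPONSE_DAYS)


def destruction_log_expiry(destroyed_on):
    """Earliest date on which the record of a destruction may itself be discarded."""
    return add_months(destroyed_on, 12 * DESTRUCTION_LOG_RETENTION_YEARS)


if __name__ == "__main__":
    # Constructed dates for illustration.
    end, destroy_on = planned_destruction("Personnel", date(2015, 3, 15))
    print(f"Personnel record: storage ends {end}, destroyed on {destroy_on}")
    print(f"Request received 2025-02-10 must be answered by {response_deadline(date(2025, 2, 10))}")
    print(f"Destruction log for {destroy_on} may be discarded after {destruction_log_expiry(destroy_on)}")
```

For the constructed input, a Personnel record whose contract ended on 15 March 2015 reaches the end of its 10-year storage period on 15 March 2025 and is destroyed on the next cycle date, 1 July 2025. Keeping the rules in one table and deriving dates from it, rather than hand-entering them per record, is what makes the Personal Data Processing Inventory and the destruction log consistent with each other.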

11. POLICY UPDATE PERIOD

The Policy is reviewed by the PDP Committee when needed, and necessary sections are updated.

12. POLICY EFFECTIVENESS

This Policy is considered to have entered into force after its publication on our Company's website. It is considered valid and binding as of this date.