Wet Bescherming Persoonsgegevens (Wbp)

1. INTRODUCTION AND PURPOSE OF THE POLICY

The Personal Data Retention and Disposal Policy (“Policy”) has been prepared to determine the procedures and principles regarding the retention and disposal activities carried out by Kalif Mimarlık Mühendislik Proje Yapı Taahhüt Üretim İthalat İhracat ve San. Ltd. Şti. (“KALIF DESIGN” or “COMPANY”). The Company aims to ensure that the personal data of all relevant individuals, including Company employees, customers, suppliers, job applicants, members, and visitors, are processed in compliance with the Personal Data Protection Law No. 6698 (“Law”) and relevant legislation, and to ensure that the rights of the relevant individuals are exercised effectively. All operations related to the retention and disposal of personal data are carried out by the Company in accordance with this policy.

2. SCOPE

This policy covers personal data belonging to:
Company employees
Job applicants
Customers
Suppliers
Members
Visitors
Individuals involved in legal disputes
and other third parties. This Policy is applied to all recording media where personal data owned or managed by the Company is processed and to all activities related to the processing of personal data.

3. DEFINITIONS

Abbreviation

Definition

Explicit Consent

Consent based on information and expressed with free will regarding a specific subject.

Relevant User

Individuals who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Disposal

Deletion, destruction, or anonymization of personal data.

Law/PDPL

Personal Data Protection Law No. 6698.

Recording Medium

Any environment where personal data processed wholly or partly by automatic means or non-automatic means provided that they form part of a data recording system is located.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing of

Personal Data

Any operation performed on personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use thereof, fully or partially by automatic means or by non-automatic means provided that they form part of a data recording system.

Anonymization of

Personal Data

Rendering personal data impossible to link with an identified or identifiable natural person, even when matched with other data.

Deletion

Personal Data

Making personal data inaccessible and unusable for the Relevant Users in any way.

Destruction

Personal Data

Making personal data inaccessible, irretrievable, and unusable by anyone in any way.

Board

Personal Data Protection Board

Special Categories

Personal Data

Data relating to an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Periodic Disposal

The process of deletion, destruction, or anonymization of personal data, to be performed automatically at recurring intervals as specified in the personal data retention and disposal policy, in the event that all conditions for processing personal data in the Law are no longer met.

VERBIS

Data recording system where personal data is structured and processed according to specific criteria.

Data Subject/Relevant Person

Natural person whose personal data is processed.

Data Controller

Natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.

Regulation

Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

4. RECORD ENVIRONMENTS

Personal data related to the relevant individual is securely stored by the Company in accordance with the relevant legislation, primarily the Law on the Protection of Personal Data (KVKK), and international data security principles in the following environments:

Electronic Environments:

Company computers

Email servers

Portable storage devices

Accounting software

Social media accounts

Telephone

Non-Electronic Environments::

Paper documents and files

Written, printed, visual media

Locked cabinets

5. PRINCIPLES

The Company operates in accordance with the following principles regarding the storage and destruction of personal data:

In the deletion, destruction, and anonymization of personal data, full compliance is ensured with the Law, relevant legislation, decisions of the Data Protection Authority (Kurul), and this Policy.

During the processing of personal data by the Company, the rights of the data subjects are protected. Personal data is collected and processed in accordance with the general principles stated in Article 4 of the Law on the Protection of Personal Data (KVKK).

All procedures related to the destruction of personal data are recorded by the Company, and these records are kept for a period of 10 (ten) years, except for other legal obligations.

Unless otherwise decided by the Company, the appropriate method for the destruction of personal data is selected by the Company. However, if requested by the data subject, the appropriate method will be selected with the reasoning provided.

In the event that all conditions for the processing of personal data specified in Articles 5 and 6 of the Law cease to exist, personal data is destroyed by the Company ex officio or upon the request of the data subject. In this regard, if the data subject applies to the Company:

Requests are finalized within 30 (thirty) days at the latest, and the data subject is informed,

If the relevant data has been transferred to third parties, this situation is notified to the third party to which the data has been transferred, and necessary actions are taken with respect to such third parties.

6.EXPLANATIONS REGARDING STORAGE AND DESTRUCTION

The personal data processed by the Company is stored securely in electronic or non-electronic environments within the limits specified by the Law on the Protection of Personal Data (KVKK) and other relevant legislation, under the following conditions:when processing personal data, it is necessary to meet legal obligations, such as being explicitly stipulated in laws, being directly related to the establishment or performance of a contract, being necessary for the performance of a contract to which the data subject is a party, being necessary for the data controller to fulfill its legal obligations, being mandatory for the establishment, exercise, or protection of a right, being necessary for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the data subject, and being processed within the scope of explicit consent requirements.The data is stored and processed securely within these legal frameworks and stored in electronic or non-electronic environments in compliance with the KVKK and other relevant legislation.

6.1 Explanations Regarding Storage

The retention periods of personal data processed by the Company are determined taking into account the principle stated in Article 4/2.d of the Law on the Protection of Personal Data (KVKK), which states that they should be kept for the period prescribed by the relevant legislation or as long as necessary for the purpose for which they were processed.

In this context, detailed explanations regarding storage and destruction are provided below.

6.1.1 Legal Grounds Requiring Storage

Personal data processed within the scope of the Company's activities is retained for the period prescribed by the relevant legislation. In this context, personal data is retained for the periods envisaged under the following laws and regulations, among others;

General Data Protection Regulation of the European Union

Law on the Protection of Personal Data No. 6698

Turkish Code of Obligations No. 6098

Law on Regulation of Electronic Commerce No. 6563

Law on Consumer Protection No. 6502

Tax Procedure Law No. 213

Turkish Commercial Code No. 6102

Income Tax Law No. 193

Labor Law No. 4857

Criminal Procedure Law No. 5271

Law on Lawyers No. 1136

Social Insurance and General Health Insurance Law No. 5510

Occupational Health and Safety Law No. 6331

Law on Civil Procedure No. 6100

Turkish Civil Code No. 4721

Law on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications No. 5651

Regulation on Commercial Communications and Commercial Electronic Messages

Personal data is retained for the durations prescribed by secondary regulations in force under these laws and regulations.

6.1.2 Processing Purposes Requiring Storage

The Company retains the personal data processed within the scope of its activities for the following purposes.

- Fulfillment of legal obligations under the Law on Regulation of Electronic Commerce No. 6563, Regulation on Commercial Communications and Commercial Electronic Messages, Consumer Protection Law No. 6502, Tax Procedure Law No. 213, Tax Procedure Law General Communique, Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Social Insurance and General Health Insurance Law No. 5510, and other relevant legislation,,

- Execution of shopping transactions

- Execution of membership transactions,

- Provision of viewing services related to shopping history

- Evaluation of requests,

- Execution of contract processes,

- Sending e-invoice/e-archive invoice related to purchases to you

- Preparation of invoices and, in some cases, current account and reconciliation transactions,

- Fulfillment of obligations under relevant legislation in case of purchase of specific products exceeding a certain amount or subject to explicit regulation,

- Execution of post-sales operational processes,

- Fulfillment of our after-sales support services,,

- Delivery of purchased products via shipping,

- Execution of product returns and refund processes,

- If commercial communication permission/explicit consent is given, to engage in general or personalized campaigns, advantages, promotions, advertisements, information, marketing activities, and commercial communication activities (SMS, email, etc.) aimed at customers,

- Resolving issues, complaints, and requests conveyed to us through our communication channels (call center, email, website, mobile application, social media, etc.), and contacting customers if necessary regarding these matters,

- Exercising all types of litigation, response, and objection rights against official institutions and organizations such as courts, execution offices, arbitration boards in case of disputes, and conducting negotiation and agreement processes related to disputes,

- Tracking legal processes and lawsuits,

- Serving as evidence within the scope of security, investigation, and inquiry,

- Conducting activities in compliance with legislation,

- Fulfilling obligations and transactions arising from the employment contract,

- Conducting contract processes,

- Creating personnel files for employees,

- Monitoring employees' legal rights,

- Determining whether employees' health conditions are suitable,

- Conducting communication activities,

- Preparing payrolls and paying employees' salaries,

- Issuing SGK (Social Security Institution) entry and exit notifications,

- Managing leave processes,

- Conducting training and information activities for employees,

- Providing necessary support in case of employees' need for blood,

- Conducting periodic examination processes for employees by the workplace physician,

- Monitoring working hours and attendance records,

- Executing and tracking projects,

- Managing assignment processes,

- Managing emergency processes,

- Serving as evidence within the scope of security, investigation, inquiry, and lawsuits,

- Receiving job applications for open positions,,

- Examining and evaluating the professional qualifications of applicants,

- Managing the evaluation processes of candidates' applications,

- Communicating with candidates,

- Conducting contract processes,

- Managing and tracking purchasing processes,

- Monitoring accounting for supplier payments,

- Tracking supplier relationships,

- Conducting communication activities with suppliers,

- Updating suppliers' information,

- Conducting communication activities,

- Performing payment transactions,

- Providing information to authorized public institutions and organizations.

6.2 Reasons Requiring Disposal

Personal data;

Amendments or annulments of the relevant legislation provisions that form the basis for the processing or retention of personal data,

The cessation of the purpose that necessitates the processing or storage of personal data,

The elimination of the processing conditions for personal data required by Articles 5 and 6 of the Personal Data Protection Law,

In cases where the processing of personal data occurs solely based on explicit consent, the relevant individual withdrawing their consent,

Acceptance by our Company of requests for the deletion and destruction of personal data within the framework of the rights of the relevant individual pursuant to Article 11 of the Personal Data Protection Law,

If the data controller rejects requests from the relevant individual for the deletion, destruction, or anonymization of their personal data, deems the response inadequate, or fails to respond within the period prescribed by law; filing a complaint with the Board and approval of such request by the Board,

In cases where the maximum retention period required for personal data storage has elapsed, yet there are no conditions justifying the extended retention of personal data,The Company will delete, destroy, or anonymize the personal data upon request or ex officio by the relevant individual.

7. ADMINISTRATIVE AND TECHNICAL MEASURES

To ensure the secure storage of personal data, prevent its unlawful processing and access, and ensure the lawful destruction of personal data; within the framework of the sufficient measures determined and announced by the Personal Data Protection Board for special categories of personal data in accordance with Article 12 and Article 6/4 of the Law on the Protection of Personal Data, the Company takes technical and administrative measures.

All administrative and technical measures taken by the Company are listed below:

7.1. Administrative Measures:

Şirket idari tedbirler kapsamında;

Within the scope of administrative measures, the Company ensures that relevant individuals are informed before starting the processing of personal data.

Personal data inventories are prepared, and existing risks and threats are identified.

Access to stored personal data within the Company is limited to personnel who need access based on their job description. In limiting access, consideration is given to whether the data is of a special nature and its importance.

The Company has prepared a "Personal Data Breach Incident Intervention Policy and Plan" for crisis management. In case personal data processed by the Company is obtained unlawfully by others, this situation is reported to the data subject and the Board within the shortest time possible (within 72 hours).

Regarding the transfer of personal data, the Company ensures data security by signing contracts or adding clauses to existing contracts with the third parties to whom personal data is transferred.

The Company employs knowledgeable and experienced personnel for the processing of personal data and provides them with necessary training on data protection legislation and data security.

When a policy violation is detected, the matter is immediately reported to the manager of the relevant employee. Following an evaluation by Human Resources, necessary actions are taken against the employee who violated the policy.

Discipline regulations containing data security provisions are established for employees.

Regular training and awareness activities are conducted for employees on information security and data security.

Corporate policies on access, information security, use, storage, and disposal are prepared and implemented.

Confidentiality agreements are made

Personal data security provisions are added to contracts prepared by the Company or added to employment contracts.

Periodic and random audit activities are conducted within the Company.

Policies and procedures for the security of special categories of personal data are determined and implemented.

Personal data is minimized as much as possible.

Clauses regarding the protection of personal data are included in the contracts concluded by the Company.

A Personal Data Protection Warning Message is prepared for use in Company emails.

7.2. Technical Measures

Under the scope of technical measures, the Company:;

Removes the authorities of employees who undergo job changes or leave the company.

Utilizes firewalls for security purposes.

Implements additional security measures for personal data transmitted via paper, ensuring that relevant documents are sent in a confidential document format.

Implements necessary security measures for the entry and exit of physical environments containing personal data.

Ensures the security of physical environments containing personal data against external risks such as fire, flood, etc.

Secures environments containing personal data.

Backs up personal data and ensures the security of the backed-up personal data.

Implements user account management and authorization control systems, and monitors them.

Adopts a Password Policy requiring strong and complex passwords with a minimum length of 8 characters, including upper and lower case letters, numbers, and special characters.

9. DESTRUCTION OF PERSONAL DATA

The Company retains personal data for the period stipulated in the relevant legislation or as long as necessary for the purposes for which they are processed. Within this scope, it is first determined whether a retention period is prescribed by the relevant legislation, and if so, the Company complies with this period. If no period is specified, personal data are stored for as long as necessary for the purpose for which they are processed. Upon the expiration of this period or the elimination of the reasons requiring processing, if there is no legal reason to allow for further processing, personal data are deleted, destroyed, or anonymized by the Company in accordance with this policy.

The retention periods begin, if there is a contractual relationship, with the termination of the parties' obligations arising from the contract. For other activities, the period starts after the completion of the transaction and the final result is obtained.

In the case of a legal dispute or litigation process, personal data are retained until the legal process is concluded.

10.TECHNIQUES FOR DESTRUCTION OF PERSONAL DATA

At the end of the retention period, personal data are destroyed by the Company, either ex officio or upon the request of the relevant person, using the techniques specified below, in accordance with the relevant legislative provisions.

Unless otherwise decided by the Board, the Company selects the appropriate method of deletion, destruction, or anonymization of personal data. In case of a request from the relevant person, the Company chooses the appropriate method and provides justification for its choice. All actions taken regarding the deletion, destruction, or anonymization of personal data are recorded, and these records are retained for 10 (ten) years, excluding other legal obligations.

10.1 Deletion of Personal Data

The deletion of personal data is the process of making personal data completely inaccessible and unusable for relevant users. The data controller is obligated to take all necessary technical and administrative measures to ensure that the deleted personal data are inaccessible and unusable for relevant users.

According to Article 4(b) of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, "Relevant user: Persons who process personal data within the data controller's organization or under the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection, and backup of the data."

Personal data are deleted using the methods provided in the table below.

10.1 Table of Personal Data Deletion

DATA STORAGE MEDIUM

DESCRIPTION

Personal Data on Servers

For personal data on servers that have reached the end of their required retention period, the deletion process is carried out by the system administrator by removing access permissions for relevant users.

Personal Data in Electronic Media

For personal data in electronic media that have reached the end of their required retention period, they are made inaccessible and unusable for other employees (relevant users), except for the database administrator.

Personal Data in Physical Media

For personal data stored in physical media that have reached the end of their required retention period, they are made inaccessible and unusable for other employees, except for the unit manager responsible for the document archive.

Personal Data in Portable Media

For personal data stored in flash-based storage media that have reached the end of their required retention period, they are encrypted by the system administrator and stored in secure environments with encryption keys, with access permission given only to the system administrator.

10.2 Destruction of Personal Data:

The destruction of personal data is the process by which personal data is rendered completely inaccessible, irretrievable, and unusable by anyone. The data controller is responsible for taking all necessary technical and administrative measures to ensure the destruction of personal data.

Personal data is destroyed using the methods listed in the table below.

Table of Destruction of Personal Data

DATA RECORDING MEDIUM

DESCRIPTION

Personal Data in Physical Media

Personal data stored in paper form, for which the retention period has expired, is destroyed irretrievably using paper shredders.

Personal Data in Optical / Magnetic Media

Personal data stored on optical and magnetic media, for which the retention period has expired, is destroyed physically through melting, burning, or pulverizing. Additionally, magnetic media is rendered unreadable by exposing it to a high-value magnetic field using a specialized device.

10.3 Anonymization of Personal Data:

Anonymization of personal data means making personal data incapable of being associated with an identified or identifiable natural person, even when combined with other data.

For personal data to be considered anonymized, it must be ensured that the data cannot be reversed, and/or even when matched with other data, it cannot be associated with an identified or identifiable person using techniques appropriate to the data recording medium and the relevant field of activity.

The data controller is obligated to take all necessary technical and administrative measures regarding the anonymization of personal data.

Furthermore, the Company considers the "Guideline on Deletion, Destruction, or Anonymization of Personal Data" published by the Authority (https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/bc1cb353-ef85-4e58-bb99-3bba31258508.pdf) and selects the appropriate example techniques from this guideline for the anonymization of personal data.

11. STORAGE AND DESTRUCTION PERIODS

Regarding the personal data processed within the scope of its activities;

Storage periods for all personal data related to activities conducted based on processes are documented in the Personal Data Processing Inventory;

Process-specific storage periods are detailed in the Personal Data Storage and Destruction Policy.

The Company reserves the right to update these storage periods as necessary.

Upon the expiration of storage periods for personal data, the Company undertakes the process of deletion, destruction, or anonymization as required.

Process-Based Retention and Destruction Periods Table

PROCESS

RETENTION PERIOD

DESTRUCTION PERIOD

Employee Personnel

File Creation

Salary Payments

10 years after the termination of the legal relationship