- Introduction
- Purpose
The purpose of this policy is to determine the procedures and principles relating to the retention, deletion, destruction or anonymisation processes of personal data processed by the Data Controller by wholly or partially automatic means or by non-automatic means provided they form part of a data recording system.
- Legal Basis
This policy has been prepared in accordance with the Regulation on the Deletion, Destruction or Anonymisation of Personal Data, which was prepared based on paragraph three of Article 7 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.
- Data Controller Basis
The Data Controller has prepared this personal data retention and disposal policy in accordance with the personal data processing inventory.
- Scope of the Policy:
This Policy covers the information of KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş. as Data Controller regarding the following matters:
- The purpose of preparing the policy and the provisions of the basis legislation, internal application procedures of the Data Controller
- Legal and technical terms and definitions included in the personal data retention and disposal policy
- Purposes and legal bases for retaining personal data
- All types of recording environments in which personal data is recorded
- Explanations regarding the legal, technical or other reasons requiring the retention and disposal of personal data
- Technical and administrative measures taken by the Data Controller to ensure the secure storage of personal data and to prevent its unlawful processing and access
- Technical and administrative measures taken to lawfully dispose of personal data
- Titles, units and job descriptions of those involved in personal data retention and disposal processes
- Table showing retention and disposal periods
- Periodic disposal periods and disposal methods
- Information on changes if the existing personal data retention and disposal policy has been updated
- Definitions
- Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller.
- Relevant user: Persons who process personal data within the data controller's organisation or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
- Disposal: The process of deletion, destruction or anonymisation of personal data.
- Recording environment: Any environment in which personal data processed by wholly or partially automatic means or by non-automatic means provided they form part of a data recording system is located.
- Electronic Environment: Environments in which personal data can be created, read, modified and written using electronic devices.
- Non-Electronic Environment: All written, printed, visual and other environments outside of electronic environments.
- Service Provider: A natural or legal person providing services to KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş. within the framework of a specific contract.
- Personal data processing inventory: The inventory created by data controllers by associating the personal data processing activities they carry out in connection with their business processes with the purposes of processing personal data, the data category, the recipient group to which they are transferred and the group of persons subject to the data, and in which they explain in detail the maximum period required for the purposes for which personal data is processed, personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security.
- Personal data retention and disposal policy: The policy used by data controllers as the basis for the process of determining the maximum period required for the purposes for which personal data is processed and for the deletion, destruction and anonymisation processes.
- Periodic disposal: The deletion, destruction or anonymisation process to be carried out ex officio at repeated intervals specified in the personal data retention and disposal policy, in the event that all conditions for processing personal data set out in the Law cease to exist.
- Registry: The data controllers' registry maintained by the Presidency of the Personal Data Protection Authority.
- Data recording system: The recording system in which personal data is structured and processed according to specific criteria.
- Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
- Deletion of personal data: The process of making personal data inaccessible and unusable in any way by relevant users.
- Destruction of personal data: The process of making personal data inaccessible, irrecoverable and unusable in any way by anyone.
- Anonymisation of personal data: The process of rendering personal data unable to be associated with an identified or identifiable natural person in any way, even when matched with other data. For personal data to be considered anonymised, it must be rendered unable to be associated with an identified or identifiable natural person through the use of techniques appropriate to the recording environment and the relevant field of activity, such as reversal and matching of the data with other data, by the data controller, recipient or recipient groups.
- Data Subject: The natural person whose personal data is processed.
- Explicit Consent: Consent given freely based on information regarding a specific matter.
- Personal Data Protection Commission: The commission established within the Data Controller and involved in KVKK processes ("KVKK Commission").
- Duty Distribution
The Data Controller actively supports all its units and employees in the responsible units in matters relating to the proper implementation of the technical and administrative measures taken within the scope of the Policy, the training and raising of awareness of unit employees, monitoring and continuous supervision, prevention of unlawful processing of personal data, prevention of unlawful access to personal data, and taking of technical and administrative measures to ensure data security in all environments where personal data is processed.
The distribution of titles, units and job descriptions of those involved in personal data retention and disposal processes is given in Table 1.
Table 1: Units Involved in Retention Processes and Duty Distribution

| Title | Unit | Duty |
|---|---|---|
| Human Resources Manager | Human Resources | Responsible for processes relating to employees and job applicants, management of data collected in these processes and compliance of disposal processes with the KVKK and this policy. |
| Financial Affairs Manager | Finance Units, Human Resources, Procurement | Responsible for finance and accounting processes, management of data collected in these processes and compliance of disposal processes with the KVKK and this policy. |
| Senior Management | General Manager, Deputy General Manager | Responsible for monitoring that all units act in compliance with the KVKK and carry out the necessary disposal processes within the scope of the KVKK. |
| Procurement and Logistics Manager | Procurement and Logistics Unit | Responsible for supplier and business partner contract processes and management of data collected in these processes and compliance of disposal processes with the KVKK and this policy. |
| IT Manager | Technical Personnel, IT Unit | Responsible for monitoring information security processes, storage of personal data in electronic environments, control of personnel access authorisations, announcing procedures to personnel, monitoring of custody processes and management of data collected in these processes and compliance of disposal processes with the KVKK and this policy. |
| Personal Data Protection Commission | | Responsible for management and monitoring of personal data processes handled by all units and monitoring compliance with this policy. |
- Record environments regulated by the personal data retention and disposal policy:
- Paper environments: paper, manual data recording systems (forms, visitor entry books), written, printed and visual environments
- Electronic environments: servers (domain, backup, e-mail, database, web, file sharing, etc.), software, information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.), personal computers (desktop, laptop), mobile devices (phone, tablet, etc.), optical discs (CD, DVD, etc.), removable storage (USB, memory card, etc.), printers, scanners and photocopiers
- Legal Bases Requiring Retention
- Law No. 6698 on the Protection of Personal Data,
- Law No. 6098 Turkish Code of Obligations,
- Law No. 5510 on Social Insurance and General Health Insurance,
- Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications,
- Law No. 6331 on Occupational Health and Safety,
- Law No. 4982 on the Right to Information,
- Law No. 3071 on the Right to Petition,
- Law No. 4857 Labour Law,
- Law No. 5434 Pension Health Law,
- Law No. 2828 on Social Services,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
- Data is retained for the retention periods stipulated within the framework of other secondary regulations in force pursuant to these laws.
- Processing Purposes Requiring Retention
- Management of Emergency Processes
- Management of Information Security Processes
- Management of Job Applicant / Intern / Student Selection and Placement Processes
- Management of Job Applicant Application Processes
- Management of Employee Satisfaction and Engagement Processes
- Fulfilment of Obligations Arising from Employment Contracts and Legislation for Employees
- Management of Fringe Benefits and Advantages Processes for Employees
- Management of Audit / Ethics Activities
- Management of Training Activities
- Management of Access Authorisations
- Management of Activities in Compliance with Legislation
- Management of Finance and Accounting Operations
- Management of Company / Product / Service Loyalty Processes
- Ensuring Physical Space Security
- Management of Assignment Processes
- Follow-up and Management of Legal Affairs
- Management of Internal Audit / Investigation / Intelligence Activities
- Management of Communication Activities
- Planning of Human Resources Processes
- Management / Supervision of Business Activities
- Management of Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for Improving Business Processes
- Management of Business Continuity Activities
- Management of Logistics Activities
- Management of Goods / Service Procurement Processes
- Management of After-Sales Support Services for Goods / Services
- Management of Goods / Service Sales Processes
- Management of Goods / Service Production and Operation Processes
- Management of Customer Relations Management Processes
- Management of Activities Aimed at Customer Satisfaction
- Organisation and Event Management
- Management of Performance Evaluation Processes
- Management of Risk Management Processes
- Management of Storage and Archive Activities
- Management of Corporate Social Responsibility and Civil Society Activities
- Management of Contract Processes
- Management of Sponsorship Activities
- Management of Strategic Planning Activities
- Follow-up of Requests / Complaints
- Ensuring Security of Movable Property and Resources
- Management of Supply Chain Management Processes
- Management of Remuneration Policy
- Management of Product / Service Marketing Processes
- Ensuring Security of Data Controller Operations
- Management of Investment Processes
- Management of Talent / Career Development Activities
- Providing Information to Authorised Persons, Institutions and Organisations
- Management of Management Activities
- Creation and Follow-up of Visitor Records
- Reasons Requiring Disposal
- Personal data shall be deleted, destroyed or anonymised by the Data Controller upon the request of the data subject, or ex officio, in the following cases:
- amendment or repeal of the relevant legislative provisions constituting the basis for its processing,
- disappearance of the purpose requiring its processing or retention,
- where personal data processing is carried out solely on the basis of explicit consent, withdrawal of that consent by the data subject,
- acceptance by the Authority of an application made by the data subject, within the framework of their rights under Article 11 of the Law, for the deletion or destruction of their personal data,
- where the Authority rejects the application made to it by the data subject requesting the deletion, destruction or anonymisation of their personal data, finds the response given inadequate or fails to respond within the period provided for in the Law, the filing of a complaint with the Board and approval of that request by the Board,
- expiry of the maximum period requiring the retention of personal data, where there are no conditions that would justify retaining it for a longer period.
- Technical and Administrative Measures Taken to Ensure Secure Storage of Personal Data and to Prevent Unlawful Processing and Access
- Network security and application security are ensured.
- Key management is applied.
- Security of personal data stored in the cloud is ensured.
- Disciplinary regulations containing data security provisions for employees are in place.
- Training and awareness activities on data security are carried out for employees at certain intervals.
- An authorisation matrix for employees has been established.
- Corporate policies on access, information security, use, storage and disposal have been prepared and put into practice.
- Data masking measures are applied when necessary.
- Confidentiality undertakings are made.
- The authorisations of employees who change positions or leave the Company are revoked.
- Firewalls are used.
- Signed contracts contain data security provisions.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- The necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is minimised as much as possible.
- Personal data is backed up and the security of backed-up personal data is also ensured.
- A user account management and authorisation control system is in place and is monitored.
- Periodic and/or random in-house audits are conducted and commissioned.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of special categories of personal data have been determined and are applied.
- Where special categories of personal data are to be sent by electronic mail, they are sent encrypted using KEP or corporate email accounts.
- Cyber security measures have been taken and their implementation is continuously monitored.
- Encryption is applied.
- Data processing service providers are audited on data security at certain intervals.
- Awareness of data processing service providers on data security is ensured.
- Techniques for Deletion of Personal Data
- Personal Data on Servers: For personal data on servers whose retention period has expired, the system administrator removes the access authorisation of the relevant users and carries out the deletion process.
- Personal Data in Electronic Environments: Personal data in electronic environments whose retention period has expired is made inaccessible and unusable in any way by all employees (relevant users) other than the database administrator.
- Personal Data in Physical Environments: Personal data kept in physical environments whose retention period has expired is made inaccessible and unusable in any way by all employees other than the unit manager responsible for the document archive. Additionally, a blackout process is applied by crossing out / painting over / deleting so that the content is unreadable.
- Personal Data on Portable Media: Personal data kept on flash-based storage media whose retention period has expired is encrypted by the system administrator; access authorisation is granted only to the system administrator, and the media are stored in secure environments together with the encryption keys.
- Techniques for Destruction of Personal Data
- Personal Data in Physical Environments: Personal data on paper whose retention period has expired is destroyed irreversibly in paper shredders.
- Personal Data on Optical / Magnetic Media: Personal data on optical media and magnetic media whose retention period has expired is subjected to physical destruction processes such as melting, burning or pulverising. In addition, magnetic media is passed through a special device and subjected to a high-strength magnetic field (degaussing) to render the data on it unreadable.
- Techniques for Anonymisation of Personal Data
- Anonymisation of personal data refers to rendering personal data unable to be associated with an identified or identifiable natural person in any way, even when matched with other data. The Data Controller may anonymise personal data whose processing reasons have ceased to exist when it has been lawfully processed.
- In accordance with Article 28 of the KVKK; anonymised personal data may be processed for purposes such as research, planning and statistics. Such processes are outside the scope of the KVKK. Since personal data processed by being anonymised will be outside the scope of the KVKK, the rights regulated in section 10 of the policy will not apply to such data.
- Masking: Data masking anonymises personal data by removing the fundamental identifying information from the data set. Example: converting the set into one in which identifying the data subject becomes impossible by removing identifying information such as name, surname and national ID number.
- Aggregation: Through the data aggregation method, many data are aggregated so that personal data can no longer be associated with any person. Example: revealing that there are 100 customers born in 1975 without showing the birth years of customers individually.
- Data Derivation: Through the data derivation method, more general content is created from the content of the personal data so that it can no longer be associated with any person. Example: stating ages instead of dates of birth; stating the district or city of residence instead of the full address.
- Data Shuffling (Permutation): Through the data shuffling method, the values within the personal data set are mixed and the link between the values and persons is severed. Example: altering the quality of audio recordings so that the voices cannot be associated with or recognised as the data subject.
- Removing Variables: Removing one or more parts of the data that could serve to associate personal data with a natural person.
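The five anonymisation techniques listed above (masking, aggregation, data derivation, shuffling and removing variables), applied to a small constructed customer data set. This is an added illustration, not code from the policy or the Data Controller: the records, field names and helper functions are invented here, and `is_unique_combination` is an added check the policy does not prescribe. It shows why masking is usually combined with derivation: once the direct identifiers are removed, birth date plus district still singles out every sample record, whereas age band plus district does not.

```python
"""Added illustration (not part of the policy): the anonymisation techniques
the policy lists, applied to a constructed customer data set.
Every record, name, ID and address below is invented sample data."""
from collections import Counter
from datetime import date
import random

# Constructed sample records (fictitious values).
RECORDS = [
    {"name": "Ayşe", "surname": "Yılmaz", "national_id": "11111111111",
     "birth_date": date(1975, 3, 4), "address": "Örnek Sk. No: 5",
     "district": "Kadıköy", "city": "İstanbul", "spend": 1200},
    {"name": "Mehmet", "surname": "Demir", "national_id": "22222222222",
     "birth_date": date(1975, 11, 20), "address": "Deneme Cd. No: 12",
     "district": "Kadıköy", "city": "İstanbul", "spend": 800},
    {"name": "Fatma", "surname": "Kaya", "national_id": "33333333333",
     "birth_date": date(1982, 6, 15), "address": "Test Sk. No: 3",
     "district": "Çankaya", "city": "Ankara", "spend": 450},
    {"name": "Ali", "surname": "Çelik", "national_id": "44444444444",
     "birth_date": date(1975, 1, 9), "address": "Model Cd. No: 8",
     "district": "Çankaya", "city": "Ankara", "spend": 300},
]

# Fields that identify a person directly (the "fundamental identifying information").
DIRECT_IDENTIFIERS = ("name", "surname", "national_id")


def mask(records):
    """Masking: remove the direct identifiers from every record."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def aggregate_by_birth_year(records):
    """Aggregation: report how many people share each birth year instead of
    showing each person's birth year (the policy's '100 customers born in 1975')."""
    return dict(Counter(r["birth_date"].year for r in records))


def derive(records, reference_year):
    """Data derivation: replace the birth date with a ten-year age band and
    the full address with district and city only."""
    out = []
    for r in records:
        decade = (reference_year - r["birth_date"].year) // 10 * 10
        out.append({"age_band": f"{decade}-{decade + 9}", "district": r["district"],
                    "city": r["city"], "spend": r["spend"]})
    return out


def shuffle_column(records, column, seed):
    """Data shuffling (permutation): permute one column across the records so a
    value no longer sits next to the person it belonged to; the multiset of
    values, and therefore any statistic over the column, is unchanged."""
    values = [r[column] for r in records]
    random.Random(seed).shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(records, values)]


def remove_variables(records, columns):
    """Removing variables: drop any field that could link a record to a person."""
    return [{k: v for k, v in r.items() if k not in columns} for r in records]


def is_unique_combination(records, keys):
    """Added check (not prescribed by the policy): True if some combination of
    the given remaining fields occurs exactly once, i.e. still singles out one
    person (a quasi-identifier)."""
    combos = Counter(tuple(r[k] for k in keys) for r in records)
    return any(n == 1 for n in combos.values())


if __name__ == "__main__":
    masked = mask(RECORDS)
    print("birth years:", aggregate_by_birth_year(RECORDS))
    print("masked still unique on (birth_date, district):",
          is_unique_combination(masked, ("birth_date", "district")))
    print("derived unique on (age_band, district):",
          is_unique_combination(derive(RECORDS, 2024), ("age_band", "district")))
```

The check at the end is the practical point: removing names and ID numbers satisfies the "masking" description, but the remaining fields must also be tested against the record count before a data set is treated as outside the scope of the KVKK.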
- Retention and Disposal Periods of Personal Data
- Disposal processes are carried out upon the request of the data subject, a Personal Data Protection Board decision or the expiry of the periodic disposal period.
- Periodic Disposal: The periodic disposal period determined within the Data Controller is the months of December and June of each year.
- Disposal upon request of the data subject: Disposal upon the request of the data subject shall be carried out without delay and within 30 days from the notification of the request in any case, if the request is found appropriate, and the data subject shall be responded to within the same period. The application and request processes of the data subject are set out in the "Data Subject Application Procedure".
- Disposal upon Board Decision: In the event that the Personal Data Protection Board issues a decision regarding the disposal of personal data, it shall be fulfilled without delay and within 30 days from the notification of the decision in any case and the Board shall be responded to within the same period.
- The table below contains the data categories processed within the Data Controller, the processing and retention periods required by law and the processing purpose, and the disposal period.
- The Personal Data Protection Commission is authorised to decide on the disposal of personal data that is not included in this table but is part of the Data Controller's processes, or on updating and adding to the table, provided that it is proportionate to the purposes of processing personal data and is consistent with Board Decisions. The KVKK Commission shall ensure in its decision that the period is in compliance with the principles in Article 4 of the KVKK.
- The records in question shall be retained for a minimum of three years, except for other legal obligations.
Table 2: Table Showing Retention and Disposal Periods

| No. | Data Subject Group | Process | Data Retention Period | Disposal Time |
|---|---|---|---|---|
| 1 | Job Applicant | Job Applicant Application and Evaluation Processes (CV, photograph, all documents obtained for job application) | 2 years | From the date of the first application; provided that the applicant has not been hired, in the first periodic disposal period following the expiry of the retention period |
| 2 | Employee | Personnel File Processes (employment contract, identity, contact, driving licence, legal transaction, disciplinary processes, personnel rights processes, CV, criminal record and other documents in personnel file, audiovisual records, custody transactions) | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 3 | Employee | Processes relating to location information obtained via vehicle tracking system | 2 years | In the first periodic disposal period following the expiry of the retention period from the date of data processing |
| 4 | Employee | Accounting, payment and financial processes relating to employee wages and other personnel rights | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 5 | Employee | Processes of transaction and content records on email, corporate accounts and devices assigned to the employee | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 6 | Employee | Employer's health and safety records, personal health file and processes relating to approved registers | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 7 | Employee | Corporate device, email, telephone usage content and processes | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 8 | Employee | Workplace entry-exit timesheet records | 15 years | In the first periodic disposal period following the expiry of the retention period from the date of separation from employment |
| 9 | Employee / Visitor / Website Visitor | Transaction Security Processes (Internet usage IP log records, user log records, IP address) | 2 years | In the first periodic disposal period following the expiry of the retention period from the recording date |
| 10 | Employee / Visitor / Everyone present at Data Controller locations | Physical space security camera recording processes | 45 days | Deleted upon expiry of the retention period following the making of the recording. |
| 11 | Visitor / Everyone present at Data Controller locations | Physical space security entry-exit visitor record processes | 5 years | In the first periodic disposal period following the expiry of the retention period from the recording date |
| 12 | All relevant person groups (employees are separately indicated.) | Legal transaction processes | 10 years | In the first periodic disposal period following the expiry of the retention period from the date of the legal transaction |
| 13 | Suppliers, business partners and customers | Customer transaction information (cheque, bill, invoice, request, complaint) | 10 years | In the first periodic disposal period following the expiry of the retention period from the date of the transaction |
| 15 | Suppliers, business partners, customers and persons with contracts (employees are separately indicated in another section) | Contract and commercial transaction processes (written or unwritten contracts and annexes, signature circulars, contact information of parties, delivery and shipment documents relating to the contract) | 10 years | In the first periodic disposal period following the expiry of the retention period after the termination of the contract and simultaneously the legal and actual commercial relationship |
| 16 | All relevant person groups (employees are separately indicated in another category) | Accounting and finance processes (payments made and received, invoices, financial documents, slips, statements) | 10 years | If the relationship is based on a contract, from the termination of the contract and simultaneously the legal and actual commercial relationship; if the relationship is not based on a contract, from the transaction date, in the first periodic disposal period following the expiry of the retention period |
| 17 | Visitors | Website cookie information | Retained for the periods specified on our website. | Disposed of at the end of the periods specified on our website. |
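As an added worked example (not the Data Controller's own tooling), the date arithmetic behind the "Disposal Time" column, using the June and December periodic disposal months and the 30-day request deadline stated in this policy. The following are assumptions the policy does not spell out: a periodic disposal period is treated as the whole calendar month; the first period "following" expiry is the first June or December whose first day falls on or after the expiry date; retention counted in years is added as whole calendar years, with 29 February falling back to 28 February. All trigger dates used are constructed.

```python
"""Added worked example (not the Data Controller's tooling): the date
arithmetic behind the 'Disposal Time' column of Table 2.
Assumptions (not stated in the policy): periodic disposal periods are the
whole months of June and December; the first one 'following' expiry is the
first such month whose first day is on or after the expiry date; years are
added as calendar years with 29 February falling back to 28 February."""
from datetime import date, timedelta

PERIODIC_DISPOSAL_MONTHS = (6, 12)   # June and December, as the policy states
REQUEST_RESPONSE_DAYS = 30           # deadline for data-subject and Board requests


def as_date(d):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d, years):
    """Add whole calendar years; 29 February falls back to 28 February."""
    d = as_date(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(trigger, years=0, days=0):
    """End of the retention period counted from the trigger date the table names
    (date of separation from employment, transaction date, recording date, ...)."""
    return add_years(trigger, years) + timedelta(days=days)


def first_periodic_disposal_month(expiry):
    """First day of the first June or December on or after the expiry date."""
    expiry = as_date(expiry)
    for year in (expiry.year, expiry.year + 1):
        for month in PERIODIC_DISPOSAL_MONTHS:
            start = date(year, month, 1)
            if start >= expiry:
                return start
    raise RuntimeError("unreachable: next year's December always qualifies")


def disposal_due(trigger, years=0, days=0, periodic=True):
    """Date by which a record must be disposed of. periodic=False models rows such
    as camera recordings, which the table deletes on expiry rather than at the
    next periodic disposal period."""
    expiry = retention_expiry(trigger, years, days)
    return first_periodic_disposal_month(expiry) if periodic else expiry


def request_deadline(notified_on):
    """Latest date to fulfil and answer a data-subject or Board disposal request."""
    return as_date(notified_on) + timedelta(days=REQUEST_RESPONSE_DAYS)


if __name__ == "__main__":
    # Row 2: personnel file, 15 years from a constructed separation date
    print("personnel file:", disposal_due("2010-03-15", years=15))
    # Row 10: camera recording made on a constructed date, deleted 45 days later
    print("camera recording:", disposal_due("2024-01-01", days=45, periodic=False))
    # Data-subject request notified on a constructed date
    print("request deadline:", request_deadline("2024-05-01"))
```

The December edge case is the one worth noting when scheduling: a retention period that ends on 20 December is not caught by that month's periodic disposal under the assumption above and rolls to the following June, so a schedule that only checks "expired before the run" would miss it by half a year in the other direction if the assumption were reversed. Whichever reading the Commission adopts should be recorded alongside Table 2.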
- Publication and Storage of the Policy
The Policy is published in two different formats, namely wet-signed (printed paper) and in electronic form, and is disclosed to the public on the website.
- Policy Update Period
The Policy is reviewed as needed and the necessary sections are updated.
- Entry into Force
The Policy shall be deemed to have entered into force upon its announcement to employees and its publication on the Data Controller's website.
Data Controller Title : KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş.
MERSIS No : 0336132644000001
E-mail address : info@kkuniversalinc.com
KEP address : (
Physical Postal Address : Halil Rıfat Paşa Mah. Yüzer Havuz Sk. Perpa Tic. Mer. A Blok No: 1 İç Kapı No: 1766 Şişli / İstanbul
ANNEX 1: DISPOSAL RECORD UPON REQUEST OF DATA SUBJECT
DOCUMENT DISPOSAL RECORD UPON REQUEST OF DATA SUBJECT
The documents containing personal and special categories of personal data listed below have been disposed of by …… in the capacity of Data Controller, in accordance with Law No. 6698 on the Protection of Personal Data and the relevant legislation, in line with the request of the data subject. The disposal technique and date used for the documents disposed of in line with the data subject's request, and the content of the disposed documents and files, are specified in detail in the tables below.
Data Subject
Data Subject Disposal Request Date
Disposal Technique
Date of Notification of Disposal Documents to Data Subject
Data Categories in Documents
(Identity, contact, finance, professional experience, audiovisual records, etc.)
Environment Where Documents are Located
(If physical: personnel file; if digital: Google Drive/Cloud, etc.)
List of Disposed Documents
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DISPOSER: Name Surname / Position / Signature
WITNESS TO DISPOSAL: Name Surname / Position / Signature
ANNEX 2: PERIODIC DISPOSAL RECORD
The documents containing personal and special categories of personal data listed below have been disposed of by …… in the capacity of Data Controller, in accordance with Law No. 6698 on the Protection of Personal Data and the relevant legislation, because the retention periods of documents containing personal and special categories of personal data have expired in accordance with the Personal Data Retention and Disposal Policy. The disposal technique and date used for the documents disposed of in line with the expiry of legal retention periods, and the content of the disposed documents and files, are specified in detail in the tables below.
Data Subject Whose Data is Subject to Disposal
Disposal Date
Disposal Technique Used
Data Categories in Documents
(Identity, contact, finance, professional experience, audiovisual records, etc.)
Environment Where Documents are Located
(If physical: personnel file; if digital: Google Drive/Cloud, etc.)
List of Disposed Documents
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
DISPOSER: Name Surname / Position / Signature
WITNESS TO DISPOSAL: Name Surname / Position / Signature