LPPD PERSONAL DATA PROCESSING, RETENTION AND DESTRUCTION POLICY

1. INTRODUCTION

As Yepsan Yedek Parça Sanayi Ticaret A.Ş. (“Company”), we attach great importance to processing and protecting, in compliance with the Law on the Protection of Personal Data No. 6698 (“LPPD”), all kinds of personal data of all individuals within the Company’s field of activity, including customers, suppliers, managers and employees of service providers, business partners, shareholders, employees, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and other relevant third parties. For this purpose, our Company takes the necessary administrative and technical measures in accordance with legal regulations and decisions adopted.

The Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data No. 108, opened for signature in Strasbourg on 28 January 1981 and entering into force on 1 October 1985, was signed by our country on 28 January 1981. This Convention was incorporated into our domestic law by being published in the Official Gazette dated 17 March 2016 and numbered 29656. Accordingly, the Law on the Protection of Personal Data (“LPPD”) entered into force upon its publication in the Official Gazette dated 07.04.2016. Within the scope of the European Union (EU) legislation on the protection of personal data, regulations are set out in the General Data Protection Regulation (GDPR).

The Personal Data Protection and Processing, Retention and Destruction Policy and its annexes, prepared within the scope of the Law on the Protection of Personal Data No. 6698 and the relevant legislation, have been drawn up by Yepsan Yedek Parça Sanayi Ticaret A.Ş. as the data controller, within the scope of the Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

2. PURPOSE

With this policy text prepared by our Company, it is aimed—within the framework of the basic principles set out below for completing the compliance process with the LPPD by Yepsan Yedek Parça Sanayi Ticaret A.Ş.—to ensure that personal data of customers, suppliers, managers and employees of service providers, business partners, shareholders, employees, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and other relevant third parties are processed in accordance with the decisions and principles published by the Personal Data Protection Authority, the Constitution of the Republic of Türkiye, International Conventions, the Law on the Protection of Personal Data No. 6698 and related legislation, and that relevant persons can effectively exercise their rights. The works and transactions regarding the retention and destruction of personal data are carried out in accordance with this policy.

The Personal Data Retention and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles to be followed regarding the works and transactions related to the retention and destruction activities carried out by our Company.

3. SCOPE

Personal data of customers, suppliers, supplier representatives, supplier employees, business partners, shareholders, employees, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and other relevant third parties fall within the scope of this policy; this policy applies to all recording media in which personal data processed by automated or non-automated means are processed within our Company, and to all Company activities regarding personal data processing.

4. ABBREVIATIONS AND DEFINITIONS

Explicit Consent: 

Consent based on information and declared with free will regarding a specific subject.

Recipient Group:

The category of natural or legal persons to whom personal data are transferred by the data controller.

Anonymization:

Rendering personal data incapable of being associated in any way with an identified or identifiable real person, even by matching with other data.

Employee:

Covers the employees of our Company.

Employee Candidate:

Those who apply for a job by filling out the job application form via the website or by coming to the workplace in person.

Electronic Environment:

Environments in which personal data can be created, read, modified, and written by electronic devices.

Non-Electronic Environment:

All written, printed, visual, etc. environments other than electronic environments.

Service Provider:

A natural or legal person providing services under a specific contract with the Company.

Relevant User: 

Persons who process personal data within the data controller’s organization or upon authorization and instruction from the data controller, excluding those responsible solely for the technical storage, protection, and backup of data.

Data Subject / Personal Data Owner: 

The natural person whose personal data are processed.

Destruction: 

Deletion, destruction, or anonymization of personal data.

Personal Data Processing Inventory:

An inventory that data controllers create by associating their personal data processing activities with their business processes, the purposes and legal grounds for processing, data categories, recipient groups to whom data are transferred, and categories of data subjects; detailing the maximum retention period necessary for the purposes for which personal data are processed, personal data envisaged to be transferred abroad, and the measures taken regarding data security.

Recording Medium: 

Any medium in which personal data processed fully or partially by automated means or non-automated means, provided that it is part of a data recording system, are located.

Personal Data: 

Any information relating to an identified or identifiable real person.

Processing of Personal Data: 

Any operation performed on personal data such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, fully or partially by automated means or by non-automated means provided that it is part of a data recording system.

Anonymization of Personal Data: 

Rendering personal data incapable of being associated in any way with an identified or identifiable real person, even by matching with other data.

Deletion of Personal Data: 

Rendering personal data inaccessible and non-reusable in any way for Relevant Users.

Destruction of Personal Data: 

Rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any way.

Law:

Law on the Protection of Personal Data No. 6698

Board:

Personal Data Protection Board

Authority:

Personal Data Protection Authority

Data Controller Contact Person:

The real person notified at the time of registration to the Registry to ensure communication with the Authority regarding the obligations under the Law and secondary regulations issued based on this Law—by the data controller for real and legal persons resident in Türkiye, and by the data controller’s representative for real and legal persons not resident in Türkiye.

Special Categories of Personal Data:

Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Periodic Destruction:

Deletion, destruction or anonymization to be performed ex officio at recurring intervals specified in the personal data retention and destruction policy in case all conditions for processing personal data set out in the Law cease to exist.

Policy:

General Policy on Personal Data Processing, Retention and Destruction

Retention:

Keeping personal data for the period stipulated in the relevant legislation or for the period necessary for the purpose of processing.

Company:

Yepsan Yedek Parça Sanayi Ticaret A.Ş.

Data Processor:

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System:

A recording system in which personal data are processed by being structured according to specific criteria.

Data Controllers’ Registry Information System:

The information system created and managed by the Presidency that is accessible via the internet and is used by data controllers during application to the Registry and other related procedures.

VERBİS:

Data Controllers’ Registry Information System

Regulation:

The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017

5. RESPONSIBILITIES AND DUTY DISTRIBUTION

In accordance with the Law on the Protection of Personal Data No. 6698 and the relevant legislation, to ensure, preserve, and maintain compliance with the personal data protection legislation, a Data Controller Contact Person has been designated within the Company to ensure the necessary coordination, and a personal data protection unit (committee) has been established. The duties and responsibilities of the committee have been defined, necessary decisions have been taken, and communicated to the relevant parties.

To ensure the proper implementation of the technical and administrative measures adopted within the scope of this policy, to train relevant unit employees and increase their awareness, to conduct audits, to prevent the unlawful processing and access to personal data, and to ensure the lawful retention of personal data, technical and administrative measures to ensure data security in all environments where personal data are processed are fulfilled by the responsible units under the coordination of the Data Controller Contact Person and the committee.

6. ENVIRONMENTS IN WHICH PERSONAL DATA ARE RECORDED

Personal data kept by our Company are recorded in electronic environments such as servers, software used, personal computers, mobile devices such as phones and tablets, applications, software programs, optical disks, removable memories, and in non-electronic physical environments such as personal data kept on paper, forms containing information on provided services, personnel files, job application forms, contracts concluded between the Company and third parties, manual data recording systems (survey forms, visitor forms), unit cabinets, and archive rooms. 

Your personal data are securely retained in compliance with the LPPD and related legislation and international data security principles. Your personal data are obtained, recorded, stored, altered, rearranged, and subjected to any operation within the scope of our Company’s processing activities—fully or partially by automated means, or by non-automated means provided that they are part of a data recording system. 

7. PROCESSING OF PERSONAL DATA AND GENERAL PRINCIPLES

7.1. Confidentiality Principle

As explained in this policy, the data of both employees and all other persons who are personal data subjects in contact with our Company are confidential. Within the scope of this policy and the measures taken, except for the cases specified in the Law, no one may use personal data for any purpose other than those specified by the policies, nor reproduce, copy, transfer to others, or use them for any other purpose. 

7.2. Fundamental Principles

Personal Data processed by our Company are processed in accordance with the principles set out in Article 4 of the LPPD. The Company processes, protects, deletes, and destroys Personal Data in accordance with the procedures and principles stipulated by law according to the principles written below.

  • Being processed lawfully and fairly.
  • Being accurate and, where necessary, up to date.
  • Being processed for specific, explicit, and legitimate purposes.
  • Being relevant, limited, and proportionate to the purposes for which they are processed.
  • Being retained for the period prescribed by legislation or for the period required for the purpose for which they are processed.

8. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data processed by our Company are processed in accordance with Article 5 of the LPPD. Personal data cannot be processed without the explicit consent of the data subject. However, if one of the following conditions exists, personal data may be processed without seeking the explicit consent of the data subject. 

  • Clearly stipulated by laws (principle of legality).
  • Being necessary to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid (actual impossibility).
  • Being necessary, provided that it is directly related to the conclusion or performance of a contract, for the processing of personal data of the parties to the contract (performance of a contract).
  • Being necessary for the data controller to fulfill its legal obligation (legal obligation).
  • Personal data being made public by the data subject (publicity).
  • Being necessary for the establishment, exercise, or protection of a right (necessity).
  • Provided that it does not harm the fundamental rights and freedoms of the data subject, being necessary for the legitimate interests of the data controller (legitimate interest).

9. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Special Categories of Personal Data processed by our Company are processed in accordance with Article 6 of the LPPD. Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special categories of personal data. 

The processing of Special Categories of Personal Data without the explicit consent of the data subject is prohibited by law. Accordingly, Special Categories of Personal Data cannot be processed without the explicit consent of the data subject. However, as stated in the article of the law, excluding personal data relating to health and sexual life listed in paragraph 6/1 of the Law, personal data may be processed without the explicit consent of the data subject in cases stipulated by laws.

Personal data relating to health and sexual life may be processed without the explicit consent of the data subject only:

  • For the protection of public health,
  • Preventive medicine,
  • Medical diagnosis, treatment and care services,
  • For planning and management of health services and their financing,
  • By persons under an obligation of confidentiality or by authorized institutions and organizations.

Our Company processes Special Categories of Personal Data in compliance with the LPPD and relevant legal legislation and by taking the adequate measures determined by the Board.

10. PROCESSING, COLLECTION AND LEGAL GROUNDS OF PERSONAL DATA

Your personal data are processed and collected—limited to the specified purposes within the scope of Company activities—by all kinds of verbal, written, or electronic means, through filling in application forms, creating personnel files, arranging and performing contracts, processing financial information to establish and maintain accounting, financial and social rights, processing personal data obtained for purchasing, marketing, planning, export, quality, and corporate development purposes, visiting Company buildings and annexes and the website, calling our call services, and by using a video surveillance system in Company buildings and annexes to ensure internal and external security, fully or partially by automated means or by non-automated means provided that it is part of a data recording system.

Your personal data are processed, collected, and transferred in accordance with Article 5 of the Law based on the legal grounds of your explicit consent, being clearly stipulated by laws, being necessary—provided that it is directly related to the conclusion or performance of a contract—for the processing of personal data of the parties to the contract, being necessary for our Company as data controller to fulfill its legal obligation, personal data being made public by the data subject, and being necessary for the legitimate interests of our Company as data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

11. PRINCIPLES REGARDING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

With this policy established by our Company, personal data of customers, suppliers, managers and employees of service providers, business partners, shareholders, employees, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and other relevant third parties are retained and destroyed in accordance with the relevant legislation, procedure, and law. Detailed explanations regarding retention and destruction are set out below.

11.1. Retention of Personal Data

Article 3 of the Law No. 6698 defines the processing of personal data, Article 4 stipulates that processed personal data must be relevant, limited and proportionate to the purposes for which they are processed and retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed, and Articles 5 and 6 of the Law list the conditions for processing personal data. Detailed explanations regarding this are written above in this policy text, and within the scope of Company activities, personal data are retained for the period stipulated in the relevant legislation or necessary for our processing purposes, by taking administrative and technical measures. 

11.2. Legal Grounds Requiring the Retention of Personal Data

Within the scope of this policy, personal data processed within the scope of our Company’s activities are retained for the periods stipulated in the relevant legislation. In addition to the statutory retention periods prescribed by the laws to which individuals are subject within the scope of Company activities and secondary regulations, personal data are retained for the limitation periods stipulated by laws for offenses.

Considering the limitation periods stipulated by the legal legislation to which our Company is subject within the scope of its activities, possible disputes with third parties with whom the Company is in a legal relationship, the Company’s corporate memory, and its commercial business and activities, retention and destruction periods of personal data—apart from the periods stipulated by laws—have been determined as a corporate decision with this policy, taking into account the Company’s legitimate interests and the processes of establishment and performance of contracts concluded or to be concluded with relevant data subjects. 

11.3. Processing Purposes Requiring the Retention of Personal Data

The Company retains the personal data it processes in accordance with the relevant legislation and limited to the Company’s activities, for the purposes set out below. Accordingly, the processing purposes requiring the retention of personal data are listed below.

  • To develop the Company’s products and services and carry out corporate development activities.
  • To carry out the Company’s finance and accounting affairs.
  • To conduct the Company’s commercial activities with third parties and service procurement processes.
  • To fulfill legal obligations within the scope of Company activities.
  • To plan and execute human resources processes and to carry out employment and internship application processes.
  • To create personnel files and fulfill financial obligations.
  • To conclude and perform contracts and protocols made or to be made with the Company’s customers, suppliers, employees, and relevant third parties with whom it has legal relations.
  • To conduct marketing activities.
  • To ensure corporate communication with the Company.
  • To ensure the Company’s corporate quality and the security of relevant persons with whom it is in contact.
  • To carry out works and processes before the Personal Data Protection Authority within the scope of the LPPD.
  • To make the necessary legal notifications to the relevant public institutions and organizations as required by legislation.
  • To fulfill the burden of proof as evidence in legal disputes with third parties.
  • To carry out the necessary processes for your contact with our Company using our website related to Company activities, to contact us via Company contact information, and to fill out the forms on our website.
  • To ensure the security of the Company’s buildings, factories, and offices visited by relevant third parties and Company employees and of the Company’s buildings and annexes.

11.4. Reasons Requiring the Destruction of Personal Data

Personal data are deleted, destroyed, or anonymized by the Company upon the request of the data subject, by filling out the application form, in accordance with the procedures and principles stipulated in the policy, law, and regulation, for the reasons set out below. Accordingly:

  • Where the purpose requiring the processing or retention of personal data by the Company ceases to exist.
  • Where the provisions of the relevant legislation forming the basis for the processing of personal data are amended or repealed.
  • Where the processing of personal data by the Company is based solely on the condition of explicit consent, withdrawal of explicit consent by the data subject.
  • Acceptance by the Personal Data Protection Authority of the data subject’s request for the deletion and destruction of personal data made within the scope of the rights of application to the Company pursuant to Article 11 of the LPPD.
  • Where the data subject applies to the Authority due to the Authority’s rejection of the request for deletion, destruction, or anonymization of personal data, the response being found inadequate, or a failure to respond within the period stipulated in the Law No. 6698, and the Personal Data Protection Board finds this request appropriate.
  • Where the maximum period requiring the retention of personal data under the relevant legal regulation has expired and there is no reason to require the retention of personal data.

12. TECHNICAL AND ADMINISTRATIVE MEASURES REGARDING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

Within the scope of the arrangements determined by this policy, to ensure the secure and lawful retention of personal data, to prevent unlawful processing and access, to prevent data leaks, and to ensure the lawful destruction of personal data, our Company, as data controller, takes the following technical and administrative measures in line with the adequate measures determined and announced by the Personal Data Protection Board as specified in Article 6/4 of the LPPD regarding Special Categories of Personal Data and Article 12 of the same Law to ensure the security of Personal Data.

12.1. Technical Measures:

The technical measures to be taken as announced by the Personal Data Protection Authority are published at https://www.kvkk.gov.tr, and our Company, as data controller, takes the necessary measures regarding the technical measures announced by the Board. An “LPPD Technical Measures Analysis Report” has been prepared by the “Information Technologies Department”, and the necessary technical measures and the precautions to be taken have been identified. As a result of on-site and real-time analyses regarding information security, risks and threats that may affect the continuity of information systems have been identified and are continuously monitored. Necessary measures are taken for the physical security of our Company’s IT systems, hardware, software, and data. Accordingly, the technical measures taken are listed as follows.

  • Network security and application security are ensured.
  • A closed system network is used for personal data transfers over the network.
  • Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • Periodic training and awareness activities are conducted for employees on data security.
  • Access logs are regularly kept.
  • Corporate policies regarding access, information security, use, retention, and destruction have been prepared and implemented.
  • Confidentiality undertakings are executed.
  • Authorizations in this area are revoked for employees who change positions or leave employment.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Signed contracts include data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken for entries and exits to physical environments containing personal data.
  • Security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
  • The security of environments containing personal data is ensured.
  • Personal data are minimized as much as possible.
  • Personal data are backed up and the security of backed-up personal data is ensured.
  • Periodic and/or random audits are conducted and commissioned within the institution.
  • Log records are kept in a way that does not allow user intervention.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the security of special categories of personal data have been determined and implemented.
  • Intrusion detection and prevention systems are used.
  • Cybersecurity measures have been taken and their implementation is continuously monitored.
  • Data processors (service providers) are audited at certain intervals regarding data security.
  • Awareness regarding data security is ensured for data processors (service providers). 

12.2. Administrative Measures:

Regarding the administrative measures announced by the Personal Data Protection Board, the necessary administrative measures have been taken by the Company as data controller. The Company has taken the necessary corporate decisions within the scope of compliance with the Law on the Protection of Personal Data No. 6698, fulfilled its obligations under the Law, created the policies required to be published, and announced them. Accordingly:

  • Personal data are processed based on the Personal Data Processing Inventory, which is mandatory pursuant to Article 5/1 of the Regulation and which must contain the matters specified in the relevant legislation. Our Company has also created the Personal Data Processing Inventory, which is updated at certain intervals.
  • Information and Disclosure Texts have been created, an application form has been prepared and published on the website. A Privacy and Cookie Policy has been created. The personal data protection, processing, retention and destruction policy has been determined, published on the website, and its implementation within the Company is ensured by the data controller contact person and the committee.
  • In order to improve the qualifications of employees, necessary awareness trainings have been provided to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the retention of personal data. An LPPD Data Controller Contact Person has been appointed, a personal data protection unit has been established, and the authorities and responsibilities of the committee members have been determined.
  • Works regarding the fulfillment of retention and destruction requirements for personal data have been initiated. In order to ensure compliance with the LPPD, necessary actions have been taken, Company contracts and texts containing personal data have been reviewed and made compliant with the LPPD. Within the scope of the LPPD, confidentiality undertakings are signed with Company employees, customers, and suppliers.

13. EXPLANATIONS ON PERSONAL DATA DESTRUCTION TECHNIQUES

As written in the policy and personal data inventory created by our Company, upon the expiry of the period stipulated in the relevant legal legislation or the necessary retention period for the purpose of processing personal data, personal data are destroyed by the Company’s authorized units ex officio or upon the application of the personal data owner to our Company, in accordance with the provisions of the LPPD and the relevant legislation, using the methods and techniques specified below.

13.1. Deletion of Personal Data

  • Personal Data on Servers as a Data Recording Medium: For personal data on servers whose retention period has expired, deletion is carried out by the system administrator by revoking access authorizations of relevant users.
  • Personal Data in Electronic Media: For personal data in electronic media whose retention period has expired, they are rendered inaccessible and non-reusable for other employees (relevant users) except the database administrator.
  • Personal Data in Physical Media: For personal data kept in physical media whose retention period has expired, they are rendered inaccessible and non-reusable for employees other than the unit manager responsible for the document archive. In addition, redaction is applied by crossing out/painting/scratching them so as to render them unreadable.
  • Personal Data in Portable Media: For personal data kept in flash-based storage media whose retention period has expired, they are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator. 

13.2. Destruction of Personal Data

  • Personal Data in Physical Media: Personal data kept on paper whose retention period has expired are destroyed irreversibly in paper shredders.
  • Personal Data in Optical/Magnetic Media: For personal data kept in optical and magnetic media whose retention period has expired, physical destruction is applied such as melting, burning, or pulverizing. In addition, magnetic media are made unreadable by passing them through a special device to expose them to a high-value magnetic field.

13.3. Anonymization of Personal Data

Anonymization of personal data means rendering the data incapable of being associated with an identified or identifiable real person under any circumstances, including matching with data belonging to other third persons.

For personal data to be considered anonymized, they must be rendered incapable of being associated or linked with an identified or identifiable real person even when techniques appropriate to the recording medium and the relevant field of activity are used, such as reversal by the data controller or third parties and/or matching the data with other data.

14. PERSONAL DATA RETENTION AND DESTRUCTION PERIODS

For personal data processed by our Company within the scope of Company activities, retention periods on a personal data basis, covering all personal data within the scope of activities carried out depending on processes, are set out in the “Personal Data Processing Inventory”; retention periods on a data category basis are set out during VERBİS registration; and retention periods on a process basis are set out in the “Personal Data Retention and Destruction Policy”.

Where necessary, the Data Controller Contact Person and the Personal Data Protection Unit (Committee) make the necessary updates regarding the said retention periods. The ex officio deletion, destruction, or anonymization of personal data whose retention periods have expired is carried out by the Data Controller Contact Person and the Personal Data Protection Unit (Committee) within the scope of the determined powers, duties, and responsibilities. Process-Based Personal Data Retention and Destruction Periods are indicated in the annex in a table.

15. DATA CONTROLLER’S DUTY TO INFORM

Pursuant to Article 10 of the Law, our Company, as the data controller, has taken all kinds of technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the retention of personal data. For this purpose, the necessary policies and the disclosure text have been prepared to cover the personal data of customers, suppliers, managers and employees of service providers, business partners, shareholders, employees, employee candidates, interns, visitors, employees of public institutions and organizations and private law legal entities, and other relevant third parties.

Within the scope of the said duty to inform, the information to be notified to personal data subjects is as follows, as listed in the law:

1. The identity of the data controller and, if any, its representative,

2. The purposes for which personal data will be processed,

3. The persons to whom processed personal data may be transferred and the purposes for which they may be transferred,

4. The method and legal ground for the collection of personal data,

5. The rights listed in Article 11 of the LPPD.

Pursuant to Article 10 of the Law on the Protection of Personal Data No. 6698 (“Law”) and the provisions of the Communiqué on the Principles and Procedures to Be Followed in Fulfilling the Duty to Inform, you can review the Disclosure Text prepared by our Company as the data controller on our website. 

16. RIGHTS OF THE PERSONAL DATA SUBJECT (RIGHT TO APPLY)

Pursuant to Article 11 of the Law on the Protection of Personal Data No. 6698, which “regulates the rights of the data subject”, an “APPLICATION FORM” has been prepared by our Company as the data controller in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller. You can review the application form on the Company website.  

16.1. Right of the Personal Data Subject to Apply 

Pursuant to Article 11 of the Law, everyone, by applying to the data controller, has the right to:

  1. Learn whether personal data are processed,
  2. Request information if personal data have been processed,
  3. Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  4. Know the third parties to whom personal data are transferred domestically or abroad,
  5. Request correction of personal data if they are incomplete or incorrectly processed,
  6. Request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the LPPD,
  7. Request that the transactions carried out for the correction, deletion, or destruction of personal data be notified to third parties to whom personal data are transferred,
  8. Object to the occurrence of a result to the detriment of the person by analyzing the processed data exclusively through automated systems,
  9. Request compensation for damages in case of damage due to unlawful processing of personal data.

16.2. Procedures, time limits and principles for the Data Controller’s response to applications

Pursuant to Article 13/1 of the LPPD, you must submit your applications to our Company in writing or by the methods specified by the Personal Data Protection Authority in order to exercise your above-mentioned rights. Our Company will conclude your requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the process incurs a cost, the fee in the tariff determined by the Board will be charged. If the application arises from the fault of the data controller, the fee received shall be refunded to the data subject.

16.3. Right of the Personal Data Subject to Lodge a Complaint with the Board

If the application is rejected, the reply is found insufficient, or the application is not answered in due time, the data subject may lodge a complaint with the Board within thirty days from the date of learning the data controller’s reply and, in any case, within sixty days from the date of application. Pursuant to Article 13 of the Law, the complaint cannot be lodged without exhausting the application remedy.

17. CASES IN WHICH THE PERSONAL DATA SUBJECT MAY NOT ASSERT RIGHTS (EXCEPTIONS)

Pursuant to Article 28/1 of the LPPD, the following matters are excluded from the scope of application of the Law (exceptions), and personal data subjects may not assert the rights listed in Article 16 above.

  • Processing of personal data by natural persons within the scope of activities related solely to themselves or their family members living in the same dwelling, provided that they are not given to third parties and the obligations regarding data security are complied with.
  • Processing of personal data for purposes such as research, planning, and statistics by anonymizing them with official statistics.
  • Processing of personal data, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or does not constitute a crime, for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression.
  • Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
  • Processing of personal data by judicial authorities or execution authorities with regard to investigation, prosecution, judgment, or execution procedures.

Pursuant to Article 28/2 of the LPPD, provided that it is in compliance with the purpose and basic principles of this Law and is proportionate, Article 10 regulating the data controller’s duty to inform, Article 11 regulating the rights of the data subject—except for the right to request compensation for damages—and Article 16 regulating the obligation to register with the Data Controllers’ Registry shall not apply in the following cases:

  • Where processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the data subject.
  • Where processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by law.
  • Where processing of personal data is necessary for the protection of the State’s economic and financial interests with regard to budget, tax, and financial matters.

18. PERIODIC DESTRUCTION AND AUDIT PERIOD OF PERSONAL DATA

The periods for ex officio deletion, destruction, or anonymization of personal data are regulated in Article 11 of the Regulation as set out below. Accordingly, a data controller who has prepared a personal data retention and destruction policy shall delete, destroy, or anonymize the personal data in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises. The time interval at which periodic destruction will be carried out is determined by the data controller in the personal data retention and destruction policy. In any case, this period shall not exceed six months. A data controller who does not have the obligation to prepare a personal data retention and destruction policy shall delete, destroy, or anonymize personal data within six months following the date on which the obligation to delete, destroy, or anonymize personal data arises. In addition, members of the personal data committee and the data controller shall carry out the necessary audits at intervals not exceeding six months. The Personal Data Protection Board may shorten the periods specified in the Regulation in the event of damage that is irreparable or impossible to remedy and of clear unlawfulness.

19. DELETION AND DESTRUCTION PERIODS UPON APPLICATION OF THE DATA SUBJECT

The periods for deletion and destruction of personal data upon the application of the data subject are regulated in Article 12 of the Regulation as set out below. Accordingly, if all conditions for processing personal data cease to exist, the data controller shall delete, destroy, or anonymize the personal data subject to the request. The data controller shall conclude the data subject’s request within thirty days at the latest and inform the data subject. If all conditions for processing personal data cease to exist and the personal data subject to the request have been transferred to third parties, the data controller shall notify the third party of this situation and shall ensure that the necessary actions are taken by the third party within the scope of this Regulation. If all conditions for processing personal data have not ceased to exist, this request may be rejected by the data controller by explaining the justification pursuant to Article 13/3 of the Law, and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.

20. PUBLICATION, RETENTION AND UPDATE OF THE POLICY

This policy prepared by the Company is published in two different media, namely as a wet-ink-signed (printed) copy and in electronic form on the Company’s website www.yepsan.com.tr. With its publication on the website, the Policy shall be deemed to have been disclosed to the public. The printed copy is kept in the “Corporate Development Unit/Department” in the LPPD file. This policy, created by the designated committee members within the scope of their powers and responsibilities, shall be reviewed once a year, at the end of each year from the date of publication, and also without delay whenever needed, and the relevant sections shall be updated as necessary.

21. ENTRY INTO FORCE AND REPEAL OF THE POLICY

This policy set out in the articles above shall be deemed to have entered into force upon its publication on the Company’s website www.yepsan.com.tr.

In the event that it is decided to repeal the policy with the approval of the data controller and the decision of the personal data committee, the wet-ink-signed old copies of the policy shall be cancelled (by stamping or writing “cancelled”), signed, and retained for at least 5 years by the committee in the “Corporate Development Unit/Department” by the data controller contact person.

Process-Based Personal Data Retention and Destruction Periods

| Process | Retention Period | Destruction Period |
| --- | --- | --- |
| Execution of Human Resources Processes | 15 years from termination of the contract | In the first periodic destruction following the end of the retention period, at the latest within 6 months |
| Application process information of employee candidates and interns | 2 years from the date the request is received | Within 30 days in case the request is evaluated negatively or withdrawn, and in the first audit period following the end of the retention period, at the latest within 180 days |
| Interns (students) | 15 years from the beginning of the calendar year following the end of the internship | In the first audit period following the end of the retention period, at the latest within 180 days |
| Customer, Supplier, Service Provider Transactions | 15 years from termination of the contract and business relationship | In the first audit period following the end of the retention period, at the latest within 180 days |
| Visitor Transactions | 2 years | In the first audit period following the end of the retention period, at the latest within 180 days |
| Camera Recordings | 39 days | Within 30 days upon request; in the first audit period following the end of the retention period, at the latest within 180 days |
| Potential Customer Transactions | 2 years | In the first audit period following the end of the retention period, at the latest within 180 days |
| Contract Transactions | 15 years from termination of the contract and business relationship | In the first audit period following the end of the retention period, at the latest within 180 days |
| Company Communication Activities | 15 years from termination of the contract and business relationship | In the first audit period following the end of the retention period, at the latest within 180 days |
| Accounting and financial transactions | 15 years | In the first audit period following the end of the retention period, at the latest within 180 days |
| Occupational Health and Safety Processes | 15 years from termination of the contract and business relationship | In the first audit period following the end of the retention period, at the latest within 180 days |
| Environmental Process Transactions | 15 years from termination of the contract and business relationship | In the first periodic destruction audit period following the end of the retention period, at the latest within 180 days |
| Log Records, Internet and Network Access processes | 2 years | In the first audit period following the end of the retention period, at the latest within 180 days |

YEPSAN YEDEK PARÇA SANAYİ TİCARET A.Ş.

Kayapa Mah. 13(530) Sokak No: 7A Nilüfer Bursa Türkiye Telephone: +90 224 493 26 81

Tax Office: Ertuğrulgazi, Tax No: 9490038980, Trade Registry No: 30515, MERSIS No: 9003898000011

web: www.yepsan.com.tr