Personal Data Storage and Destruction Policy

ARMAS ELECTRONIC INDUSTRY AND TRADE LIMITED COMPANY

PERSONAL DATA STORAGE AND DESTRUCTION POLICY 

1. INTRODUCTION AND PURPOSE OF PREPARATION OF THE POLICY

This Personal Data Storage and Destruction Policy (“Policy”) has been prepared by Armas Elektronik Sanayi Ve Ticaret Limited Şirketi (“Armas” or “Company”), as the data controller, to fulfill our obligations in accordance with Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which came into force after being published in the Official Gazette dated 28 October 2017 and which constitutes the secondary regulation of the Law, and to inform data owners about the principles of determining the maximum storage period required for the purpose for which their personal data is processed and about the deletion, destruction and anonymization processes.

All units, employees, officials and representatives of Armas are obliged to comply with this Policy and take the necessary steps to comply with the Policy.

Any personal data shared with and obtained by Armas constitutes the subject of this Policy. This Policy relates only to personal data of real persons, and data of legal entities is not within the scope of the Policy.

In case of incompatibility between this Policy and the KVKK, the Regulation and the relevant legislation, the provisions of the legislation shall apply. Armas undertakes to comply with this Policy and the tools, programs and processes to be applied in accordance with the Policy during the deletion, destruction or anonymization of the processed personal data it holds.

2. DEFINITIONS  

Abbreviation | Definition
Buyer Group | Category of real or legal person to whom personal data is transferred by the Data Controller
Explicit Consent | Consent regarding a specific issue, based on information and expressed with free will
Anonymization | Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data
Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices
Non-Electronic Media | All written, printed, visual and other media except electronic media
Service Provider | Natural or legal person providing services within the framework of a specific contract with Armas
Contact Person | Natural person whose personal data is processed
Relevant User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data
Destruction | Deletion, destruction or anonymization of personal data
Law/KVKK | Personal Data Protection Law No. 6698
Recording Media | Any environment containing personal data processed by fully or partially automated means or by non-automatic means provided that it is part of any data recording system
Personal Data Processing Inventory | The inventory that Data Controllers create and detail by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes, data category, transferred recipient group and data subject person group
Deletion | Making personal data inaccessible and unusable for relevant users in any way
Destruction | Making personal data inaccessible, irretrievable and unusable by anyone
Personal Data | Any information regarding an identified or identifiable natural person
Processing of Personal Data | Any action performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system
Board | Personal Data Protection Board
Personal Data Protection and Processing Policy | The policy on protection and processing of personal data dated ..../…./………, which determines the procedures and principles regarding all kinds of transactions related to the processing of personal data such as obtaining, recording, protecting and transferring personal data by Armas
Special Personal Data | Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data
Policy | This personal data retention and destruction policy
Company | Armas Electronic Industry and Trade Limited Company
Periodic Destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, carried out ex officio at recurring intervals in case all the conditions for processing personal data specified in the Law are eliminated
Data Processor | Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller
Data Recording System | Recording system where personal data is structured and processed according to certain criteria
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system
VERBIS | Data Controllers Registry Information System
Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017


3. PRINCIPLES TO BE OBSERVED IN THE STORAGE AND DESTRUCTION OF PERSONAL DATA

Armas acts within the framework of the following principles in the storage and destruction of personal data:

  • In the deletion, destruction and anonymization of personal data, we act in full compliance with the principles listed in Article 4 of the Law, the technical and administrative measures that must be taken within the scope of Article 12 and that are specified in Article 6.2 of this Policy, the relevant legislative provisions, Board decisions and this Policy.
  • Unless a contrary decision is taken by the Board, Armas chooses the appropriate method to delete, destroy or anonymize personal data ex officio. However, upon the request of the Relevant Person, the appropriate method will be selected by explaining the justification.
  • If all the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated, personal data is deleted, destroyed or anonymized by Armas ex officio or upon the request of the relevant person. If Armas is contacted by the Relevant Person regarding this matter:
    • Requests submitted are concluded within 30 (thirty) days at the latest and the Relevant Person is informed.
    • If the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data has been transferred and the necessary actions are taken before the third parties.
    • If it is understood that all the conditions for processing personal data have not been eliminated, Armas may reject this request by explaining its reasons. In this case, the Relevant Person will be informed in writing or electronically within 30 days at the latest from the date the request is received/notified to Armas.

4. EXPLANATIONS ON THE REASONS REQUIRING STORAGE AND DISPOSAL

The concept of processing personal data is defined in Article 3 of the Law. Article 4 states that the personal data processed must be related, limited and proportionate to the purpose for which they are processed, and must be kept for the period envisaged in the relevant legislation or necessary for the purpose for which they are processed. The processing conditions of personal data are listed in Articles 5 and 6. Accordingly, Armas stores Personal Data within the framework of its activities for a period of time stipulated in the relevant legislation or appropriate for the purposes of processing.

4.1 Processing Purposes Requiring Storage

Personal Data of data owners held within Armas are stored for the following purposes in accordance with KVKK and other relevant legislation and the Personal Data Protection and Processing Policy.

  • Continuation of commercial and daily activities,
  • Fulfillment of contractual obligations such as recruitment, creation of personnel file, management and tracking of leave and absence records, recruitment processes, salary payments,
  • Carrying out the employee's dismissal procedures,
  • Carrying out and monitoring the training activities of employees,
  • Conducting periodic checks,
  • Carrying out financial activities within the scope of accounting, invoicing and payment,
  • Sharing information with banks,
  • Fulfillment of Armas's obligations arising from the legislation or other legal obligations, including providing information to public institutions and organizations,
  • Conducting legal and commercial relations with Armas' past, current and future employees, officials, suppliers, business partners, visitors, service providers and their employees, concluding contracts within this scope and processing Personal Data of the relevant parties for the purpose of fulfilling the contracts,
  • Carrying out corporate communication and management activities,
  • Planning and execution of customer relations and customer demands and complaints management processes,
  • Execution of domestic and international sales processes,
  • Execution of domestic and international purchasing processes,
  • Execution of processes related to company law,
  • Following up lawsuits, enforcement proceedings, administrative and criminal investigations, prosecutions and similar processes regarding Armas, and execution of the burden of proof as evidence in legal disputes,
  • Ensuring data security within Armas.

4.2 Legal Reasons Requiring Storage

  • Storing personal data because it is directly related to the establishment and execution of contracts,
  • Storing personal data for the purpose of establishing, exercising or protecting a right,
  • It is mandatory to keep personal data for the legitimate interests of Armas, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Storing personal data for Armas to fulfill any legal obligations,
  • The legislation clearly stipulates the storage of personal data,
  • Explicit consent of data owners for storage activities that require explicit consent of data owners.

4.3 Reasons Requiring Destruction

    In accordance with the Regulation, personal data of data owners are deleted, destroyed or anonymized by Armas ex officio or upon request in the following cases:

  • Amendment or abolition of the relevant legislative provisions that constitute the basis for the processing or storage of personal data,
  • The purpose requiring the processing or storage of personal data is eliminated,
  • Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
  • In cases where personal data is processed only on the basis of explicit consent, withdrawal of consent by the relevant person,
  • Acceptance by the data controller of the application made by the relevant person for the deletion, destruction or anonymization of his personal data within the framework of his rights in paragraphs (e) and (f) of Article 11 of the Law,
  • In cases where the data controller rejects the application made to him/her by the relevant person requesting the deletion, destruction or anonymization of his personal data, his response is found insufficient, or he does not respond within the period stipulated in the Law, a complaint being made to the Board and this request being approved by the Board,
  • The maximum period for which personal data should be stored having passed, with no conditions that would justify storing personal data for a longer period of time.

5. CATEGORIES OF PERSONAL DATA TO BE STORED

    Personal data to be stored by Armas is divided into the following categories for the purposes of this Policy:

    • Potential product or service buyer data
    • Product or service recipient data
    • Employee data
    • Employee candidate data
    • Data of former employees with whom the contractual relationship has ended
    • Intern
    • Family relative data
    • Supplier official/employee data
    • Partner officer/employee data
    • Visitor

     

    6. STORAGE AND DISPOSAL PERIOD

    Regarding your Personal Data processed by Armas in accordance with KVKK and other relevant legislation;

    • If a period is stipulated in the legislation, this period is respected,
    • If no period is stipulated in the relevant legislation for the storage of the data in question, reasonable periods for which the data should be stored are determined within the framework of the exceptions determined in accordance with the KVKK.

    If these periods expire, Personal Data will be deleted, destroyed or made anonymous.

    You can access the storage, destruction and periodic destruction periods determined by Armas from the "Storage and Destruction Periods Table" in the annex of this Policy [Annex-1]. Process-based retention periods for Personal Data are included in the "Personal Data Processing Inventory", and retention periods based on data categories are recorded in VERBIS.

    7. PERIODIC DISPOSAL

    Even if the storage period of personal data expires or there is no request from the Relevant Person, if it is understood that the reasons requiring the processing of personal data have disappeared, the relevant personal data will be deleted, destroyed or anonymized in the first periodic destruction process following the disappearance of the reasons.

    Periodical destruction of personal data is carried out every 6 (six) months. However, if a shorter period is determined by the Board for the periodic destruction of personal data in case of irreparable or impossible damages and if there is a clear violation of the law, this period is complied with.

    The first periodic destruction will be held on …/…/….

    All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

    8. MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA AND THE PREVENTION OF UNLAWFUL PROCESSING OF AND ACCESS TO PERSONAL DATA

    In order to store your personal data securely, prevent its unlawful processing and access, and destroy personal data lawfully, all administrative and technical measures are taken by Armas within the framework of the principles in Article 12 of the KVKK and, for sensitive personal data, the adequate measures determined and announced by the Board pursuant to the 4th paragraph of Article 6 of the KVKK.

    Administrative Measures:

    Within the scope of Armas administrative measures;

  • Armas' employees, officials and representatives are trained and informed about the lawful processing, storage and destruction of personal data.
  • Access to the stored Personal Data within Armas is limited only to personnel who are required or authorized to access it due to their job description.
  • In cases where services are received from third parties or cooperation is made with third parties for the storage or other processing of Personal Data, provisions regarding the legal storage, security and destruction of personal data are included in the contracts made with these parties.
  • In case the processed Personal Data is obtained by others through illegal means, Armas notifies the relevant person and the Board as soon as possible.
  • Armas fulfills its obligation to inform the relevant persons before starting to process Personal Data.
  • Personal Data processing inventory has been prepared.
  • Armas carries out the necessary inspections, or has them carried out, in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates privacy and security vulnerabilities that arise as a result of audits.

    Technical Measures:

    Within the scope of Armas technical measures;

  • Network security and application security are provided.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • Data masking measures are applied when necessary.
  • The authorizations in this area of employees who change duties or leave their jobs are removed.
  • Firewalls are used.
  • Up-to-date anti-virus systems are used.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Data processing service providers are made aware of data security.
  • Encryption is performed.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Intrusion detection and prevention systems are used.
  • If sensitive personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
  • Log records are kept without user intervention.
  • Current risks and threats have been identified.
  • Periodical and/or random audits are carried out within the institution.
  • User account management and authorization control system is implemented and these are also monitored.
  • A closed system network is used for personal data transfer via the network.
  • Key management is implemented.
  • There are disciplinary regulations for employees that include data security provisions.
  • An authority matrix has been created for employees.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Data processing service providers are periodically audited regarding data security.
  • Data loss prevention software is used.

    9. PROCEDURES FOR STORAGE AND DISPOSAL OF PERSONAL DATA BY AR MAKINA

    9.1 RECORDING MEDIA


    Personal data belonging to data owners is stored securely by Armas, according to the type and characteristics of the personal data, on paper and in Armas cabinets, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles.

    9.2 PERSONNEL

    The titles, units and job descriptions of the personnel involved in the personal data storage and destruction process are as follows:

    Personnel Title | Unit | Job Description

    9.3 DESTRUCTION METHODS OF PERSONAL DATA

    In case the personal data processing purposes listed in the Law and Regulation are eliminated, personal data obtained by Armas in accordance with KVKK and other relevant legislation will be destroyed by Armas, ex officio or upon the application of the Relevant Person, in accordance with the provisions of the Law and relevant legislation, by using the following techniques:

    a. Deletion and Destruction of Personal Data;

    The procedures and principles regarding the deletion and destruction techniques of personal data by Armas are listed below:

    Deletion of Personal Data:

    Secure Deletion from Software: When deleting data processed entirely or partially automatically and stored in digital environments, methods are used to delete the data from the relevant software in a way that makes it inaccessible and unusable for the relevant Users.

    Removing the access rights of the relevant user on the file or the directory where the file is located on the central server; deleting relevant rows in databases with database commands; or deleting data on removable media, i.e. flash media, using appropriate software can be considered within this scope.

    However, if the deletion of personal data will result in the inability to access and use other data within the system, the personal data will be deemed deleted if it is rendered in a state where it cannot be associated with the relevant person, provided that the following conditions are met:

    • Not accessible to any other institution, organization or person,
    • Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.

    Blacking of Personal Data on Paper: This is a method of removing the relevant personal data from the document by physically cutting it out, or of making it invisible by covering it with fixed ink in a way that is irreversible and unreadable with technological solutions, in order to prevent unintended use of personal data or to delete the data requested to be deleted.

    Destruction of Personal Data:

    De-magnetization: It is a method of corrupting the data on the magnetic media in an unreadable way by passing it through special devices where it is exposed to high magnetic fields. It should be noted that if destruction with this method is not successful, the destruction process can only be completed by physically destroying the media.

    Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When destroying such data, a system of physically destroying personal data in such a way that it cannot be used later is applied. Destruction of data on paper and microfiche should be done in this way, as it is not possible to destroy them in any other way.

    In the situations listed above, Armas fully complies with the KVKK, the Regulation and other relevant legislation to ensure data security and takes all necessary administrative and technical measures.

    b. Anonymization of Personal Data;

    Anonymization of Personal Data means making Personal Data impossible to associate with an identified or identifiable natural person in any way, even if it is matched with other data.

    In order for Personal Data to be considered anonymized, it must be made impossible to associate with an identified or identifiable natural person even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as reversal by the data controller or third parties and/or matching the data with other data.

    10. UPDATING AND ENFORCEMENT OF THE POLICY

    This Policy is stored within Armas with wet signature (printed paper) and is made available to personal data owners upon request. This Policy is updated when and where necessary.

    This Policy prepared by Armas entered into force on …/…/…..

    ANNEX-1 STORAGE AND DISPOSAL PERIOD TABLE

    The storage and destruction periods of the data processed by Armas are determined on a process basis in the Personal Data Processing Inventory.

    Process | Storage Period | Destruction Period
    Fulfilling contractual obligations such as recruitment, identification and obtaining residence and work permits, health insurance transactions, creation of personnel file, management and follow-up of leave and absence records, recruitment processes, salary payments | 10 years from the termination of the Employment Contract | During the first periodic destruction following the end of the storage period
    Carrying out human resources processes, including carrying out and monitoring the training activities of employees, organizing business trips and making allowance payments, informing the relevant authorities and processes regarding applications | 10 years from the termination of the Employment Contract | During the first periodic destruction following the end of the storage period
    Carrying out financial activities within the scope of accounting, invoicing and payment | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
    Sharing information with banks | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
    Carrying out the employee's dismissal procedures | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
    Processes in which employee health data is processed | 15 years from the end of the Employment Contract for health data | During the first periodic destruction following the end of the storage period
    Execution of domestic and international sales processes | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
    Conducting domestic and international purchasing processes | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
    Planning and execution of customer relations and customer demands and complaints management processes | 10 years from the end of the legal relationship | During the first periodic destruction following the end of the storage period
