Personal Data Retention and Disposal Policy

T.G.L. TETGLOBAL LOGISTICS TRANSPORTATION TRADE AND INDUSTRY JOINT STOCK COMPANY

(DATA CONTROLLER)

PERSONAL DATA RETENTION AND DISPOSAL POLICY

  1. INTRODUCTION

1.1 Purpose

This Personal Data Retention and Disposal Policy (“Policy”) has been prepared by T.G.L. Tetglobal Logistics Transportation Trade and Industry Joint Stock Company (“Company”) as the data controller to establish the principles regarding the storage and disposal activities of personal data.

The Company has prepared this policy in accordance with the relevant laws, other regulations, and the decisions of the Personal Data Protection Board. All data processing activities within the Company are carried out in accordance with this policy.

1.2 Scope

This policy covers personal data belonging to employees, service providers, suppliers, visitors, and other third parties. All personal data processing activities conducted by the Company are governed by this policy.

1.3 Definitions

Recipient Group The category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent Consent given regarding a specific matter, based on information and expressed through free will.
Anonymization The process of making personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Contact Person The natural person whose personal data is processed.
Relevant User Persons within the data controller organization or those processing personal data in accordance with the authorization and instructions received from the data controller, excluding the person or unit technically responsible for data storage, protection, and backup.
Destruction Deletion, destruction, or anonymization of personal data.
Law The Law No. 6698 on the Protection of Personal Data, published in the Official Gazette No. 29677 dated April 7, 2016.
The Board Personal Data Protection Board

Record Medium

Any medium where personal data is processed wholly or partly by automated means or through non-automated means as part of a data recording system.
Personal Data Any information related to an identified or identifiable natural person.
Processing of Personal Data Any operation performed on personal data, whether by automated means or non-automated means as part of a data recording system, including collection, recording, storage, preservation, modification, organization, disclosure, transfer, reception, accessibility, classification, or restriction of use.
Personal Data Processing Inventory A detailed inventory created by data controllers that outlines the personal data processing activities related to their business processes. It includes the purposes and legal basis for processing personal data, data categories, recipient groups to whom data is transferred, and the groups of data subjects. This inventory also specifies the maximum retention period necessary for the purposes for which personal data is processed, any anticipated transfers of personal data to foreign countries, and the measures taken to ensure data security.
Policy The Personal Data Retention and Disposal Policy held by the DATA CONTROLLER, available at https://tetglobal.com/.
Data Processor A natural or legal person who processes personal data on behalf of the data controller, based on the authorization given by the data controller.
Data recording system A data recording system in which personal data is structured and processed according to specific criteria.
Regulation The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette No. 30224 dated October 28, 2017.

2. DUTIES AND RESPONSIBILITIES

All units and employees of the Company actively support the responsible units in ensuring that the technical and administrative measures taken under this Policy are implemented appropriately. They also assist in the training and awareness-raising of unit employees, monitoring, and continuous auditing to prevent unlawful processing of personal data, unauthorized access to personal data, and to ensure lawful storage of personal data. They are responsible for taking technical and administrative measures to ensure data security in all environments where personal data is processed.

2.1 Personal Data Protection Committee

The Company establishes a Personal Data Protection Committee to manage and oversee the personal data processing process. The Committee controls the process from the collection of personal data to its destruction and disposal in accordance with the law and relevant regulations. It also handles the necessary measures and documentation required after the destruction of personal data, managing its activities within the Company.

The titles and job descriptions of the employees assigned to the Personal Data Protection Committee are listed below:

Title Job Description
Personal Data Protection Committee Manager Responsible for directing all planning, analysis, research, and risk assessment activities carried out in compliance with the law; managing the processes required to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Disposal Policy; and making decisions on requests received from relevant parties.
Personal Data Protection Specialist

(Technical and Administrative)

Responsible for examining and reporting requests from relevant individuals to the Personal Data Protection Committee Manager for evaluation; implementing the actions related to requests from relevant individuals as decided by the Personal Data Protection Committee Manager; overseeing and reporting on the storage and disposal processes to the Personal Data Protection Committee Manager; and managing the execution of storage and disposal processes.

 

3. RECORDING ENVIRONMENTS

Personal data is securely stored in a lawful manner by the Company in the following environments:

Electronic Media Servers, software, information security devices, personal computers, mobile devices, removable memories, printers, scanners, photocopiers.
Non-Electronic Media Paper, manual data recording systems (survey forms, visitor logbook), written, printed, visual media, unit cabinets (locked and with limited access), archives (with special protection).

 

  1. STORAGE AND DESTRUCTIONPersonal data of employees, visitors, service providers, and other third parties with whom the Company has a relationship are stored and destroyed in accordance with the KVKK (Personal Data Protection Law) applicable to the Company’s employees. According to Article 3 of the Law, personal data and their processing must comply with the principles of legality and honesty, be accurate and updated when necessary, processed for specific, explicit, and legitimate purposes, be relevant, limited, and proportionate to the purposes for which they are processed, and be retained for the duration required by the relevant legislation or necessary for the purpose of processing. The Company processes data in accordance with the conditions set out in Articles 5 and 6 of the Law. Accordingly, personal data within the scope of the Company’s activities are retained for the period specified by the relevant legislation or as required for our processing purposes.4.1 Legal Reasons for Retention

    Personal data processed by the Company within the scope of its activities are retained for the period specified by the relevant legislation. This includes the following laws:

    • Law No. 6698 on the Protection of Personal Data
    • Turkish Code of Obligations No. 6098
    • Turkish Commercial Code No. 6102
    • Law No. 6105 on Consumer Protection
    • Tax Procedure Law No. 213
    • Law No. 6563 on Regulation of Electronic Commerce
    • Social Insurance and General Health Insurance Law No. 5510
    • Law No. 5651 on Regulation of Publications Made on the Internet and Fighting Crimes Committed Through These Publications
    • Occupational Health and Safety Law No. 6331
    • Regulation on Occupational Health and Safety Services No. 28512
    • Law No. 4982 on the Right to Information
    • Law No. 3071 on the Use of the Right to Petition
    • Labor Law No. 4857
    • Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Attachments
    • Public Procurement Law No. 4734
    • Public Financial Management Law No. 5018
    • Retirement Fund Law No. 5434
    • Social Services Law No. 2828

    This list is not exhaustive, and personal data are retained in accordance with the retention periods specified in the relevant legislation related to Company activities.

    4.1.2 Purposes Requiring Retention

    The Company retains personal data processed in the course of its activities for the following purposes:

    • Fulfillment and monitoring of legal obligations,
    • Ensuring the Company’s legal and commercial security, and continuation of commercial activities,
    • Conducting financial and accounting operations,
    • Managing billing processes,
    • Executing, monitoring, and improving business processes,
    • Communication activities,
    • Contract management, establishing and performing contracts,
    • Managing customer relationships,
    • Providing post-sales services, and conducting audit/ethical activities,
    • Managing relationships with third parties,
    • Planning and implementing third-party information access rights,
    • Planning and executing logistics/transportation activities,
    • Conducting training activities,
    • Ensuring the security of Company premises and/or facilities,
    • Monitoring and executing legal affairs,
    • Conducting procurement, production, and operational processes for goods and services,
    • Enhancing customer satisfaction, understanding customers, and using this information in customer environment analysis, and carrying out activities to develop and improve the products and services offered by the Company,
    • Managing information security processes.

    4.2 Reasons Requiring Destruction

    Personal data are destroyed under the following conditions:

    • Amendments to or abolition of the relevant legal provisions that constitute the basis for processing,
    • When the purpose for processing or retaining the data no longer exists,
    • If the data processing was based solely on explicit consent and the data subject withdraws their consent,
    • Acceptance of a request for deletion or destruction of personal data by the Company under Article 11 of the Law,
    • If the Company rejects, finds inadequate, or fails to respond within the legal time frame to a request from the data subject for deletion, destruction, or anonymization of their personal data, and if the data subject complains to the Board and the request is deemed appropriate by the Board,
    • If the maximum retention period for personal data has passed, and no conditions exist that justify retaining the data for a longer period, personal data are deleted, destroyed, or anonymized upon the data subject’s request or automatically.
  1. TECHNICAL AND ADMINISTRATIVE MEASURESTo ensure the secure storage of personal data, prevent unlawful processing and access, and to legally destroy personal data, the Company takes technical and administrative measures as specified by Article 12 of the Law and Article 6, Paragraph 4 of the Law, which relate to special categories of personal data and are determined and announced by the Board.5.1 Technical Measures

    The Company implements the following technical measures to ensure that all environments where personal data is stored are appropriate for the nature of the data and the environment:

    • Penetration Testing: Penetration tests are conducted to identify risks, threats, vulnerabilities, and potential weaknesses in the Company’s IT systems, and necessary measures are taken.
    • Up-to-Date Systems: Technologically advanced and secure systems are used in environments where personal data is stored.
    • Secure Logging: Secure logging systems are used in electronic environments where personal data is processed.
    • Security Testing: Security tests and investigations are conducted to identify vulnerabilities in IT systems, and appropriate technical measures are taken based on the results of these tests and investigations. Technical controls are performed on the implemented measures.
    • Access Control: Access to environments where personal data is stored is restricted, allowing only authorized personnel to access the data strictly for its intended purpose, and all access is logged.
    • Data Deletion: Measures are taken to ensure that deleted personal data cannot be accessed or reused by relevant users.
    • Technical Personnel: Sufficient technical personnel are employed to ensure the security of environments where personal data is stored.
    • Encryption: Encryption is used to ensure the security of special categories of personal data in electronic environments where such data is processed, stored, and accessed. Unauthorized physical access is prevented.
    • Training: Employees involved in processing special categories of personal data receive training on data security, and access rights are defined for users who have permission to access the data.

    5.2 Administrative Measures

    The Company implements the following administrative measures to ensure that all environments where personal data is stored are appropriate for the nature of the data and the environment:

    • Employee Training: All employees with access to personal data are provided with training to increase awareness and understanding of information security, personal data, and privacy.
    • Consultancy Services: Legal and technical consultancy services are utilized to follow developments in information security, privacy, and personal data protection and to take necessary actions.
    • Disciplinary Regulations: Disciplinary regulations containing data security provisions are established for employees.
    • Authorization Matrix: An authorization matrix is created for employees.
    • Confidentiality Agreements: Confidentiality agreements are signed with employees regarding the activities conducted by the Company.
    • Informing Data Subjects: The Company fulfills its obligation to inform data subjects before starting personal data processing.
    • Data Processing Inventory: An inventory of data processing activities is prepared.
    • Periodic Audits: Periodic/random audits are conducted within the Company.
    • Third-Party Protocols: When personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties to protect personal data, and all necessary care is taken to ensure compliance with these protocols.

    6. TECHNIQUES FOR DESTRUCTION OF PERSONAL DATA

    At the end of the retention period specified by the relevant legislation or required for the processing purpose, personal data are destroyed by the Company either automatically or upon the data subject’s request, in accordance with the following techniques, and in compliance with the relevant legislative provisions.

6.1 DESTRUCTION METHODS

6.1.1 Personal Data Deletion Methods

Data Recording Environment Explanation
Personal data on servers For personal data stored on servers, once the retention period has expired, the system administrator will revoke access permissions for the relevant users and proceed with deletion.

Personal data in electronic form

Personal data in electronic environments that are no longer required to be retained and whose retention period has expired will be rendered inaccessible and unusable by all employees (except for the database administrator).

Personal data in physical form

For personal data stored in physical form, once the retention period has expired, the data will be rendered inaccessible and unusable by all employees except for the unit manager responsible for document archiving. Additionally, redaction measures will be applied, such as marking, coloring, or erasing the data to make it unreadable.
Personal data on portable media Personal data on flash-based storage media, once the retention period has expired, will be encrypted by the system administrator. Access permissions will be granted only to the system administrator, and the encryption keys will be stored in secure environments.

 

6.1.2. Methods for the Destruction of Personal Data

Data Recording Environment Explanation
Personal data in physical environments Personal data on paper, once the retention period has expired, will be irreversibly destroyed using paper shredders.
Personal data contained in optical/magnetic media Personal data on optical and magnetic media, once the retention period has expired, will be physically destroyed through methods such as melting, burning, or grinding into dust. Additionally, magnetic media will be processed through a specialized device to expose it to a high-intensity magnetic field, rendering the data unreadable.

 

6.1.3 Methods for Anonymizing Personal Data

Anonymization refers to the process of making personal data unable to be linked to an identified or identifiable individual, even when matched with other data.

For personal data to be considered anonymized, it must be made impossible to relate to an identified or identifiable individual through any means, including the use of techniques appropriate to the data storage medium and relevant activity areas, such as reversing by the data controller or third parties and/or matching with other data.

Techniques include:

  • Removing variables
  • Regional masking
  • Generalization
  • Encoding with lower and upper limits / global coding
  • Microaggregation
  • Data mixing and distortion
  • Removing records
  • Sampling
  • Adding noise

The company uses one or more of these anonymization methods based on the nature of the data to anonymize personal data.

STORAGE AND DESTRUCTION PERIODS

7.1 Description

The company has established retention and destruction periods for personal data processed in its activities in accordance with laws and the company’s legitimate interests.

These periods are listed in the Personal Data Processing Inventory prepared by the company and were also processed during the VERBIS registration.

If there are changes in the laws, the retention and destruction periods will be updated by the Personal Data Protection Committee.

For personal data whose retention periods have expired, automatic deletion, destruction, or anonymization will be carried out by the Personal Data Protection Committee. All actions related to the deletion, destruction, or anonymization of personal data are documented, and these records are retained for at least 3 years, except for other legal obligations.

7.2 Retention and Destruction Periods

PERIOD RETENTION PERIOD DESTRUCTION PERIOD
Preparation of contracts 10 years following the termination of the contract At the first periodic destruction period following the end of the retention period
Execution of company communication activities 10 years following the end of the activity At the first periodic destruction period following the end of the retention period
Execution of human resources processes 10 years following the end of the activity At the first periodic destruction period following the end of the retention period
Log record tracking systems 10 years At the first periodic destruction period following the end of the retention period
Management of hardware and software access processes 2 years At the first periodic destruction period following the end of the retention period
Visitor and Meeting Attendee Records 2 years following the end of the event At the first periodic destruction period following the end of the retention period
Camera Recordings 1 month At the first periodic destruction period following the end of the retention period
Ministries/Public Institutions/Tender Documents 10 years At the first periodic destruction period following the end of the retention period
Responding to court/enforcement information requests related to staff 10 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Contracts signed with third parties 10 years At the first periodic destruction period following the end of the retention period
Personnel file 10 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Unsuccessful job applications 2 years from the date of the negative outcome of the application At the first periodic destruction period following the end of the retention period
All documents related to salary and wages 10 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Personnel private health and personal accident insurance policies 10 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Occupational health and safety practices 15 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Payment transactions 10 years At the first periodic destruction period following the end of the retention period
The section of the contract process related to personal data and the retention of the contract 10 years after the end of the employment relationship At the first periodic destruction period following the end of the retention period
Request/complaint information 5 years from the date of recording At the first periodic destruction period following the end of the retention period
Filing of all kinds of documents 10 years At the first periodic destruction period following the end of the retention period
Filing of training records 10 years At the first periodic destruction period following the end of the retention period
The personal data being related to a crime or involved in an offense under the Turkish Penal Code or other criminal law provisions For the duration of the statute of limitations for legal actions and criminal prosecution as stipulated by Articles 66 and 68 of the Turkish Penal Code

 

7.3 Periodic Destruction

In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period to be 6 months. Accordingly, periodic destruction is carried out every January and July within the Company.

8. PUBLICATION AND RETENTION OF THE POLICY
The Policy is published in two different formats: a wet-signed (printed paper) version and an electronic version. It is also made available on the Company’s website. The printed copy is kept in the GDPR compliance file.

9. PUBLICATION AND WITHDRAWAL OF THE POLICY
The Policy came into effect on the date it was published on the website. If it is decided to withdraw the Policy, the old version is retained in the Company’s GDPR compliance file for at least 5 years.

10. POLICY UPDATE PERIOD
This policy is reviewed and updated as needed in response to legislative changes, sectoral developments, and technical advancements.

When an update is made to this policy, the change is immediately reflected in the document, and an explanation regarding the update is provided.