Personal Data Retention

Personal Data Retention and Destruction Policy

Purpose

Within the scope of personal data processing activities conducted lawfully by New Hire HR Human Resources Training and Consultancy LTD. ŞTİ. (“Company”), personal data processed will be destroyed upon the cessation of the purpose determined in the data inventory and the expiration of the maximum retention period. Personal data may be destroyed through one or more of the deletion, destruction, or anonymization processes in accordance with legislative provisions. This “Personal Data Retention and Destruction Policy” (“Policy”) aims to ensure transparency by informing individuals whose personal data is processed by our Company; the validity of reasons for retaining processed personal data will be regularly checked, and personal data will be destroyed when the valid reason ceases to exist.

Scope

This Policy encompasses all departments, employees, visitors, and third parties (customers, visitors, couriers, etc.) whose personal data is processed by our Company. It covers all destruction activities to be applied to personal data by our Company and will be implemented as a result of any destruction requirement. In the event of new legislation being determined or existing legislation being updated, our Company will update its policy to comply with the relevant legislation.

Definitions

• Explicit Consent: Consent that is related to a specific subject, based on information, and declared with free will.

• Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

• Anonymization: The process of rendering personal data impossible to link with an identified or identifiable natural person, even when matched with other data.

• Application Form: The “Application Form for Applications to be Made to the Data Controller by the Data Subject (Personal Data Owner) Pursuant to the Law on the Protection of Personal Data No. 6698,” which includes the application method explained within the scope of the policy.

• Employee Candidate: Real persons who have applied for a job or internship at our Company through any means or have opened their resumes and related information for our Company’s review.

• Direct Identifiers: Identifiers that, on their own, directly reveal, disclose, and distinguish the person they are associated with.

• Indirect Identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person they are associated with.

• Relevant User: Real and legal persons who process personal data within the data controller’s organization or under the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of data.

• Destruction: The deletion, destruction, or anonymization of personal data.

• Website: Refers to the website with the domain name ….

• Employees, Shareholders, and Officials of Institutions We Collaborate With: Real persons, including those working in institutions with which our Company has any business relationship (such as partners, suppliers, etc.), shareholders, and officials of these institutions.

• Business Partner: Parties with whom our Company establishes a business partnership while conducting its activities.

• Law (KVKK): The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.

• Redaction: Processes such as crossing out, painting over, or blurring personal data to make it unidentifiable and unrelatable to an identified or identifiable natural person.

• Recording Medium: Any environment where personal data processed wholly or partially automatically or by non-automatic means as part of a data recording system is present.

• Anonymization of Personal Data: The process of rendering personal data impossible to link with an identified or identifiable natural person, even when matched with other data.

• Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use, wholly or partially by automatic means or by non-automatic means as part of a data recording system.

• Personal Data Processing Inventory: The inventory created and detailed by data controllers by associating their personal data processing activities with their business processes, processing purposes, data category, transferred recipient group, and data subject group.

• Personal Data: Any information relating to an identified or identifiable natural person. Therefore, information related to legal entities is not within the scope of the Law. For example; name-surname, TCKN, email, address, date of birth, credit card number, etc.

• Personal Data Owner: The natural person whose personal data is processed.

• Personal Data Retention and Destruction Policy: The policy that serves as the basis for determining the maximum period necessary for the purpose for which personal data is processed and for the deletion, destruction, and anonymization processes.

• Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users in any way.

• Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.

• Board: The Personal Data Protection Board.

• Authority: The Personal Data Protection Authority.

• Masking: Processes such as deleting, covering, painting over, or starring certain areas of personal data to make it unidentifiable and unrelatable to an identified or identifiable natural person.

• Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

• Periodic Destruction: The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the Personal Data Retention and Destruction Policy when all conditions for processing personal data specified in the Law cease to exist.

• Registry: The Data Controllers Registry kept by the Presidency.

• Company: New Hire Human Resources Training and Consultancy Limited Company.

• Company Official: The Board of Directors of the Company and other authorized natural persons.

• Supplier: Parties that provide services to our Company based on a contractual relationship in line with our Company’s orders and instructions while conducting our Company’s activities.

• Turkish Penal Code: The Turkish Penal Code No. 5237, published in the Official Gazette dated October 12, 2004, and numbered 25611.

• Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

• Data Recording System: The recording system in which personal data is processed by being structured according to specific criteria.

• Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

• Regulation: Refers to the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

• Visitor: Natural persons who have entered our Company’s physical premises for various purposes, participated in our events, or visited our websites.

Recording Medium

Personal data of data subjects are securely stored by our Company in accordance with the provisions of the KVKK and other relevant legislation and within the framework of international data security principles in the environments listed in the table below and other environments that may arise:

a) Computers/servers used on behalf of the Company
b) Network devices
c) Shared/non-shared disk drives used for data storage on the network
d) Cloud systems
e) Mobile phones and all storage areas within them
f) Paper
g) Microfiche
h) Peripheral devices such as printers, fingerprint readers
i) Magnetic tapes
j) Optical disks
k) Flash memories
l) Unit Cabinets
m) Archive

Reasons Requiring the Retention and Destruction of Personal Data

Personal data processed by our Company for the continuation of commercial activities, the establishment of employee rights, and the fulfillment of legal obligations are securely stored in accordance with the provisions of the relevant legislation. With this Policy, personal data processed unlawfully and personal data processed previously due to the disappearance of data processing conditions will be destroyed.

Our Company does not retain personal data of data subjects without explicit consent. Exceptions regarding the processing of personal data in Articles 5 and 6 of the Law are reserved. Accordingly, the reasons requiring the retention of personal data are specified below:

• Retention of personal data due to its direct relevance to the establishment and performance of contracts

• Retention of personal data for the establishment, exercise, or protection of a right or for our Company to fulfill its legal obligations

• Retention of personal data in line with our Company’s legitimate interests

Our Company is responsible for the currency of data processing conditions, and data processing does not continue within our Company after the disappearance of data processing conditions. The situations where data processing conditions cease to exist under this Policy are specified below, and personal data is deleted, destroyed, or anonymized ex officio or upon request by our Company:

• Amendment or repeal of the relevant legislative provisions that constitute the basis for processing personal data

• Disappearance of the purpose requiring the processing or retention of personal data

• Disappearance of the conditions for processing personal data specified in Articles 5 and 6 of the Law

• Withdrawal of explicit consent by the data subject in cases where processing personal data is based solely on explicit consent

• Acceptance by the data controller of the data subject’s application for the deletion, destruction, or anonymization of personal data within the framework of the rights specified in subparagraphs (e) and (f) of Article 11 of the Law

• Filing a complaint with the Board in cases where the data controller rejects the data subject’s application for the deletion, destruction, or anonymization of personal data, finds the response insufficient, or fails to respond within the period specified in the Law, and the Board finds this request appropriate

• Absence of any condition justifying the retention of personal data despite the expiration of the maximum retention period

• Processing of personal data contrary to the law or the rules of honesty

• Non-establishment, invalidity, automatic termination, termination, or withdrawal from the contract between the parties

Technical and Administrative Measures

Our Company accepts and undertakes to take all necessary technical and administrative measures to ensure the secure storage of personal data and to prevent unlawful processing and access.

Measures Taken for the Retention of Personal Data

Technical Measures:

• Establishing the necessary technical infrastructure and control mechanisms for the deletion, destruction, or anonymization of personal data

• Taking necessary technical measures to ensure the secure storage of personal data

• Employing technical experts to form a specialized team in this regard

• Developing business continuity and emergency plans against potential risks and systems for their implementation

• Conducting necessary internal controls within the established systems

• Creating security systems for data storage areas in line with technological developments

• Ensuring that all digital environments