Altınçatı Destruction Policy
ALTIN HAYAT SOSYAL HİZMETLER EĞİTİM GIDA İNŞAAT TURİZM VE TİCARET LİMİTED ŞİRKETİ
PERSONAL DATA RETENTION AND DESTRUCTION POLICY
I. INTRODUCTION
The Personal Data Protection Law No. 6698 (“Law”) entered into force on April 7, 2016, and contains regulations regarding the processing of all kinds of information relating to “identified or identifiable” natural persons (“data subject”). As Altın Hayat Social Services Education Food Construction Cleaning Tourism and Trade Limited Company (“Company”), in accordance with the Law and company policy, we attach utmost importance to the lawful processing and protection of personal data, and we act with this care in all our planning, transactions, and activities. With this awareness, our Company takes all administrative and technical measures for the processing and protection of personal data and for the continuity of these processes. The most important pillar of this issue is the protection of the personal data of our employees, employee candidates, interns, company officials, the elderly we provide care services for, their relatives/legal representatives, our suppliers, visitors, and third parties, which is managed by this Personal Data Processing and Protection Policy (“Policy”).
According to Article 20 of the Constitution, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a Constitutional right, our Company shows the necessary care for the protection of personal data and makes this a company policy.
In this Policy, detailed explanations will be made regarding the basic principles we have adopted as a Company in the processing of personal data, which are listed below:
- Processing personal data in accordance with the law, the rules of bona fides, and good faith,
- Keeping personal data accurate and up-to-date when necessary,
- Processing personal data for specific, explicit, and legitimate purposes,
- Processing personal data relevantly, limitedly, and proportionately to the purpose for which they are processed,
- Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,
- Clarifying and informing personal data owners,
- Establishing the necessary system for personal data owners to exercise their rights,
- Taking necessary measures for the preservation of personal data,
- Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board (“Board”) in transferring personal data to third parties in line with the requirements of the processing purpose,
- Showing the necessary sensitivity to the processing and protection of special categories of personal data.
- Purpose of the Policy
The purpose of this Policy is to inform personal data owners – primarily our employees, employee candidates, interns, company officials, the elderly we provide care services for, their relatives/legal representatives, suppliers, and visitors – about our Company’s obligations arising from the Law and other relevant legislation, as well as the procedures and principles it will comply with in accordance with the Law, and to maximize the protection of individuals’ fundamental rights and freedoms, especially the privacy of private life regulated in the Constitution, in the processing and protection of personal data in accordance with the purpose of the Law. In line with the purpose of the Policy, we aim to ensure full compliance with the legislation in the personal data processing and protection activities carried out by our Company and to protect the right to privacy and data security of personal data owners.
The Personal Data Retention and Destruction Policy aims to determine the procedures and principles regarding the security, deletion, destruction, and anonymization of personal data in relation to the personal data processed within the scope of various processes carried out before our Company.
- Scope of the Policy
This Policy relates to all personal data of our employees, employee candidates, interns, company officials, the elderly we provide care services for, their relatives/legal representatives, suppliers, visitors, and third parties processed fully or partially through automatic means or non-automatic means provided that the process is a part of any data recording system. Accordingly, all provisions of the Policy may apply to the personal data owners listed above, or only some provisions may apply. This policy relates to all kinds of operations performed upon data, such as obtaining, recording, storing, preserving, altering, re-arranging, disclosing, transferring, taking over, making retrievable, classifying, or preventing the use thereof, belonging to the data subjects, fully or partially through automatic means, or provided that the process is a part of any data recording system, through non-automatic means, as well as the administrative and technical measures taken for the security of personal data.
- Application of the Policy and Relevant Legislation
This Policy has been created by embodying and arranging the rules put forward by the legislation in force within the scope of our Company’s practices. In this context, the relevant legal regulations in force regarding the processing and protection of personal data will primarily find application. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will be applicable. As a company, we carry out the necessary systems and preparations to act in accordance with the enforcement periods stipulated in the Law.
- Enforcement of the Policy
This Policy was prepared by our Company and entered into force on 29.12.2021. The Policy is published on our Company’s website (altincatihuzurevi.com).
- Definitions
In this policy:
- Explicit consent: Consent that relates to a specified issue, declared by free will and based on information.
- Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person under any circumstances, even through matching them with other data.
- Data subject: The natural person whose personal data are processed.
- Relevant user: Persons who process personal data within the data controller’s organization or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backing up of the data.
- Destruction: Deletion, destruction, or anonymization of personal data.
- Law: The Law on the Protection of Personal Data No. 6698 dated 24/3/2016.
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing of personal data: Any operation performed upon personal data such as obtaining, recording, storing, preserving, altering, re-arranging, disclosing, transferring, taking over, making retrievable, classifying, or preventing the use thereof, fully or partially through automatic means, or provided that the process is a part of any data recording system, through non-automatic means.
- Personal data processing inventory: The inventory created by data controllers by associating the personal data processing activities they perform depending on their business processes with the personal data processing purposes, data category, transferred recipient group, and data subject group, and detailing the maximum time required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
- Personal data retention and destruction policy: The policy upon which data controllers base the process of determining the maximum period required for the purpose for which personal data are processed, as well as the deletion, destruction, and anonymization processes.
- Board: The Personal Data Protection Board.
- Authority: The Personal Data Protection Authority.
- Periodic destruction: The ex officio deletion, destruction, or anonymization process to be carried out at recurring intervals specified in the personal data retention and destruction policy in the event that all the conditions for processing personal data in the Law disappear.
- Registry: The data controllers’ registry maintained by the Presidency of the Personal Data Protection Authority.
- Data processor: The natural or legal person who processes personal data on behalf of the data controller upon their authorization.
- Data recording system: The recording system where personal data are processed by being structured according to specific criteria.
- Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Served elderly relative/legal representative: Refers to the person/patient or their relative/legal representative receiving service from the care centers within our Company.
- Supplier: Refers to the persons from whom we purchase products/services regarding the execution of activities in our care centers.
- Potential Service Recipient: Refers to individuals who wish to receive service from the care centers within our Company, request information for this purpose, or have an application.
- Third party: A natural or legal person outside of our service relationship or similar transactions.
- Visitor: Refers to individuals who physically visit our care centers or our website.
- Intern: Refers to individuals who are in the internship training process in our care centers within the scope of education.
RECORDING MEDIUMS
The recording mediums in which the Company keeps personal data are: computers used on behalf of the Company, programs, Cloud Systems, shared/unshared disk drives used for data storage on the network, paper, unit cabinets, office rooms, and the archive. The Company will also include in its Destruction Policy any other recording mediums that it may use in addition to those listed.
II. PROTECTION OF PERSONAL DATA
In order to ensure data security by our Company, the measures and precautions specified below are taken in accordance with Article 12 of the Law.
1. Security
Our Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful access to and processing of personal data and to ensure the preservation of personal data in accordance with the Law.
2. Audit
Our Company carries out and commissions the necessary audits in order to establish the data security described above and to ensure the regularity and continuity of the measures taken. In this context, both the units within the Company are provided with the necessary training and external support is received.
3. Confidentiality
Our Company takes all necessary technical and administrative measures according to technological possibilities and implementation costs so that the relevant data controllers and data processors do not disclose the personal data they possess to others contrary to the provisions of the Law and the Policy and do not use them for purposes other than processing. In this context, information and training activities about the Law and Policy are carried out with our Company employees.
4. Unauthorized Access to Personal Data
In the event that the personal data processed by our Company are obtained by others through ways not in compliance with the Law, our Company carries out the necessary procedures to notify the relevant person and the Board of this situation as soon as possible. If deemed necessary by the Board, this situation may be announced on the Board’s website or by another method deemed appropriate by the Board.
5. Observing the Legal Rights of Data Subjects
Our Company observes all legal rights of data subjects regarding the implementation of the Policy and the Law and takes all necessary precautions for the protection of these rights.
6. Protection of Special Categories of Personal Data
According to Article 6 of the Law, data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special categories of personal data. Special categories of personal data are data that carry the risk of causing discrimination against or victimization of their owners if processed, and they need to be protected much more strictly compared to other personal data. Therefore, while our main principle is not to receive such data, all necessary measures are taken with sensitivity for the protection of such personal data processed due to our activities and in accordance with the law.
SECURITY OF PERSONAL DATA
The Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of and unlawful access to personal data, and to ensure the retention of personal data.
In this context, primarily, a study was carried out to identify what personal data are processed by our Company, risks that may arise regarding the protection of these data were determined by taking into consideration whether the processed personal data are special categories of personal data, and necessary technical and administrative measures aimed at mitigating or eliminating the risks have been put into practice.
In order to ensure personal data security, to prevent unlawful disclosure and sharing of personal data, and to raise awareness about the Law, regular training is provided to the personnel and managers.
Additionally, employees involved in personal data processing processes are asked to sign confidentiality agreements as part of the business processes, and the necessary disciplinary process is carried out if it is determined that employees have acted contrary to security policies and procedures.
Access to personal data involved in the data processing processes by the Company has been restricted on a personnel basis, and access authorization to the personal data related to the business processes they execute has been granted to a limited number of personnel. Data processing activities carried out by the personnel are recorded. Entries to and exits from the environments where data are kept are determined according to authorization, and access to data kept in both physical and cloud systems can be provided according to the authorization limit.
Technical systems have been established for the follow-up and auditing of processes relating to the processing of personal data in order to prevent the unlawful processing of personal data and unlawful access to personal data. Regular internal audits are conducted by our company to prevent unlawful processing of personal data and unlawful access to personal data.
Technical methods with an appropriate level of security are used to prevent unlawful access to personal data and to ensure they are stored in safe environments, suitable technologies are utilized for the said methods, and protection measures are updated when necessary.
To enable early detection of, and early intervention in, an internal or external attack on the Company’s data recording system, the software and services running on the IT networks, and any infiltration or inappropriate movement on those networks, are checked regularly; the transaction movements of all users are regularly recorded; and effective and active antivirus software is used to protect the systems.
III. DESTRUCTION POLICY AND RETENTION PERIODS OF PERSONAL DATA
1. Reasons Requiring the Retention and Destruction of Personal Data
The Company may process your personal data in the presence of one or more of the following situations:
- Presence of the Explicit Consent of the Personal Data Owner,
- Being Explicitly Stipulated in the Laws, Inability to Obtain Explicit Consent Due to Actual Impossibility, Being Directly Related to the Establishment or Performance of a Contract,
- Being Mandatory for the Fulfillment of the Legal Responsibility of the Company,
- Being Made Public by the Data Subject Himself/Herself,
- Being Mandatory for the Establishment, Exercise or Protection of a Right
- Being Mandatory for the Legitimate Interests of the Company
To access detailed information regarding the processing of personal data, you can review the Personal Data Protection Policy located at the [WEBSITE ADDRESS TO BE WRITTEN] address.
The personal data of the data subjects are destroyed during the first periodic destruction to be carried out together with the disappearance of the reasons for processing personal data listed above. All transactions regarding the deletion, destruction, and anonymization of personal data are recorded, and the said records are kept for at least three years.
2. Deletion, Destruction or Anonymization of Personal Data
Without prejudice to the provisions in other laws regarding the deletion, destruction, or anonymization of personal data, our Company, as regulated in Article 138 of the Turkish Penal Code No. 5237, Article 7 of the Law, and the provisions of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 (“Regulation”), deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject in the event that the reasons requiring processing disappear, despite the fact that it has been processed in accordance with the provisions of the relevant law.
On the other hand, in accordance with Article 7 of the Regulation titled ‘Principles’, all transactions regarding the deletion, destruction, and anonymization of personal data are recorded by our Company and the said records are kept for at least 3 years, without prejudice to our other legal obligations.
With the deletion of personal data, these data are rendered inaccessible and non-reusable in any way for the relevant users. Accordingly, as a data controller, our Company takes all necessary technical and administrative measures to make deleted personal data inaccessible and non-reusable for the relevant users.
During the process of deleting personal data, the personal data subject to the deletion process are determined, the relevant users who have access authorization to the said personal data and the authorizations of the users on the personal data are identified, and the access, retrieval, and reuse authorizations of the relevant users within the scope of the said personal data are removed.
Personal data in paper medium are deleted using the redaction (blacking out) method. The redaction process is the process of making the personal data on the relevant document invisible to the relevant users by using permanent ink or cutting it out in an irreversible manner that cannot be read by technological analyses.
In databases that contain personal data, the relevant rows containing the personal data are deleted with database commands. For personal data located in the file system, deletion is performed by deleting the file with the operating system’s delete command or by removing the relevant user’s access rights on the file or on the directory in which the file is located.
The destruction of data, on the other hand, means the irreversible deletion of the data from materials suitable for data storage, such as documents, files, CDs, diskettes, and hard disks where the data are recorded, in a way that the information cannot be retrieved and used again.
By rendering data anonymous, it is meant that personal data are rendered impossible to link with an identified or identifiable natural person, even if matched with other data. The purpose of anonymization is to sever the link between the data and the person defined by this data. Methods such as automated or non-automated grouping, masking, deriving, generalizing, and randomizing applied to the records in the data recording system where personal data are kept are some of the anonymization methods.
3. Techniques for Deletion, Destruction and Anonymization of Personal Data
a. Techniques for Deletion and Destruction of Personal Data
Despite having been processed in accordance with the provisions of the relevant law, in the event that the reasons requiring processing completely disappear, our Company may delete or destroy personal data based on its own decision or upon the request of the data subject.
Our Company may use the following methods for deletion and destruction operations:
- Physical Destruction: Personal data can also be processed by our Company through non-automatic ways provided that they are part of any data recording system. While destroying such data, a system of physically destroying the relevant personal data in a way that it cannot be accessed, used, and retrieved by anyone later is applied.
- Sending to a Specialist for Secure Deletion: In some cases, our Company may agree with a specialist to destroy personal data on its behalf. In this case, personal data can be securely destroyed by a person who is an expert in this field.
b. Techniques for Anonymizing Personal Data
The anonymization of personal data is the rendering of personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even if matched with other data. In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Law, and the explicit consent of the data subject will not be sought; anonymization techniques specified by the Authority may be used.
4. Retention and Periodic Destruction Periods of Personal Data
Our Company retains personal data for the periods stipulated in the laws and other legislation. Where the laws and other legislation do not stipulate how long personal data should be retained, personal data are processed until the purpose of processing them is fulfilled, within the scope of the activity our Company carries out when processing those data. These data are deleted, destroyed, or anonymized during the first periodic destruction following the date on which the obligation to destroy arises.
IV. CLASSIFICATION OF DATA SUBJECTS AND MATCHING WITH PERSONAL DATA
- Classification of Data Subjects
Pursuant to Article 3 of the Law, only natural persons can benefit from the scope of protection of this Policy and the Law; in this context, the data subjects are grouped as follows:
- Employee Candidate: Natural persons who have applied for a job in our Company by any means or who have opened their resume and relevant information to our company’s review.
- Company Customer/Person Receiving Care Service: Persons whose personal data are obtained through the Company.
- Company Business Partner, Shareholder, Official, Employee of Business Partners: All natural persons with whom our Company is in any kind of business relationship, and all natural persons including shareholders and officials working in natural and legal persons (such as business partners, suppliers) with whom our Company is in any kind of business relationship.
- Potential Customer/Person to Receive Care Service: Natural persons who have made a request or shown interest in using our products and services or who have been evaluated in accordance with the rules of commercial custom and bona fides as potentially having this interest.
- Company Employee: Natural persons working within the Company and affiliated companies.
- Company Official: Board members and other authorized persons of the Company and affiliated companies.
- Third Party: Other persons who do not fall within the scope of the Company Policy prepared for Company Employees and who do not fall into any data subject category in this Policy.
- Intern: Refers to individuals who are in the internship training process in our care centers within the scope of education.
- Visitor: All natural persons who have entered the physical campuses owned by our Company for various purposes or who have visited our websites for any purpose.
Personal Data Categories and Data Subject Group Matchings
| PERSONAL DATA | DATA SUBJECT GROUP |
| Identity Information: All information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; contained in documents such as Driver’s License, Identity Card, Residence Certificate, Passport, Attorney ID, Marriage Certificate | Employee Candidate, Employee, Potential product or service recipient, intern, suppliers, product or service recipient, parent/guardian/representative, visitor |
| Contact: Information such as phone number, address, e-mail that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system | Employee Candidate, Employee, Potential product or service recipient, intern, suppliers, product or service recipient, parent/guardian/representative, visitor |
| Location: Location information of the place where one is present | Employee, intern, product or service recipient |
| Employment/Personnel: All kinds of personal data processed for the purpose of obtaining information that will form the basis for the creation of personal rights of natural persons who are in an employment relationship with the Company, clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of a data recording system | Employee Candidate, Employee, Intern, Product or service recipient, parent/guardian/representative |
| Legal Action: Information in correspondence with judicial authorities, etc. | Employee, product or service recipient, parent/guardian/representative |
| Customer Transaction: Call center records, invoice information request information, etc. | Potential product or service recipient, product or service recipient, parent/guardian/representative |
| Physical Space Security: Entry-exit information of employees and visitors, camera records, etc. | Employee candidate, employee, potential product or service recipient, intern, suppliers, product or service recipient, parent/guardian/representative, visitor |
| Transaction Security: IP address information, cipher-password, etc. | Employees |
| Risk Management: Personal data that clearly belongs to an identified or identifiable natural person and is included in the data recording system; processed through generally accepted legal, commercial customs, and good faith methods in these fields in order for us to manage our commercial, technical, and administrative risks. | Employees, product or service recipient, parent/guardian/representative |
| Finance: Financial data | Employee, product or service recipient, parent/guardian/representative |
| Professional Experience: Diploma information, certificate, etc. data | Employee candidate, employee, intern, product or service recipient, parent/guardian/representative |
| Visual and Audio Records: Visual and audio data | employee candidate, employee, potential product or service recipient, intern, suppliers, person receiving product or service, parent/guardian/representative, visitor |
| Belief: Information about religious affiliation | person receiving product or service |
| Appearance and dress: Information regarding appearance and dress | person receiving product or service |
| Health Information: Personal health information, blood type, etc. | employees, persons receiving product or service |
| Sexual life: Information regarding sexual life | person receiving product or service |
| Criminal conviction and security measures: Information regarding criminal conviction and security measures | employee candidate, employee, persons receiving product or service |
| Genetic data: Genetic data information | employees, persons receiving product or service |
| Psychosocial status: Psychological data | employees, persons receiving product or service, parent/guardian/representative |
Pursuant to Article 6 of the Regulation, the titles, units, and job descriptions, within the scope of the Law, of those involved in the personal data retention and destruction processes in our Company are given below.
Responsible Personnel Involved in Personal Data Retention and Destruction Processes
| UNIT | DUTY | RESPONSIBILITY |
| HUMAN RESOURCES | Responsible for implementing the Personal Data Retention and Destruction Policy | Regarding processes within the scope of their duty, especially regarding employee candidates and employees, ensuring compliance with the Personal Data Retention and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction times |
| RESPONSIBLE MANAGER | Responsible for implementing the Personal Data Retention and Destruction Policy | Regarding processes within the scope of their duty, especially regarding employee candidates and employees, ensuring compliance with the Personal Data Retention and Destruction Policy and managing personal data destruction processes in accordance with periodic destruction times |
RETENTION and DESTRUCTION PERIODS
| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| Personnel procedure | 15 years | within 180 days from the end of the retention period |
| Legal processes | 15 years | within 180 days from the end of the retention period |
| Internet and E-mail processes | 1 year | within 180 days from the end of the retention period |
| Business Operation and Organization Process | 15 years | within 180 days from the end of the retention period |