PDPL Data Retention And Destruction

KVKK DATA RETENTION AND DESTRUCTION POLICY

1.  INTRODUCTION

This Personal Data Retention and Destruction Policy ("Policy") covers all subsidiaries, directorates, units, employees and third parties operating in Turkey that are involved in the processes in which Akyacht Yachting Industry and Trade Joint Stock Company ("Company") processes personal data, as well as all storage and destruction activities to be carried out by the Company on personal data. This Policy applies only to the storage and destruction of personal data. In the event that the legislation is partially or completely changed, amended, updated or repealed, the Company will update and amend the Policy in accordance with the new legislation.

2.  DEFINITIONS

The terms used in the implementation of this Policy have the following meanings:

Recipient group

It is the group formed by real or legal persons to whom personal data is transferred by the data controller.

Relevant user

Relevant users are the persons who process personal data within the organization of the data controller, or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

It is the deletion, destruction or anonymization of personal data.

KVKK

It is the Law on the Protection of Personal Data No. 6698.

Recording media

It is any medium containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system.

Personal data processing inventory

It is an inventory that the Company creates by associating the personal data processing activities it carries out in connection with its business processes with the purposes of processing personal data, the data category, the recipient group to which data is transferred and the data subject group, and in which it details the maximum period required for the purposes for which personal data is processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.

Board

Personal Data Protection Board.

Periodic destruction

It is the deletion, destruction or anonymization process to be carried out ex officio by the Company at the recurring intervals specified in this Policy, in the event that all of the conditions for processing personal data in the KVKK disappear.

Registry

It is the Data Controllers Registry.

Data recording system

It is a recording system in which personal data is structured and processed according to certain criteria.

Data Controller

It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation

It is the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

 

3.  PURPOSE AND SCOPE

This Policy applies to the real or legal persons responsible for the destruction of personal data under the Regulation issued in accordance with Article 7 of the KVKK, and sets out the principles to be followed by the Company and by third parties that the Company holds contractually responsible.

Pursuant to the Regulation, the Company, as a Data Controller with an obligation to register in the Registry, is obliged to prepare this Policy and act in accordance with it in order to store the personal data in its possession in accordance with the personal data inventory and to destroy it when necessary.

The following principles shall apply to the storage and destruction of personal data:

a)  The general principles in Article 4 of the KVKK will be followed.

b) The Company acknowledges that having prepared this Policy does not in itself mean that personal data is destroyed in accordance with the Regulation, KVKK and relevant legislation.

c) The Company accepts, declares and undertakes that it will act in accordance with the security measures in Article 12 of the KVKK, the provisions of the relevant legislation, the decisions to be taken by the Board and this Policy while storing or deleting, destroying or anonymizing personal data.

d) The Company undertakes to comply with this Policy, and with the tools, programs and processes to be applied in accordance with it, when destroying personal data that it holds and that is processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system.

e) The Company takes all necessary technical and administrative measures regarding the secure storage of personal data and the prevention of unlawful processing and access. These technical and administrative measures are described in the technical manuals created regarding the methods to be used for the storage and destruction of personal data.

f) If the Company has employees who take part in the storage and destruction processes of personal data, it determines their titles, units and job descriptions.

4.  ENVIRONMENTS & SAFETY PRECAUTIONS

4.1. Recording Media Where Personal Data Are Stored

Personal data stored by the Company is kept in a recording environment in accordance with the nature of the relevant data and our legal obligations. With this Policy, the Company agrees to include personal data in the environments listed below and other environments that may arise in addition to these, within the scope of the Policy. The Company acts as a data controller in all cases and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy.

a) Computers/servers used on behalf of the Company,

b) Network devices,

c) Shared/non-shared disk drives used for data storage on the network,

d) Mobile phones and all storage areas in them,

e) Paper,

f) Optical discs,

g) Portable disks and flash memory,

h) Cloud environments.

4.2. Securing Environments

The Company takes all necessary technical and administrative measures in accordance with the relevant personal data and the characteristics of the environment in which it is kept, in order to store personal data securely and to prevent unlawful processing and access.

These measures include, but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the relevant personal data and the environment in which it is kept.

4.2.1.   Technical Measures

The Company takes the following technical measures in accordance with the characteristics of all environments where personal data is stored, the relevant data and the environment in which the data is kept:

·         In environments where personal data is kept, only up-to-date and secure systems suitable for technological developments are used.

·         Security systems are used for environments where personal data is kept.

·         Security tests and research are carried out to detect security vulnerabilities in information systems, and the existing or potential risks identified as a result are eliminated.

·         By restricting access to the data in the environments where personal data is kept, only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded.

·         The company has sufficient technical personnel to ensure the security of the environments where personal data is kept.

·         Backup programs are used in accordance with the law to ensure that personal data is stored securely.

 

4.2.2.   Administrative Measures

The Company takes the following administrative measures in accordance with the characteristics of all environments where personal data is stored, the relevant data and the environment in which the data is kept:

·         Efforts are made to raise the awareness of all Company employees who have access to personal data on information security, personal data and privacy.

·         Legal and technical consultancy services are obtained or personnel are employed in order to follow the developments in the field of information security, privacy and protection of personal data and to take necessary actions.

·         In the event that personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.

4.2.3.   Internal Audit

Pursuant to Article 12 of the Law, the Company conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Retention and Destruction Policy and the Personal Data Processing and Protection Policy.

If, as a result of internal audits, deficiencies or defects regarding the implementation of these provisions are detected, these deficiencies or defects are immediately corrected.

In the event that it is understood, during an audit or otherwise, that personal data under the responsibility of the Company has been obtained by others illegally, the Company shall notify the relevant person and the Board as soon as possible.

5.    REASONS FOR STORING PERSONAL DATA

Personal data kept within the Company is stored in accordance with the Law, our Personal Data Policy and our Policy on the Processing and Protection of Personal Data of Employees (you can find the relevant policies at akyacht.net or akyacht.com), for the purposes and reasons stated there.

6. SITUATIONS REQUIRING THE DESTRUCTION OF PERSONAL DATA

In case of a breach within the scope specified below, the Company will treat the situation as a Potential Security Breach and operate the relevant security breach processes, and the related reports and notifications will be shared with the Company management, the Board and the relevant personal data owners when deemed necessary. For this purpose, the Company's breach management processes will be implemented to make such reports and notifications.

6.1. Violation of KVKK

The Company undertakes not to process personal data contrary to the manner specified in the KVKK.

Unless one of the exceptions to the conditions for processing personal data in Articles 5 and 6 of the KVKK applies, the Company:

a) Will not store the personal data of persons whose explicit consent it has not obtained, except for the exceptions specified in the KVKK.

b) Will not store, and will destroy, personal data processed within the scope of an exception or of explicit consent in the event that the purpose of processing disappears and/or the legal retention periods expire.

6.2. Elimination of Personal Data Processing Conditions

The Company is responsible for keeping the data processing conditions up to date and shares this responsibility with all relevant employees who process personal data.

Employees will not continue to process data in cases where the conditions for data processing are eliminated. The determination of these situations is carried out with the recommendation of the relevant business unit, accompanied by the KVKK Audit Unit and Legal Units established within the Company, and the destruction process is carried out in accordance with this Policy.

The Company acknowledges that the conditions for data processing are eliminated in the relevant cases listed below and specified in the Regulation:

a) Amendment or repeal of the provisions of the relevant legislation that constitute the basis for processing personal data,

b) The contract between the parties has never been established, the contract is invalid, the contract expires automatically, the contract is terminated or the contract is withdrawn,

c) The disappearance of the purpose requiring the processing of personal data,

d) Processing personal data is contrary to the law or the rule of good faith,

e) In cases where the processing of personal data takes place only on the basis of explicit consent, the person concerned withdraws his consent,

f) Acceptance by the Company of the duly submitted application of the person concerned regarding the processing of personal data within the framework of their rights in subparagraphs (e) and (f) of Article 11 of the KVKK,

g) In cases where the Company rejects the application made to it by the person concerned requesting the destruction of personal data, gives an insufficient response or does not respond within the period stipulated in the KVKK, a complaint is made to the Board and the request is approved by the Board,

h) Although the maximum period requiring the storage of personal data has passed, there are no conditions that would justify storing personal data for a longer period of time.

7. DESTRUCTION OF PERSONAL DATA

Destruction of personal data can be done in three different ways, each described in detail below: deletion, destruction or anonymization of the data.

The relevant business units within the company, the owners of the information systems and applications containing the personal data in question, the Internal Audit Team, the Legal Unit and other persons or departments that may be related to the subject make a written decision on the method to be applied for the destruction of personal data, depending on the reason for this destruction. Pursuant to this written decision, one of the destruction methods included in the relevant articles of this Policy is applied in accordance with the Guide to Deletion, Destruction and Anonymization of Personal Data published by the Board.

Regarding the methods to be used for the storage and destruction of personal data, the Company also establishes technical manuals and ensures their implementation.

The follow-up of the destruction of personal data is the responsibility of the relevant data owner business unit within the Company. The data owner business unit receives support from different units of the Company for the destruction of the data, provided that it carries out the supervision itself.

7.1. Deletion of Personal Data

Deletion of personal data processed by fully or partially automated means is the process of making the personal data in question inaccessible to and unusable by the relevant users in any way.

In the process of deleting personal data that constitutes a part of any data recording system and is processed by non-automatic means, the personal data that will be subject to deletion are determined, taking into account the legal retention periods. In terms of access to and authorization over personal data, the Company updates the role and authorization matrices that it currently maintains for its information systems and applications and identifies the relevant users. The authorizations and methods of the relevant users, such as access, retrieval and reuse, are determined within this scope.

In cases where the Company deletes personal data, it makes the data inaccessible and unusable in any way. In doing so, the Company guarantees that the data cannot be accessed or reused by any user.

7.2. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

The destruction process will be carried out in cases where the Company processes the data in physical recording media and the Company is obliged to make this data irretrievable.

When this process is carried out for the paper medium, the medium will be destroyed with paper shredders or clipping machines by cutting it into pieces small enough to be illegible and impossible to reassemble. In addition, the Company may receive disposal services from Third Parties in this context.

7.3. Anonymization of Personal Data

Anonymization is the process of making personal data impossible to associate with an identified or identifiable natural person, even if it is matched with other data, in cases where the Company processes personal data fully or partially by automated means.

By removing or changing all direct and/or indirect identifiers in the relevant dataset, the Company prevents the identity of the person concerned from being identified, ensuring that it loses its distinguishability within a group or crowd in a way that cannot be associated with a natural person.

During the anonymization of data, the Company may use methods such as one-way functions and encryption.

 

8. METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA

For the destruction of personal data, the Company defines all methods that can be used during destruction in this Policy and its annexes. The data owner business unit is obliged to determine and implement the method in this Policy that is appropriate to the situation.

The Company deletes, destroys or anonymizes the personal data stored in accordance with the Law and other legislation and the Personal Data Processing and Protection Policy, ex officio, upon the request of the person concerned or within the periods specified in this Personal Data Retention and Destruction Policy, in the event that the reasons requiring the processing of the data disappear.

During the destruction process, records are created in accordance with the Company's data destruction instructions. In the process of deleting sensitive personal data, the destruction process in the electronic environment is certified. During the destruction of personal data, the Company performs the destruction by choosing the appropriate one of the following methods according to the written decision to be made:

Deletion Methods

Deletion Methods for Personal Data Held in Printed Media

Blackout: Personal data in printed media are deleted using the blackout method. The blackout process is done by cutting out the personal data on the relevant document where possible, and in cases where it is not possible, making it invisible by using fixed ink in a way that cannot be reversed and cannot be read with technological solutions.

Deletion Methods for Personal Data Held in Cloud and Local Digital Environment

Secure deletion from software: Personal data kept in the cloud or local digital environments is deleted by digital command so that it cannot be recovered again. Data deleted in this way cannot be accessed again.

Disposal Methods

Destruction Methods for Personal Data Kept in Printed Media

Physical destruction: Documents kept in printed media are destroyed with document shredders in such a way that they cannot be reassembled.

Destruction Methods for Personal Data Held in Local Digital Environment

Physical destruction: It is the process of physical destruction of optical and magnetic media containing personal data, such as melting, burning or pulverizing. Processes such as melting, burning, pulverizing, or passing optical or magnetic media through a metal grinder make data inaccessible.

De-magnetization (degauss): It is the process of corrupting the data on magnetic media so that it becomes unreadable by exposing the media to a high magnetic field.

Overwrite: Random data consisting of 0's and 1's is written at least seven times on magnetic media and rewritable optical media, preventing reading and recovering old data.

Destruction Methods for Personal Data Kept in the Cloud

Secure deletion from software: Personal data kept in the cloud environment is deleted with a digital command so that it cannot be recovered, and when the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

Anonymization Methods

Anonymization is rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

Removing variables: It is the removal of one or more of the direct identifiers in the personal data of the person concerned that could be used to identify that person in any way.

This method can be used to anonymize personal data, or it can be used to delete personal data if there is information that does not comply with the purpose of data processing.

Regional obfuscation: It is the process of deleting information that may be distinctive regarding the data that is exceptional in the data table where personal data is collectively anonymized.

Generalization: It is the process of bringing together the personal data of many people, removing their distinctive information and turning them into statistical data.

Lower and upper limit coding / Global coding: It is the categorization of a certain variable by defining the ranges of that variable. If the variable does not contain a numeric value, then the data within the variable that is close to each other is categorized. Values that fall within the same category are combined.

Micro-aggregation: With this method, all the records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the average of the specified variable is taken for each subset, and the value of that variable in each record of the subset is replaced with the average value. In this way, since the indirect identifiers in the data will be distorted, it is difficult to associate the data with the relevant person.

Data shuffling and perturbation: Direct or indirect identifiers in personal data are shuffled or distorted with other values, breaking their relationship with the person concerned and ensuring that they lose their descriptive qualities.

In order to anonymize personal data, the Company uses one or more of these anonymization methods, depending on the nature of the relevant data.

 

9. STORAGE AND DISPOSAL PERIODS

Data owner: Employee
Data category: Data underlying the notifications made to the Social Security Institution (such as employment declaration, premium and service documents, missing day notifications, accruals, notice of resignation), wage and fringe benefit calculation and payment documents, documents of the date of employment, recruitment documents, wages and benefits, records of the date of entry and departure
Maximum data retention period: Kept for the duration of the service contract and for 10 (ten) years from its termination, on the basis of a possible service/wage determination request and the receivable request of the Social Security Institution.

Data owner: Employee
Data category: Personnel records
Maximum data retention period: Kept for the duration of the service contract and for 10 (ten) years from the beginning of the calendar year following its termination.

Data owner: Employee
Data category: Data in the Workplace Personal Health File
Maximum data retention period: Kept for the duration of the service contract and for 15 (fifteen) years from the date of its termination.

Data owner: Business Partner/Solution Partner/Consultant
Data category: Identity information, contact information, financial information, voice recordings taken during phone calls, Business Partner/Solution Partner/Consultant employee data regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and the Company
Maximum data retention period: Kept for the duration of the business/commercial relationship of the Business Partner/Solution Partner/Consultant with the Company and for 10 years from its end, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

Data owner: Visitor
Data category: Camera recordings taken at the entrance to the physical space of the Company.
Maximum data retention period: Stored for 3 months.

Data owner: Employee Candidate
Data category: Information in the CV and job application form of the Employee Candidate
Maximum data retention period: Kept for a maximum of 2 years, the period after which the resume loses its currency.

Data owner: Intern (student)
Data category: Identity, contact, finance, photo information in the internship file of the intern.
Maximum data retention period: Kept for the duration of the internship relationship and for 10 (ten) years from the beginning of the calendar year following its termination.

Data owner: Customer
Data category: Customer's name, surname, T.C.K.N., address, contact information, payment information and methods, product/service preferences, transaction history
Maximum data retention period: Kept for 10 years from the provision of each product/service purchased by the Customer, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

Data owner: Customer
Data category: Camera footage
Maximum data retention period: Stored for 3 months.

Data owner: Potential Customer
Data category: Identity information, contact information, financial information, voice recordings of phone calls made during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and the Company
Maximum data retention period: Stored for 2 years.

Data owner: Institutions/Companies with which the Company Cooperates (Supplier etc.)
Data category: Identity information, contact information, financial information regarding the execution of the commercial relationship between the Institutions/Companies with which the Company Cooperates and the Company, voice recordings taken during phone calls, employee data of the Institutions/Companies with which the Company Cooperates
Maximum data retention period: Kept for the duration of the business/commercial relationship of the Institutions/Companies with which the Company Cooperates with the Company and for 10 years from its end, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

 

*If a longer period is regulated in accordance with the legislation or a longer period is stipulated for the statute of limitations, forfeiture periods, retention periods, etc., in accordance with the legislation, the periods in the provisions of the legislation are considered as the maximum storage period.

9.1. Periodic Disposal and Legal Retention Periods

 

Physical and electronic data that have completed the legal retention and destruction periods are periodically destroyed. The Company destroys personal data in the first periodic destruction process following the date on which the destruction obligation arises.

 

Periodic destruction is carried out at 6-month time intervals for all personal data. The legal retention periods to be taken as a basis during periodic destruction are determined in the Company's Personal Data Inventory. The destruction process is applied during the first periodic destruction following the occurrence of the destruction obligation.

 

All transactions related to destroyed personal data are recorded and these records are kept for three years.

9.2. Destruction Process at the Request of Data Owners

 

In cases where data owners apply to the Company and request the destruction of their personal data, the Company checks the current status of the conditions for processing personal data. As a result of this check:

 

·       If it is understood that all of the conditions for processing personal data have disappeared, the personal data subject to the request is destroyed within thirty days at the latest in accordance with the decisions and methods specified in this Policy and the relevant person is informed.

·       If it is understood that the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the Company notifies the relevant third party of this situation and ensures that the necessary actions within the scope of the Regulation are taken with the third party.

·       If all the conditions for processing personal data have not been eliminated, the Company may reject the request by explaining the reason to the relevant data owner and notifies the relevant person in writing or electronically within thirty days at the latest.

In order to meet and respond to requests from data owners, the Management Process of Requests and Complaints from Personal Data Owners is established within the Company.

 

9.3. Supervision of the Legality of the Destruction Process

The Company carries out destruction, whether upon request or ex officio in periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy.

The Company takes a number of administrative and technical measures to ensure that disposal operations are carried out in accordance with these regulations.

9.3.1.   Technical Measures

·         The Company has technical tools and equipment suitable for each disposal method in this policy.

·         The company ensures the safety of the place where the disposal operations are carried out.

·         The company keeps access records of the persons who perform the destruction.

·         The company employs competent and experienced personnel to carry out the destruction process or receives services from competent third parties when necessary.

9.3.2.   Administrative Measures

·         The company works to increase the awareness of its employees who will carry out the destruction process on information security, personal data and privacy.

·         The company receives legal and technical consultancy services in order to follow the developments in the field of information security, privacy, protection of personal data and secure destruction techniques and to take necessary actions.

·         In cases where the Company has the destruction process carried out by third parties due to technical or legal requirements, it signs protocols with the relevant third parties for the protection of personal data, and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.

·         The Company regularly checks whether the destruction processes are carried out in accordance with the law and the terms and obligations specified in this Personal Data Retention and Destruction Policy, and takes the necessary actions.

·         The Company records all transactions related to the deletion, destruction and anonymization of personal data and keeps such records for at least three years, excluding other legal obligations.

10. AUTHORIZATION IN STORAGE AND DISPOSAL PROCESSES

The Company establishes a Personal Data Committee within its body. The Personal Data Committee is authorized and responsible for taking the necessary actions and supervising the processes for the storage and processing of the data of the data subjects in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Destruction Policy. Those within the Company who are involved in the storage and destruction of personal data, and their job descriptions, are as follows:

KVKK Team: Decides on policies and methods by working with the relevant business units of the Company on the storage and destruction of personal data, ensures that the Policy and its annexes are kept up-to-date, works closely with the relevant units of the Company when necessary, and ensures that the Policy is carried out correctly and in accordance with the KVKK and the Regulation.

Legal Unit: Advises on legal issues related to the storage and destruction of personal data and provides the necessary information to the relevant business units in case of changes in the relevant legislation. It ensures that the Policy is carried out in accordance with the legislation.

Information technologies: In the light of the decisions and methods specified in the Policy, it ensures that the relevant destruction and storage processes are carried out in accordance with the legislation.

Relevant business units of the Company: They express their opinions and justifications for determining the policies and methods regarding the storage and destruction of personal data and follow the actions to be carried out in accordance with this Policy.

 

Title: Personal Data Committee Manager
Job description: Directs all kinds of planning, analysis, research and risk determination studies in the projects carried out during the compliance process; is obliged to manage the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Destruction Policy and to decide on the requests received from the relevant persons.

Title: KVK Specialist (Technical and Administrative)
Job description: Examines the requests of the relevant persons and reports them to the Personal Data Committee Manager for evaluation; carries out the procedures regarding the requests of the data subject in accordance with the decision of the Personal Data Committee Manager; audits the storage and destruction processes and reports these audits to the Personal Data Committee Manager; is responsible for the execution of storage and disposal processes.

11. CHANGES TO THE POLICY

 

11.1. In the event that the KVKK, Regulation or other legislation is partially or completely changed, amended, updated or repealed, the Company will update and amend the Policy in accordance with the new legislation.

11.2. The Company will share the updated Policy with its employees via e-mail so that the changes made to the Policy can be reviewed, and will make it accessible to its employees via the corporate intranet / Portal.

EFFECTIVE DATE OF THE POLICY