KVKK Data Retention and Destruction Policy

1. GENERAL INFORMATION ABOUT THE KVKK POLICY

1.1. INTRODUCTION

Introduction: This MATRİKS Personal Data Retention and Destruction Policy (“Policy”) has been prepared to ensure compliance with the following regulations:

  • Law No. 6698 on the Protection of Personal Data (“KVKK” or “Law”),
  • Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017 (“Regulation”).

This Policy has been prepared by MATRİKS Building Control Systems Ltd. Co. (“MATRİKS” or “Company”), in its capacity as the data controller, for the following purposes:

  • To determine the purposes for which personal data is processed,
  • To determine the maximum retention periods required for these purposes,
  • To ensure data security; to manage processes related to the protection, deletion, destruction, and anonymization of personal data,
  • To clearly inform data subjects about these processes.

1.2. PURPOSE

Purpose of the Policy: The purpose of this Policy is to:

  • Ensure compliance with the obligations regarding regulations on the Protection of Personal Data,
  • Process and protect the confidentiality of personal data collected by MATRİKS through automated or non-automated means in accordance with the law,
  • Define internal responsibilities, operations, internal controls, and measures within the Company,
  • Inform individuals whose personal data is processed by MATRİKS and ensure transparency.

1.3. SCOPE

This Policy: Applies to all personal data of data subjects that is processed, whether fully or partially automated, or processed by non-automated means provided that it is part of any data recording system.

The persons and groups covered by the Policy are as follows:

  • MATRİKS Company executives
  • Company shareholders
  • Employees
  • Job candidates
  • Interns
  • Suppliers
  • Real persons benefiting from MATRİKS products and services (Customers)
  • Potential customers
  • Dealers
  • Members
  • Visitors
  • Business partners
  • Individuals visiting websites and mobile applications
  • Employees, shareholders, and executives of partner institutions
  • Service providers
  • Other third parties

This Policy applies to all recording media in which personal data owned or managed by MATRİKS is processed, as well as to activities related to the storage and destruction of such data.

1.4. ABBREVIATIONS AND DEFINITIONS

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the Data Controller.

Relevant User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Destruction: The deletion, destruction, or anonymization of personal data.

Retention and Destruction Policy: The policy established by MATRİKS that sets out the principles for determining the maximum period necessary for the purpose for which personal data is processed, as well as the deletion, destruction, and anonymization of such data.

Retention and Destruction Policy: The Destruction Policy Regarding the Retention, Deletion, Destruction, and Anonymization of Personal Data.

Law/KVKK: Law No. 6698 on the Protection of Personal Data. Recording medium refers to any environment in which personal data is processed, whether fully or partially automated, or by non-automated means provided it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Periodic Destruction: The process of deleting, destroying, or anonymizing personal data at recurring intervals, as specified in the retention and destruction policy, when all processing conditions for personal data stated in the Law no longer apply.

Registry: The registry of data controllers maintained by the Personal Data Protection Authority.

Data Recording System: A recording system in which personal data is processed in a structured manner according to specific criteria.

Board: The Personal Data Protection Board.

Data Subject / Relevant Person: The natural person whose personal data is processed.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

2. PERSONAL DATA STORAGE MEDIA

The personal data of data subjects is securely stored by MATRİKS, in physical or electronic environments, for the purposes specified in the “MATRİKS Personal Data Protection and Processing Policy”, within the limits defined by the KVKK and other relevant legislation, as outlined in the table below. The MATRİKS Personal Data Protection and Processing Policy can be accessed on the website www.matrikstr.com.

ELECTRONIC MEDIA PHYSICAL MEDIA
Resources allocated and/or managed by Matriks Manual Data Records (Survey, Visitor)
Personal desktop and laptop computers Ledgers, Printed Forms, etc.
Mobile Devices (Phone, tablet, etc.) Printed visual media
Optical Discs (CD, etc.) Files stored on paper
Servers (Web, E-Mail, Backup, Database, File Sharing, Exchange)
Software (CRM, Office Software, Portal, Other Accounting, Human Resources-related software)
Information security devices (Firewall, intrusion detection and prevention, log files, antivirus, etc.)
Removable storage devices (USB, Memory card, etc.)
Printer, scanner, photocopier

3. REASONS REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

3.1. Reasons Requiring the Retention of Personal Data

Article 3 of the Law on the Protection of Personal Data No. 6698 (KVKK) defines the concept of personal data processing, while Article 4 stipulates that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed, and must be retained for the period prescribed by the relevant legislation or as required for the purposes for which they are processed. Articles 5 and 6 set out the conditions for processing personal data.

In the deletion, destruction, or anonymization of personal data, the general principles in Article 4 of the Law, the technical and administrative measures required under Article 12, the provisions of the relevant legislation, Board decisions, and the personal data retention and destruction policy are followed.

Accordingly, within the scope of MATRİKS activities, personal data is retained for the duration stipulated in the relevant legislation or in line with the processing purposes set out in the “MATRİKS Personal Data Protection and Processing Policy”.

Our Company first determines whether there is a retention period for personal data in the relevant legislation. If such a period exists, it is followed. In the absence of a legal retention period, data is retained for as long as required for the purposes for which it is processed.

Upon expiration of the determined retention periods, personal data is destroyed in accordance with periodic destruction schedules or upon the request of the data subject, by one of the deletion, destruction, or anonymization methods.

Destruction processes are recorded, and these records are kept for at least three years, excluding other legal obligations.

In accordance with Article 5 of the KVKK, personal data is retained for the following reasons:

  • Retention of personal data because it is directly related to the establishment and performance of contracts,
  • Retention of personal data for the establishment, exercise, or protection of a right,
  • Retention of personal data is necessary for the legitimate interests of MATRİKS, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Retention of personal data for the fulfillment of any legal obligation of MATRİKS,
  • Retention of personal data is explicitly stipulated in the legislation,
  • In cases where retention activities require the explicit consent of the data subjects, the presence of such explicit consent.

3.2. Reasons Requiring the Destruction of Personal Data

In the following circumstances, the personal data of data subjects is deleted, destroyed, or anonymized by MATRİKS, either ex officio or upon request, in accordance with the Regulation dated October 28, 2017. Specifically:

  • Amendment or repeal of the relevant legislative provisions forming the basis for the processing or storage of personal data,
  • The disappearance of the purpose that requires the processing or storage of personal data,
  • When the conditions requiring the processing of personal data under Articles 5 and 6 of the Law no longer exist; deletion, destruction, or anonymization of personal data by the data controller, either ex officio or upon the request of the data subject,
  • In cases where the processing of personal data relies solely on explicit consent, withdrawal of consent by the data subject,
  • Acceptance by the data controller of the data subject’s request for deletion, destruction, or anonymization of their personal data, made under Article 11 of the Law,
  • If the data controller rejects the destruction request made by the data subject, provides an insufficient response, or fails to respond within the time period stipulated by the Law, and the Personal Data Protection Board deems the request appropriate following a complaint,
  • Expiration of the maximum retention period for personal data, with no conditions justifying longer retention.

4. PERSONAL DATA RETENTION AND DESTRUCTION PERIODS

In determining the retention and destruction periods of personal data obtained by MATRİKS in compliance with the KVKK and other relevant legislation, the following criteria are applied in order:

  1. If the legislation prescribes a retention period for the relevant personal data, this period is adhered to. Upon expiration of the said period, the process outlined in item b is applied to the data.
  2. If the retention period stipulated in the legislation for the relevant personal data has expired or if no such period is stipulated in the relevant legislation, the following steps are taken in order:
    • If the purpose for processing the personal data has ended, the data is deleted, destroyed, or anonymized by MATRİKS, either ex officio or upon the request of the data subject.

4.1. Criteria for Determining Retention and Destruction Periods

MATRİKS classifies personal data as “personal data” and “special categories of personal data” based on the definitions provided in Article 6 of the KVKK. All personal data identified as special category data is destroyed. The method to be applied for the destruction of such data is determined according to the nature of the data and the degree of importance of its retention for MATRİKS.

The compliance of data retention with the principles set forth in Article 4 of the KVKK is evaluated. If data retention is found to be contrary to these principles, the relevant data is deleted, destroyed, or anonymized.

It is determined whether the retention of the data falls within the exceptions stipulated in Articles 5 and 6 of the KVKK. Reasonable retention periods necessary for data preservation are set within the framework of the identified exceptions. When these periods expire, the data is deleted, destroyed, or anonymized.

Personal data whose retention period has expired is subject to periodic destruction every six months, in accordance with the “Retention and Destruction Periods” specified in the relevant section of this Policy.

4.2. Scope of Retention Period Determination

Regarding the personal data processed by MATRİKS:

  • Retention periods for each type of personal data are determined within the Personal Data Processing Inventory, based on the activities carried out in each process.
  • The retention periods determined on a process basis are explicitly included in the following sections of this Policy.

4.3. Process-Based Retention and Destruction Periods

Process Data Subject Retention Period Destruction Period
Creation of Personnel File Employee 10 years following the termination of the employment contract During the first periodic destruction period after the end of the retention period
In-Service Training Planning Employee 10 years following the termination of the employment contract During the first periodic destruction period after the end of the retention period
Salary Payments Employee 10 years after leaving employment During the first periodic destruction period after the end of the retention period
Resume and application form of job/internship candidate Employee / Intern Candidate 6 months after the unsuccessful completion of the application process During the first periodic destruction period after the end of the retention period
Keeping Financial Records Customers / Contracted Companies 10 years after the end of the business relationship During the first periodic destruction period after the end of the retention period
Commercial relationship data (identity, contact, financial, employee information, etc.) Service Provider Institutions/Companies 10 years from the provision of the service (TCO Art. 146, TCC Art. 82) During the first periodic destruction period after the end of the retention period
Preparation of Contracts Customers, Suppliers, Business Partners 10 years following the termination of the contract During the first periodic destruction period after the end of the retention period
Execution of HR processes Employees 10 years following the end of the activity During the first periodic destruction period after the end of the retention period
Visitor and meeting participant registration Visitors, Participants 2 years after the end of the event During the first periodic destruction period after the end of the retention period
Physical facility security (camera, vehicle, audio recordings) Natural persons 3 months During the first periodic destruction period after the end of the retention period
Data obtained prior to establishing a commercial relationship with potential customer Potential Customers 5 years During the first periodic destruction period after the end of the retention period
Information of company shareholders and board members Shareholders, Board Members 10 years after the end of the business relationship During the first periodic destruction period after the end of the retention period
Court/execution information requests Employees 10 years after the end of the business relationship During the first periodic destruction period after the end of the retention period
Log/Record Tracking Systems - 2 years During the first periodic destruction period after the end of the retention period
Administrative security reports (incident detection, incident report, etc.) All relevant natural persons 5 years from initial record During the first periodic destruction period after the end of the retention period
Customer request and complaint information Customer 15 years from the date of record During the first periodic destruction period after the end of the retention period
Company documents (power of attorney, signature circular, etc.) Shareholders, Board Members 10 years from initial record During the first periodic destruction period after the end of the retention period
Vehicle allocation to employees Employees 2 years from vehicle handover During the first periodic destruction period after the end of the retention period
Occupational health and safety practices Employees 15 years after the end of the employment relationship During the first periodic destruction period after the end of the retention period
Criminal convictions and security measures Employees During the term of employment During the first periodic destruction period after the end of the retention period

All transactions related to the deletion, destruction, or anonymization of personal data are recorded, and these records are retained for at least three years, excluding other legal obligations.

5. METHODS OF DESTRUCTION OF PERSONAL DATA

5.1. Techniques for Deleting Personal Data

5.1.1. Deletion of Personal Data Stored on Servers

For personal data stored on servers whose retention period has expired, deletion is carried out by revoking the access rights of relevant users.

5.1.2. Deletion of Personal Data Stored in Electronic Media

Personal data stored in electronic media whose retention period has expired is made completely inaccessible and unusable for employees (relevant users).

5.1.3. Deletion of Personal Data Stored in Physical Media

For personal data stored in physical media whose retention period has expired, documents are made inaccessible to employees. Additionally, redaction is applied by crossing out, painting over, or erasing in a way that makes the information unreadable.

5.1.4. Deletion of Personal Data Stored on Portable Media

Personal data stored on flash-based storage devices whose retention period has expired is encrypted by the system administrator, with access rights granted only to the system administrator, and stored in secure environments.

5.2. Techniques for Destroying Personal Data

5.2.1. Destruction of Personal Data Stored in Physical Media

Personal data stored in paper format whose retention period has expired is destroyed in a way that is irreversible, using paper shredding machines.

5.2.2. Destruction of Personal Data Stored in Optical / Magnetic Media

Data stored in optical and magnetic media is physically destroyed by melting, burning, or pulverizing. In addition, magnetic media is rendered unreadable by exposing it to a high magnetic field using a special device.

5.3. Techniques for Anonymizing Personal Data

Personal data stored on servers, in electronic media, physical media, portable media, and optical/magnetic media whose retention period has expired is rendered impossible to associate with an identified or identifiable natural person, even if matched with other data.

Within this scope, MATRİKS removes or alters direct and/or indirect identifiers to prevent the identification of the relevant person or anonymizes the data in a way that it cannot be associated with them. The applied methods include:

  • Grouping
  • Masking
  • Derivation
  • Generalization
  • Randomization

In applying these methods, the nature, size, environment structure, diversity, and purpose of processing the data are taken into account. As a result, the obtained data can no longer identify a specific individual.

6. PERIODIC DESTRUCTION PERIOD OF PERSONAL DATA

In accordance with Article 11 of the Regulation, MATRİKS has set the periodic destruction period as 6 months. Accordingly, periodic destruction processes are carried out in June and December each year.

7. RESPONSIBILITY IN THE PERSONAL DATA RETENTION AND DESTRUCTION PROCESS

All units and employees of MATRİKS are responsible for implementing the technical and administrative measures taken by the responsible units within the scope of this Policy, ensuring the training and awareness of unit employees, monitoring, and continuous auditing.

They are also obliged to actively support the responsible units in taking technical and administrative measures to ensure the lawful processing of personal data, prevent unlawful access to personal data, and ensure the secure storage of personal data in all environments where data is processed.

The titles, duties, and responsibilities of those involved in the personal data retention and destruction processes are detailed below:

Title Department Duty
General Manager Responsible for the Personal Data Retention and Destruction Policy Ensure compliance of processes within their responsibility with retention periods and manage the destruction process in accordance with the periodic destruction schedule
IT Manager Information Technologies Department: Implementation Responsible Ensure compliance of processes with retention periods and carry out the destruction process
Sales & Marketing Manager Sales and Marketing Department: Implementation Responsible Check compliance of relevant data with retention periods and act in accordance with the destruction process
Finance Manager Finance Department: Implementation Responsible Responsible for the retention and destruction of personal data related to financial processes
Technical Service Manager Technical Service Department: Implementation Responsible Ensure compliance of personal data in technical processes with retention and destruction periods

8. ENTRY INTO FORCE AND UPDATING OF THE POLICY

This Policy has been prepared in accordance with the Law on the Protection of Personal Data No. 6698 and other relevant legislation on personal data, and enters into force as of the date it is published on www.matrikstr.com. (Version 1.0)

MATRİKS may update this Policy from time to time due to changes in processes related to the processing of personal data, legal regulations, or other reasons. Updates take effect as of the date the new Policy text is published on the Website.

The current Policy text is published on the www.matrikstr.com website and made accessible to relevant individuals.