
Disposal Policy

TRANS ANTALYA NAKLİYAT İNŞAAT TURİZM TİC. VE SAN. LTD. ŞTİ.

PERSONAL DATA RETENTION AND DISPOSAL POLICY

 

 

Purpose

 

This Personal Data Storage and Destruction Policy (“Policy”) has been prepared by Trans Antalya Nakliyat İnşaat Turizm Tic. ve San. Ltd. Şti. (“Trans Antalya”) for the purpose of determining the procedures and principles governing the work and transactions related to retention and disposal activities.

 

Trans Antalya attaches importance to processing personal data belonging to its workers, candidates, supplier employees, supplier officials, visitors and other third parties in accordance with international contracts, the Law on the Protection of Personal Data No. 6698 ("PDPL") and other relevant legislation, and to ensuring that the relevant persons can effectively exercise their rights.

 

 

Where Do We Record Personal Data?

 

Personal data is stored securely and in accordance with the law in the media listed below.

 

 

Electronic media

 

·         Communication servers (domain, backup, email, database, web, file sharing, etc.)

·         Software (office software, portal, EBYS (EDMS: Electronic Document Management System), VERBIS (DSRIS: Data Supervisor Registry Information System))

·         Information security devices (firewall, intrusion detection and prevention, log file, anti-virus, etc.)

·         Personal computers (PC) (desktop computer, laptop computer)

·         Mobile devices (telephone, tablet PC)

·         Optical disks (CD, DVD, etc.)

·         Removable memories (USB, flash disk, etc.)

·         Printer, scanner, photocopier

 

Non-electronic media

 

·         Paper

·         Manual data record systems (survey forms, visitor entry book)

·         Written, printed, visual media

 

 

Disclosures about Retention

 

Your personal data is stored for a period of time prescribed in the relevant legislation or in accordance with our processing purposes.

 

 

Processing Purposes Requiring Retention

 

Trans Antalya stores the personal data processed within the framework of its activities for the following purposes:

 

• To carry out human resources processes.

• To conduct communication processes.

• To ensure security.

• To perform the business and transactions arising from signed contracts and protocols.

• Within the scope of VERBİS (Data Supervisor Registry Information System), to determine the preferences and needs of employees, data supervisors, contact persons, data supervisors' representatives and data processors, to arrange the services accordingly and to update them if necessary.

• To ensure that legal obligations are fulfilled as required or necessitated by legal regulations.

• To fulfil legal obligations.

• To meet the obligation to provide evidence in legal disputes that may arise in the future.

 

Reasons Requiring Disposal

 

In the following situations, personal data are deleted and disposed of, or ex officio deleted, disposed of or anonymized, by Trans Antalya:

• The purpose requiring the processing or storage of the personal data no longer exists.

• Where personal data are processed only on the condition of explicit consent, the relevant person withdraws his/her explicit consent.

• The application regarding the deletion and disposal of personal data is accepted by Trans Antalya in accordance with Article 11 of the Law and within the framework of the rights of the person concerned.

• A complaint is made to the Board and the Board approves this request.

• The maximum period requiring the storage of personal data has expired and there is no condition justifying the storage of personal data for a longer period of time.

 

 

 

TECHNICAL AND ADMINISTRATIVE PRECAUTIONS

 

Trans Antalya takes the technical and administrative precautions stipulated in the legislation to store personal data safely, to prevent them from being processed and accessed illegally, and to dispose of personal data in accordance with the law.

 

 

Technical Precautions

 

The technical precautions taken by Trans Antalya regarding the personal data processed by it are listed below:

 

• Penetration tests are used to reveal any risks, threats, weaknesses and vulnerabilities in the information systems of Trans Antalya, and the necessary precautions are taken.

• Risks and threats that would affect the continuity of information systems are constantly monitored through the real-time analysis performed as part of information security incident management.

• Access to information systems and user authorization are managed through security policies, using the access and authority matrix and the corporate Active Directory.

• Necessary precautions are taken for the physical security of information systems equipment, software and data.

• In order to ensure the security of information systems against environmental threats, hardware precautions (an access control system that allows only authorized personnel into the system room, a 24/7 monitoring system, physical security of the edge switches forming the local area network, fire extinguishing system, air conditioning system, etc.) and software precautions (firewalls, attack prevention systems, network access control, systems that prevent harmful software, etc.) are taken.

• Risks are identified to prevent illegal processing of personal data; technical precautions are taken to meet these risks and technical controls are carried out for the precautions taken.

• Access procedures are established in Trans Antalya, and reporting and analysis studies relating to access to personal data are carried out.

• Access to the storage areas where personal data are stored is recorded, and improper accesses or access attempts are kept under control.

• Trans Antalya takes the necessary measures to make deleted personal data inaccessible to and not reusable by the users concerned.

• In case personal data are obtained illegally by others, a suitable system and infrastructure have been established by Trans Antalya to report this situation to the relevant person and the Board.

• Security vulnerabilities are tracked, appropriate security patches are installed and information systems are kept up to date.

• Strong passwords are used in electronic media where personal data are processed.

• Secure logging systems are used in electronic media where personal data are processed.

• Data backup programs that ensure the secure storage of personal data are used.

• Access to personal data stored in electronic or non-electronic media is restricted according to access principles.

• Access to the Trans Antalya website is encrypted with the SHA 256 Bit RSA algorithm using a secure protocol (HTTPS).

• A separate policy has been determined for the security of personal data with special features.

• Employees involved in processing special personal data have received training on special personal data security, confidentiality agreements have been signed with them, and the authority of users with access to the data has been defined.

• Electronic media where special personal data are processed, stored and / or accessed are protected using cryptographic methods; cryptographic keys are kept in secure media; all transaction records are logged; security updates of the media are constantly monitored; the necessary security tests are performed or commissioned regularly, and the test results are recorded.

• Adequate security precautions have been taken in physical media where special personal data are processed, stored and / or accessed; physical security is provided so that unauthorized entry and exit are prevented.

• If special personal data must be transferred via e-mail, they are transmitted in encrypted form via a corporate e-mail address or by using a KEP account. If the data must be transferred on media such as portable memory, CD or DVD, they are encrypted with cryptographic methods and the cryptographic key is kept on a different medium. If the transfer is made between servers in different physical environments, it is performed by setting up a VPN between the servers or through SFTP. If the transfer must be made on paper, the necessary precautions are taken against risks such as theft, loss or viewing by unauthorized people, and the document is sent in “confidential” format.

 

 

Administrative Precautions

 

The administrative precautions taken by Trans Antalya regarding the personal data processed by it are listed below:

 

• In order to improve the qualifications of workers, training is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge and skills, and related legislation.

• Confidentiality agreements are signed by employees who work on the activities carried out by Trans Antalya.

• A disciplinary procedure has been prepared for employees who do not comply with the security policies and procedures.

• Before processing personal data, Trans Antalya fulfils its obligation to inform the relevant persons.

• Personal data processing inventory was prepared.

• Periodic and random inspections are carried out in Trans Antalya.

• Information security trainings are provided for employees.

 

 

PERSONAL DATA DISPOSAL TECHNIQUES

 

 

At the end of the period stipulated in the relevant legislation, or of the retention period required for the purpose for which they are processed, personal data are destroyed by Trans Antalya ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation and using the following techniques.

 

 

Deleting of Personal Data

 

Your personal data are deleted through the following methods.

| Data Record Media | Explanation |
|---|---|
| Personal Data Involved on Servers | For personal data on servers whose necessary retention periods have expired, deletion is carried out by the system administrator removing the access authority of the relevant users. |
| Personal Data Involved on Electronic Media | Personal data on electronic media whose necessary retention periods have expired are made inaccessible to and unusable by all other workers (relevant users) except the database administrator. |
| Personal Data Involved on Physical Media | Personal data kept on physical media whose necessary retention periods have expired are made inaccessible to and unusable by all other workers (relevant users) except the unit administrator responsible for the document archives. In addition, they are blacked out by drawing over, painting over or erasing them so that they are unreadable. |
| Personal Data on Moveable Media | Personal data on flash-based storage media whose necessary storage periods have expired are encrypted by the system administrator and stored, with the encryption key, on secure media, with access authority given only to the system administrator. |

 

 

Disposal of Personal Data

 

Your personal data are destroyed through the following methods.

| Data Record Media | Explanation |
|---|---|
| Personal Data Involved in Physical Media | Personal data on paper media whose necessary retention periods have expired are irreversibly destroyed in paper shredding machines. |
| Personal Data Involved on Optical / Magnetic Media | Personal data on optical and magnetic media whose necessary retention periods have expired are destroyed by physical disposal methods such as melting, burning or pulverizing. In addition, magnetic media are passed through a special device and exposed to a strong magnetic field, making the data on them unreadable. |

 

 

 

Anonymization of Personal Data

 

Anonymizing personal data means making it impossible to associate the data with an identified or identifiable natural person by any means, even if the data are matched with other data. For personal data to be considered anonymized, they must be rendered impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate to the recording environment and the related field of activity, such as reversal of the data by the data controller or third parties and / or matching of the data with other data.

 

 

RETENTION AND DISPOSAL PERIODS

 

Retention and disposal periods are as follows.

 

| Personal Data | Retention Period | Disposal Period |
|---|---|---|
| Personal Data | 10 years | In the first disposal period following the end of the retention period |
| Communication Data | 10 years | In the first disposal period following the end of the retention period |
| Location Data | 1 year | In the first disposal period following the end of the retention period |
| Personnel Data | 10 years | In the first disposal period following the end of the retention period |
| Legal Transaction Data | 10 years | In the first disposal period following the end of the retention period |
| Customer Transaction Data | 10 years | In the first disposal period following the end of the retention period |
| Physical Media Security Data | 1 month | In the first disposal period following the end of the retention period |
| Transaction Security Data | 5 years | In the first disposal period following the end of the retention period |
| Profession Experience Data | 10 years | In the first disposal period following the end of the retention period |
| Audiovisual Records | 1 month | In the first disposal period following the end of the retention period |
| Health Data | 10 years | In the first disposal period following the end of the retention period |
| Data Related to Criminal Conviction and Security Precautions | 10 years | In the first disposal period following the end of the retention period |

 

 

Periodical Disposal Time

 

In accordance with Article 11 of the Regulation, Trans Antalya has determined the periodical disposal period as 6 months.

 

 

Updating of the Policy

 

The policy is revised as needed and the necessary sections are updated.