Information Text

 Personal Data Retention and Destruction Policy

DEFINITIONS AND ABBREVIATIONS

Institution: RAYTA ENTERTAINMENT CENTERS MANAGEMENT VISUAL ARTS COMMUNICATION AND ORGANIZATION INDUSTRY AND TRADE JOINT STOCK COMPANY

Law: Personal Data Protection Law No. 6698.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

Policy: Personal Data Retention and Destruction Policy.

Personal Data: Any information relating to an identified or identifiable natural person.

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent given freely, based on information and related to a specific subject.

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

Data Subject: The natural person whose personal data is processed.

Destruction: Deletion, destruction or anonymization of personal data.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Electronic Environment: Environments where personal data can be created, read, modified and written through electronic devices.

Non-Electronic Environment: All written, printed, visual and other environments outside electronic environments.

PURPOSE AND SCOPE

The Personal Data Retention and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding retention and destruction activities carried out by the Institution.

The Institution has prioritized processing personal data belonging to job applicants, employees, supplier employees and authorities, employees of supplier companies working at the workplace, visitors/customers, website visitors and other relevant persons in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that data subjects can effectively exercise their rights.

The personal data of the aforementioned persons are within the scope of this Policy, and this Policy applies to all recording environments in which personal data owned or managed by the Institution are processed and to all activities related to personal data processing.

RESPONSIBILITIES AND DUTY DISTRIBUTION

All units and employees of the Institution actively support the responsible units in implementing the technical and administrative measures taken within the scope of the Policy, increasing awareness and training of unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring that personal data is stored in compliance with the law.

The distribution of titles, units and job descriptions of those involved in personal data retention and destruction processes is as follows.

| Title | Duty |
| --- | --- |
| Board of Directors | Approves the Policy and ensures its enforcement. It is responsible for ensuring that senior management and employees act in accordance with the Policy. It provides support and resources by establishing the necessary budget for the implementation of the Policy. |
| Senior Management | Responsible for monitoring the activities carried out within the scope of the implementation and execution of the Policy. Carries out decision-making and implementation activities required for the execution of the Policy. |
| KVKK Officer | Responsible for the creation of the Policy and its publication in relevant environments after approval. Carries out the implementation of technical solutions decided and provided by senior management in the implementation of the Policy. |
| Accounting and Finance; Leasing Services | Responsible for executing the Policy in accordance with their duties. |

RECORD ENVIRONMENTS

Personal data is securely stored by the Institution in the environments listed in the table below in accordance with the law.

| Electronic Environments | Non-Electronic Environments |
| --- | --- |
| Servers (accounting application server, web server, etc.) | Paper |
| Software (accounting software, office applications, VERBIS, etc.) | Manual data recording systems (forms, reports, etc.) |
| Information security devices (firewalls, etc.) | Written and printed environments |
| Personal computers (desktop, laptop) | |
| Portable media (USB, backup hard drives, devices where images are stored) | |
| Printer, scanner, photocopy machine | |

EXPLANATIONS ON RETENTION AND DESTRUCTION

Personal data is retained and destroyed by the Institution in accordance with the Law.

Within this scope, detailed explanations regarding retention and destruction are provided below respectively.

Explanations on Retention          

In Article 3 of the Law, the concept of processing of personal data is defined; in Article 4, it is stated that processed personal data must be relevant, limited and proportionate to the purpose for which they are processed and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed; and in Articles 5 and 6, the conditions for processing personal data are listed.

Accordingly, within the scope of the Institution’s activities, personal data is retained for the period stipulated in the relevant legislation or appropriate to our processing purposes.

Reasons Requiring Retention      

Personal data processed within the scope of the Institution’s activities is retained for the periods stipulated within the framework of the following matters:

  • Retention periods stipulated by the laws and regulations to which the Institution is subject, listed below,
    • Personal Data Protection Law No. 6698,
    • Turkish Code of Obligations No. 6098,
    • Turkish Commercial Code No. 6102,
    • Social Insurance and General Health Insurance Law No. 5510,
    • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications,
    • Occupational Health and Safety Law No. 6331,
    • Right to Information Law No. 4982,
    • Labor Law No. 4857,
    • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
    • Other secondary regulations in force pursuant to the aforementioned laws.
  • Retention periods accepted as general practice in the sector in which the Institution operates,
  • Retention periods required by employment contracts with employees and contracts for the procurement of goods or services from suppliers,
  • Periods during which the legitimate interests of the Institution will be valid in accordance with law and good faith principles,
  • Periods during which the risks, costs and responsibilities arising from the retention of personal data continue legally,
  • Statute of limitation periods determined by the Institution for the assertion of a right related to personal data,
  • Periods during which the Institution is legally obliged to retain personal data belonging to the relevant data category.

Processing Purposes Requiring Retention

The Institution processes personal data within the scope of its activities for the following purposes and retains them for the necessary period.

  • Execution of Product / Service Marketing Processes
  • Execution of Goods / Service Sales Processes
  • Execution of Operational Processes Related to the Provision of Goods / Services
  • Execution of Goods and Service Procurement Processes
  • Ensuring Communication with Supplier Companies
  • Execution of Organization and Event Management Processes
  • Execution of Contract Processes
  • Execution and Supervision of Business Activities
  • Execution of Finance and Accounting Processes
  • Execution of Communication Activities
  • Execution of Management Activities
  • Execution of Job Application Processes of Employee Candidates
  • Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees
  • Execution of Salary, Benefits and Financial Processes
  • Making Tax and Social Security Notifications
  • Execution of Working Hours, Leave and Payroll Processes
  • Execution of Recruitment and Termination Processes
  • Execution of Assignment Processes
  • Execution of Inventory and Equipment Assignment Processes
  • Execution of Disciplinary Processes
  • Execution of Performance Evaluation Processes
  • Execution of Employee Satisfaction and Engagement Processes
  • Execution of Occupational Health and Safety Activities
  • Execution of Work Accident Processes
  • Execution of Emergency Management Processes
  • Preparation and Implementation of Emergency Plans
  • Ensuring Order and Security in the Workplace
  • Ensuring Physical Environment Security
  • Controlling Entry and Exit to the Workplace
  • Ensuring Security of Movable Property and Resources
  • Supervision of Subcontractor Obligations
  • Execution of Personnel Health Services Required by Legislation
  • Monitoring and Execution of Legal Affairs
  • Fulfillment of Legal Obligations
  • Ensuring Compliance of Activities with Legislation
  • Execution of Audit Activities
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Execution of Information Security Processes
  • Management of Access Authorizations
  • Protection of Systems and Prevention of Unauthorized Access
  • Ensuring Website Security
  • Ensuring Continuous and Secure Operation of the Website
  • Detection and Resolution of Technical Issues
  • Creation of Records That May Serve as Evidence in Possible Legal Disputes
  • Receiving and Evaluating Communication Requests
  • Contacting You
  • Execution of Request and Complaint Processes
  • Providing Information About Services
  • Execution of Visitor / Customer Relations Processes

Reasons Requiring Destruction

In the following cases, personal data are deleted, destroyed or anonymized by the Institution, either ex officio or upon request:

  • Amendment or repeal of the relevant legislation provisions forming the basis for processing,
  • Elimination of the purpose requiring processing or retention,
  • Withdrawal of explicit consent by the data subject in cases where processing is based solely on explicit consent,
  • Acceptance by the Institution of the application made by the data subject for the deletion or destruction of personal data within the scope of Article 11 of the Law,
  • Submission of a complaint to the Board, and approval of the request by the Board, in cases where the Institution rejects the data subject’s request for deletion, destruction or anonymization, its response is found insufficient, or it does not respond within the period stipulated by the Law,
  • Expiration of the maximum retention period and absence of any condition justifying longer retention.

TECHNICAL AND ADMINISTRATIVE MEASURES

In order to ensure the secure storage of personal data, prevent unlawful processing and access, and ensure lawful destruction, the Institution takes technical and administrative measures in accordance with Article 12 of the Law and the measures determined by the Board for special categories of personal data pursuant to Article 6.

Technical Measures

The technical measures taken by the Institution regarding personal data are listed below:

  • Up-to-date antivirus systems are used.
  • Firewalls are used.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Secure encryption methods are used for wireless network connections.

Administrative Measures

The administrative measures taken by the Institution regarding personal data are listed below:

  • An authorization matrix has been created for employees.
  • Information Security Commitment has been prepared for employees.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Personal data is minimized as much as possible.
  • Existing risks and threats have been identified.
  • Personal Data Protection Communication Plan, Personal Data Application Management Procedure, Personal Data Breach Awareness Plan, and Personal Data Breach Response Plan have been created and implemented, and employees have been informed.
  • Personal Data Processing and Protection Policy, Personal Data Retention and Destruction Policy, Information Technologies Risk Management Policy, Information Security Policy, and Special Categories of Personal Data Security Policy have been created and communicated to employees.

PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period stipulated in the relevant legislation or required for the processing purpose, personal data are destroyed by the Institution ex officio or upon the request of the data subject using the techniques specified below in accordance with the relevant legislation.

Deletion of Personal Data

Personal data are deleted using the methods specified in the table below.

| Data Recording Environment | Description |
| --- | --- |
| Personal data stored on servers | Personal data whose retention period has expired are deleted by removing access rights of relevant users by the Information Systems Officer. |
| Personal data in electronic environments | Personal data whose retention period has expired are made inaccessible and unusable by all employees except the Information Systems Officer / KVKK Officer. |
| Personal data in physical environments | Personal data whose retention period has expired are made inaccessible and unusable, and additionally redacted in a way that cannot be read. |
| Personal data on portable media | Personal data stored in flash-based environments are encrypted and securely stored with restricted access. |

Destruction of Personal Data

Personal data are destroyed using the methods specified in the table below.

| Data Recording Environment | Description |
| --- | --- |
| Personal data in physical environments | Personal data stored in paper environments whose retention period has expired are destroyed in paper shredding machines in a way that cannot be recovered. |
| Personal data in optical/magnetic media | Personal data stored in optical and magnetic media whose retention period has expired are physically destroyed by methods such as melting or breaking. |

Anonymization of Personal Data

Anonymization of personal data refers to making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if matched with other data.

To anonymize personal data, the data must be rendered impossible to associate with an identified or identifiable natural person, even when the Institution or third parties use techniques appropriate to the recording environment and relevant field of activity, such as reversing the data and/or matching it with other data.

RETENTION AND DESTRUCTION PERIODS

With regard to personal data processed within the scope of the Institution’s activities, retention periods are specified as follows:

  • Retention periods on a personal data basis, for all personal data within the scope of activities carried out depending on processes, are included in the personal data processing inventory;
  • Retention periods based on data categories are recorded in VERBIS;
  • Retention periods based on processes are included in the Personal Data Retention and Destruction Policy.

The Institution may update these retention periods when necessary.

For personal data whose retention periods have expired, deletion, destruction or anonymization processes are carried out ex officio by the Institution Information Systems Officer / KVKK Officer.

| Process | Retention Period | Destruction Period |
| --- | --- | --- |
| Employee Personnel Files and Records | 10 years from the termination of the employment contract | At the first periodic destruction period following the end of the retention period |
| Employee Salary, Payroll and Social Security Records | 10 years from the termination of the employment contract | At the first periodic destruction period following the end of the retention period |
| Occupational Health and Safety Records | 15 years from the termination of the employment contract | At the first periodic destruction period following the end of the retention period |
| Camera Records | 1 month | At the first periodic destruction period following the end of the retention period |
| Visitor Records | 30 days | At the first periodic destruction period following the end of the retention period |
| Mountain Coaster Photo and Video Records | At the end of the day the photo was taken or on the same day if not purchased | At the first periodic destruction period following the end of the retention period |
| Supplier Contract and Service Records | 10 years from the termination of the contract | At the first periodic destruction period following the end of the retention period |
| Supplier Employee Records | 10 years from the termination of the service relationship | At the first periodic destruction period following the end of the retention period |
| Contact Form (Website) Applications | 3 years | At the first periodic destruction period following the end of the retention period |
| E-mail Correspondence | 10 years | At the first periodic destruction period following the end of the retention period |
| Information System Log Records (IP, username, etc.) | 1 year | At the first periodic destruction period following the end of the retention period |
| Accounting and Financial Records | 10 years | At the first periodic destruction period following the end of the retention period |
| Legal Transaction and Dispute Files | 10 years from the termination of the legal relationship | At the first periodic destruction period following the end of the retention period |

PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation, the Institution has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out every year in January and July.

REVIEW OF THE POLICY

The Institution reviews the Personal Data Retention and Destruction Policy when necessary and updates the relevant sections.

IMPLEMENTATION RESPONSIBILITY OF THE POLICY

The Policy is deemed to have entered into force upon approval by the Board of Directors. The Policy is announced to employees.