Retention and Destruction Policy

Contents…………………………………………………………………………………….1

1.Introduction………………………………………………………………………………………2

1.1. Purpose…………………………………………………………………………………..…2

1.2.Scope………………………………………………………………………………..2

2.Definitions……………………………………………………………………………………2

3. Persons Involved in the Storage and Destruction Processes of Personal Data……………...2

4.Recording Media……………………………………………………………………………3

5. Explanations on Storage and Disposal………………………………………………3

5.1. Processing Purposes Requiring Storage……………………………………………….4

5.2.Reasons Requiring Destruction………………………………………………………..4

6.Technical and Administrative Measures………………………………………………………………4

6.1. Safe Storage of Personal Data and Against the Law

Technical and Administrative Measures Taken to Prevent Processing and Accessing

6.1.1.Technical Precautions……………………………………………………………………...4

6.1.2.Administrative Measures………………………………………………………………………...5

6.2. Techniques and Methods Used for the Lawful Destruction of Personal Data

Administrative Measures………………………………………………………………………………..5

6.2.1. Deletion of Personal Data………………………………………………………..5

6.2.2.Destruction of Personal Data………………………………………………………...6

6.2.3.Anonymization of Personal Data………………………………………..6

7.Storage and Disposal Periods……………………………………………………………….6

8.Periodic Destruction Period………………………………………………………………...8

9.Update of the Policy………………………………………………………………..8

10.Effective Date of the Policy…………………………………………………………….8

 

Personal Data Storage and Destruction Policy

1.1. Aim
This personal data storage and destruction policy ("Policy") establishes the procedures for storing and destroying personal data processed by AGADIGITAL ELEKTRONİK MAĞAZACILIK VE TİCARET ANONİM ŞİRKETİ ("Our Company") under the Personal Data Protection Law No. 6698 ("KVKK") and related legislation. It defines the principles guiding our data management practices. This policy is published on our Company’s website at www.agakulche.com.

1.2. Scope
This Policy applies to the storage and destruction of personal data collected from the Company’s employees, prospective employees, interns, visitors, customers, and other natural persons whose personal data is processed.

2. Definitions

• Recipient group: The category of individuals or organizations to whom personal data is transferred by the data controller.
• Relevant user: Individuals who process personal data within the organization or per the data controller’s authorization, excluding those responsible for technical storage, protection, and backup of the data.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Law: Personal Data Protection Law No. 6698, dated 24/3/2016.
• Recording medium: Any environment where personal data is processed, whether fully or partially automatic or non-automatic, as part of a data recording system.
• Personal data storage and destruction policy: The policy that guides the deletion, destruction, and anonymization of personal data, including the maximum retention period required for the intended purpose.
• Board: Personal Data Protection Board.
• Periodic Destruction: The recurring process of deleting, destroying, or anonymizing personal data, as specified in the personal data storage and destruction policy, when the processing conditions stated in the law no longer apply.
• Data recording system: The system where personal data is structured and processed based on certain criteria.
• Data controller: The natural or legal person responsible for determining the purposes and means of personal data processing, and for establishing and managing the data recording system.
• Regulation: Refers to the Regulation on Deletion, Destruction, or Anonymization of Personal Data.

3. Persons Involved in the Storage and Destruction Processes of Personal Data
The units listed below are assigned to process, store, and destroy personal data per the law and implement technical and administrative measures within the scope of this Policy.

Unit	Title	Responsibilities
IT	IT Manager	Ensures compliance with data retention and destruction periods and manages the technical aspects of the Policy.
Human Resources	Human Resources Manager	Responsible for following data storage and destruction schedules, and executing the Policy accordingly.
Financial Affairs	Accounting Manager	Ensures data storage and destruction compliance within the department’s scope and implements the Policy accordingly.
Data Controller Rep.		Oversees responsible units to ensure proper Policy implementation and manages data processing and registry matters.
Contact Person		Adheres to data retention and destruction periods, facilitates communication, and maintains contact with data owners.

4. Recording Environments
Personal data is collected and stored by our Company both electronically (e.g., desktops, laptops, mobile devices, CDs, DVDs, USB drives, printers, scanners, emails, web, office software) and physically (e.g., paper documents, surveys, guest books), ensuring compliance with this Policy.