METROPOL CONSULTING DANIŞMANLIK LİMİTED ŞİRKETİ
Personal Data Protection, Processing, and Privacy Policy
1- Our company, Metropol Consulting Danışmanlık Limited Şirketi (“Company”), through this Personal Data Protection, Processing and Privacy Policy (“Policy”), determines the principles and procedures it is obliged to follow when collecting, processing, deleting, destroying, or anonymizing the personal data of all stakeholders.
In this context, in accordance with Law No. 6698 on the Protection of Personal Data (“Law”), the Company is considered a “Data Controller” and the following groups are considered “Data Subjects”: Employee Candidates, Clients, Company Shareholders, Company Officials, Visitors, Employees, Shareholders and Officials of Institutions we cooperate with, Subcontractors and Suppliers, and Third Parties.
This Policy outlines the legal conditions and procedures regarding the Company’s personal data processing activities. It also aims to ensure transparency and obtain explicit consent from the data subjects where necessary. The Privacy Policy is published on our website (www.metropolpartners.com) and is made available upon request.
In addition, a separate internal policy titled “Policy on the Processing of Employees’ Personal Data of Metropol Consulting Danışmanlık Limited Şirketi” has been issued for the Company’s own employees.
2- This Policy applies to all personal data that is processed either automatically or, provided that it is part of a data recording system, non-automatically, belonging to the following categories of data subjects:
- Employee Candidates: Real persons who apply for a job at the Company or otherwise make their CV and relevant information available to the Company.
- Employees, Shareholders and Officials of Institutions We Cooperate With, Subcontractors and Suppliers: Employees, shareholders, and authorized persons of institutions that have a business relationship with the Company.
- Clients: Real persons whose personal data is obtained during the course of the Company’s operations, regardless of whether there is a contractual relationship.
- Visitors: Real persons who have entered or visited the Company’s physical premises for various purposes.
- Third Parties: Other real persons whose personal data is processed under this Policy but who are not explicitly categorized above.
- Company Shareholders: Real persons who hold shares in the Company.
- Company Officials: Members of the board of directors and other authorized individuals.
The scope of this Policy may apply fully or partially to these data subject categories depending on the specific context and the nature of the data processing.
3- In matters concerning the processing and protection of personal data, current legal regulations take precedence. In the event of a conflict between applicable legislation and this Policy, the Company acknowledges that the provisions of the current legislation shall prevail.
4- Within the scope of this Policy, data subjects whose personal data are processed are categorized as follows:
- Employee Candidates: Real persons who apply for a job at the Company or otherwise make their CV and related information available.
- Employees, Shareholders and Officials of Institutions We Cooperate With, Subcontractors and Suppliers: Employees, shareholders, and authorized individuals of organizations having business relationships with the Company.
- Clients: Real persons whose personal data is obtained in the context of the Company’s operations, regardless of a contractual relationship.
- Visitors: Individuals who enter or visit the Company’s physical facilities.
- Third Parties: Other real persons whose personal data are processed within the scope of this Policy but who are not classified into the categories above.
- Company Shareholders: Natural persons who are shareholders of the Company.
- Company Officials: Members of the board of directors and other authorized natural persons of the Company.
5- For the implementation of this Policy, the following terms are defined as:
- Explicit Consent: Consent that is related to a specific matter, given based on information, and expressed with free will.
- Anonymization: Making personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Categories of Personal Data: Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
- Processing of Personal Data: Any operation performed on personal data, whether fully or partially automatic or manual provided it is part of a data recording system, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, retrieval, classification, or prevention of use.
- Board: The Personal Data Protection Board.
- Policy: The Company’s Personal Data Protection and Processing Policy.
- Data Processor: A real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
- Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
6- The provisions regarding the processing of personal data belonging to Employee Candidates, Clients, Company Shareholders, Company Officials, Visitors, Employees, Shareholders and Officials of Institutions We Cooperate With, Subcontractors and Suppliers, and Third Parties are regulated under this Policy in compliance with the Law.
7- Personal data obtained with the data subject’s explicit consent or due to other legitimate reasons stipulated in the Law are processed only to the extent necessary for the purpose stated in this Policy or based on the legal grounds explained during the clarification process. When the legal grounds expire, or in the absence or withdrawal of explicit consent, all such personal data will be deleted, destroyed, or anonymized.
8- The objectives of this Privacy Policy are:
- To clarify which personal data belonging to the Data Subject are collected and how they are used or not used;
- To determine the responsibilities of the Data Subject, the Data Controller, and third parties regarding the protection of rights and privacy under the Law;
- To explain how the information shared in order to provide a functional and beneficial service will be used.
9- With this Policy, data subjects are considered to have been informed about the processing and confidentiality of their personal data and to have given their consent for the use of their personal data in the manner described herein.
10- The categories of personal data processed by the Data Controller in compliance with the Law on the Protection of Personal Data are as follows. Unless explicitly stated otherwise, the term “Personal Data” used in this Policy refers to the information below:
- Identity Information: All information contained in documents such as ID cards, passports, residence certificates, including name, surname, national ID number, nationality, place and date of birth, gender, parents’ names, and social security number.
- Contact Information: Information that clearly belongs to an identified or identifiable person, such as phone number, address, email address, fax number, IP address.
- Customer Information: Data obtained or produced during business operations relating to the data subject.
- Customer Transaction Information: Records of product and service use, customer instructions, and requests.
- Transaction Security Information: Data processed to ensure the security of technical, administrative, legal, and commercial operations.
- Risk Management Information: Personal data processed through commonly accepted legal, commercial practices to manage our commercial, technical, and administrative risks.
- Financial Information: Any data reflecting financial outcomes based on the type of legal relationship with the data subject.
- Employee Candidate Information: Personal data of individuals who have applied for a job or been evaluated as candidates or employees under commercial practices.
- Legal Process Information: Data processed to assert, pursue, or fulfill legal claims or obligations.
- Audit Information: Data processed to ensure compliance with legal obligations and company policies.
- Sensitive Personal Data: Data concerning race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association/foundation/union membership, health, sexual life, criminal records, and biometric/genetic data as defined in Article 6 of the Law.
- Marketing Information: Personal data processed for the purpose of customizing product and service marketing based on personal preferences and needs, including evaluation reports and analytics.
- Physical Space Security Information: Information collected during entrance to, presence in, and exit from physical premises such as camera recordings and logbooks.
- Visual/Audio Data: Visual or audio records that identify an individual, such as photographs, video, voice recordings (excluding those within physical space security).
- Request/Complaint Management Information: Personal data processed for the purpose of receiving and evaluating any kind of request or complaint.
11- In accordance with Articles 3 and 7 of the Law on the Protection of Personal Data, data that has been anonymized is no longer considered personal data. Therefore, any processing activities related to such data are not subject to the provisions of this Privacy Policy.
12- Our Company processes personal data in accordance with the basic principles outlined in Article 4 of the Law and the principles specified in this Policy. Additionally, personal data is processed under the limited conditions set forth in Article 5, paragraph 2, and Article 6, paragraph 3 of the Law. These legal grounds are:
- It is explicitly stipulated by law,
- It is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to physical impossibility or whose consent is not legally valid,
- It is necessary for the performance of a contract to which the data subject is a party,
- It is necessary to fulfill the legal obligations of the data controller,
- The data subject has made the data public,
- It is necessary for the establishment, exercise, or protection of a right,
- Provided it does not harm the fundamental rights and freedoms of the data subject, it is necessary for the legitimate interests of the data controller.
Furthermore, the Law defines some data as “sensitive personal data” and imposes stricter conditions on their processing. These include data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations/foundations/unions, health, sexual life, criminal convictions, and biometric/genetic data.
Sensitive personal data may only be processed in the following cases:
- With the explicit consent of the data subject, or
- Without explicit consent only if:
  - It is stipulated by law for data other than those relating to health and sexual life,
  - For health and sexual life data, it may only be processed by persons or authorized institutions who are under an obligation of confidentiality, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare financing.
13- In cases where the above legal bases do not apply, the Company will obtain the data subject’s explicit consent before processing any personal data. Within this framework, the Company may process personal data for purposes including but not limited to:
- Managing customer relations, contracts, legal follow-up, and requests/complaints related to products and services,
- Conducting communication, analysis, and management of internal operations and infrastructure,
- Planning and managing human resources policies and processes, performance evaluation, internal training, workforce planning, and employee benefits,
- Ensuring the legal and commercial security of persons who are in business relations with the Company,
- Managing operational activities in accordance with procedures and relevant laws, occupational health and safety, legal compliance, security, and risk management,
- Maintaining financial accuracy, internal audits, and ensuring up-to-date and correct data records.
In all cases, the Company will seek explicit consent from the data subject unless an exception stated in the Law applies. If the data subject does not provide such consent, personal data will not be processed.
14- The personal information in question may also be used to contact the Data Subject or for statistical evaluations, database creation, and market research — without revealing the identity of the data subject.
15- The Company may process the personal data of its employees without requiring their explicit consent, provided that it is necessary for the performance of the employment contract and the fulfillment of legal obligations. The Company ensures the confidentiality and protection of the personal data of its employees. In this context, a separate internal document titled “Policy on the Processing of Employees’ Personal Data of Metropol Consulting Danışmanlık Limited Şirketi” has been issued.
For future employees, the Company may process personal data (including resumes) submitted during job applications or evaluations without requiring explicit consent, until the process is concluded. If the application is unsuccessful, further retention or processing of the data is subject to the candidate’s consent. If such consent is granted, the data may be shared with third parties. If not, the data will be deleted, destroyed, or anonymized after the conclusion of the application process. In cases where the process results in employment, data retention and processing will be carried out in accordance with the new legal relationship.
16- The Company’s camera monitoring activity is conducted in accordance with the Law on Private Security Services and the Law on the Protection of Personal Data (KVKK). The Company provides clear notification of this activity in multiple ways, such as signs indicating that monitoring is being conducted at entrances to the premises.
In doing so, the Company aims to prevent harm to the fundamental rights and freedoms of individuals, ensure transparency, and inform data subjects. Monitoring areas, camera locations, and recording schedules are all set in a way that is sufficient and proportionate to the security purpose. No monitoring is conducted in private areas where individuals’ privacy may be unduly violated.
In line with Article 12 of the KVKK, technical and administrative measures are taken to ensure the security of personal data obtained through camera monitoring. Only a limited number of authorized employees can access live or recorded camera footage.
Additionally, for security and operational reasons, the Company processes personal data (such as names and surnames) of visitors entering its premises. This data is recorded physically or electronically and is used solely to track visitor entries and exits.
17- The Data Controller may share personal data and data derived from their use with external service providers (including email and SMS providers, hosting services), law firms, Company officials, business partners, authorized public institutions, and private entities. This is done to:
- Fulfill the purposes outlined in this Policy,
- Provide the relevant services to data subjects,
- Ensure commercial continuity,
- Maintain security,
- Detect fraudulent or unauthorized use, and
- Conduct operational evaluations.
18- Personal data collected for the legal reasons described above may be processed and transferred in accordance with this Policy and the Law. The Company may transfer personal data to third parties under the following conditions:
- If the data subject has given explicit consent,
- If there is a legal provision requiring the transfer of the data,
- If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject cannot give consent due to physical or legal incapacity,
- If it is necessary for the performance of a contract to which the data subject is a party,
- If it is necessary for the Company to fulfill its legal obligations,
- If the personal data has been made public by the data subject,
- If the transfer is necessary for the establishment, exercise, or protection of a legal right,
- If the transfer is necessary for the Company’s legitimate interests, provided that the data subject’s fundamental rights and freedoms are not violated.
Sensitive personal data may only be transferred under stricter conditions. If the data subject gives explicit consent or if legal exceptions apply:
- Sensitive personal data (excluding health and sexual life) may be transferred in cases explicitly prescribed by law.
- Sensitive personal data related to health and sexual life may only be transferred by persons or authorized institutions under a confidentiality obligation, and only for purposes such as public health protection, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services.
19- The Company may transfer personal data to foreign countries that have adequate protection or to countries that undertake to provide adequate protection, under the supervision and approval of the Personal Data Protection Board, in the following cases:
- If there is a legal provision requiring the transfer,
- If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject cannot give consent due to physical or legal incapacity,
- If it is necessary for the performance of a contract to which the data subject is a party,
- If it is necessary for the Company to fulfill its legal obligations,
- If the personal data has been made public by the data subject,
- If the transfer is necessary for the establishment, exercise, or protection of a legal right,
- If the transfer is necessary for the Company’s legitimate interests, provided that the data subject’s fundamental rights and freedoms are not violated.
20- In accordance with the security measures and legal obligations, the Company may also transfer sensitive personal data to foreign countries that offer adequate protection or that undertake to do so. This is permitted under the following conditions:
- With the explicit consent of the data subject, or
- Without explicit consent, only if:
  - Sensitive personal data excluding health and sexual life (such as race, ethnicity, political opinion, religion, criminal record, biometric and genetic data) is permitted to be processed by law,
  - Sensitive personal data concerning health and sexual life is processed only by healthcare professionals or authorized institutions bound by confidentiality, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care, and management of healthcare services.
21- Personal data collected for the legal reasons mentioned above may be processed and transferred in accordance with Articles 5 and 6 of the Law and this Privacy Policy.
22- In accordance with Article 11 of the Law, data subjects have the following rights:
- To learn whether their personal data is being processed,
- To request information regarding the processing of their personal data,
- To learn the purpose of processing and whether the data is being used appropriately,
- To know the third parties to whom personal data has been transferred within or outside Turkey,
- To request correction of personal data if it is incomplete or incorrectly processed,
- To request deletion or destruction of personal data under the conditions provided in the Law,
- To request notification of correction, deletion, or destruction to third parties to whom data was transferred,
- To object to a result that is against them and that arises from the analysis of processed data exclusively through automated systems,
- To demand compensation for any damage caused by the unlawful processing of personal data.
23- In accordance with Article 13(1) of the Law, you must submit your requests to exercise your rights in writing or by other methods determined by the Personal Data Protection Board.
For this purpose, your application to the Company under Article 11 must include your identity information, the explanation of the right you wish to exercise, and a clear specification of the article under which your request is made. You may submit your request via registered mail to the following address:
METROPOL CONSULTING DANIŞMANLIK LİMİTED ŞİRKETİ
Address: Nisbetiye Mahallesi, Gazi Güçnar Sokak, No:4/5, Beşiktaş, İstanbul
Requests made by third parties on behalf of the data subject are not accepted unless accompanied by a notarized power of attorney specifically issued by the data subject.
24- In accordance with Article 13 of the Law, the Company evaluates the requests submitted by data subjects and provides a response as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. This is done free of charge unless the process requires additional cost, in which case the fee schedule determined by the Personal Data Protection Board will apply.
The Company may reject the application for the following reasons and inform the data subject accordingly:
- If it impairs the rights and freedoms of others,
- If it requires disproportionate effort,
- If the requested information is already publicly available,
- If it poses a risk to the privacy of others,
- If it falls under one of the exceptions provided in the Law.
In cases where the application is rejected, the response is found insufficient, or no response is provided within the timeframe, the data subject may file a complaint with the Board within 30 days of receiving the response or 60 days from the application date, whichever comes first.
The Company takes necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure the secure storage of such data. The Data Controller is also responsible for not disclosing personal data unlawfully or using it outside the scope of processing purposes.
25- This Privacy Policy may be updated periodically to adapt to changing conditions and legal regulations.
26- Although no specific period is defined in the Law for the retention of personal data, the general principle is that personal data should be retained only for as long as necessary to fulfill the purpose for which it was collected or as required by relevant legislation.
The Company evaluates each data processing activity based on current legislation and purpose of use and sets minimum retention periods accordingly. Personal data will be stored at least for the duration of legal obligations and the relevant statutory limitation periods.
If a legal dispute arises, personal data may be stored for the time necessary to carry out legal defenses. When the purpose of processing no longer exists, including after the expiration of the retention period, the data will be anonymized, deleted, or destroyed in accordance with the Law.
27- The personal data we collect must be accurate and, when necessary, up to date. Therefore, if there is any change in your personal data, please inform the relevant department of our Company to update your records accordingly.
28- In order to fulfill its obligations under the Law on the Protection of Personal Data (KVKK) and to implement the provisions set forth in this Policy, the Company assigns the necessary personnel internally and establishes the relevant procedures.
This Policy, which includes the principles listed above, is presented to the data subject along with the “Clarification and Consent Statement Regarding the Protection, Processing, and Confidentiality of Personal Data of Metropol Consulting Danışmanlık Limited Şirketi.” It is also provided to data subjects upon request to ensure full transparency.
PERSONAL DATA RETENTION AND DESTRUCTION POLICY
1- The Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Metropol Consulting Danışmanlık Limited Şirketi (“Company”) in its capacity as Data Controller in accordance with Law No. 6698 on the Protection of Personal Data (KVKK) and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, in order to:
- Define the principles and procedures for retention, deletion, destruction, or anonymization of personal data,
- Fulfill legal obligations,
- Inform data subjects about retention periods and destruction methods.
2- This Policy covers real persons whose personal data is processed by automated means or by non-automated means provided that they are part of a data recording system. These persons include:
- Clients and potential clients,
- Employee candidates and employees,
- Company shareholders and officials,
- Visitors,
- Business partners,
- Employees, shareholders, and authorized persons of subcontractors, suppliers, and cooperating institutions,
- Third parties.
This Policy applies to all personal data processing and protection activities conducted by the Company.
3- This Policy is published on the Company’s website (www.metropolpartners.com) and is made available to relevant persons upon request.
4- The definitions used in the implementation of this Policy are as follows:
- Relevant Person: Persons within the organization of the data controller (excluding those responsible for technical storage and backup), or authorized third parties who process personal data under the data controller’s instructions.
- Destruction: Deletion, destruction, or anonymization of personal data.
- Law: Law No. 6698 on the Protection of Personal Data.
- Recording Medium: Any environment where personal data is processed, fully or partially, automatically or non-automatically, as part of a data recording system.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Data Subject: The natural person whose personal data is being processed.
- Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, disclosure, transfer, classification, or prevention of use.
- Personal Data Processing Inventory: A document that details data processing activities based on business processes, including the data categories, recipients, retention periods, and technical/organizational measures.
- Board: Personal Data Protection Board.
- Authority: Personal Data Protection Authority.
- Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, religion, sect, appearance, union membership, health, sexual life, criminal record, and biometric/genetic data.
- Periodic Destruction: The process of automatically deleting, destroying, or anonymizing personal data at regular intervals if the legal processing conditions no longer apply.
- Retention and Destruction Policy: This Policy, which serves as the basis for retention durations and destruction procedures.
- Privacy Policy: The Personal Data Protection and Privacy Policy published on the Company’s website.
- Registry: The registry maintained by the Personal Data Protection Authority.
- Data Processor: The person or entity that processes personal data on behalf of the data controller based on delegated authority.
- Data Recording System: A structured system where personal data is processed according to specific criteria.
- Data Controller: The person or legal entity who determines the purposes and means of personal data processing and is responsible for managing the data recording system.
In matters not defined herein, definitions provided in the Law shall apply.
5- All department managers within the Company are responsible for ensuring that technical and administrative measures regarding the processing, retention, and destruction of personal data are properly implemented in their units.
For this purpose:
- They are responsible for training their team members and increasing their awareness on personal data protection.
- They monitor and audit the processes related to data protection in their departments.
- They support the implementation of appropriate technical and administrative safeguards to prevent unlawful data processing and access.
The roles, units, and responsibilities of those involved in personal data retention and destruction are as follows:
- General Manager: Acts as the representative of the Data Controller and is responsible for the implementation of all personal data protection and destruction processes and this Policy.
- Human Resources Manager: Responsible for preparing, developing, and maintaining this Policy, ensuring that retention durations are met, and managing destruction processes according to the defined periodic destruction calendar. Also responsible for training and informing relevant personnel.
- Accounting Manager: Has responsibilities similar to those above, limited to processes under the accounting department.
- IT Manager: Responsible for the technical storage, protection, and backup of data, and for identifying and implementing the technical solutions required for applying this Policy.
- Other Department Managers: Ensure the application and monitoring of this Policy in their own departments and manage the destruction process in accordance with retention durations.
- Relevant Users and Data Processors: Responsible for ensuring that data processing and storage activities are carried out in compliance with the Law and this Policy.
- Authorized Relevant User: Responsible for securely storing deleted personal data until it is permanently destroyed and ensuring it is inaccessible to unauthorized users.
6- Personal data retained by the Company is stored in appropriate recording media depending on the nature of the data. These include, but are not limited to:
- Electronic Environments: Servers, external hard drives, software systems, information security devices, employee computers, optical disks, USB devices, printers, scanners, photocopiers, and similar digital environments.
- Physical Environments: Printed paper documents, manual filing systems, microfilm, and other physical formats.
- Cloud Environments: Internet-based encrypted systems outside of the Company’s own servers but accessible by the Company under contract.
Regardless of the medium, the Company ensures that all personal data is processed and protected in compliance with the Law, this Policy, and international standards on data security.
7- In accordance with Article 12 of the Law, the Company takes the following technical and administrative measures to ensure the secure retention of personal data, prevent unlawful processing or access, and ensure lawful destruction:
Technical Measures:
- Only secure and up-to-date systems appropriate for the nature of the data and storage environment are used.
- Security systems are deployed to protect environments where personal data is stored.
- Security tests and vulnerability scans are conducted regularly; identified risks are eliminated.
- Access to environments storing personal data is restricted to authorized persons, and all access is logged. The level of access is determined based on the sensitivity of the data.
- Adequate technical staff is maintained to ensure system security. Access authorizations are reviewed and controlled.
- Personal data destruction is carried out in an irreversible and non-recoverable manner.
- All digital environments are encrypted in compliance with information security standards.
Administrative Measures:
- Employees with access to personal data are regularly trained on information security, data privacy, and the confidentiality of private life.
- Legal and technical consultants are engaged to monitor developments and ensure compliance.
- When personal data must be shared with third parties for technical or legal reasons, contracts and protocols are signed with clear data protection obligations.
- In the event of any unlawful data breach, both the data subject and the Board are notified promptly.
- The Company conducts regular audits to ensure compliance and implements improvements if deficiencies are found.
8- Personal data belonging to data subjects is securely stored by the Company, either in physical or electronic environments, for purposes such as:
- Maintaining commercial activities,
- Fulfilling legal obligations,
- Managing employee rights and benefits,
- Managing customer relations,
- And other purposes outlined in the Company’s Personal Data Protection and Privacy Policy.
If a data subject requests deletion, or if the legal grounds for data processing as listed in Articles 5 and 6 of the Law no longer exist, then personal data will be deleted, destroyed, or anonymized ex officio in accordance with this Policy.
The legal grounds for processing personal data (which, if removed, trigger destruction) are:
- It is explicitly prescribed by law.
- It is necessary to protect the life or physical integrity of a person who cannot express consent.
- It is necessary for the performance of a contract to which the data subject is a party.
- It is necessary for the data controller to fulfill a legal obligation.
- The data subject has made the data public themselves.
- It is necessary for the establishment, exercise, or protection of a legal right.
- It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
9- The procedures and principles for deleting and destroying personal data held by the Company are as follows:
DELETION OF PERSONAL DATA
- Blackout (Masking) on Paper-Based Documents: Physically cutting out personal data from the document or using indelible ink so that the information cannot be read or restored.
- Secure Deletion from Software Systems: Permanently deleting personal data stored on cloud platforms or local digital environments in such a way that it cannot be recovered or accessed again.
DESTRUCTION OF PERSONAL DATA
- Physical Destruction: Shredding paper documents using document shredders so that they cannot be reassembled. Optical or magnetic media containing personal data are destroyed by melting, burning, or pulverizing.
- Degaussing: Exposing magnetic media to a high magnetic field using special equipment to make the stored data unreadable.
- Overwriting: Using special software to overwrite the data stored on magnetic or rewritable optical media at least seven times with a series of 0s and 1s, making recovery impossible.
ANONYMIZATION OF PERSONAL DATA
- Variable Removal: Removing highly descriptive variables in a data set that may lead to the identification of individuals.
- Suppression (Data Hiding): Hiding values that may uniquely identify individuals in rare cases or categories.
- Generalization: Aggregating data belonging to multiple individuals and removing identifiable characteristics to convert it into statistical data.
- Top and Bottom Coding: Categorizing values in a data group by setting predefined thresholds and grouping them accordingly.
- Micro-Aggregation: Sorting data meaningfully, grouping them, and replacing original values with group averages.
- Data Shuffling/Distortion: Replacing or modifying identifiers in personal data with unrelated values to break any link with the data subject.
10- Retention and Destruction Timelines
Although the Law does not specify exact durations for retaining personal data, the general principle is that personal data must be stored only for as long as required by law or necessary for the purpose for which it was collected. The Company determines these durations based on applicable legislation and the purpose of processing. The following table outlines the maximum retention periods and the corresponding destruction deadlines:
PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
---|---|---|
Employment documents and data required for declarations to the Social Security Institution (SSI) | 10 years from the end of the employment contract (starting from the beginning of the following calendar year) | Within 180 days after the retention period |
Other employment-related documents not required for SSI | 10 years from the end of the employment contract | Within 180 days after the retention period |
Workplace medical records and personal health files | 10 years from the end of employment | Within 180 days after the retention period |
Occupational Health and Safety documentation | 10 years after termination of the employment relationship | Within 180 days after the retention period |
Legal/enforcement correspondence regarding personnel | 10 years after the end of employment | Within 180 days after the retention period |
Personnel financial records | 10 years after the end of employment | Within 180 days after the retention period |
Business Partner / Consultant records (identity, contact, financial, and employee data) | Duration of business relationship + 10 years under Turkish Code of Obligations (Art. 146) and Turkish Commercial Code (Art. 82) | Within 180 days after the retention period |
Visitor records (name, surname, license plate, camera footage) | 2 years | Within 180 days after the retention period |
Candidate CVs and application forms | Maximum 2 years or until considered outdated | Within 180 days after the retention period |
Intern data | 10 years from the end of the internship | Within 180 days after the retention period |
Customer personal data (name, surname, ID, contact, payment, preferences, transactions) | 10 years from the provision of each product/service | Within 180 days after the retention period |
Potential client negotiation records | 2 years | Within 180 days after the retention period |
Partner/customer relationship records | Duration of business relationship + 10 years | Within 180 days after the retention period |
Corporate communication records | 10 years after termination of the relationship | Within 180 days after the retention period |
Data processed for the conclusion or performance of contracts | Duration of business relationship + 10 years | Within 180 days after the retention period |
Shareholder and board member data | 10 years | Within 180 days after the retention period |
Accident reports | 10 years | Within 180 days after the retention period |
Document preparation | 10 years | Within 180 days after the retention period |
Training records | 10 years | Within 180 days after the retention period |
These periods may be extended if longer retention is required by specific legislation (e.g., statute of limitations, mandatory recordkeeping periods). If the legal reason for processing no longer exists, the data will be deleted, destroyed, or anonymized in accordance with this Policy.
11- Although the Law does not specify an exact retention period for all personal data, the general principle is that personal data must be retained only for as long as required by applicable laws or necessary for the purpose for which they were collected. The Company evaluates each type of processing activity by referencing relevant legislation and the purpose of use.
If any legislation (such as the Turkish Commercial Code, Tax Procedure Law, or Labor Law) specifies a longer mandatory retention period, that duration will be adopted as the maximum retention period.
In addition, if a dispute arises between the data subject and the Company, the Company may retain the personal data for the duration of the statute of limitations applicable to the dispute in order to use the data in legal defenses.
When the legal basis for processing ends — including the expiration of the retention period — and the purpose of use is no longer valid, the data will be anonymized, deleted, or destroyed in accordance with the Law.
12- Personal data for which the retention period has expired or whose purpose of processing is no longer valid shall be destroyed ex officio by the Company every six months (in January and July) through deletion, destruction, or anonymization, in accordance with this Retention and Destruction Policy.
13- In order to fulfill its obligations under the Law and ensure proper implementation of this Policy, the Company assigns designated personnel and establishes internal procedures accordingly.
14- This Policy is reviewed periodically to reflect any changes in the Company’s personal data processing activities, organizational structure, or legal requirements, including amendments to relevant legislation and decisions issued by the Personal Data Protection Board. Based on this review, necessary sections may be updated, revised, or recreated.