Personal Data Storage And Destruction Policy

  1. PURPOSE

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the works and transactions related to the storage and destruction activities carried out by Shopiverse Teknoloji ve Yazılım Anonim Şirketi (“ShopiVerse”).

Our Company has prepared this Policy in order to determine the procedures and principles for processing the personal data of the Company’s employees, employee candidates, suppliers, customers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and for deleting, destroying or anonymizing that data when all of the processing conditions have disappeared.

The protection of personal data and the observance of the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy on the processing of personal data.

Our Company carries out the works and transactions related to the storage and destruction of personal data in accordance with the Policy prepared in line with the principles enumerated.

  • SCOPE

The personal data of the Company’s employees, employee candidates, persons receiving products and services, market suppliers and other third parties are covered by this Policy and this Policy will be applied in all recording environments and activities for the processing of personal data that are under the control of the Company or managed by the Company.

  • DEFINITIONS

Recipient Group: The category of natural or legal person to whom personal data are transferred by the data controller,

Explicit consent: Consent related to a specific subject, based on information and expressed with free will,

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if it is matched with other data,

Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices,

Non-Electronic Media: All written, printed, visual and other media other than electronic media,

Relevant person: The natural person whose personal data is processed,

Destruction: Deletion, destruction or anonymization of personal data,

Law: Law No. 6698 on the Protection of Personal Data,

Recording Media: Any medium in which personal data is processed by means that are fully or partially automated or that are processed by non-automated means provided that they are part of any data recording system,

Personal data: Any information relating to an identified or identifiable natural person,

Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing the personal data, the data category, the group of recipients transferred and the group of persons subject to the data, and that they detail by explaining the maximum retention period required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,

Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data,

Periodic Destruction: In the event that all of the conditions for the processing of personal data in the Law disappear, the deletion, destruction or anonymization process specified in the personal data retention and destruction policy and to be carried out ex officio at repeated intervals,

Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him/her,

Data recording system: The recording system in which personal data is structured and processed according to certain criteria,

Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

  • RECORDING MEDIUM

Personal data are stored in electronic and non-electronic media in accordance with the law.

| ELECTRONIC MEDIUM | NON-ELECTRONIC MEDIUM |
| --- | --- |
| Servers (Domain, backup, e-mail, database, web, file sharing, etc.) | Paper, files (personal files) |
| Personal computers (Desktop, laptop) | Manual data recording systems (annual leave book, collection receipt book) |
| Mobile devices (phone, tablet, etc.) | |
| Camera/video recordings | |

  • EXPLANATIONS REGARDING THE LEGAL AND TECHNICAL REASONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

The personal data processed by the Company are stored and destroyed in accordance with the Law. In accordance with Article 7 of the Law, if the reasons requiring processing are eliminated, personal data must be deleted, destroyed or anonymized. In this context, detailed explanations of storage and destruction are given below.

  • DISCLOSURES REGARDING STORAGE

In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the personal data processed should be relevant, limited and proportionate to the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and in Articles 5 and 6, the processing conditions of personal data are enumerated.

The personal data that should be kept in line with the processing purposes within the framework of the activities of our Company are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

  • LEGAL GROUNDS FOR RETENTION

The personal data processed within the framework of the activities of the Authority are kept for the period stipulated in the relevant legislation. In this context, personal data are stored for the retention periods stipulated within the framework of:

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Commercial Code No. 6102,
  • Turkish Code of Obligations No. 6098,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Occupational Health and Safety Law No. 6331,
  • Law No. 4982 on Obtaining Information,
  • Law No. 3071 on the Exercise of the Right to Petition,
  • Labor Law No. 4857,
  • Law No. 6563 on the Regulation of Electronic Commerce,
  • Other secondary regulations in force pursuant to these laws.

If no period is stipulated in the legislation, personal data are stored until the moment when the purpose requiring their processing disappears.

  • REASONS FOR DESTRUCTION

Personal data are deleted, destroyed or anonymized by the Company, either at the request of the person concerned or ex officio, in the following cases:

  • Amendment or abolition of the provisions of the relevant legislation that constitute the basis for their processing,
  • The disappearance of the purpose that requires its processing or storage,
  • In cases where the processing of personal data takes place only on the basis of the explicit consent requirement, the person concerned withdraws the explicit consent,
  • In accordance with Article 11 of the Law, the application of the relevant person regarding the deletion and destruction of his / her personal data within the framework of his / her rights is accepted by the Authority,
  • The person concerned files a complaint with the Board, and the Board approves this request, in cases where the Company rejects the application made to it by the person concerned with the request to delete, destroy or anonymize his / her personal data, gives a response that the person concerned finds insufficient, or does not respond within the period stipulated in the Law,
  • The maximum period requiring the retention of personal data has passed and there are no conditions that justify the retention of personal data for a longer period of time.

  • TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY THE COMPANY FOR THE LAWFUL STORAGE AND DISPOSAL OF PERSONAL DATA

In order to store personal data securely, to prevent unlawful processing of and access to personal data, and to destroy personal data in accordance with the law, the Company takes technical and administrative measures in accordance with Article 12 of the Law and, for personal data of special nature, within the scope of the sufficient measures determined by the Board under the fourth paragraph of Article 6 of the Law with the Board Decision dated 31.01.2018 and numbered 2018/10.

  • TECHNICAL AND ADMINISTRATIVE MEASURES

  1. Network security and application security are provided.
  2. A closed system network is used for personal data transfers via the network.
  3. Key management is implemented.
  4. Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  5. Training and awareness activities are carried out periodically for employees on data security.
  6. An authorization matrix has been created for employees.
  7. Access logs are kept regularly.
  8. Corporate policies on access, information security, use, storage and destruction have been prepared and put into practice.
  9. Data masking measures are applied when necessary.
  10. Confidentiality undertakings are made.
  11. Employees who change duties or leave their jobs have their authorizations in this area revoked.
  12. Current anti-virus systems are used.
  13. Firewalls are used.
  14. The signed contracts contain data security provisions.
  15. Personal data security policies and procedures have been determined.
  16. Personal data security issues are reported quickly.
  17. Personal data security is monitored.
  18. Necessary security measures are taken regarding the entrances and exits to physical environments containing personal data.
  19. The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  20. The security of environments containing personal data is ensured.
  21. Personal data are reduced as much as possible.
  22. Personal data is backed up and the security of the backed-up personal data is also ensured.
  23. A user account management and authorization control system is implemented and followed up.
  24. Periodic and/or random audits are carried out within the institution.
  25. Log records are kept in such a way that there is no interference except for authorized users.
  26. Protocols and procedures for the security of personal data of special nature are determined and implemented.
  27. If personal data of special nature are to be sent via electronic mail, they must be sent encrypted and using KEP or a corporate mail account.
  28. Secure encryption / cryptographic keys are used for personal data of special nature and managed by different units.
  29. Intrusion detection and prevention systems are used.
  30. Penetration tests are carried out.
  31. Cyber security measures have been taken and their implementation is constantly monitored.
  32. Encryption is applied.
  33. Awareness of data processing service providers and business partners on data security is ensured.
  34. Data loss prevention software is used.

  1. DESTRUCTION TECHNIQUES FOR THE DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Destruction lists of persons involved in the destruction process are created. Consent to destruction is obtained from the GMY responsible for the operation. The destruction is reflected on the computer environment and recorded. Documents related to destruction are stored.

| ELECTRONIC MEDIUM | NON-ELECTRONIC MEDIUM |
| --- | --- |
| Servers: Periodic backups are automatically deleted by the system when their period expires. The data whose retention period has expired is deleted by the system administrator under the observation of the commission. | Personal data held in the physical environment whose required retention period has expired is rendered inaccessible and unreusable in any way by the persons involved in the data storage and destruction process. In addition, blackout is applied by scratching/painting/erasing in a way that cannot be read. |
| Mobile devices: When users leave the company, their accounts are frozen/deleted and their access is immediately blocked. Camera recordings are deleted by the system from oldest to newest as the disk fills up. Personal computers belong to the company; when personnel leave, they are reinstalled from scratch and all the data on the device is cleaned. | Personal data in paper media whose required storage period has expired is burned, torn and irreversibly destroyed. |

  1. PERSONS INVOLVED IN THE PROCESS OF STORING AND DESTROYING PERSONAL DATA

All units and employees of the Company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to properly implement the technical and administrative measures taken by the responsible units within the scope of the Policy, to increase the training and awareness of the unit employees, to monitor and continuously supervise the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law.

| TITLE | UNIT | TASK |
| --- | --- | --- |
| DG Responsible for Operations | Senior Management | Responsible for the preparation, development, execution, publication and updating of the Policy in the relevant environments. Responsible for ensuring that everyone in the company acts in accordance with the Policy. Gives consent to the destruction lists created in periodic destruction processes. |
| DDG in Charge of Technology | Senior Management | Responsible for providing the technical solutions needed in the implementation of the Policy. Creates destruction lists in periodic destruction processes. |
| Business Development and Process Manager | Business Development | Responsible for policy execution. Creates destruction lists in periodic destruction processes. |
  1. TABLE OF STORAGE AND DESTRUCTION PERIODS

| ACTIVITY | PERSONAL DATA | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- | --- |
| Execution of Job Application Processes | Communication, Identity, Professional Experience | 2 years from the conclusion of the job application process | During the first periodic destruction period following the end of the storage period |
| Preparation of Employee Personnel Files | Identity, Communication, Personnel, Professional Experience, Criminal Conviction and Security Measures | 10 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Preparation of Employee Personnel Files | Health | 15 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Execution of Business Contract Processes | Identity, Contact | 10 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Execution of Occupational Health / Safety Processes | Identity, Contact | 10 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Execution of Occupational Health / Safety Processes | Health | 15 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Managing Work Permit Processes | Identity, Contact | 10 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Managing Work Permit Processes | Health | 15 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Managing Employee Training Processes | Identity, Contact | 10 years from the termination of the employment relationship | During the first periodic destruction period following the end of the storage period |
| Web Page Corporate Information and Career Opportunities Processes Management | Audiovisual Recordings | Until the employee leaves the job | Deleted when the employee leaves the job |
| Execution of Customer Relations/Support Processes | Identity, Communication, Marketing, Customer Processing, Audiovisual Records, Transaction Security | 10 years from the termination of the contractual relationship | During the first periodic destruction period following the end of the storage period |
| Managing Membership Processes | Identity, Communication, Transaction Security | 10 years from the termination of the contractual relationship | During the first periodic destruction period following the end of the storage period |
| Managing Sales & Marketing Processes | Identity, Contact | 10 years from the termination of the contractual relationship | During the first periodic destruction period following the end of the storage period |
| Meeting Communication and Information Requests | Identity, Contact | 1 year from receipt of the request | During the first periodic destruction period following the end of the storage period |
| Managing Administrative Affairs Processes | Physical Space Security | Camera recordings are stored for a maximum of 45 days. | Automatically deleted after 45 days |
| Managing Personnel Performance and Process Improvement/Audit Activities | Customer Transaction (Call Center Records) | 3-month records are stored for 1 year. | |
| Managing Access Activities Processes | Transaction Security | 10 years from the termination of the contractual relationship | |
| Managing Company Database Storage Processes | Identity, Communication, Job Security, Client Transaction | 10 years from the termination of the contractual relationship | |

  1. PERIODIC DESTRUCTION TIMES

In accordance with Article 11 of the Regulation, the Authority has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in our Company every year in January and July.

  1. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media, wet-signed (printed paper) and electronic, and is disclosed to the public on the website. The printed paper copy is also kept by senior management.

  1. POLICY UPDATE PERIOD

The policy is reviewed as needed and the sections are updated as needed.