Privacy policy


  1. This Personal Data Retention and Disposal Policy (“Policy”) comprises all departments, employees and 3rd parties involved in any process where personal data is processed by EKO MMI Fuarcılık Ltd. Şti. (“Eurasia”).
  2. This Policy will cover all destruction activities that Eurasia will implement on personal data and will be implemented as a result of any destruction requirement.
  3. This Policy will not be applied to data that does not qualify as “personal data”.

Law
It is the Law on Protection of Personal Data No. 6698.

Regulation
It is the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

Board
It is the Personal Data Protection Board.

Recording Media
It is the name given to any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

Personal Data Processing Inventory
It is the inventory created and detailed by data controllers by associating the personal data processing activities they carry out and personal data processing purposes depending on their business processes, with the data category, the transferred recipients and the data subject group.

Destruction
It is the deletion, destruction or anonymization of personal data.

Periodic Destruction
It is the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy in the event that all of the personal data processing conditions in the law are eliminated.

Data Recording System
It is a recording system in which personal data is processed and structured according to certain criteria.

Data Controller
It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

This Policy sets out the principles to be followed by Eurasia and third parties contractually responsible for Eurasia in accordance with Article 7 of the Law [1] and the provisions of the Regulation. In this context, the following principles will apply to the storage and destruction of personal data:

  1. Personal data should be kept for the period required by the relevant legislation or for the purpose for which they are processed.
  2. Eurasia will act in accordance with the security measures in Article 12 of the Law [2], the provisions of the relevant legislation, the decisions to be taken by the Personal Data Protection Board, and the Policy while storing or deleting, destroying or anonymizing personal data.

Computers/servers used on behalf of Eurasia containing personal data, network devices, shared/non-shared disk drives used for data storage on the network, cloud systems, mobile phones and all storage areas inside, peripherals such as paper, microfiche, printer, fingerprint reader, recording media such as magnetic tapes, optical discs, flash memories and personal data in other media that may arise in addition to these are included in the scope of this Policy.

  1. Change or repeal of the legislation that is the basis for processing,
  2. Termination or invalidity of the main contract for processing,
  3. The disappearance of the purposes and conditions of processing,
  4. Processing activity is against the good faith or the law,
  5. Withdrawal of consent in processing activities based on explicit consent,
  6. Application by the data controller and acceptance of this application,
  7. The decision of the Personal Data Protection Board regarding the application of the data controller and the rejection of this application, regarding the need to meet the request,
  8. Expiration of the retention period.

The purpose of the destruction process is to make it impossible to reach the real person with the remaining data. Personal data can be deleted, destroyed or anonymized by the following methods. These operations should be carried out with the approval of the owner of the relevant information asset, with support from the authorized unit when necessary. For all work carried out, the Data Disposal Form must be filled in, signed and processed.

The owner of the medium is responsible for requesting the appropriate deletion and destruction of data and software in the aforementioned media and updating the inventory of assets.

1-DELETION

Deletion of personal data is the process of making personal data inaccessible and unusable in any way. The methods of deletion of personal data are as follows.

  • Personal data in paper media is deleted using the blackout method.
  • Office files on the central server are deleted with the delete command in the operating system.
  • Personal data in portable media is deleted with appropriate software.
  • In databases, the related rows containing personal data are deleted with database commands.

2-ANNIHILATION

Destruction of personal data means the destruction of materials suitable for data storage, such as documents, files, CDs, floppy disks, hard disks, in which the data is recorded, so that the information cannot be retrieved and used again.

2.a. Local Systems

2.a.1. De-magnetizing

It is the process of corrupting the data until it becomes unreadable by exposing the magnetic media to a very high magnetic field by passing it through a special device.

2.a.2. Overwrite

It is the process of making old data unreadable by writing random data consisting of 0 and 1 at least 8 times with software on magnetic media and rewritable optical media.

2.a.3. Physical Annihilation 

It is the physical destruction of optical media or magnetic media by melting, pulverizing, grinding and similar processes. It can be applied in cases where overwrite methods fail.

2.b. Destruction of Personal Data in Environmental Systems

If systems such as printers, fingerprint units and door entry turnstiles contain confidential information, destruction should be carried out by overwriting and physical destruction on the indoor unit or, if that is not possible, on the entire device. This type of destruction must be applied before the devices are subject to backup, maintenance and similar processes.

2.b.1. Network devices (switch, router, etc.): It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.b.2. Flash-based environments: It must be destroyed by using the manufacturer’s recommended disposal method or by using one or more of the appropriate methods specified in F.2.a.

2.b.3. Units such as magnetic disk: It must be destroyed by demagnetizing or physical destruction methods such as burning or melting.

2.b.4. Mobile phones (Sim card and fixed memory areas): It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.b.5. Optical discs: It must be destroyed by physical destruction methods such as burning, breaking into small pieces, melting.

2.b.6. Peripherals such as printer with removable data recording media, fingerprint door access system: It should be verified that all data recording media are removed and destroyed by using one or more of the appropriate methods specified in F.2.a, depending on their characteristics.

2.b.7. Peripherals such as printer with fixed data recording medium, fingerprint door access system: It must be destroyed by using one or more of the appropriate methods specified in F.2.a.

2.3. Paper Media

It should be destroyed by dividing it into small pieces that cannot be reassembled, horizontally and vertically if possible, with paper shredders or clipping machines.

3-ANONYMIZATION

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. Anonymization of personal data is the duty of the data subject business unit within Eurasia. The data owner business unit can receive support from different units of Eurasia for the destruction of the data, provided that it is audited by itself. During the anonymization of the data, Eurasia uses the following methods.                                                                                                                 

3.a. Masking: Data masking is a method of anonymizing personal data by removing the basic identifier information of the personal data from the data set.

3.b. Aggregation: With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person.

3.c. Data Derivation: With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person.

3.d. Data Mixing: With the data mixing method, the values in the personal data set are mixed and the link between the values and the people is broken.

1. Periodic Disposal and Legal Storage Periods

Physical and digital data, which have completed the legal storage and destruction periods, are periodically destroyed. Eurasia deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out at 6-month intervals for all personal data. Transactions regarding deleted, destroyed and anonymized data are kept for at least 3 years, excluding other legal obligations.

2. Deletion and Destruction Process at the Request of Data Owners

In cases where data owners request the deletion or destruction of their personal data by applying to Eurasia, Eurasia checks the current status of the personal data processing conditions and takes relevant actions accordingly. If all the conditions for processing personal data have been removed, it deletes, destroys or anonymizes the personal data subject to the request. Eurasia finalizes the request of the person concerned within thirty days at the latest and informs the person concerned. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party and ensures that the necessary actions are taken within the scope of the Regulation before the third party. If all the conditions for processing personal data have not disappeared, Eurasia may reject the request by explaining the reason to the relevant data owner and notify the relevant person in writing or electronically within thirty days at the latest.

Personal Data Owners cannot claim their rights in cases within the scope of Article 28 [3] of the Law.  

This Procedure enters into force as of the approval date of the General Directorate. Procedural provisions are executed by persons/units authorized by Eurasia company.


[1] Deletion, destruction or anonymization of personal data  

ARTICLE 7- (1) Personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of this Law and other relevant laws.

(2) The provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.

(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.

[2]  Obligations regarding data security

ARTICLE 12- (1) Data controller;

a) To prevent the unlawful processing of personal data,

b) To prevent unlawful access to personal data,

c) It is obliged to take all necessary technical and administrative measures to ensure the protection of personal data and to ensure the appropriate level of security.

(2) In case the personal data is processed by another real or legal person on his behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.

(3) The data controller is obliged to carry out or have the necessary inspections carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.

(4) Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave office.

(5) In case the processed personal data is obtained by others illegally, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

[3] Exceptions

ARTICLE 28- (1) The provisions of this Law shall not be applied in the following cases:

a) Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.

b) Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.

d) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

(2) In accordance with the purpose and basic principles of this Law, Article 10, which regulates the obligation of disclosure of the data controller, Article 11, which regulates the rights of the data subject, except for the right to demand the compensation of the damage, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not be applied in the following cases:

a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.

b) Processing of personal data made public by the person concerned.

c) If personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority granted by the law.

ç) The processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.

© EKO MMI Fuarcılık Ltd. Şti.

Customization & Design

VERUMEC Teknoloji Ltd. Şti.