CLARIFICATION TEXT ON THE PROCESSING OF PERSONAL DATA IN CUSTOMER MARKETING, SALES, AFTER-SALES SERVICES

1. 1. 1.Data Controller and Representative

In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), your personal data; data NBI GİYİM A.Ş. as the responsible person. (“Our Company”) may be processed within the scope explained below. Detaile It was shared with the public on the website https://www.newbalance.com.tr/kisisel-verilerin-korunmasi NBI GİYİM A.Ş. You can access it from the Personal Data Protection Policy. 

Within the scope of this clarification text; You are informed about which of your personal data is processed, for what purpose your personal data can be processed, the method and legal reason for the collection of your personal data, the parties to which your personal data can be transferred and the rights you have.

1. 2. Processed Personal Data of Customers:

Identifying Information: Information of Name, Surname and TR Identity Number given by the visitor.

Contact Information: Telephone number, address and other contact information given by the visitor,

Legal Action: Information in correspondence with judicial authorities, Information in the case file, etc.

Customer Transaction: Call center records, Invoice, promissory note, check information, Information on box office receipts, Order information, Request information, etc.

Physical Environment Security: Camera recordings etc.

Risk Management: Information processed to manage commercial, technical, administrative risks, etc.

Finance: Balance sheet information, Financial performance information, Credit and risk information, Asset information etc.

Marketing: Shopping history information, Survey, Cookie records, Information obtained through Campaign work, etc.

Other data; Visual and Audio Recordings, Request Complaint Information

1. 3. Purposes of Processing Your Personal Data:

We may process your collected Personal data for the purposes listed below;

• •Performing of contracts established with customers and management, planning and execution of relations with customers,
• •Processes for the establishment and performance of contracts and realization of post-contract services,
• •Planning, follow up and execution of activities for finance and accounting,
• •Realization, planning and execution of activities/developments and analyzes for access to systems,
• •Planning and execution of Information Technologies and data security activities,
• •Planning and execution of activities for the development, follow-up and control of commercial affairs, actions, operations,
• •Reporting on activities related to control, data management, analysis, social activities, process development and similar activities,
• •Planning and execution of the physical/electronic security of the company
• •Planning and execution of actions and brand management activities to increase the perception level about the brand,
• •Planning and execution of operations for advertising, sales and marketing for customers,
• •Planning and executing activities for the development and/or customization of products and services by analyzing the usage habits and trends of customers,

• •Planning and execution of the relevant processes in order to obtain the highest benefit from the products or services offered by the company.
• •Carrying out the transactions regarding the payments required to be made within the scope of the employees' contracts
• •Planning and execution of request and complaint management activities for receiving, evaluating and finalizing requests and complaints,
• •Carrying out operations, research, analysis, reporting activities for entering into a contractual relationship with customers or renewing a contract,
• •Execution of contractual and post-contractual relations, realization and follow-up of transactions and activities for after-sales services and fulfillment of contractual obligations,

• •Management, development, planning and execution of relations with the supplier/dealer/business partner,
• •Planning and execution of production and/or operation processes,
• •Planning and execution of corporate communication activities
• •Execution of contractual and post-contractual relations, realization and follow-up of transactions and activities for after-sales services and fulfillment of contractual obligations,
• •Management, development, planning and execution of relations with supplier/dealer/business partner,
• •Planning and execution of production and/or operation processes,

• •Planning and execution of corporate communication activities
• •Planning and execution of logistics activities
• •Planning and/or execution of business continuity activities,
• •Execution of strategic planning activities;
• •Ensuring that the data is accurate and up-to-date
• •Giving information to authorized institutions based on legislation

We may process it for purposes such as (collectively, "Purposes").

1. 4. Collection Method and Legal Reason of Your Personal Data

Your personal data, will be collected from electronic and/or physical environments through our Company's websites, printed forms used in our Company and our Company's dealers and stores, and current accounts, invoices, etc. financial documents, our Company's telephone/call centers, our Company's branches, our Company's e-mail and corporate social media accounts, and our Company's mobile applications. Your personal data collected from these channels are processed for the following purposes and legal reasons and based on the personal data processing conditions specified in Articles 5 and 6 of the Law

Based on the legal reason that it is obligatory for our Company to fulfill its legal obligation as a data controller;

• •Ensuring that the data is correct and up-to-date,
• •iving information to authorized institutions based on legislation
• •Planning and execution of the physical/electronic security of the company
• •Planning, follow up and execution of activities for finance and accounting,
• •Planning and execution of Information Technologies and data security activities

Provided that it is directly related to the establishment or performance of a contract, based on the legal reason which is necessary to process the personal data of the parties to the contract,

• • Execution of contracts established with customers and execution of relations with customers during and after the contract, after-sales services and fulfillment of contractual obligations, realization and follow-up of transactions and activities related to after-sales services and fulfillment of contractual obligations,
• •Planning and execution of production and/or operation processes,
• •Planning and execution of logistics activities

Based on the legal reason that data processing is obligatory for the establishment, use or protection of a right;

• •Planning and execution of request and complaint management activities for receiving, evaluating and finalizing requests and complaints.

Based on the legal reason that data processing is obligatory for the legitimate interests of the data controller; provided that it does not harm the fundamental rights and freedoms of the data subject

• •Planning and execution of the relevant processes in order to obtain the highest benefit from the products or services offered by the company,
• •Management, development, planning and execution of relations with the supplier/dealer/business partner,
• •Planning and execution of production and/or operation processes,
• •Planning and execution of logistics activities
• •Planning and/or execution of business continuity activities
• •Execution of strategic planning activities,
• •Planning and execution of actions to increase the level of perception about the brand and brand management activites

Based on your express consent;

• •Develment of products and services by analyzing the usage habits and tendencies of customers and sending e-commercial messages regarding advertising, sales and marketing to customers

1. 5. Parties to Whom Your Personal Data May be Transferred and Transfer Purposes

Your personal data; Within the scope of the above-mentioned purposes, legally authorized public institutions and/or legally authorized private persons, including our affiliates, suppliers, business partners, can be transferred in accordance with the personal data transfer conditions specified in Articles 8 and 9 of the Law No. 6698.

1. 6. Rights of Personal Data Owner Enumerated in Article 11 of Law No. 6698

As personal data owners, you have the following rights;

• •Learning whether your personal data is processed,
• •If your personal data has been processed, requesting information about it,
• •Learning the purpose of processing of your personal data and whether they are used in accordance with the purpose,
• •Knowing the third parties to whom your personal data is transferred, in country or abroad,
• •Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
• •Requesting the deletion or destruction of your personal data in case the reasons requiring it to be processed disappear, although it has been processed in accordance with the provisions of the Law No. 6698 and other legislation, and requesting the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
• •Objecting to the occurance of a result that is against you by analyzing your processed data exclusively through automated systems,
• •Requesting the compensation of the damage in case you suffer damage due to unlawful processing of your personal data

You have rights. In order to use these rights effectively, we must identify you. necessary information and other requested information and the rights specified in Article 11 of the KVKK. Your request containing your explanations about the right you wish to use; Data Owner Application Form By filling out the form at and submitting a signed copy of the form copy of  Sultan Selim Mah. Hümeyra St. Nef 09 Sitesi B Blok No: 7 İç Kapı No: 152 Kağıthane - İstanbul   You can send it in person, with documents proving your identity, or by registered mail, You can send it through a notary public or other methods specified in KVKK or send the relevant form. You can also submit your requests by sending them with a secure electronic signature to nbigiyim@hs01.kep.tr. You can forward it.

SUPPLIER CLARIFICATION TEXT

1. 1. Data Controller and Its Representative

In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), your personal data; data NBI GİYİM A.Ş. as the responsible person. (“Our Company”) may be processed within the scope explained below. Detailed information about the purposes of processing your personal data by us; with the public at https://www.newbalance.com.tr/kisisel-verilerin-korunmasi/   shared by NBI GİYİM A.Ş. You can access it from the Personal Data Protection Policy.

Within the scope of this clarification text; you are informed about for what purposes, with whom your personal data is shared, with which methods it is collected and the legal reason and the rights of the data subjects within the scope of the processing of their personal data.

2. Suppliers’ Processed Personal Data

Identity Information: Name, Surname and Turkish ID number

Contact Information: Telefon Number, Address and Other Communication Information

Location Information: The place and location information of the suppliers’

Legal Action Information: Information in correspondence with judicial authorities, information in the case file

Physical Place Security: Entry and exit record information, camera records

Finance: Balance sheet information, Financial performance information, Credit and risk information, Asset information, etc.

Other Data: Audio and Visual Recordings, Vehicle, License Plate, Request-Complaint Information, Risk Administration

3. Purposes of Personal Data Processing

Your Personal Data are processed within the scope of the purposes listed below (“Purposes”)

• •To coordinate and carry out the business and communication of the goods and services that supplied by you or your company to Our Company and to evaluate and control the quality related to the performance of Contract / Service,
• •To keep a record of the finance or accounting recording and to perform the payment transactions,
• •To provide the communication between supplier, business partners, external service providers and the customers
• •To take support from the supplier’s employees
• •To carry out the relationship related to Contract or After-Sale, to carry out and to follow after-sale services and transactions and actions related to performance of the obligations stemming from the Contract
• •To administrate, develop, plan and execute the relationships between supplier/dealer / business partners,
• •To plan and execute processes of production and operation,
• •To plan and execute corporate communication activities,
• •To plan and execute the logistics activity,
• •To plan and execute the activities carried out for enabling permanency of the work,
• •To execute the activities of strategy planning
• •To ensure the veracity and currency of the data,
• •To give information to authorized institutions according the law.

We may process it for purposes such as (collectively, "Purposes").

4. The Manner and the Legal Reason of the Collection of Your Personal Data

Your personal data will be collected from physical platforms through Our Company’s websites, financial documents used in the dealers and stores of Our Company such as forms, invoice, current account etc; the call centers that belong Our Company’s dealers and business partners, corporate social media and e-mail accounts of Our Company, Our Company’s mobile applications, security cameras (CCTV). Your personal data collected from the platforms mentioned above may be processed according to the purposes below, legal reasons and conditions set out in the Articles 5 and 6 of the Law.

In case of necessity for Our Company as Data Controller to fulfill its legal obligations;

• •To maintain financial and accounting records and to perform payment transactions
• •To ensure the veracity and currency of the data
• •To give information to authorized institutions according the law.

Provided that it is directly related to the establishment or performance of a contract, based on legal reasons necessary to process the personal data of the parties to the contract;

• •To coordinate and carry out the business and communication of the goods and services that supplied by you or your company to Our Company and to evaluate and control the quality related to the performance of Contract / Service,
• •To provide the communication between supplier, business partners, external service providers and the customers
• •To take support from the supplier’s employees
• •To carry out the relationship related to Contract or After-Sale, to carry out and to follow after-sale services and transactions and actions related to performance of the obligations stemming from the Contract,
• •To administrate, develop, plan and execute the relationships between supplier/dealer / business partners,
• •To plan and execute the logistics activity,

Provided that it is not harmful for his / her fundamental rights and freedoms, based on legal reasons necessary to process data for the benefits of the data subject;

• •To plan and execute processes of production and operation,
• •To plan and execute corporate communication activities
• •To plan and execute the activities carried out for enabling permanency of the work,

1. 5. The Persons to whom your Personal Data may transfer and the Purposes of the Transfer

Your Personal Data may be transferred for the purposes above in accordance with the personal data transfer conditions set out in Articles 8 and 9 of the Law No. 6698 in accordance to our affiliates, domestic suppliers, business partners and legally authorized public institutions and/or legally authorized private individuals.

6. The Rights of Personal Data Subject Prescribed by Article 11 of the Law No. 6698

The Owner of Personal Data has rights on his personal data below:

• •To learn whether personal data is processed
• •To request information if personal data has been processed,
• •To learn the purpose of processing personal data and whether they are used in accordance with the purpose
• •To know the third parties to whom personal data is transferred in domestic or abroad
• •To request correction of personal data if it is incomplete or incorrectly processed or the deletion or notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred,
• •To request the deletion or destruction of your personal data in the event that the reasons requiring it to be processed disappear, although it has been processed in accordance with the provisions of the Law No. 6698 and other legislation, and to request the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred
• •To object to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems
• •To object the compensation of the damage in case of damage caused due to unlawful processing of personal data

You have rights. In order to use these rights effectively, we must identify you. necessary information and other requested information and the rights specified in Article 11 of the KVKK. Your request containing your explanations regarding the right you wish to exercise;  Data Owner Application Form by filling out the form and submitting a signed copy of the form. copy of Sultan Selim Mah. Hümeyra St. Nef 09 Sitesi B Blok No: 7 İç Kapı No: 152 Kağıthane - İstanbul  You can send it in person, with documents proving your identity, or by registered mail, You can send it through a notary public or other methods specified in KVKK or send the relevant form. You can also submit your requests by sending them with a secure electronic signature to nbigiyim@hs01.kep.tr. You can forward it.

Top of The Form

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1.PURPOSE AND SCOPE

NBI GİYİM A.Ş. ("Our Company") undertakes to comply with the regulations on the protection, processing and destruction of personal data in accordance with its legal responsibilities arising from the relevant legal regulations. This Personal Data Retention and Destruction Policy ("Policy") contains the framework and principles for carrying out the necessary retention and destruction activities within the scope of the relevant legislation.

In accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") published in the Official Gazette dated October 28, 2017 and numbered 30224, data controllers are obliged to prepare a personal data retention and destruction policy in accordance with the personal data processing inventory. The purpose of this Policy, which has been prepared on the basis of the above regulation; Determining the processes of deletion, destruction or anonymization of the personal data processed by our Company with the maximum periods required for the purpose for which they are processed and defining the roles and responsibilities of the persons who will take part in these processes.

The scope of this Policy; The maximum retention periods of personal data and the technical and administrative measures taken for the storage and destruction of personal data in accordance with the law constitute recording environments with the units involved in the execution of the relevant processes within our Company.

2.DEFINITONS

Electronic Environment:Environments where personal data can be created, read, changed and written with electronic devices,

Non-Electronic Environment:: All written, printed, visual, etc. other environments other than electronic environments,

Law: Law No. 6698 on the Protection of Personal Data,

Personal Data: Any information relating to an identified or identifiable real person,

Processing of Personal Data: Any operation performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or prevention of using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system.

Data Controller: NBI GİYİM A.Ş. as a legal person,

PDP Committee: The Personal Data Protection (PDP) Committee shall constitute the committee to be formed to carry out the administrative follow-up of the processes established within the scope of the Law on the Protection of Personal Data and its sub-regulations appointed by the Data Controller,

Relevent Person: The real person whose personal data is processed,

Committee: Personal Data Protection Committe,

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching them with other data,

Destruction: Deletion, destruction or anonymization of personal data

Recording Medium: Any environment where Personal Data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.

Personal Data Processing Inventory: Personal Data processing activities; The inventory created by associating the purposes of processing the Personal Data, the data category, the group of recipients transferred and the group of persons subject to the data and detailing the maximum period required for the purposes for which the Personal Data is processed, the Personal Data foreseen to be transferred and the measures taken regarding data security,

Personal Data Retention and Destruction Policy: This is the policy on which data controllers base the process of determining the maximum period required for the purpose for which Personal Data is processed, and the process of deletion, destruction and anonymization.

Periodic Destruction: In the event that all of the conditions for the processing of Personal Data in the Law disappear, the deletion, destruction or anonymization process specified in the Personal Data Retention and Destruction Policy and to be carried out ex officio at repeated intervals,

Relevant User: It refers to the persons who process Personal Data within the organization of the Data Controller or in accordance with the authority and instruction received from the Data Controller, except for the person or unit responsible for the technical storage, protection and backup of the Personal Data.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data

VERBIS: Data Controllers’ Registry Information System

3.RECORDING ENVIRONMENTS

During the activities of our Company, personal data is collected from employees, employee candidates, customers, visitors and supplier employees and officials, and the personal data collected are stored in accordance with the relevant legal legislation in the environments shown below:

• •Electronic Environments

1. 1. Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
2. 2. Software (office software, portal, EBYS, VERBIS.)
3. 3. Information security devices (firewall, intrusion detection and blocking, log file, anti-virus, etc.) Personal computers (Desktop, laptop)
4. 4. Mobile devices (phone, tablet, etc.)
5. 5. Optical discs (CD, DVD, etc.)(CD, DVD vb.)
6. 6. Removable memories (USB, Memory Card, etc.)
7. 7. Printer, scanner, copier

• •Non-Electronic Environments

1. 1. Paper
2. 2. Manual data recording systems (survey forms, service forms, job application forms)
   1. 3. Other written, printed, visual environments

1. 4. RESPONSIBILITY

In order to publish, keep up to date and monitor the implementation of this Policy, our Company's Board of Directors; A KVK Committee will be established and authorized for all these issues. KVK Committee will consist of Human Resources Manager, Administrative Affairs Manager, Information Processing Manager. The KVK Committee fulfills the following duties and responsibilities;

• •To ensure the compliance of Personal Data with the retention period,
• •To carry out the management of the personal data destruction process during the periodical destruction period,
• •To review the Policy on a minimum annual basis,
• •To regulate and publish the Personal Data Retention and Destruction Procedure and other procedures that it deems necessary, which will regulate the transaction rules in detail based on the Policy,
• •To distribute the necessary duties for the implementation of policies and procedures, to authorize the persons it deems appropriate, and to organize trainings on compliance with the Law,
• •To follow up the implementation of all kinds of technical and administrative measures taken in accordance with Article 12 of the Law and to plan the inspection,
• •To determine the issues that need to be done in order to ensure compliance with the law and the relevant legislation, to monitor its implementation and to provide the necessary coordination,
• •To follow up the processes related to the applications and requests made by real persons whose Personal Data are processed and to ensure that the necessary actions are taken to solve the problems that may arise regarding the implementation of the Law and/or the policy and procedure,
• •To carry out relations with the Board

5. REASONS THAT REQUIRE THE KEEPING DATA

The concept of processing personal data is defined in Article 3 of the Law, and the following principles are stipulated in Article 4 for processing of personal data

a) Compliance with the law and good faith.

b) Being true and up-to-date when necessary.

c) Processing for specific, explicit and legitimate purposes.

ç) Being connected, limited and measured with the purpose for which they are processed.

d) Keep for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

In Articles 5 and 6 of the Law, the conditions for the processing of personal data are listed. Accordingly, within the framework of our Company's activities, personal data retention for the period stipulated in the relevant legislation or suitable for our processing purposes.

5.1. LEGAL REASONS

• •Law No. 6698 on the Protection of Personal Data,
• •Turkish Code of Obligations No. 6098,
• •Turkish Commercial Code No. 6102
• •Social Insurance and General Health Insurance Law No. 5510,
• •Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
• •Law No. 6331 on Occupational Health and Safety,
• •Labor Law No. 4857,
• •Other secondary regulations in force pursuant to these laws

5.2. PROCESSING OBJECTIVES THAT REQUIRE SAFEKEEPING

Personal data held within our company is subject to our Law and Personal Data Policy (according to the relevant policy). According to “https://www.newbalance.com.tr/kisisel-verilerin-korunmasi/”, It is stored for the purposes and reasons stated herein.

6. TECHNICAL AND ADMINISTRATIVE MEASURES

OUR COMPANY takes all necessary technical and administrative measures in accordance with the relevant personal data and the characteristics of the environment in which it is kept in order to keep personal data safely and prevent unlawful processing and access.

This measures, including but not limited to these, cover the following administrative and technical measures to the extent appropriate to the natüre of the relevant personal data and the environment in which it is kept.

6.1. TECHNICAL MEASURES

Network security and application security are provided.

A closed system network is used for personal data transfers via the network.

Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

The security of personal data stored in the cloud is ensured.

An authorization matrix has been created for employees.

Access logs are kept regularly.

Current anti-virus systems are used.

Firewalls are used.

Necessary security measures are taken regarding entry and exit to physical environments containing personal data.

The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

The security of environments containing personal data is ensured.

Personal data is reduced as much as possible.

Personal data is backed up and the security of the backed up personal data is also ensured.

User account management and authorization control system are implemented and these are also follow-up.

Existing risks and threats have been identified.

Intrusion detection and prevention systems are used.

Penetration test is applied.

Cyber security measures have been taken and their implementation is constantly followed.

Encryption is done.

6.2. ADMINISTRATIVE MEASURES

There are disciplinary regulations that include data security provisions for employees.

Training and awareness activities are carried out periodically for employees on data security.

Confidentiality commitments are made.

Corporate policies on access, information security, use, safe keeping and destruction have been prepared and started to be implemented.

The authorizations of employees who have change in duty or leave their job in this field are removed.

Personal data security policies and procedures have been determined.

Personal data security issues are reported quickly

Personal data security is follow-up.

Data processing service providers are audited periodically on data security.

Awareness of data processing service providers on data security is provided.

In-house periodic and/or random audits are conducted and made.

7. REASONS REQUIRING THE DISPOSAL OF DATA

Personal data safe keeping within our company delete, destroye or ex officio delete, destroye or anonymize by our company upon the request of the person concerned in the following cases

• · •Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
• · •The disappearance of the purpose that requires processing or storage,
• · •In cases where the processing of personal data takes place only on the basis of explicit consent, withdrawing the explicit consent of the relevant person,
• · •Pursuant to Article 11 of the Law, acceptance of the application made by the relevant person regarding the deletion and destruction of his/her personal data by Our Company,
• · •In cases where Our Company rejects the application made by the relevant person for the deletion, destruction or anonymization of his/her personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; Making a complaint to the Board and this request being approved by the Board,
• · •In cases where the maximum period for keeping personal data has passed and there is no condition to justify keeping personal data for a longer period of time

It is deleted, destroyed or ex officio deleted, destroyed or anonymized by our company upon the request of the relevant person.

7. METHODS OF DISPOSAL

7.1. DELETION OF DATA

It is the process of making Personal Data inaccessible and non-reusable for Relevant Users in any way.

Personal Data is located in Physical Media: Data in such media, whose storage period has expired, are rendered inaccessible and non-reusable in any way. In this context, the blackout method can be used on the relevant data. The blackout method is done by cutting the personal data on the relevant document when possible, and making it invisible to other users by using marking ink in a way that cannot be returned and read with technological solutions in cases where it is not possible.

Personal Data is located in Electronic Media: Data is located in such media whose storage period has expired, methods are used to deleting the data from the relevant software in a such way that cannot be recovered while deleting.

7.2. DESTRUCTION OF DATA/b>
It is the process of making Personal Data inaccessible, unrecoverable and unusable by anyone in any way.

The data is located in such media, whose storage period has expired, is destroyed by using the appropriate methods of physical destruction or overwriting.

Network Devices: It is destroyed by using the appropriate method of magnetizing, physical destruction, overwriting in switches, routers, etc

Flash-Based Media: Destroyed using the appropriate manufacturer's recommended methods or physical destruction or overwriting.

Sim Card and Fixed Memory Cards: Destroyed using the appropriate physical destruction or overwriting method.

Optical Discs: Destroyed by physical methods.

Printer with Fixed Data Recording Medium, Door Access Systems with Fingerprint: It is destroyed by using the appropriate method of physical destruction or overwriting.

Paper etc. Medium: Personal data in paper medium are destroyed using paper shredders.

7.3. ANONYMIZATION OF DATA

It is the process of rendering Personal Data unrelated to an identified or identifiable natural person under any circumstances, even if it is matched with other data. Anonymization is the removal or change of all direct and/or indirect identifiers in a data set, preventing the identification of the data subject from being identified, or losing its distinctiveness in a group or crowd in a way that cannot be associated with a natural person. As a result of blocking or losing these features, data that does not point to a specific person is considered anonymized data. All of the bond breaking processes carried out by methods such as automatic or non-automatic grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where Personal Data is kept are called anonymization methods. It is based on researching whether there is a risk of reversing the anonymized Personal Data with various interventions and transforming the anonymized data into re-identifying and distinguishing real persons, and taking action accordingly.

8. DATA RETENTION PERIOD WITHIN THE SCOPE OF THE RELEVANT LEGISLATION

Retention periods are determined for all Personal Data stored within our company. When determining the retention periods, firstly the relevant legislation, if there is no period stipulated by the relevant legislation, the period required for the purpose of processing Personal Data is taken into account. Relevant periods are included in the Personal Data Inventory and Data Controllers’ Registry Information System.

The Personal Data mentioned in the Personal Data Processing Inventory are stored in accordance with the legal regulations in the table below and are destroyed on the first periodic destruction date following the storage period, unless there is any legal situation that interrupts or stops the statute of limitations.

Data Category	Data Retention Period
1-    Identity	Legal relationship+ 20 Years
2-    Contact	Legal relationship+ 20 Years
3-    Location	Termination of the labor contract + 10 years
4-    Personnel Information	Termination of the labor contract + 10 years
5-    Legal Transaction	Until the finalization of the relevant court decision or the expiration of time limit
6-    Customer Transaction	Legal relationship+ 10 Years
7-    Security of Physical Environment	1 Month
8-    Process Security	Until the termination of the labor contract
9-    Risk Management	Legal relationship+ 10 Years
10- Finance	Legal relationship+ 10 Years
11- Work Experience	Termination of the labor contract + 10 years
12- Marketing	Final treatment + 10 years
13- Visual and Auditory Records	1 Mont
14- Association Membership	Termination of the labor contract + 10 years
15- Foundation Membership	Termination of the labor contract + 10 years
16- Union membership	Termination of the labor contract + 10 years
17- Health Informations	Termination of the labor contract + 10 years
18- Criminal Conviction and Security Measures	Termination of the labor contract + 10 years
19- Biometric Data	Until the termination of the employment contract or the relevant authorization
20- Domain Knowledge	In case of a negative result of the application, until the destruction period, the termination of the employment contract + 10 years
21- Insurance Details	Termination of the labor contract + 10 years
22- Family Members and Close Information	Termination of the labor contract + 10 years
23- License Plate and Vehicle Licence Information	Termination of the labor contract + 10 years
24- Working Candidate Information	Termination of the labor contract + 10 years
25- Reference Informations and Evaluations	Termination of the labor contract + 10 years
Request/Complaint Information	Termination of the labor contract + 10 years

9. PERIODIC DESTRUCTION TIME

Pursuant to Article 11 of the Regulation, our Company has determined the period of periodic destruction as 6 months.[UKA1] belirlemiştir.

When the apply to our Company and request the deletion or destruction of their personal data, the relevant request is evaluated according to whether the conditions for processing personal data have been lifted. If the processing conditions for personal data are completely eliminated, our Company deletes, destroys or anonymizes the personal data subject to the request. If the processing conditions of personal data are not completely eliminated, the relevant request is rejected by explaining the reason. In any case, requests are finalized within 30 days and notified to the relevant person.

All transactions regarding the deletion, destruction and anonymization of Personal Data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

10. UPDATE PERIOD OF POLICY

The policy is reviewed by the PDP Committee as needed and the necessary sections are updated.

11. ENFORCEMENT OF THE POLICY

This Policy is deemed to have entered into force after its publication on our Company's website. It is considered valid and binding as of this date

Data Owner Application Form