P.D.P.L - STORAGE AND DISPOSAL POLICY 

1. Purpose of the Policy
The purpose of our personal data storage and destruction policy is to reveal the philosophy, purpose and action plan we will follow in our processes of determining, deleting, destroying and anonymizing the maximum time required for the purpose of processing personal data as a data controller. In this context, our aim is to provide our employees, whose personal data we process, our administrative personnel, our visitors and the companies we cooperate with and Onurtaş Ticaret ve Demir San. A.S. to enlighten all third parties in relation to the processing of their data and their rights, and to act respectfully to personal data and therefore to private life by ensuring transparency in this regard.

2. Basis of the Policy

Our policy is based on the Law on the Protection of Personal Data dated 7.4.2016 and numbered 6698 (KVK K. numbered 6698) and the "Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224. (Regulation) has been created as a requirement of Articles 5 and 6.

3. Scope of the Policy

Our policy covers our employees, administrative staff, visitors and the institutions we cooperate with and Onurtaş Ticaret ve Demir San. A.S. All natural and legal persons in legal relationship with and their KVKK numbered 6698. It includes all personal data with and without special nature defined by. As stated in KVKK numbered 6698, the policy also covers personal data in systems where data is processed completely or partially automatically or non-automatic, provided that it is a part of any data recording system. Unless otherwise stated in the policy, personal data and special quality personal data will be referred to as "Personal Data" together.

4. Definitions

Related person: The real person whose personal data is processed,
Personal data: All kinds of information regarding an identified or identifiable natural person,
Personal data of special nature: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and their genetic data,
Explicit consent: Consent on a specific subject, based on information and disclosed with free will, Data controller: Real or legal person who determines the purposes and means of processing personal data, and who is responsible for the establishment and management of the data recording system.
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, through fully or partially automatic means or non-automatic means of personal data provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use,
Destruction: Deletion, destruction or anonymization of personal data,
Personal data storage and disposal table: Personal data onurtaş Ticaret ve Demir San. A.S. a table showing the periods to be kept with him,
Personal data processing inventory: Personal data processing activities carried out by data controllers depending on the business processes; the inventory that they have created by associating with the personal data processing purposes, the data category, the recipient group and the data subject group, and elaborated by explaining the maximum time required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
Deletion of personal data: The process of making personal data inaccessible and unavailable in any way for the relevant users,
Destruction of personal data: The process of making personal data inaccessible, retrieved and reusable by anyone,
Anonymization: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even if they are matched with other data,
Periodic destruction: The deletion, destruction or anonymization process specified in the personal data storage and disposal policy and will be carried out ex officio at repetitive intervals in case all of the personal data processing conditions in the Law are eliminated,
Data recording system: The recording system in which personal data are structured and processed according to certain criteria,
Board: refers to the Personal Data Protection Board.

5. General Principles Based on Policy

Data controller Onurtaş Ticaret ve Demir San. A.S. The following principles are followed in the processing of data.
5.1. Personal data can only be processed in accordance with the procedures and principles stipulated in KVKK numbered 6698 and other laws.
5.2. The following principles must be followed in the processing of personal data:
a) Compliance with the law and good faith.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and measured for the purpose for which they are processed.
d) Being kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

6. Recording Media Regulated by the Policy
All kinds of media containing personal data processed in a fully or partially automatic way or non-automatic means provided that it is a part of any data recording system are within the scope of recording medium.
7. Duties and Powers of the Personal Data Protection Committee
7.1. The Personal Data Protection Committee is responsible for the announcement of this Policy to the relevant business units and the requirements of Onurtaş Ticaret ve Demir San. A.S. It is responsible for the follow-up of its fulfillment by its units.
7.2. The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business units to follow up on the legislative changes regarding the protection of personal data, the regulatory actions and decisions of the Personal Data Protection Board (Board), court decisions or changes in processes, applications and systems, and to update their business processes if necessary. .
7.3. Personal Data Protection Committee KVKK numbered 6698. and secondary regulations as well as the decisions and regulations of the Board, court decisions and the processes for the examination, evaluation, follow-up and finalization of the decisions and / or requests of other competent authorities and announces them to the relevant units.

8. What To Do When The Conditions For The Processing Of Personal Data Come Out
8.1. The disappearance of the purpose element for the processing of personal data, the revocation of express consent, or the disappearance of all 3 terms of processing personal data specified in Articles 5 and 6 of KVK Law No.6698, or a situation where none of the exceptions in the mentioned articles can be applied. In the event that the processing conditions are lifted, the personal data are deleted, destroyed or anonymized by the relevant business unit by explaining the reason for the applied method within the scope of Articles 7 to 10 of the Regulation, considering the business needs. However, in case of a final court decision, it is obligatory to apply the method of destruction determined by the court decision.
8.2. All users who process or store personal data and data owner Onurtaş Ticaret ve Demir San. A.S. units will check whether the conditions for processing have been eliminated or not, in the data recording media they use, within a period of six months at the latest. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review on the data recording media they use, regardless of the periodic inspection period.
8.3. As a result of periodic reviews or when it is determined that the data processing conditions have disappeared at any time, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording media under his responsibility, in accordance with this policy. In cases of doubt, action will be taken in consultation with the relevant data owner business unit. When it is necessary to take a decision regarding the destruction of personal data with multi-stakeholder data in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken and the data owner business regarding the storage or deletion, destruction or anonymization of the data in accordance with this policy. will be decided by the department.
8.4. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and the said records are kept for at least one year, excluding other legal obligations.
8.5. In accordance with Articles 4 and 7 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be explained in the Data Destruction Procedure to be published after the entry into force of this Policy.
8.6. In the deletion, destruction or anonymization of personal data, the general principles in Article 4 of KVKK numbered 6698 and technical and administrative measures to be taken within the scope of Article 12, relevant legislation provisions, Board decisions and personal data storage and destruction policy is required.
8.7. The real person who owns a personal data, according to the 13th article of KVKK numbered 6698, Onurtaş Ticaret ve Demir San. A.Ş., when it requests the deletion, destruction or anonymization of its personal data, the relevant data owner business unit examines whether all the personal data processing conditions have been eliminated. If all the processing conditions have disappeared; It deletes, destroys or anonymizes the personal data subject to the request. In this case, as the details are determined in the Data Destruction Procedure; The request is concluded within thirty days at the latest from the date of application and the applicant is informed through the relevant board. If all the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer is made and ensures that the necessary actions are taken within the scope of the Regulation at the third party.
8.8. In cases where all the personal data processing conditions are not eliminated, the requests of the personal data owners for the deletion or destruction of their data are sent to Onurtaş Ticaret ve Demir San. A.S. 6698 numbered KVK Law 13th paragraph 3 of the article in accordance with the reason can be rejected by explaining. The rejection is notified to the relevant person in writing or electronically within 30 days at the latest.
8.9. Requests for deletion or destruction of personal data will only be considered on the condition that the identity of the relevant person has been identified. In requests to be made outside of these channels, the relevant persons will be directed to channels where identification or verification can be made.
9.Enforcement of the Policy, Violations and Sanctions
9.1. This Policy will come into effect by announcing to all employees and as of its effect, all business units, consultants, external service providers and other Onurtaş Ticaret ve Demir San. A.S. will be binding for anyone who processes personal data with him.
9.2. Onurtaş Ticaret ve Demir San. A.S. It will be the responsibility of the supervisors of the relevant employees to monitor whether their employees fulfill the requirements of the Policy. When violations of the policy are detected, the matter will be immediately reported to a higher manager, who is affiliated with the relevant employee's supervisor. If the violation is of a significant extent, the Personal Data Protection Committee will be informed without delay by the supervisor.
9.3. The necessary administrative action will be taken about the employee who acts against the policy after the evaluation by the Human Resources unit.
9.4. In order to fulfill the policy requirements, Onurtaş Ticaret ve Demir San. A.S. by; All necessary security measures are taken, including the measures prescribed by the ISO standard and all relevant ministries.

10. Persons to be Involved in Personal Data Storage and Destruction Processes and Their Responsibilities
Onurtaş Ticaret ve Demir San. A.S. All employees, consultants, external service providers and others, Onurtaş Ticaret ve Demir San., in the fulfillment of the requirements regarding the destruction of the data specified in the Regulation of KVKK numbered 6698 and this Policy. A.S. Everyone who stores and processes personal data with him is responsible for fulfilling these requirements. Each business unit is obliged to store and protect the data produced in its own business processes; However, if the data produced is only in information systems outside of the control and authority of the business unit, the said data will be stored by the units responsible for the information systems. Periodic destructions that will affect business processes and cause data integrity to deteriorate, data loss and results contrary to legal regulations will be made by the relevant information systems departments, taking into account the type of personal data, the systems in which it is located and the data owner business unit.

11.Personal Data Storage and Destruction Periods
Storage and Destruction Periods of Personal Data are listed below. The storage and destruction periods will be taken into account in periodic destruction or destruction operations to be carried out upon request. It will be updated by the business units that own the processes to be included in the Table Showing Personal Data Storage and Destruction Times, in case of hesitation, taking into account the evaluation of the Personal Data Protection Committee.
6098 numbered TBK article 146: 10 years
Relevant Legislation: For the prescribed period

12. Periodic Destruction Times
Periodic Disposal of Personal Data is determined by the relevant business units that have the data. This period cannot exceed 6 (six) months in any case.

13. Effectiveness
13.1. The policy will enter into force as of the date of publication.
13.2. The policy of Onurtaş Ticaret ve Demir San. A.S. It is the responsibility of the Personal Data Protection Committee to announce throughout and to make the necessary updates.

Regards.

Onurtaş Ticaret ve Demir San. A.S. (Data Supervisor)


ADDRESS: REPUBLIC OF CUMHURİYET KARAYEL SOKAK NO: 15 ŞEKERPINAR - ÇAYIROVA / KOCAELİ

E-MAIL: satis@onurtas.com.tr

PHONE: 444 12 23

KEP ADDRESS: onurtas@hs01.kep.tr