PERSONAL DATA RETENTION AND DISPOSAL POLICY

This Personal Data Retention and Disposal Policy has been prepared by Hayati Yachting and Tourism Services Limited Company, acting as the data controller, in accordance with the Law on the Protection of Personal Data No. 6698 and the Regulation on Deletion, Destruction, or Anonymization of Personal Data, which constitutes secondary legislation under the Law, to fulfill our legal obligations and to inform data subjects about the principles for determining the maximum retention period required for the purposes for which their personal data is processed, as well as the deletion, destruction, and anonymization processes.

Definitions

Explicit Consent: Consent that is declared with free will, based on being informed, and regarding a specific matter.

Relevant User: Persons who process personal data within the organisation of the data controller or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Disposal: Deletion, destruction, or anonymisation of personal data.

Recording Medium: Any medium in which personal data processed by fully or partially automated means, or by non-automated means, provided that it forms part of a data recording system, is stored.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganising, disclosing, transferring, taking over, making accessible, classifying, or preventing its use, carried out by fully or partially automated means or by non-automated means, provided that it forms part of a data recording system.

Anonymisation of Personal Data: Rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data.

Deletion of Personal Data: Rendering personal data inaccessible and non-reusable in any way for Relevant Users.

Destruction of Personal Data: Rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any way.

Board: The Personal Data Protection Board.

Periodic Disposal: The deletion, destruction, or anonymisation process carried out ex officio at recurring intervals specified in the personal data retention and disposal policy, where all conditions for processing personal data outlined in the Law have ceased to exist.

Data Subject/Relevant Person: The natural person whose personal data is processed.

Principles

The Company acts within the framework of the principles set out below in relation to the retention and disposal of personal data:

  • In the deletion, destruction, and anonymisation of personal data, full compliance is ensured with the Law and relevant legislative provisions, Board decisions, and this Policy.
  • All actions taken regarding the deletion, destruction, and anonymisation of personal data are recorded by the Company, and such records are retained for at least three (3) years, without prejudice to other legal obligations.
  • Unless otherwise decided by the Board, the Company selects, at its discretion, the appropriate method among ex officio deletion, destruction, or anonymisation methods. However, if requested by the Relevant Person, the appropriate method will be selected by providing justification.
  • If all conditions for processing personal data outlined in Articles 5 and 6 of the Law cease to exist, personal data is deleted, destroyed, or anonymised by the Company ex officio or upon the request of the relevant person.

If the Relevant Person applies to the Company in this regard:

  • Submitted requests are responded to within thirty (30) days at the latest.
  • If the data subject to the request has been transferred to third parties, the third party to whom the data has been transferred is notified of the situation, and it is ensured that the necessary actions are taken by such third parties.

Explanations Regarding the Reasons Requiring Retention and Disposal

The personal data of data subjects is retained by the Company, particularly within the limits outlined in the Law and other relevant legislation for (i) sustaining commercial activities, (ii) fulfilling legal obligations, and (iii) planning and performance of employee rights and fringe benefits.

The reasons requiring retention are as follows:

  • Retention of personal data being directly related to the establishment and performance of contracts,
  • Retention of personal data being necessary for the establishment, exercise, or protection of a right,
  • Retention of personal data being mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Retention of personal data being necessary for the fulfilment of any legal obligation of the Company,
  • Retention of personal data being explicitly prescribed by legislation,
  • In the case of retention activities requiring the explicit consent of data subjects, the existence of the data subject’s explicit consent.

Pursuant to the Regulation, in the cases listed below, the personal data of data subjects is deleted, destroyed, or anonymised by the Company ex officio or upon request:

  • Where required due to the amendment or repeal of the relevant legislative provisions forming the basis for the processing or retention of personal data,
  • Where the purpose requiring the processing or retention of personal data ceases to exist,
  • Where the conditions requiring the processing of personal data under Articles 5 and 6 of the Law cease to exist,
  • Where the relevant person withdraws consent in cases where personal data processing is carried out solely based on explicit consent,
  • Where the data controller accepts the application made by the relevant person within the scope of Article 11 of the Law regarding the deletion, destruction, or anonymisation of personal data,
  • Where the data controller rejects the application made by the relevant person requesting the deletion, destruction, or anonymisation of personal data; where the response is deemed insufficient; or where the data controller fails to respond within the period prescribed by the Law, and the relevant person files a complaint with the Board, and such request is deemed appropriate by the Board,
  • Where, despite the expiry of the maximum period requiring retention of personal data, no condition exists that would justify retaining the personal data for a longer period.

Retention and Disposal Periods

In determining the retention and disposal periods of your personal data obtained by the Company in accordance with the Law and other relevant legislative provisions, the criteria listed below are used in the stated order:

  • If a retention period is stipulated in legislation for the relevant personal data, such period shall be complied with. Following the expiry of such period, the data will be handled within the scope of the item below.
  • If the period stipulated in legislation for the retention of the relevant personal data expires, or if no period is stipulated in the relevant legislation for the retention of such data, then, in order:
      ◦ Personal data is classified as (general) personal data or special categories of personal data on the basis of the definition set out in Article 6 of the Law. All personal data determined to be of a special category is disposed of. The method to be applied for the disposal of such data is determined according to the nature of the data and the degree of importance of its retention for the Company.
      ◦ The compliance of retaining the data with the principles set out in Article 4 of the Law is evaluated; for example, it is assessed whether the Company has a legitimate purpose for retaining the data. Data whose retention is determined to potentially constitute non-compliance with the principles in Article 4 of the Law is deleted, destroyed, or anonymised.
      ◦ It is determined under which exception(s) stipulated in Articles 5 and 6 of the Law the retention of the data may be evaluated. Within the framework of the determined exceptions, reasonable retention periods are identified. Upon the expiry of such periods, the data is deleted, destroyed, or anonymised.

You may access the retention, disposal, and periodic disposal periods determined by the Company in the annex to this Policy. Personal data whose retention period has expired is anonymised or disposed of in accordance with the disposal periods set out in the annex to this Policy, in six (6) month periods, in line with the procedures specified in this Policy. All actions taken regarding the deletion, destruction, and anonymisation of personal data are recorded, and such records are retained for at least three (3) years, without prejudice to other legal obligations.

Procedures, Technical and Administrative Measures Regarding the Retention and Disposal of Personal Data

Where it is necessary to process your personal data so that our Company can fulfil its obligations within the scope of employment, where data processing is mandatory for the establishment of a right, where it is necessary for you to benefit from customer services, consumer rights, and other opportunities and/or for the fulfilment of the related commercial, financial, and legal responsibilities and obligations, to ensure the security of our Company, or for the legitimate purposes of our Company, the personal data collected is entered into the personal data system. In addition, all data stored as digital copies is recorded on the Company’s server.

To ensure the secure retention of your personal data, to prevent unlawful processing and access, and to ensure lawful disposal of data, within the framework of the principles outlined in Article 12 of the Law, the administrative and technical measures taken by the Company are listed below:

Administrative Measures:

Within the scope of administrative measures, the Company:

  • Limits internal access to stored personal data to personnel who need access due to their job description. In limiting access, whether the data is of a special category and its degree of importance are also taken into consideration.
  • Notifies the relevant person and the Board as soon as possible if processed personal data is obtained by others through unlawful means.
  • Ensures data security by signing a framework agreement on the protection of personal data and data security with persons with whom personal data is shared, or by adding provisions to existing agreements.
  • Employs personnel who are knowledgeable and experienced in personal data processing and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
  • Performs and commissions the necessary audits to ensure the implementation of the Law within its legal entity. It remedies confidentiality and security vulnerabilities identified as a result of audits.
  • Ensures that adequate security measures are taken according to the environment in which personal data is stored (against electrical leakage, fire, flood, theft, etc.) and prevents unauthorised entry/exit to such environments.

Technical Measures:

Within the scope of technical measures, the Company:

  • Conducts the necessary internal controls within the established systems.
  • Executes the processes of information technologies risk assessment and business impact analysis within the established systems.
  • Ensures the provision of the technical infrastructure that will prevent and/or monitor data leakage outside the organisation and the creation of relevant matrices.
  • Ensures the control of system vulnerabilities by obtaining penetration testing services regularly and when needed.
  • Ensures that the access authorisations of employees working in information technology units to personal data are kept under control.
  • Ensures that personal data is destroyed in a manner that cannot be recovered and leaves no trace of the data.
  • Pursuant to Article 12 of the Law, protects all digital environments in which personal data is stored by encryption or cryptographic methods that meet information security requirements.
  • Ensures that the process logs of all activities performed on special categories of personal data are securely logged.
  • Continuously follows security updates related to the environments where data is stored and ensures that necessary security tests are regularly performed.
  • Where access to special categories of personal data is provided via software, carries out user authorisations for such software and ensures that security tests of such software are regularly performed.
  • Where remote access to special categories of personal data is required, provides at least a two-factor authentication system.
  • In cases where special categories of personal data are transferred:
      ◦ Where the data needs to be transferred via e-mail, ensures that it is transferred in encrypted form via a corporate e-mail address or by using a Registered Electronic Mail (KEP) account.
      ◦ Where the data needs to be transferred via portable media such as USB drives, CDs, or DVDs, ensures that it is encrypted using cryptographic methods.
      ◦ Where a transfer takes place between servers located in different physical environments, ensures that the transfer is carried out by establishing a VPN between the servers or via FTP.
      ◦ Where transfer of data in paper form is required, ensures that the document is sent in the format of “classified/confidential documents”.

Duties and Authorities of the Personal Data Protection Committee

The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business units and for monitoring the fulfilment of its requirements. The Committee makes the necessary announcements and notifications so that the relevant business units can follow legislative changes regarding personal data protection, the Board’s regulatory acts and decisions, court decisions, and changes in processes, practices, and systems, and can update business processes where necessary. The Committee determines, and announces to the relevant units, the processes for reviewing, evaluating, monitoring, and finalising the decisions and/or requests arising from the Law, secondary legislation, Board decisions and regulations, court decisions, and other competent authorities.

Entry into Force of the Policy, Breach Situations, and Sanctions

  • This Policy shall enter into force upon being announced to all employees and, as of its effective date, shall be binding for all business units, consultants, external service providers, and anyone who processes personal data.
  • Monitoring whether employees fulfil the requirements of the Policy shall be under the responsibility of the relevant employees’ supervisors. If non-compliance with the Policy is detected, the matter shall be immediately reported by the relevant employee’s supervisor to the next senior supervisor to whom they report.
  • If the non-compliance is of significant magnitude, the senior supervisor shall inform the Personal Data Protection Committee without delay.
  • Following an assessment to be carried out by Human Resources, the necessary administrative action shall be taken regarding the employee who acts in breach of the Policy.

Personal data shall be retained for the periods specified in the table below, taking into account the matters set out in Article 4 of the Policy, and upon the expiry of such periods, it shall be anonymised or destroyed:

Process | Retention Period | Disposal Period
--- | --- | ---
Data retained under the Labour Law (e.g., performance records) | 5 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Data collected under occupational health and safety legislation (e.g., health reports) | 15 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Data retained under the Social Security Institution (SGK) legislation | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Documents that may be used in a claim/lawsuit regarding an occupational accident/occupational disease | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Data collected pursuant to other relevant legislation | For the period stipulated in the relevant legislation | Within 180 days following the end of the retention period
Where the relevant personal data constitutes the subject matter of an offence under the Turkish Penal Code or other criminal legislation | For the statute of limitations period of the case | Within 180 days following the end of the retention period
Customer data | 10 years following the date of record creation | Within 180 days following the end of the retention period

If the Company’s purpose for using the relevant personal data has not ended, if the retention period prescribed by the relevant legislation for the relevant personal data exceeds the periods stated in the table, or if the statute of limitations period of a lawsuit regarding the relevant matter requires that the personal data be retained longer than the periods stated in the table, the periods stated in the table above may not apply. In such a case, whichever ends later among the purpose of use, special legislation, or the statute of limitations period of the lawsuit shall apply.