Personal Data Retention and Destruction Policy

AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

Table of Contents

1. SECTION: NATURE AND PURPOSE OF THE DESTRUCTION POLICY

1.1. INTRODUCTION

1.2. DEFINITIONS

2. SECTION: STORAGE ENVIRONMENTS AND SECURITY MEASURES

2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED

2.2. ENSURING THE SECURITY OF ENVIRONMENTS

2.2.1. Technical Measures

2.2.2. Administrative Measures

2.2.3. Internal Audit

3. SECTION: DESTRUCTION OF PERSONAL DATA

3.1. REASONS FOR RETENTION AND DESTRUCTION

3.1.1. Reasons for Retention

3.1.2. Reasons for Destruction

3.2. METHODS OF DESTRUCTION

3.2.1. Deletion Methods

3.2.2. Destruction Methods

3.2.3. Anonymization Methods

3.3. RETENTION AND DESTRUCTION PERIODS

3.3.1. Retention Periods

3.3.2. Destruction Periods

3.4. PERIODIC DESTRUCTION

3.5. AUDIT OF LEGAL COMPLIANCE OF DESTRUCTION OPERATIONS

3.5.1. Technical Measures

3.5.2. Administrative Measures

4. SECTION: PERSONAL DATA COMMITTEE

5. SECTION: UPDATE AND COMPLIANCE

1. SECTION: NATURE AND PURPOSE OF THE DESTRUCTION POLICY

1.1. INTRODUCTION

This Destruction Policy has been prepared by AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY ("AIRONN") as the data controller in accordance with the Law on Protection of Personal Data No. 6698 and other relevant regulations to determine the procedures and principles for the deletion, destruction, or anonymization of personal data held by AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY.

In this context, the personal data of our employees, employee candidates, customers, and all real persons whose personal data is held by AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY for any reason are managed in accordance with the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy in compliance with the law.

1.2. DEFINITIONS

Direct Identifiers: Identifiers that directly reveal, disclose, and distinguish the associated individual.

Indirect Identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the associated individual.

Data Subject: The real person whose personal data is processed.

Destruction: The deletion, destruction, or anonymization of personal data.

Law: The Law on the Protection of Personal Data No. 6698, published in the Official Gazette on April 7, 2016, with issue number 29677.

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017, with issue number 30224.

Board: The Personal Data Protection Board.

Recording Medium: Any environment where personal data is processed, whether fully or partially automated or as part of any data recording system that is not automated.

Personal Data Processing and Protection Policy: The policy that determines the procedures and principles for managing personal data held by AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY.

Data Recording System: The recording system where personal data is processed by structuring it according to specific criteria.

2. SECTION: STORAGE ENVIRONMENTS AND SECURITY MEASURES

2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED

The personal data held by AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY is stored in an environment appropriate to the nature of the data and legal obligations.

The storage environments used for personal data are generally listed below. However, some data may be stored in different environments due to their specific characteristics or legal obligations. In any case, AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY acts as the data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy.

a) Printed environments: Environments where data is stored on paper or microfilm.

b) Local digital environments: Servers, fixed or portable disks, optical disks, and other digital environments within AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY.

c) Cloud environments: Internet-based systems encrypted with cryptographic methods that are not within AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY but are used by it.

2.2. ENSURING THE SECURITY OF ENVIRONMENTS

AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY takes all necessary technical and administrative measures appropriate to the nature of the personal data and the environment where it is stored to ensure its secure storage and to prevent unlawful processing and access.

These measures include but are not limited to the following technical and administrative measures appropriate to the nature of the personal data and the storage environment:

2.2.1. Technical Measures

• Only up-to-date and secure systems that comply with technological advancements are used in the environments where personal data is stored.

• Security systems are employed for the environments where personal data is stored.

• Security tests and research are conducted to detect vulnerabilities in information systems, and identified risks are mitigated based on test and research results.

• Access to environments where personal data is stored is restricted to authorized personnel, and all access is recorded.

• AIRONN VENTILATION INDUSTRY JOINT STOCK COMPANY employs sufficient technical personnel to ensure the security of the environments where personal data is stored.

2.2.2. Administrative Measures

AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ implements the following administrative measures to ensure that all environments where personal data is stored comply with the nature of the respective data and storage medium:

• Efforts are made to raise awareness and educate all employees of AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ on information security, personal data protection, and privacy.

• Legal and technical consultancy services are obtained to monitor developments in information security, privacy, and personal data protection and to take necessary actions.

• In cases where personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties to ensure the protection of personal data, and all necessary measures are taken to ensure their compliance with these protocols.

2.2.3. Internal Audits

AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ conducts internal audits to ensure compliance with the provisions of the Law and this Personal Data Retention and Destruction Policy, as well as the Personal Data Processing and Protection Policy, in accordance with Article 12 of the Law. If deficiencies or errors in the implementation of these provisions are identified during internal audits, they are immediately rectified. If it is determined during an audit or by other means that personal data under the responsibility of AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ has been unlawfully obtained by third parties, AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ shall notify the relevant parties and the Board as soon as possible.

3. SECTION: DESTRUCTION OF PERSONAL DATA

3.1. REASONS FOR RETENTION AND DESTRUCTION

3.1.1. Reasons for Retention

Personal data held within AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ is stored in accordance with the Law and our Personal Data Policy for the purposes and reasons stated herein.

3.1.2. Reasons for Destruction

Personal data within AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ is deleted, destroyed, or anonymized upon request by the data subject or ex officio in accordance with this destruction policy if the reasons stated in Articles 5 and 6 of the Law cease to exist.

The reasons stated in Articles 5 and 6 of the Law are as follows:

a) Explicitly stipulated by laws.

b) Necessity for protecting the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not legally valid.

c) Requirement for processing personal data of the parties to a contract if it is directly related to the establishment or execution of the contract.

d) Necessity for the data controller to fulfill a legal obligation.

e) The data subject has made their personal data public.

f) Necessity for the establishment, exercise, or protection of a right.

g) Processing of data is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

3.2. METHODS OF DESTRUCTION

AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ deletes, destroys, or anonymizes personal data in accordance with the Law, other regulations, and the Personal Data Processing and Protection Policy, either upon request of the data subject or ex officio within the time frames specified in this Personal Data Retention and Destruction Policy.

The most commonly used deletion, destruction, and anonymization techniques by AIRONN HAVALANDIRMA SANAYİ ANONİM ŞİRKETİ are listed below:

3.2.1. Deletion Methods

Deletion Methods for Personal Data Held in Physical Format

• Redaction: Personal data in physical format is deleted using the redaction method. This involves removing personal data from documents by physically cutting it out where possible or making it unreadable with permanent ink in an irreversible manner.

Deletion Methods for Personal Data Stored in Cloud and Local Digital Environments

• Secure deletion via software: Personal data stored in cloud or local digital environments is deleted via digital commands in a way that prevents its recovery. Once deleted, these data cannot be accessed again.

3.2.2. Destruction Methods

Destruction Methods for Personal Data Held in Physical Format

• Physical destruction: Documents stored in physical format are destroyed using shredders in a way that prevents them from being reassembled.

Destruction Methods for Personal Data Stored in Local Digital Environments

• Physical destruction: This includes the melting, burning, or pulverizing of optical and magnetic media containing personal data to physically destroy the data.

• Degaussing: This method involves exposing magnetic media to a high magnetic field, thereby rendering the data unreadable.

• Overwriting: Data stored on magnetic and rewritable optical media is overwritten with random sequences of 0s and 1s at least seven times to prevent the recovery of old data.

Methods for Destruction of Personal Data Stored in the Cloud Environment

Secure Deletion from Software:

Personal data stored in the cloud environment is deleted using a digital command in a way that it can no longer be recovered. When the cloud computing service relationship ends, all copies of encryption keys necessary to make personal data usable are destroyed. Data deleted in this way becomes irretrievable.

3.2.3. Anonymization Methods

Anonymization is the process of making personal data unidentifiable or untraceable to any specific or identifiable individual, even if it is matched with other data.

• Removal of Variables:

This involves the removal of one or more direct identifiers in personal data that could be used to identify the individual. This method can be used either to anonymize the data or to remove information from personal data that is not relevant to the purpose of data processing.

• Regional Masking:

This involves the removal of identifiable information that may distinguish certain data within a dataset of anonymized personal data.

• Generalization:

This method aggregates personal data of many individuals, removing distinguishing information and converting it into statistical data.

• Lower and Upper Bound Coding / Global Coding:

Ranges for a specific variable are defined and categorized. If the variable does not contain a numerical value, closely related data within the variable is categorized. Values within the same category are then combined.

• Micro-Aggregation:

In this method, all records in the dataset are first ordered according to a meaningful sequence, then the entire dataset is divided into a specified number of subsets. Afterward, the average value for a variable of each subset is used to replace the individual value for that variable. This distorts indirect identifiers within the data, making it more difficult to relate the data to the individual.

• Data Scrambling and Distortion:

Direct or indirect identifiers in personal data are mixed with or distorted by other values to sever the link with the individual, causing them to lose their identifying characteristics.

AIRONN AIR CONDITIONING INDUSTRY INC. uses one or more of these anonymization methods according to the nature of the relevant data for anonymizing personal data. AIRONN AIR CONDITIONING INDUSTRY INC. may use K-Anonymity, L-Diversity, and T-Closeness statistical methods when applying these anonymization methods.

3.3. STORAGE AND DESTRUCTION PERIODS

3.3.1. Storage Periods

PERSONAL DATA CATEGORIZATION | MAXIMUM STORAGE PERIODS

• Personnel Information

1. For employees who have not suffered work accidents or occupational diseases during the employment contract, personal data is retained for 5 years after the termination of the employment relationship. The period begins from the end of the last working period in cases of intermittent employment.

2. For employees who have suffered work accidents or occupational diseases, or are at risk, personnel records may be kept for 10 years from the date of the accident or disease detection. The longer storage period (5 years from termination of the relationship / 10 years from the accident/diagnosis date) will apply.

• Employee Health Files

Employee health files are retained for 15 years from the employee's termination date.

• Candidate Information

Resumes are retained for a maximum of 2 years, or for the duration in which the resume remains valid.

• Customer Information

Information that supports commercial books and records, including invoices, is retained for 10 years under Article 82 of the Turkish Commercial Code. Other customer data is retained for the necessary duration for the purpose it is processed.

• Visitor Information

Retained for 2 years.

• Business Partner/Solution Partner/Consultant Information

Information is retained during the commercial relationship with AIRONN AIR CONDITIONING INDUSTRY INC. and for 10 years after the relationship ends, in accordance with Article 146 of the Turkish Code of Obligations.

• Personal Data Shared by Institutions/Companies Collaborating with AIRONN AIR CONDITIONING INDUSTRY INC.

Personal data shared by collaborating institutions/companies is retained during the commercial relationship and for 10 years after it ends, in accordance with Article 146 of the Turkish Code of Obligations.

• Potential Customer Information

Retained for 2 years.

If the legislation provides for a longer retention period, or if there are statutes of limitations, prescription periods, or other provisions for longer periods, those legal periods are accepted as the maximum storage periods.

3.3.2. Destruction Periods

In accordance with the Law, relevant regulations, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy, AIRONN AIR CONDITIONING INDUSTRY INC. will delete, destroy, or anonymize the personal data within the first periodic destruction process after the obligation to destroy, delete, or anonymize personal data arises.

If the data subject requests the deletion or destruction of their personal data under Article 13 of the Law, AIRONN AIR CONDITIONING INDUSTRY INC. will delete, destroy, or anonymize the personal data within 30 (thirty) days from the receipt of the request, explaining the reason. AIRONN will confirm receipt of the request and notify the individual in writing or electronically.

If the conditions for processing personal data are not fully removed, the request can be rejected by AIRONN, with a reason explained, and the rejection will be notified within thirty days.

3.4. PERIODIC DESTRUCTION

If all conditions for processing personal data have been removed, AIRONN will delete, destroy, or anonymize the personal data that no longer requires processing in accordance with this Personal Data Storage and Destruction Policy during recurring periodic destruction processes.

Periodic destruction occurs every 6 months.

3.5. MONITORING COMPLIANCE WITH LEGALITY OF DESTRUCTION PROCESSES

AIRONN ensures that personal data deletion, destruction, and anonymization processes are carried out in accordance with the Law, other regulations, and this policy.

3.5.1. Technical Measures

• AIRONN provides appropriate technical tools and equipment for each method of destruction outlined in this policy.

• AIRONN ensures the security of the locations where destruction occurs.

• AIRONN keeps access records for individuals performing destruction tasks.

• AIRONN employs qualified and experienced personnel for destruction processes or hires competent third parties when necessary.

3.5.2. Administrative Measures

• AIRONN conducts training to raise awareness of data security, personal data, and privacy among employees handling destruction.

• AIRONN obtains legal and technical consultancy services to stay updated on developments related to data security, privacy, and secure destruction techniques.

• AIRONN signs protocols with third parties handling destruction to ensure compliance with data protection regulations.

• AIRONN regularly audits destruction processes to ensure they comply with the law and this policy and takes necessary actions.

• AIRONN records all actions related to personal data deletion, destruction, and anonymization, and retains these records for at least three years, except for other legal obligations.

4. SECTION: PERSONAL DATA COMMITTEE

AIRONN VENTILATION INDUSTRY INC. establishes a Personal Data Committee within its organization. The Personal Data Committee is authorized and responsible for taking the necessary actions and overseeing the processes to ensure that personal data is stored and processed in compliance with the law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Destruction Policy.

The Personal Data Committee consists of three members: a manager, an administrative expert, and a technical expert. The titles and job descriptions of the employees assigned to the Personal Data Committee within AIRONN VENTILATION INDUSTRY INC. are outlined below:

Title | Job Description

Personal Data Committee Manager:

Responsible for leading all planning, analysis, research, and risk assessment activities within projects carried out for compliance with the law; managing processes to be executed in accordance with the Law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Destruction Policy; and making decisions on requests submitted by relevant persons.

KVK Specialist (Technical and Administrative):

Responsible for reviewing the requests of relevant persons and reporting them to the Personal Data Committee Manager for evaluation; carrying out the actions on the relevant person requests as decided by the Personal Data Committee Manager; overseeing the retention and destruction processes and reporting the audits to the Personal Data Committee Manager; and ensuring the proper execution of retention and destruction processes.

5. SECTION: UPDATES AND COMPLIANCE

AIRONN VENTILATION INDUSTRY INC. reserves the right to amend the Personal Data Processing and Protection Policy or this Personal Data Retention and Destruction Policy due to changes in the Law, institutional decisions, or developments in the sector or the field of information technology.

Any amendments made to this Personal Data Retention and Destruction Policy will be immediately reflected in the text, and explanations regarding the changes will be provided at the end of the policy document.