1. Purpose
This Personal Data Storage and Disposal Policy (“Policy”) was issued to determine the principles and procedures regarding the retention, and subsequent deletion, destruction, or anonymization, of personal data processed and retained by Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi (“Lotus” or “Company”).
With this Policy, the Company aims to set forth the general principles and procedures it follows in the storage and disposal of the personal data of data subjects who are subject to personal data processing activities, and in the fulfillment by the Company and its Data Processors of the obligations stipulated by legal regulations.
Unless indicated otherwise in this Policy, documents referenced in the Policy involve both printed and electronic copies.
This policy is not applicable to data that do not qualify as personal data.
The following principles shall apply to storage and disposal of personal data:
- General principles in article 4 of the Law no. 6698 on Protection of Personal Data (“LPPD/PPD Law”) and principles in article 7 of the Regulation shall be observed.
- The Company acknowledges that issuance of this Policy does not in itself mean that personal data are disposed of pursuant to the legislation.
- The Company acknowledges, declares, and represents that it shall act pursuant to this Policy and the legislation in the storage or disposal of personal data.
In case of a discrepancy between regulations of the applicable legislation and this Policy, regulations of the applicable legislation shall prevail.
2. Scope
This Policy involves retention and disposal activities for obtained personal data belonging to the following individuals:
- Our Company’s employees, prospective employees, interns, former employees, and their relatives,
- Our group company’s employees, prospective employees, former employees, interns, and their relatives,
- Representatives, agents, and shareholders of our Company and group companies,
- Employees, representatives, and agents of our business partners,
- Our customers and prospective customers,
- Public/private institution and organization employees,
- Legally authorized individuals,
- Our visitors,
- Other third parties.
Explanations regarding these groups of people are provided in ANNEX-1.
This Policy shall involve all personal data that we obtain through electronic, physical, and other media and store on electronic, physical, and similar media.
3. Authorities and Responsibilities
Information Technologies Supervisor: Coordination and management of conformity with personal data storage period and periodic disposal procedure as the Policy Implementation Manager
Information Technologies Specialists: Conducting disposal of personal data on electronic media as the Policy Implementation Officer
CEO: The CEO is responsible for conducting disposal of personal data on physical media and implementation of this Policy pursuant to their duties as the Implementation Officer.
4. Definitions
Meanings of the technical terms used in the Policy are given below.
Recipient Group : Category of natural or legal persons to which the personal data are transferred by the data controller.
Data Subject : Persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and back up of personal data.
Disposal : Erasure, destruction or anonymization of personal data.
Law : Personal Data Protection Law no. 6698 of 24/3/2016.
Recording Medium : Any type of environment that keeps the personal data processed wholly or partially by automated means or non-automated means, provided that they form part of a data recording system.
Personal Data Processing Inventory: The inventory where the following items are explained and detailed: personal data processing activities performed by data controllers depending on their business processes; maximum period that is required for the purposes relating to the purposes of personal data processing and determined in association with purposes of personal data processing, data category, recipient group to whom the data are transferred, and data subject groups; personal data estimated to be transferred to foreign countries; and measures taken in respect of data security.
Board : Personal Data Protection Board.
Periodic Disposal : The erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist.
Registry : Data Controllers’ Registry kept by Personal Data Protection Authority.
Data Recording System : The filing system where personal data are processed by being structured according to specific criteria.
Data Controller : (Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi) The natural or legal person who determines the purpose and means of processing personal data and is responsible for the establishment and management of the data filing system.
Anonymization : Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Deletion : Rendering personal data inaccessible and nonreusable by relevant users.
Destruction : Rendering personal data inaccessible, nonrestorable and nonreusable by anyone.
Direct Identifiers : Standalone identifiers that directly reveal, disclose, and distinguish the person, whom they are associated with.
Indirect Identifiers : Identifiers that reveal, disclose, and distinguish the person, whom they are associated with, in combination with other identifiers.
Obfuscation : Actions such as blacking out, painting over, and blurring all personal data, so that they cannot be associated with an identified or identifiable natural person.
Masking : Actions such as erasing, blacking out, painting over, and using asterisks to hide certain personal data, so that they cannot be associated with an identified or identifiable natural person.
Electronic Medium : Media where personal data can be generated, read, modified, and written by means of electronic devices.
Non-Electronic Medium : Any recording medium other than electronic media, where personal data are available on written, printed, visual, or similar media.
5. Personal Data Storage Media
Personal data belonging to data subjects are stored securely on the following media pursuant to the LPPD and applicable legislation.
Electronic Media : Personal data can be stored on the following electronic media.
- Desktop and laptop computers,
- Mobile devices,
- E-mail servers,
- Message boxes of social media accounts,
- Software and connected Databases (Backup Software, Active Directory, Eba, QDMS, ERP, SQL DB, IFS, Tilcomp, Meditek İSG),
- System rooms,
- Portable media (Flash Drive, CD and DVD, etc.),
- Disk drives used for data storage on network.
Accordingly, all personal data that we obtain on physical media, verbally, or as printed paper, forms, or documents, but which are then recorded on a fully or partially automated system, are considered to be stored on electronic media.
Non-Electronic Media : Personal data can be stored on non-electronic media as paper, form, document, agreement, or any printed asset. The media, where printed assets are stored, are indicated below.
- Locked cabinets in Lotus offices,
- Boards in Lotus offices and warehouses,
- Archive rooms in Lotus offices,
- Drawers and folders in Lotus offices.
Accordingly, personal data that we obtained from electronic media but then printed out or wrote on paper, forms, or documents for storage are also considered to be stored on physical media.
6. Individuals that Manage and Serve in the Personal Data Retention and Disposal Process
The processes, units, and titles of the executives and officers involved in personal data retention and disposal are given below.

| Process | Unit | Title |
|---|---|---|
| Storage of Job Application Form, CV, and character analysis tests | Human Resources | Human Resources Manager |
| Storage of personnel files | Human Resources | Human Resources Manager |
| Storage of performance scorecards | Human Resources | Human Resources Manager |
| Storage of data collected within the scope of occupational health and safety legislation (medical reports, etc.) | | Occupational Physician |
| Storage of data regarding occupational accident/occupational disease | | Occupational Physician |
| Storage of audit reports | Quality | Quality Officer |
| Storage of consumer complaints | Quality | Quality Officer |
| Visitor book keeping | Administrative Affairs | Administrative Affairs Specialist |
| Compensation/advance/debt enforcement payments | Finance | Finance Manager |
| Storage of current account cards and invoices | Finance | Finance Manager |
| Storage of agreements | Accounting | Accounting Manager |
| Storage of laboratory device maintenance, laboratory temperature, and pH forms | Quality | Quality Officer |
| Real-time video recording and storage inside and outside the Company | Electrical and Technical Projects | Senior Electrical and Technical Projects Manager |
| Storage of website login/logout data | Information Processing | Information Processing Supervisor |
| Backup of used program data and e-mails | Information Processing | Information Processing Supervisor |
| Recording and storage of workplace entries/exits | Information Processing | Information Processing Supervisor |
7. Technical and Administrative Measures Taken for Storage of Personal Data and to Ensure Prevention of Unlawful Processing and Access
Technical Measures Taken for Lawful Storage of Your Personal Data and to Ensure Prevention of Unlawful Processing and Access
- Personal data storage, processing, and access activities are inspected by installed technical systems.
- Software and hardware, including antivirus systems and firewalls, are used.
- Technical measures, which are taken, are reported to the relevant party.
- Periodic penetration testing is conducted to identify risks and vulnerabilities pertaining to information systems and necessary security measures are taken.
- Risks pertaining to information technologies are managed with effective risk assessment and response mechanisms.
- Employees with technical knowledge are employed.
- Access authorizations are restricted and authorizations are reviewed regularly.
- Backup software is used in a lawful manner to ensure secure backup of personal data.
- Physical environments containing personal data are secured and necessary measures are taken to prevent unauthorized access to such areas.
- Strict access controls are implemented in systems, where private personal data are processed, to ensure that only authorized individuals access such data; operational records are kept in compliance with the legislation; and data are kept in secure environments.
- Accesses to data storage areas containing personal data are logged and unauthorized accesses or access attempts are instantly notified to relevant parties.
- Suitable security patches are installed on systems in a timely manner, information systems are kept current, strong password policies are implemented to ensure security of access, and secure protocol (HTTPS) is used for online access.
Administrative Measures Taken for Lawful Storage of Personal Data and to Ensure Prevention of Unlawful Processing and Access
- Employees are informed and trained about personal data protection law and lawful storage and processing of personal data.
- Necessary trainings are provided to employees assigned in private personal data processing operations; access authorization for such data is restricted only to relevant individuals; and confidentiality commitment is obtained from employees.
- The personnel that process, store, and access personal data are identified in the Personal Data Processing inventory.
- During data transfers performed on paper media, physical security measures are taken and documents are transmitted to relevant individuals or units upon performance of confidentiality classification.
- Specific analyses are conducted for all departments in respect of all of the performed activities and, as a result of such analysis, personal data processing activities are carried out specific to commercial and administrative activities performed by relevant business units.
- In order to fulfill legal compliance requirements, established on a department basis, awareness is raised and implementation rules are determined specific to the relevant departments; administrative measures necessary for ensuring inspection of these matters and continuity of implementation are adopted by means of internal policies and trainings.
- Employees are informed that they cannot disclose the personal data, which they find out, to another party and they cannot use such data for purposes other than processing in violation of the provisions of the Law no. 6698 on Protection of Personal Data and this obligation shall remain in effect after they leave their offices, and necessary commitments are obtained from them accordingly.
- Aside from instructions of Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi and exceptions imposed by the law, stipulations that impose obligations not to process, disclose, and use personal data are included in contracts and documents, which govern the legal relationship between employees; thus, awareness is raised among employees.
- Periodic inspections are carried out within the Company and taken actions are reported to ensure sustainability of practices regarding personal data security.
8. Technical and Administrative Measures Taken to Destroy Personal Data in Compliance with the Law
- Secure Deletion via Software: When data processed by completely or partially automated means and stored on digital media are deleted, methods are used that render the personal data irrecoverably inaccessible and nonreusable by relevant users from within the relevant software.
- Deletion of Relevant Data by Issuing Delete Command on Cloud System: Removing the relevant user's access rights on the file, or on the directory containing the file, on the central server; deleting the relevant rows in databases with database commands; or deleting data on removable media such as flash drives using suitable software all fall within this scope.
However, if deleting personal data would render other data in the system inaccessible or unusable, the personal data shall be deemed deleted if they are archived in a manner that cannot be associated with the relevant person, provided that the following conditions are met:
- The data are inaccessible to any other institution, organization, or person,
- All technical and administrative measures are taken to ensure that only authorized people are able to access the personal data.
- Secure Deletion by a Specialist: In certain cases, Lotus may employ a specialist to delete personal data on its behalf. In this case, personal data shall be securely deleted by the specialist, rendering personal data inaccessible and nonreusable by Relevant Users.
- Obfuscation of Personal Data on Paper Media: To prevent misuse of personal data, or to delete data whose deletion has been requested, the relevant personal data are physically cut out and removed from the document, or rendered illegible by covering them with indelible ink so that they cannot be recovered and read by technological means.
- Demagnetization: Treating magnetic media with special devices, where they will be exposed to highly magnetic fields, to corrupt data on the media, rendering them unreadable.
- Physical Destruction: Personal data can also be processed by non-automated means as part of a data recording system. When such data are destroyed, physical destruction is applied in a manner that prevents the personal data from being used later. Data on paper and microfiche are also destroyed in this manner because they cannot be destroyed otherwise.
- Overwriting: Random data consisting of 0s and 1s are written at least seven times over magnetic media and rewritable optical media using special software.
- Logging and Inspection: The procedures performed during deletion, destruction, and anonymization of personal data are recorded. These log records are protected so that only authorized individuals have access, the action history can be reviewed as necessary for inspection purposes, and the integrity of the records is assured.
- Periodic Disposal Schedule: In the event that the circumstances for processing personal data no longer exist, the relevant data are deleted, destroyed, or anonymized in certain intervals. These periodic disposal procedures are carried out on the basis of periods defined in the personal data storage and disposal policy; transactions may be conducted automatically or manually.
- Automated Deletion/Disposal Systems: Personal data deletion or destruction procedures can be carried out automatically upon expiration of the retention period set on the system. In this scope, period-based triggers are defined and automated disposal processes are run in certain intervals by means of software systems.
- Anonymization methods that do not provide value irregularity: These methods anonymize a data set by generalizing a group of personal data, substituting values, or removing a particular data item or sub-group from the set, without changing, adding to, or removing from the personal data that remain stored.
- Variable Removal: The data set formed after the collected data are accumulated is anonymized by removing the “highly descriptive” variables from it.
- Record Removal: Retained data are anonymized by removing from the records those rows that are singular (unique) among the data.
- Partial Hiding: If a single data item is identifying because it forms a combination that occurs very rarely, anonymization is achieved by hiding that data item.
- Lower and Upper Limit Coding: Values in a data set that contains predefined categories are anonymized by grouping them, according to a set criterion, into lower and upper limit categories.
- Generalization: Multiple data items are aggregated with the data aggregation method, and the personal data are transformed so that they cannot be associated with any person.
- Global Coding: A more general content is derived from the content of the personal data by means of the data derivation method, and the personal data are transformed so that they cannot be associated with any person.
- Anonymization methods that provide value irregularity: Unlike the methods above, these methods introduce distortion by changing certain values in the personal data set.
- Adding Noise: Data are anonymized by adding positive or negative deviations, at a determined rate, to the data in a data set, particularly numeric data.
- Micro Combination: All data are first sorted in a meaningful order and separated into groups; the arithmetic mean of each group is calculated and written in place of each value in that group to achieve anonymization.
- Data Exchange: Values of variables are exchanged between pairs of records selected from the retained data.
During performance of abovementioned situations, provisions of the LPPD, Regulation, and other applicable legislation are fully observed and all necessary administrative and technical measures are taken.
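The anonymization methods listed above, implemented over a small data set, as an added example that is not part of the Lotus policy or the Company's own tooling. Every row in `SAMPLE` is invented for illustration, and the column names (`name`, `national_id`, `zip`, `birth_year`, `salary`, `dept`) are assumptions; the functions map one-to-one onto the policy's variable removal, record removal, partial hiding, generalization, lower and upper limit coding, adding noise, micro combination, and data exchange.

```python
"""Added example (not part of the Lotus policy): the anonymization methods
the policy lists, applied to a small constructed data set. Every row below is
invented for illustration; the column names are assumptions."""
import random
import statistics
from copy import deepcopy

# Constructed sample: one row per fictional person. name and national_id are
# direct identifiers; zip, birth_year, salary and dept are indirect identifiers.
SAMPLE = [
    {"name": "A. Yilmaz", "national_id": "10000000001", "zip": "34592", "birth_year": 1984, "salary": 41000, "dept": "Quality"},
    {"name": "B. Kaya", "national_id": "10000000002", "zip": "34592", "birth_year": 1990, "salary": 38000, "dept": "Finance"},
    {"name": "C. Demir", "national_id": "10000000003", "zip": "34570", "birth_year": 1975, "salary": 52000, "dept": "Quality"},
    {"name": "D. Celik", "national_id": "10000000004", "zip": "34570", "birth_year": 1988, "salary": 39500, "dept": "Quality"},
    {"name": "E. Arslan", "national_id": "10000000005", "zip": "34303", "birth_year": 1962, "salary": 97000, "dept": "Management"},
]
DIRECT_IDENTIFIERS = ("name", "national_id")

def remove_variables(rows, columns=DIRECT_IDENTIFIERS):
    """Variable removal: drop the highly descriptive columns from every row."""
    return [{k: v for k, v in r.items() if k not in columns} for r in rows]

def remove_singular_records(rows, key):
    """Record removal: drop rows whose value of `key` is unique in the set."""
    counts = {}
    for r in rows:
        counts[r[key]] = counts.get(r[key], 0) + 1
    return [r for r in rows if counts[r[key]] > 1]

def partial_hide(rows, keys, threshold=2):
    """Partial hiding: mask `keys` only in rows whose combination of those
    keys occurs fewer than `threshold` times (a rare, hence identifying, combination)."""
    combos = {}
    for r in rows:
        c = tuple(r[k] for k in keys)
        combos[c] = combos.get(c, 0) + 1
    out = deepcopy(rows)
    for r in out:
        if combos[tuple(r[k] for k in keys)] < threshold:
            for k in keys:
                r[k] = "*"
    return out

def generalize_zip(rows, keep=3):
    """Generalization: keep only the first `keep` digits of the postal code."""
    out = deepcopy(rows)
    for r in out:
        r["zip"] = r["zip"][:keep] + "*" * (len(r["zip"]) - keep)
    return out

def limit_code_salary(rows, low=40000, high=60000):
    """Lower and upper limit coding: values below `low` and at or above `high`
    are collapsed into open-ended bands; the middle band is kept as a range."""
    out = deepcopy(rows)
    for r in out:
        s = r["salary"]
        r["salary"] = f"<{low}" if s < low else (f">={high}" if s >= high else f"{low}-{high - 1}")
    return out

def add_noise(rows, key, rate=0.05, seed=0):
    """Adding noise: perturb a numeric column by a random deviation within
    +/- `rate` of the value (a value-irregularity method)."""
    rng = random.Random(seed)
    out = deepcopy(rows)
    for r in out:
        r[key] = round(r[key] * (1 + rng.uniform(-rate, rate)))
    return out

def micro_aggregate(rows, key, group_size=2):
    """Micro combination: sort by `key`, form groups of `group_size` (a short
    trailing group is merged into the previous one) and replace every value
    in a group by the group's arithmetic mean."""
    order = sorted(range(len(rows)), key=lambda i: rows[i][key])
    groups = [order[s:s + group_size] for s in range(0, len(order), group_size)]
    if len(groups) > 1 and len(groups[-1]) < group_size:
        groups[-2].extend(groups.pop())
    out = deepcopy(rows)
    for g in groups:
        mean = statistics.mean(rows[i][key] for i in g)
        for i in g:
            out[i][key] = mean
    return out

def swap_values(rows, key, seed=0):
    """Data exchange: swap the value of `key` between randomly chosen pairs of rows."""
    rng = random.Random(seed)
    out = deepcopy(rows)
    idx = list(range(len(out)))
    rng.shuffle(idx)
    for a, b in zip(idx[0::2], idx[1::2]):
        out[a][key], out[b][key] = out[b][key], out[a][key]
    return out
```

Every function returns a new list and leaves the stored rows untouched, matching the policy's requirement that the methods without value irregularity make no change to the personal data that remain stored. Note that stripping the direct identifiers alone is not anonymization: the `zip`/`dept` combination in the sample still singles out three of the five rows, which is why `partial_hide` or `generalize_zip` is needed on top of `remove_variables`.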
9. Periodic Disposal Period for Personal Data
Personal data in possession of Lotus shall be checked in certain periodic intervals and the data, processing circumstances of which no longer exist, shall be deleted, destroyed, or anonymized.
Periodic Disposal is carried out in semi-annual intervals for all personal data. The mentioned period does not exceed the maximum periodic disposal period, specified in article 11 of the Regulation, under any circumstances. The Company pledges to comply with new periods if the Board shortens the periods within the scope of the applicable legislation.
These periodic inspection and disposal procedures, to be carried out for personal data, are included in the Personal Data Processing Inventory generated by Lotus and provided/to be provided to VERBİS system.
All operations performed within the scope of disposal are recorded by the Company and such records are retained for at least 3 (three) years, except for other legal obligations. The Company reserves the Personal Data retention rights arising from other legal obligations.
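How the semi-annual periodic disposal, the six-month upper bound, and the logging requirement fit together, as an added example that is not part of the Lotus policy or the Company's own systems. The category names and retention periods are taken from ANNEX-2 of the policy; the calendar dates of the runs (1 January and 1 July), the record ids, the operator name, and the hash-chained register design are assumptions of this example.

```python
"""Added example (not part of the Lotus policy): compute when a record falls
due for the semi-annual periodic disposal run and keep a hash-chained register
of the disposal actions. Category names and periods follow ANNEX-2 of the
policy; run dates, record ids and operators are constructed assumptions."""
import hashlib
import json
from datetime import date, timedelta

# Retention period after the triggering event as (years, days), taken from
# ANNEX-2 (contract end, log creation, recording date, application date).
RETENTION = {
    "contract": (10, 0),
    "access_log": (2, 0),
    "camera": (0, 90),
    "job_application": (1, 0),
}
# The policy fixes a semi-annual interval; the calendar dates of the runs
# (1 January and 1 July) are an assumption of this example.
PERIODIC_RUN_MONTHS = (1, 7)

def add_years(d, years):
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_expiry(category, trigger):
    """Date on which the storage period for `category` ends."""
    years, days = RETENTION[category]
    return add_years(trigger, years) + timedelta(days=days)

def next_periodic_run(after):
    """First scheduled run on or after `after` (never more than six months away)."""
    runs = [date(y, m, 1) for y in (after.year, after.year + 1) for m in PERIODIC_RUN_MONTHS]
    return min(r for r in runs if r >= after)

def disposal_due(category, trigger):
    """Disposal date: the first periodic run after the storage period expires."""
    return next_periodic_run(retention_expiry(category, trigger))

def records_due(records, run_date):
    """Ids of records whose disposal date is on or before `run_date`."""
    return [r["id"] for r in records if disposal_due(r["category"], r["trigger"]) <= run_date]

class DisposalRegister:
    """Append-only log of disposal actions. Each entry stores the hash of the
    previous entry, so altering or dropping an entry breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, record_id, category, method, performed_on, operator):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"record_id": record_id, "category": category, "method": method,
                "performed_on": performed_on.isoformat(), "operator": operator, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Constructed records: id, ANNEX-2 category, and date of the triggering event.
SAMPLE_RECORDS = [
    {"id": "CAM-0001", "category": "camera", "trigger": date(2024, 1, 15)},
    {"id": "LOG-0042", "category": "access_log", "trigger": date(2022, 3, 1)},
    {"id": "CTR-0007", "category": "contract", "trigger": date(2020, 12, 31)},
]

def run_periodic_disposal(records, run_date, operator="it-specialist"):
    """Dispose of everything due on `run_date` and return the filled register."""
    register = DisposalRegister()
    for rid in records_due(records, run_date):
        category = next(r["category"] for r in records if r["id"] == rid)
        method = "secure deletion via software"  # electronic media, per the policy
        register.record(rid, category, method, run_date, operator)
    return register
```

Because `next_periodic_run` always picks the first run on or after expiry, the gap between the obligation arising and the disposal never exceeds six months, which is the bound the policy states. The register's chained hashes give the integrity property the logging clause asks for: changing any field of an earlier entry, or removing one, makes `verify()` return `False`; the register itself still needs to be stored where only authorized individuals can write to it, since a hash chain detects tampering but does not prevent it.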
10. Ex Officio Deletion, Destruction, or Anonymization Periods for Personal Data
During the first periodic disposal procedure following emergence of the obligation to delete, destroy, or anonymize personal data, your personal data shall be deleted, destroyed, or anonymized. Such period cannot exceed six months in any event.
The Board may shorten the period set forth in this article if losses, which are difficult or impossible to recover from, arise or in the case of explicit illegality.
11. Periods Applicable Upon the Deletion, Destruction, or Anonymization Request of the Data Subject Regarding Their Personal Data
The Data Subject shall submit their requests regarding implementation of the Law to Lotus in writing or by other methods to be determined by the Board. Lotus approves the request or justifies its rejection and sends the response to the relevant person in writing or online at the latest within thirty days. If the request in the application is approved, necessary action shall be taken.
The personal data subject to the request are deleted, destroyed, or anonymized in the event that all of the circumstances for processing the personal data, which are subject to the request, no longer exist. The requests specified in the application are finalized at no charge, as soon as possible, and at the latest within thirty days according to the nature of request. However, if the procedure requires an additional cost, relevant fee in the tariff determined by the Board may be charged. If it is caused by the mistake of Lotus, charged fee is refunded to the data subject.
Unless the Board makes a resolution to the contrary, Lotus shall select the proper method among ex officio deletion, destruction, or anonymization of personal data. Lotus shall select the suitable method and provide its justification upon the data subject's request.
If the personal data subject to the request were transferred to third parties, the matter shall be notified to the third party and it shall be ensured that the third party takes necessary action pursuant to the Regulation on Deletion, Destruction, or Anonymization of Personal Data.
You can file an application regarding matters in respect of processing of your personal data by completing the form on the Company’s website or in writing* to the following address.
Lotus Teknik Tekstil Sanayi ve Ticaret Anonim Şirketi Contact Details
Contact E-Mail: kvkk@lotustekstil.com.tr
Head Office Address: Ortaköy Mah. İlter Bulvarı No:27 34592 Silivri/İstanbul
Head Office Telephone Number: +90 0212 734 38 08
Website address: http://www.lotustekstil.com.tr/
*Please specify the matter on the envelope as “Information Request Pursuant to the Law on Protection of Personal Data” in case of written application.
12. References and Basis
By-Law on Erasure, Destruction, and Anonymization of Personal Data
13. Effective Date of the Policy
The first version of this Policy took effect upon approval by the Board of Directors for implementation regarding all personal data storage and disposal activities of the Company as of 02/01/2020.
In case of a discrepancy between the Turkish version, which this Policy was issued in, and the translation in another language published by the Company, Turkish version shall prevail.
ANNEX-1 GROUPS OF PEOPLE
| GROUPS OF PEOPLE | EXPLANATIONS |
|---|---|
| Customer | Entities that currently procure or commit to procure products/services from Lotus. |
| Potential Customer | Entities that do not currently procure but may potentially procure the relevant product/service from Lotus. |
| Company Representative or Agent | Individuals that represent or act as a substitute for Lotus (lawyers that offer consultancy to Lotus, board members authorized to represent and bind Lotus). |
| Shareholder | Real entities holding shares in Lotus. |
| Supplier | Employee, prospective employee, representative, or agent of companies from which Lotus procures services. |
| Business Partner | Employee, prospective employee, representative, or agent of companies with which Lotus collaborates in its activities. |
| Employee | Individuals employed by Lotus in the capacity of employer, who entered into an employment contract. |
| Prospective Employee | Natural persons that made a job application to Lotus, or made their resumés or relevant details available for examination by Lotus by any means. |
| Intern | Real persons doing their internship at Lotus. |
| Visitor | Individuals that visit Lotus company premises and websites. |
| Legally Authorized Individual | Legally competent public institutions and organizations, or individuals employed by private entities and organizations. |
| Third Party | Other real entities that are not specified here (e.g. guarantor, former employee, etc.). |
ANNEX-2 STORAGE AND DISPOSAL PERIODS TABLE
Storage periods regarding the processes listed in the following table were determined on the basis of the legislation applicable on the effective date of this Policy. Such periods shall be interrupted if the data subject files a claim and the personal data subject to the claim shall be retained at least until finalization of the claim on the legal grounds for protection of a right.
| PERSONAL DATA CATEGORY | STORAGE PERIOD | DISPOSAL PERIOD |
|---|---|---|
| Contractual relationships (general prescription period under Turkish Code of Obligations) | 10 years upon expiration of contractual relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Payment transactions in relationships involving product/service provision to customers | 10 years upon expiration of contractual relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Part of the contractual process and retaining contract | 10 years upon expiration of contractual relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Job applications by prospective employees | 1 year from the date of job application | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Planning human resources processes | 10 years upon expiration of employment relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Occupational health and safety activities | 10 years upon expiration of employment relationship; at least 15 years upon expiration of employment relationship for medical files | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Performance of leave and compensation processes for employees | 10 years upon expiration of contractual relationship[1] | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Personal data pertaining to remuneration rights of employees | 5 years | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Access / Log Records | 2 years | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| General Assembly Operations | 10 years | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Information pertaining to the Company’s partners and board members | 10 years | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Commercial books and other documents listed in article 82/1 of Turkish Commercial Code | 10 years starting from the beginning of the year following the calendar year when the documents were generated, issued, or prepared | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Visitor records for system rooms | During the term of contract | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Commercial Digital Message Procedures | 3 years from the rejection date of commercial digital message or commercial digital communication | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Camera Records | 90 days for administrative building, production area, outdoor space | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Incident Detection Detail | 10 years upon expiration of employment relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Family Members Information | 10 years upon expiration of employment relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
| Customer Request and Complaint Information | 10 years upon expiration of contractual relationship | During the first periodic operation, which is performed semi-annually, upon expiration of contract |
[1] The mentioned period applies to annual leave pay and compensation arising from employment contracts expiring after 12.10.2017. The 10-year prescription period applies to claims predating that date. However, in this case, if the portion of the prescription period that has already elapsed is less than 5 years, the prescription period shall be completed when the remaining period is completed at 5 years. Personal data are destroyed when the prescription period expires.
