MANGODO BİLİŞİM A.Ş. PERSONAL DATA RETENTION AND DESTRUCTION POLICY
Identity of the Data Controller
Our Company is Mangodo Bilişim A.Ş. ("Mangodo"), registered with the Istanbul Trade Registry under trade-registry number 819070-0, with its head office at Kandilli Mah. Rasathane Cad. Kandilli Rasathanesi Deprem Araştırma Enstitüsü No: 104/13 Apartment No: 17 Üsküdar / İstanbul.
MANGODO is a data controller that acts in compliance with Law No. 6698 on the Protection of Personal Data ("PDPL", "Law").
Requests Concerning Retention and Destruction
Article 11 of the Law sets out the rights of the data subject. The rights related to retention and destruction are as follows:
• to request information on whether personal data are retained;
• to learn the purpose for which personal data are retained and whether they are retained in line with that purpose;
• to request correction of stored personal data that are incomplete or inaccurate, and to request that third parties be informed of the correction;
• to request the destruction of personal data when the conditions requiring their retention cease, and to request that third parties be informed.
Data subjects may submit their requests regarding the above rights free of charge to MANGODO, using documents that verify their identity and via the methods set out below, the methods determined by the Personal Data Protection Board, or the Data Subject Application Form below.
MANGODO undertakes to respond to such requests as soon as possible and within 30 days at the latest, free of charge unless the procedure incurs a cost.
Furthermore, under Article 14 of the Law, the data subject may file a complaint with the Board if their application is refused, if the response received is found inadequate, or if no response is received within the time limit. The complaint must be filed within 30 days of learning MANGODO's response and, in any event, within 60 days of the date of application.
Contact Information
MANGODO's communication channels:
• [E-mail address to be added]
• [KEP address]
• Kandilli Mah. Rasathane Cad. Kandilli Rasathanesi Deprem Araştırma Enstitüsü No: 104/13 Apartment No: 17 Üsküdar / İstanbul
Purpose of the Policy
The protection of private life is a fundamental right enshrined in the Constitution of the Republic of Türkiye and the international agreements currently in force. MANGODO acts with due care, in line with its obligations under the PDPL and other applicable legislation, to ensure that the personal data of natural persons who have come into contact with MANGODO are not disclosed, are not accessed by unauthorized persons, and are not used for harmful purposes.
The purpose of this Retention and Destruction Policy (the "Policy") is to ensure that MANGODO's retention and destruction processes are conducted in compliance with Law No. 6698 on the Protection of Personal Data and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data ("Regulation") that entered into force on 1 January 2018, as well as other related legislation. The Policy provides detailed explanations on personal-data processing and retention processes of MANGODO and the third parties contractually accountable to it — who the data subjects are, the purposes and legal grounds for processing, the recording environments, the methods and maximum periods for destruction, the obligations of data-protection personnel regarding retention and destruction, and the technical and administrative measures taken by the Company — thereby aiming to ensure transparency.
Entry into Force and Changes
This Policy has entered into force upon approval by the MANGODO Board of Directors. Changes to the Policy will be made available on the corporate website.
MANGODO will update this Policy in line with the requirements of any new or updated legislation related to the subject.
Scope of the Policy
The personal-data retention and destruction processes carried out by MANGODO constitute the scope of this Policy. Importantly, this Policy does not cover special categories of personal data; as required by the Board, the Company's processing activities relating to special categories of personal data are governed by a separate policy. The Policy may apply in full or in part.
Our Personal-Data Processing Principles
MANGODO takes the utmost care to comply with the principles listed below when processing personal data and follows the principle of data minimization. As a rule, we do not seek any information beyond what is necessary, and we retain the personal data obtained for the minimum period required:
• Lawfulness and good faith.
• Accuracy and currency where necessary.
• Processing for specified, explicit, and legitimate purposes.
• Connected, limited, and proportionate to the purposes of processing.
• Retention for the period required by the relevant legislation or by the purpose of processing.
Data Subjects
As a data controller, MANGODO is in contact with many natural persons. The categories of persons whose personal data are processed for various reasons are listed below:
• Third Parties
• Employee Candidate(s)
• Employee(s)
• Employee's Mother
• Employee's Father
• Employee's Child
• Employee's Spouse
• Employee's Sibling
• Trainers
• Former Employees
• Physical Visitor
• User
• Shareholders
• Shareholders' Proxies
• Contract Party
• Contract Party's Representative
• Person Completing the Data Controller Application Form
RETENTION OF PERSONAL DATA
Introduction
The preparation and implementation of this Policy — whose scope is determined by the Law and whose principles are set out in Articles 5 and 6 of the Regulation — is the responsibility of MANGODO as data controller.
The retention of all personal data belonging to the data subjects referenced above and falling within the scope of this Policy is carried out in accordance with the practices detailed below.
Recording Environments
Personal data belonging to data subjects are retained by MANGODO in the environments listed below, in line with the technical and administrative measures set out in this Policy and the measures required by the PDPL, under internal authorization and control mechanisms.
Electronic environments: servers; software; cloud systems; flash storage; information-security devices (firewalls, intrusion detection and prevention systems, log files, antivirus, etc.); personal computers (desktops, laptops); mobile devices (phones, tablets, etc.); optical discs (CD, DVD, etc.); removable storage (USB, memory cards, etc.); printers, scanners, photocopiers.
Non-electronic environments: paper; manual data registry systems (survey forms, visitor entry books, etc.); written, printed, and visual materials.
Reasons for Retention
The storage and retention of personal data is treated as a "processing" activity in the "Definitions" section of the Law.
Personal data must be processed on legal grounds and after fulfilment of obligations to inform. The legal grounds on which retention may be based are:
• Explicit consent
• Inability to obtain explicit consent due to actual impossibility
• Necessity for the establishment or performance of a contract
• Legal obligation
• Express provision in laws
• Establishment, exercise, or protection of a right
• Legitimate interest
• Public disclosure by the data subject
Purpose
MANGODO retains personal data for the purposes set out in the Data Policy.
Period
MANGODO retains personal data for the period necessary for the purposes of processing and the legal grounds for processing.
Personal-Data Retention and Destruction Periods
Process or Transaction Containing Personal Data | Retention Period | Destruction Period
Personnel files prior to 25 October 2017 | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Personnel files for employment contracts that ended before 25 October 2017 but whose statute of limitations had not yet expired as of that date, with more than 5 years remaining | 5 years + 6 months | In the first periodic destruction following the end of the retention period.
Personnel files after 25 October 2017 | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Employee financial records (payslips, payroll, etc.) | 5 years + 6 months | In the first periodic destruction following the end of the retention period.
Job applications | 1 year | In the first periodic destruction following the end of the retention period.
Criminal convictions and security measures | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Security camera recordings (image, vehicle plate) | 2 months | In the first periodic destruction following the end of the retention period.
Customer transaction records | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Request and complaint process records | 2 years | In the first periodic destruction following the end of the retention period.
Call-centre records | 3 months | In the first periodic destruction following the end of the retention period.
Website contact form records | 1 year | In the first periodic destruction following the end of the retention period.
Data obtained as a mass-use provider (IP address, MAC address, Wi-Fi access information) | 6 months | In the first periodic destruction following the end of the retention period.
Premium documents and workplace records | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Contract-related records | 10 years from the end of the contract | In the first periodic destruction following the end of the retention period.
Company Board of Directors member information | 10 years from the end of board membership | In the first periodic destruction following the end of the retention period.
Information on persons authorized to represent the Company | 10 years from the end of the representation relationship | In the first periodic destruction following the end of the retention period.
In-house training records | 3 years | In the first periodic destruction following the end of the retention period.
Occupational health and safety records | 10 years + 6 months | In the first periodic destruction following the end of the retention period.
Information obtained through the website (IP address, cookie records) | 2 years | In the first periodic destruction following the end of the retention period.
If a period other than those listed above is provided in the legislation, personal data are retained for that period. In accordance with the Law, lawfully processed personal data are destroyed ex officio or upon the data subject's request when the conditions requiring processing cease.
In line with the principle of data minimization, MANGODO destroys personal data whose retention period has expired — without the need for any request — in accordance with the procedures and methods set out in this Policy.
Retention periods for all personal data processed by MANGODO are given above. If these periods change, this Policy and its annexes will be updated.
Retention-Responsible Data-Protection Personnel and Their Obligations
MANGODO has primarily appointed employees with sufficient expertise on this subject as Data Protection Personnel, with the responsibility of monitoring compliance with the Law. Some of these Data Protection Personnel are assigned responsibility for retention.
The obligations of Retention-Responsible Data Protection Personnel are as follows:
• Preparing fundamental policies related to retention and submitting them for the approval of the Board of Directors.
• Identifying matters required for compliance with the retention-related legislation, submitting them to the Board of Directors for approval, monitoring their implementation, and ensuring coordination.
• Raising awareness within MANGODO regarding the secure retention of personal data.
• Identifying risks that may arise in retention activities, ensuring necessary measures are taken, and submitting improvement proposals to the Board of Directors.
• Determining retention periods according to the relevant data category and submitting them to the Board of Directors for approval.
• Determining the retention environments.
• Determining and keeping current the purposes and grounds for retention in line with VERBIS and the Data Inventory.
• Verifying that personal data are retained in line with the agreed retention periods.
DESTRUCTION OF PERSONAL DATA
Introduction
The destruction of personal data means the deletion, destruction, or anonymization of those data.
When the conditions for processing lawfully obtained personal data cease, MANGODO will destroy the data either ex officio or upon the data subject's request. The technical and administrative measures set out in this Policy are taken to ensure that destruction processes are conducted in compliance with the Law and securely.
Destruction Methods
The principles for personal-data destruction methods are set out in Article 7 of the Law and Chapter 3 of the Regulation. In line with the provisions of the Law and the Regulation, MANGODO has set out the following methods.
Unless the Board decides otherwise, personal data whose retention period has expired will be destroyed by MANGODO using the appropriate method below, with the Destruction Record completed. The choice of method depends on the nature of the personal data. Special categories of personal data are destroyed using the "destruction" method as far as possible. Data that, by nature, are less sensitive than special categories are generally destroyed using the "deletion" method. As needed, certain data groups are anonymized in a manner that prevents identification and used within the Company for statistical activities.
The definitions and methods used in the Company are as follows:
By the "deletion" method, data are "rendered inaccessible and unusable in any way for the relevant users." Personal data whose retention period has expired and that are suitable for this method are deleted as follows:
Recording medium | Deletion method
Servers | The system administrator removes the access rights of the relevant users and performs the deletion.
Electronic environment | Data are rendered inaccessible and unusable in any way for employees other than the database administrator (relevant users). The rows or columns containing personal data in the database are deleted using the "Delete" command.
Physical environment | Data are rendered inaccessible and unusable in any way for employees other than the unit manager responsible for the archive of documents. In addition, the data are obscured by scribbling, painting, or erasing so that they are illegible.
Removable media | Encrypted by the system administrator, with access rights granted only to the system administrator; encryption keys are stored in secure environments.
By the "destruction" method, data are "rendered inaccessible, irretrievable, and unusable in any way by anyone." Personal data whose retention period has expired and that are suitable for this method are destroyed as follows:
Recording medium | Destruction method
Physical environment | Paper records whose retention period has expired are irretrievably destroyed using paper-shredding machines.
Optical / magnetic media (physical destruction) | Optical media and magnetic media are melted, burned, or pulverized.
Optical / magnetic media (degaussing) | Magnetic media are passed through a special device and exposed to a high-strength magnetic field, rendering the data on them unreadable.
Optical / magnetic media (overwriting) | Random data consisting of 0s and 1s are written at least seven times over magnetic media and rewritable optical media, preventing recovery of the old data.
By the "anonymization" method, data are "rendered incapable of being associated with an identified or identifiable natural person, even when combined with other data." Personal data whose retention period has expired and that are suitable for this method are anonymized as follows:
Anonymization methods:
• Masking: removing a key identifying piece of personal data from the dataset, thereby anonymizing it. Example: removing a name or T.R. ID number, transforming the dataset into one in which identifying the data subject is impossible.
• Record removal: removing rows containing unique data so that the remaining data are anonymized.
• Regional concealment: when a single data point creates a rarely seen combination and is therefore identifying, concealing it achieves anonymization. Example: if only one person on a backup roster is 65 years old, writing "Unknown" instead of "Age: 65" or leaving the field blank achieves anonymization.
• Global coding: deriving a more general content from the personal data so that it cannot be associated with any person. Example: stating an age instead of a birth date, or stating the region of residence instead of the full address.
• Adding noise: in a dataset dominated by numerical values, deviations of a defined magnitude (plus or minus) are added to existing values to anonymize the data. Example: in a dataset of weights, a deviation of ±3 kg prevents real values from being viewed and anonymizes the data. The deviation is applied equally to each value.
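As an added illustration, not part of the Policy or of Mangodo's own tooling, the following Python applies the five anonymization methods above to a small constructed personnel dataset and shows what survives each step; the field names, sample values and the reference date used for age computation are assumptions.

```python
"""Added example: the Policy's five anonymization methods (masking, record removal,
regional concealment, global coding, adding noise) applied to a constructed
personnel dataset. Not Mangodo's code; field names and values are assumptions."""
from collections import Counter
from copy import deepcopy
from datetime import date

REFERENCE_DATE = date(2024, 1, 1)  # assumed "today" for age computation

# Constructed sample records; every value is fictitious.
SAMPLE = [
    {"name": "A. Yilmaz", "tr_id": "10000000001", "birth_date": "1959-03-02",
     "address": "Kandilli Mah. No: 1, Uskudar, Istanbul", "weight_kg": 82, "role": "Trainer"},
    {"name": "B. Kaya", "tr_id": "10000000002", "birth_date": "1990-07-15",
     "address": "Merkez Mah. No: 5, Kadikoy, Istanbul", "weight_kg": 70, "role": "Engineer"},
    {"name": "C. Demir", "tr_id": "10000000003", "birth_date": "1991-11-30",
     "address": "Cumhuriyet Mah. No: 9, Cankaya, Ankara", "weight_kg": 64, "role": "Engineer"},
    {"name": "D. Celik", "tr_id": "10000000004", "birth_date": "1988-01-20",
     "address": "Yeni Mah. No: 3, Besiktas, Istanbul", "weight_kg": 77, "role": "Engineer"},
]
IDENTIFIERS = ("name", "tr_id")  # direct identifiers that masking removes


def mask(records, fields=IDENTIFIERS):
    """Masking: drop the directly identifying fields (name, T.R. ID) from each record."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def remove_unique_records(records, key):
    """Record removal: drop rows whose value under `key` occurs only once,
    because a singleton value singles out one data subject."""
    counts = Counter(r[key] for r in records)
    return [r for r in records if counts[r[key]] > 1]


def conceal_rare(records, key, placeholder="Unknown"):
    """Regional concealment: keep the row, but replace a value that occurs only
    once with a placeholder (the Policy's 'Age: 65' -> 'Unknown' example)."""
    counts = Counter(r[key] for r in records)
    out = deepcopy(records)
    for r in out:
        if counts[r[key]] == 1:
            r[key] = placeholder
    return out


def age_on(birth_iso, today):
    """Age in completed years on `today` for an ISO-formatted birth date."""
    y, m, d = (int(p) for p in birth_iso.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def global_code(records, today):
    """Global coding: replace birth date with age and the full address with the
    region (here the city, taken as the last comma-separated component)."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k not in ("birth_date", "address")}
        g["age"] = age_on(r["birth_date"], today)
        g["region"] = r["address"].rsplit(",", 1)[-1].strip()
        out.append(g)
    return out


def add_noise(records, key, deviation):
    """Adding noise: shift every numeric value by the same fixed deviation,
    as the Policy applies the deviation equally to each value (e.g. +3 kg)."""
    out = deepcopy(records)
    for r in out:
        r[key] = r[key] + deviation
    return out


def anonymize(records, today=REFERENCE_DATE):
    """Apply the methods in sequence; later steps act on the quasi-identifiers
    that survive masking (role, region, weight)."""
    step = global_code(mask(records), today)
    step = remove_unique_records(step, "role")  # drops the single Trainer row
    step = conceal_rare(step, "region")         # hides the only Ankara address
    return add_noise(step, "weight_kg", 3)


if __name__ == "__main__":
    for row in anonymize(SAMPLE):
        print(row)
```

Note that a fixed, equally applied deviation (as the Policy describes) preserves differences between records, so the noise step relies on the earlier steps to remove anything that still links a row to a person.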
Reasons for Destruction
MANGODO will destroy personal data when the bases for retention listed above ("Reasons for Retention") cease. Specifically, the reasons for destruction are as follows:
• Amendment or repeal of the provisions of the relevant law that justified retention, or termination of the data controller's legal obligation to retain.
• Invalidity, non-existence, termination, or withdrawal of the contract between the parties.
• Cessation of the purpose requiring retention.
• Retention being contrary to the law or to the rule of good faith in Article 2 of the Civil Code.
• Withdrawal of explicit consent in retention activities based on consent.
• Acceptance by Data Protection Personnel of the data subject's application under Article 11 of the Law.
• Approval by the Board of an application made by the data subject to the Board.
• Absence of any condition justifying longer retention after the maximum retention period has expired.
• Cessation of the legitimate interest that justified retention, or that legitimate interest harming the data subject's fundamental rights and freedoms.
• In retention based on the establishment, exercise, or protection of a right, expiry of the right or it becoming unenforceable.
Period
Article 11 of the Regulation states that destruction must be carried out in the first periodic deletion period following the date on which the obligation to destroy arises, and that the periodic destruction period may not exceed 6 months.
The Regulation also provides that when the data subject's application is approved by the data controller, destruction must be carried out in line with the request within 30 days.
As a data controller acting in compliance with the legislation, MANGODO:
• has set its periodic destruction period at a maximum of 6 months; for special categories of personal data, this is set at a maximum of 3 months;
• concludes data-subject applications approved by MANGODO within 30 days at the latest.
Destruction-Responsible Data-Protection Personnel and Their Obligations
MANGODO has appointed employees with sufficient expertise as Data Protection Personnel to monitor compliance with the Law. Some of these personnel are responsible for destruction.
Their obligations are:
• Deciding how policies regarding the destruction of personal data are to be applied and audited, assigning roles within the Company, and submitting these for the approval of the Board of Directors.
• Identifying matters required for compliance with destruction-related legislation, submitting them for board approval, ensuring implementation, and coordinating the work.
• Raising awareness within MANGODO's departments regarding personal-data destruction.
• Determining the destruction methods and the procedures for applying them, and submitting them for the board's approval.
• Ensuring that the destruction methods set out in this Policy are implemented in compliance with the Law and the Policy.
• Following up periodic destruction.
• Examining and responding to data-subject requests concerning destruction.
Measures Taken Regarding Retention and Destruction
As a data controller, MANGODO is required, under Article 12 of the Law, to take all appropriate technical and administrative measures to:
• prevent unlawful processing of special categories of personal data;
• prevent unlawful access to them;
• ensure their protection.
Accordingly, MANGODO takes the technical and administrative measures necessary, in line with the Law and the Board's "Personal Data Security Guide," providing the required technical expertise. These measures are continuously applied under this Policy and are updated and improved in line with technological developments through the necessary time, resources, and technical support, with audits performed.
In the event of a potential data breach within the Company, the procedure and measures to be followed are set out in the "MANGODO Data Breach Procedure"; regular training is provided to employees and tracked.
The measures listed below may vary by data category. As a fundamental principle, MANGODO applies more comprehensive measures to data considered more sensitive.
Measures Taken for Retention
Technical Measures:
• Real-time analyses through IT incident management continuously monitor risks and threats that may affect the continuity of information systems.
• Access and authorization technical solutions are implemented for each business unit in line with the requirements of the Law.
• Access rights are limited via an authority matrix and reviewed regularly.
• The physical security of MANGODO's information-systems equipment, software, and data is ensured.
• To ensure information-systems security against environmental threats, both hardware-based measures (system-room access control, physical security of edge switches forming the local network, etc.) and software-based measures (firewalls, intrusion-prevention systems, network access control, anti-malware systems, etc.) are taken.
• Technical measures are checked periodically; risk-bearing matters are reassessed and the necessary technological solutions are produced.
• Access procedures are established within MANGODO, with reporting and analysis on access to special categories of personal data.
• Access to storage areas containing special categories of personal data is logged; inappropriate access or access attempts are controlled.
• A suitable system and infrastructure have been established to notify the data subject and the Board within 72 hours if special categories of personal data are obtained unlawfully by others.
• Strong passwords and secure logging are used in electronic environments where special categories of personal data are processed.
• Data backup programs are used to ensure secure retention of special categories of personal data.
• Access to the website is encrypted over HTTPS, using a certificate based on the SHA-256 with RSA algorithm.
• Software and hardware containing virus-protection systems and firewalls are installed on the electronic devices used in the Company.
• Security scans are conducted to detect vulnerabilities in applications collecting special categories of personal data; penetration-testing services are obtained and system weaknesses checked.
• Technically knowledgeable and experienced personnel are employed to ensure the security of recording environments.
• When electronic recording environments are physically moved, the security of those environments is ensured using high-grade cryptographic methods.
Administrative Measures:
• Employees are trained, verbally and in writing, on the technical measures to be taken to prevent unlawful access to personal data.
• Before processing begins, the obligations to inform the data subject and obtain explicit consent are fulfilled.
• The data inventory prepared under the "Regulation on the Data Controllers' Registry" sets out the legal bases for the retention of personal data within MANGODO and provides information on how long and in what recording environment they are retained.
• Periodic and random internal audits are conducted to ensure that personal data are retained in compliance with the relevant legislation and this Policy.
• An authority matrix is created and applied through the design of personal-data access and authorization processes for each business unit in line with the requirements of the Law.
• Records are added to employees' existing employment contracts to ensure compliance with the obligations set out in the Law for the lawful processing of personal data, non-disclosure, no unlawful use of personal data, and the continuation of the duty of confidentiality even after the end of the employment relationship with MANGODO. The "Workplace Disciplinary Regulation" is updated to address non-compliance with these obligations.
• In lawful data-transfer processes, contracts concluded with data processors include provisions on the necessary security measures for the secure and purpose-bound retention of personal data.
Measures Taken for Destruction
Technical Measures:
• Necessary measures are taken to ensure that deleted personal data are inaccessible and unusable by the relevant users.
• To ensure that destruction processes are carried out securely, technically knowledgeable and experienced personnel are employed and assigned.
• A separate policy is established for the security and destruction processes of special categories of personal data; the technical measures taken for those special categories are set out in that policy.
Administrative Measures:
• A data inventory specifying the destruction methods and periods for personal data retained by MANGODO has been prepared under the "Regulation on the Data Controllers' Registry."
• Periodic and random internal audits are conducted to ensure that retained personal data are destroyed in line with the relevant legislation and this Policy.
• Destruction processes within MANGODO are carried out in line with the authority matrix and through the creation of record minutes.
• Contracts concluded with data processors to whom personal data are lawfully transferred include provisions on the necessary measures for the destruction of personal data in line with this Policy and the relevant legislation.
