GÜR-SEL TURİZM TAŞIMACILIK VE SERVİS TİCARET A.Ş. (Gür-Sel Tourism Transportation & Service Trade Inc.)
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. INTRODUCTION
The protection of personal data holds significant importance for Gür-Sel Tourism Transportation & Service Trade Inc. ("The Company"), and utmost care is taken in this regard. Consequently, processing personal data in a manner consistent with individuals' expectations and in compliance with the law is a fundamental cornerstone of our Company. In this context, our Company stores and destroys personal data obtained during its activities in accordance with the principles and regulations specified in this Personal Data Storage and Destruction Policy ("The Policy"), as well as the Constitution, Personal Data Protection Law No. 6698 ("The Law"), the Regulation on Deletion, Destruction or Anonymization of Personal Data ("The Regulation"), and other relevant legislation.
2. PURPOSE AND SCOPE OF THE POLICY
The purpose of this Policy is to set out the general principles and obligations of our Company regarding the storage and destruction of personal data of real persons subject to processing activities under The Law. This Policy covers all personal data processed by our Company under The Law. Furthermore, unless otherwise stated in this Policy, the Policy and the referenced documents cover both printed and electronic copies.
3. DEFINITIONS
Unless the context requires otherwise in this Policy:
• Explicit Consent: Consent that is specific to a subject, based on information, and expressed freely.
• Recipient Group: A category of real or legal persons to whom personal data is transferred by the data controller.
• Constitution: The Constitution of the Republic of Turkey.
• Related User: Individuals who process personal data within the organization of the data controller or as authorized, excluding those responsible for technical storage, protection, and backup of data.
• Destruction: The act of deleting, destroying, or anonymizing personal data.
• Recording Medium: Any medium where personal data is processed, whether fully or partially automated or processed non-automatically as part of a data recording system.
• Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, ID number, email, address, date of birth, credit card number, bank account number); information relating to legal entities is therefore not covered by The Law.
• Personal Data Subject: The natural person whose personal data is processed.
• Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether fully or partially automated or part of a data recording system.
• Board: The Personal Data Protection Board.
• Special Categories of Personal Data: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
• Periodic Destruction: The process of deleting, destroying, or anonymizing personal data, carried out automatically at repeating intervals when all conditions for processing personal data as stated in The Law cease to exist.
• Data Controller: The individual or entity that determines the purposes and means of processing personal data and manages the place (data recording system) where the data is systematically stored.
4. RECORD MEDIUMS REGULATED BY THE POLICY
Our Company stores all personal data subject to processing activities under The Law in the following mediums, where personal data is processed, whether fully or partially automated or non-automatically as part of any data recording system:
• Databases
• CRM/ERP Programs
• Websites
• Email Accounts
• Computers, Servers
• Backup Areas
• Paper/Printed Documents
• Tablets, Mobile Phones
5. REASONS FOR STORING AND DESTROYING PERSONAL DATA
Our Company bases its personal data processing activities on the following principles:
• Compliance with the law and the rule of honesty.
• Ensuring personal data is accurate and up-to-date when necessary.
• Processing for specified, explicit, and legitimate purposes.
• Being related to, limited to, and proportionate to the purposes for which they are processed.
• Retaining for the period stipulated by relevant legislation or necessary for the purpose for which the data are processed.
Our Company stores and uses personal data in compliance with these principles, for the purposes of processing personal data stated in the relevant articles of the Gür-Sel Tourism Transportation & Service Trade Inc. Personal Data Storage and Destruction Policy and the KVKK Clarification Text, and in accordance with the conditions of processing personal data stated in Articles 5 and 6 of The Law. When all conditions for processing personal data cease to exist, our Company destroys personal data, either on its own initiative or upon the request of the personal data subject.
(a) Existence of the Personal Data Subject's Explicit Consent
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject should be based on being informed and expressed with free will on a specific subject.
(b) Explicitly Stipulated by Laws
The personal data of the data subject can be processed lawfully without explicit consent if this is explicitly stipulated by laws.
(c) Inability to Obtain Explicit Consent due to Actual Impossibility
In cases where it is necessary to process the personal data of a person who is physically unable to express consent, or whose consent cannot be deemed valid, in order to protect the life or bodily integrity of that person or of another person, the personal data of the data subject can be processed.
(d) Direct Relation to the Establishment or Performance of a Contract
Personal data of the parties to a contract can be processed if necessary for the establishment or performance of the contract, provided it is directly related to the contract.
(e) Legal Obligation
The personal data of the data subject can be processed if it is necessary for our Company to fulfill its legal obligations.
(f) Publicizing of Personal Data by the Data Subject
If the data subject has publicized their personal data, the relevant personal data can be processed limited to the purposes of publicization.
(g) Necessity for Processing Data for the Establishment or Protection of a Right
If it is necessary to process data for the establishment, exercise, or protection of a right, the personal data of the data subject can be processed.
(h) Necessity for Data Processing for the Legitimate Interest of Our Company
If data processing is necessary for the legitimate interests of our Company, provided it does not harm the fundamental rights and freedoms of the personal data subject, the personal data of the data subject can be processed.
In this regard, the basis for a personal data processing activity can be only one of the conditions mentioned above or more than one of these conditions.
6. METHODS APPLIED IN THE PROCESS OF DESTROYING PERSONAL DATA AND TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LAWFUL DESTRUCTION OF PERSONAL DATA
When all the conditions for processing personal data as stated in Articles 5 and 6 of The Law cease to exist, our Company destroys personal data using the following methods. Our Company takes the utmost care and diligence in the destruction of personal data. In this context, our Company takes the necessary technical and administrative measures according to technological possibilities and implementation costs as per Article 12 of The Law, The Regulation, the general principles mentioned above, this Policy, and decisions of the Board. All operations conducted within the scope of destruction are recorded by our Company and, except where other legal obligations apply, these records are retained for 3 years. Unless the Board decides otherwise, our Company chooses the appropriate method of deleting, destroying, or anonymizing personal data according to technological possibilities and implementation costs, and explains the rationale for the chosen method upon the request of the personal data subject.
(a) Methods of Deleting Personal Data
The deletion of personal data is the process of making personal data inaccessible and unusable by any related user. Our Company takes all necessary technical and administrative measures according to technological possibilities and implementation costs to ensure that deleted personal data are inaccessible and unusable for related users.
In this context, our Company applies the following methods for the deletion of personal data:
[Image placeholder: the illustration of the deletion flow is to be added here.]
Identification of Data to be Deleted → Identification of Relevant Users → Determining Users' Access Methods → Deletion/Removal of Data
• Application-Type Cloud Solutions as a Service: In the cloud system, data should be deleted by issuing a delete command. Care must be taken that users authorized to access deleted personal data in the cloud system do not have the ability to retrieve deleted data. If necessary, only System Administrators can access deleted personal data on the cloud-based system. Deleting the user's profile can also delete all personal data recorded in that user account.
• Personal Data on Paper Media: Personal data on paper media should be deleted using the blacking-out method. The blacking-out process is done by cutting the personal data out of the relevant document where possible, and where not possible, by making the personal data invisible to the related users using permanent ink in a way that cannot be reversed and cannot be read with technological solutions.
[Image placeholder: the illustration of blacking out with ink is to be added here.]
• Office Files Located on Central Servers: The file should be deleted with the delete command in the operating system, or the access rights of the relevant user on the file or on the directory where the file is located should be removed. Care must be taken that the relevant user is not also a system administrator while performing this operation.
• Personal Data on Portable Media: Personal data in external memories and other storage media should be stored encrypted. For example, personal data archived using Office programs can be encrypted using the file encryption feature of the Office program and transported on external memories. Personal data in external memories and other storage media will be deleted using the delete command.
• Databases: The relevant rows where personal data is located should be deleted with database commands (DELETE, etc.). Care must be taken that users authorized to access deleted personal data are not also database administrators. When backups of databases are restored, it should be checked whether the backup includes deleted personal data.
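The database item above asks for two things that are easy to get wrong in practice: the DELETE must be recorded (the destruction records in this Policy are kept for 3 years), and a restored backup must be checked for rows that were deleted after the backup was taken. The following is an added example written for this page, not the Company's own tooling. It uses Python's sqlite3 with constructed sample rows, keeps the destruction record in a separate store so that restoring the data backup cannot erase it, and after a restore re-applies the logged deletions and reports which subjects had resurfaced. The table layout, the column names and the use of SQLite's secure_delete pragma are assumptions made for the illustration.

```python
"""Row deletion with a destruction record, plus a post-restore reconciliation check.
Added example for this Policy; uses Python's sqlite3 with constructed data."""
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (fictional persons).
SAMPLE_CUSTOMERS = [
    (1, "Ayse", "Yilmaz", "+90 555 000 0001"),
    (2, "Mehmet", "Kaya", "+90 555 000 0002"),
    (3, "Elif", "Demir", "+90 555 000 0003"),
]


def create_data_db():
    """Live database holding personal data (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    # Overwrite freed pages on DELETE so removed rows do not linger in the file.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        "CREATE TABLE customers("
        "id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def create_destruction_log():
    """Destruction records live in their own store, separate from the data, so that
    restoring a data backup cannot erase the record of what was deleted."""
    log = sqlite3.connect(":memory:")
    log.execute(
        "CREATE TABLE destruction_log("
        "customer_id INTEGER, method TEXT, destroyed_at TEXT)"
    )
    log.commit()
    return log


def delete_customer(data, log, customer_id):
    """Delete the subject's rows and write the destruction record. Returns rows removed."""
    cur = data.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    data.commit()
    log.execute(
        "INSERT INTO destruction_log VALUES (?, ?, ?)",
        (customer_id, "DELETE", datetime.now(timezone.utc).isoformat()),
    )
    log.commit()
    return cur.rowcount


def take_backup(data):
    """Copy the live database into a second connection (stands in for the backup area)."""
    backup = sqlite3.connect(":memory:")
    data.backup(backup)
    return backup


def reconcile_restored_backup(restored, log):
    """After a backup is restored, find subjects that were logged as deleted but are
    present again, delete them once more, and return their ids."""
    resurfaced = []
    for (customer_id,) in log.execute("SELECT customer_id FROM destruction_log"):
        hit = restored.execute(
            "SELECT 1 FROM customers WHERE id = ?", (customer_id,)
        ).fetchone()
        if hit is not None:
            resurfaced.append(customer_id)
            restored.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    restored.commit()
    return resurfaced


def demo():
    data = create_data_db()
    log = create_destruction_log()
    backup = take_backup(data)             # backup taken before the deletion request
    removed = delete_customer(data, log, 2)
    # The backup predates the deletion, so restoring it brings subject 2 back.
    resurfaced = reconcile_restored_backup(backup, log)
    remaining = [row[0] for row in backup.execute("SELECT id FROM customers ORDER BY id")]
    return removed, resurfaced, remaining


if __name__ == "__main__":
    print(demo())
```

Running demo() deletes subject 2 from the live data, "restores" the earlier backup, and returns (1, [2], [1, 3]): one row removed, subject 2 found again in the restored copy and deleted a second time, subjects 1 and 3 left in place. The reconciliation only works because the destruction log was not part of the restored backup; a log stored inside the same database would have been rolled back together with the data.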
(b) Methods of Destroying Personal Data
The destruction of personal data involves rendering the data inaccessible, irretrievable, and unusable by anyone. Our Company takes all necessary technical and administrative measures, considering technological capabilities and cost, to destroy personal data. In this regard, our Company applies the following methods for destroying personal data:
- If the data is stored on disk media, destruction can be carried out using any of the following options, accompanied by a destruction record:
1- For reusable disks, writing data consisting of 1s and 0s over the disk at least 7 times and then deleting it, to render the data unreadable.
2- Physical destruction options (crushing, burning, pulverizing) can be used for destruction.
3- Disks scheduled for destruction can be handed over to electronic waste disposal companies under an agreement, and destruction is ensured.
- If the data is on paper media, destruction can be carried out using any of the following options, accompanied by a destruction record:
1- Shredding the papers using paper shredders to make them unreadable.
2- Destroying papers using the burning method.
3- Paper waste containing personal data that is scheduled for destruction can be handed over to paper waste disposal companies under an agreement, and destruction is ensured.
(c) Methods of Anonymizing Personal Data
Anonymizing personal data involves transforming the data in such a way that it can no longer be associated with an identified or identifiable natural person, even if matched with other data. To ensure that personal data are anonymized, they must be transformed so that they cannot be associated with an identified or identifiable natural person by any appropriate technique, considering the recording medium and the relevant area of activity, even by our Company, the recipient, or recipient groups. Our Company takes all necessary technical and administrative measures, considering technological capabilities and cost, for anonymizing personal data.
In this context, our Company applies the following methods for anonymizing personal data:
- Personal data in databases will be anonymized upon the request of data owners or when the conditions for data processing cease to exist.
- As the data anonymization methodology, the phrase "KVKK" will be written in place of the personal data to be anonymized, preventing its identification.
The categories of data to be anonymized are as follows:
Data Category        Anonymization Method
Name                 Replaced with "KVKK"
Surname              Replaced with "KVKK"
ID                   Replaced with "KVKK"
Phone                Replaced with "KVKK"
Neighborhood         Replaced with "KVKK"
Street               Replaced with "KVKK"
[Table placeholder: the Company's own anonymization table is to be added here.]
- Data anonymization is exemplified on the following personal data fields:
Name | Surname | ID | Date of Birth | Gender | Province | District | Neighborhood | Postal Code
[Table placeholder: the example rows are to be added here.]
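As an added illustration of the replacement method described in this subsection (not the Company's own code), the following Python applies the "KVKK" token to the listed data categories over constructed sample records and then verifies the result: every listed field present in the record was replaced, and the original value of such a field does not survive in another column. The column names follow the Policy's table; the records and the free-text "Notes" column of the third record, which repeats a name so that the check has something to catch, are assumptions made for the illustration.

```python
"""Replacement of listed data categories with the "KVKK" token, with a post-check.
Added example for this Policy; records are constructed, not real persons."""
from copy import deepcopy

ANONYMIZATION_TOKEN = "KVKK"
# Categories from the Policy's table; every other column is left as it is.
CATEGORIES_TO_ANONYMIZE = ("Name", "Surname", "ID", "Phone", "Neighborhood", "Street")

# Constructed sample records (fictional persons).
SAMPLE_RECORDS = [
    {"Name": "Ayse", "Surname": "Yilmaz", "ID": "11111111110",
     "Date of Birth": "1990-05-01", "Gender": "F", "Province": "Istanbul",
     "District": "Kadikoy", "Neighborhood": "Caferaga", "Postal Code": "34710"},
    {"Name": "Mehmet", "Surname": "Kaya", "ID": "22222222220",
     "Date of Birth": "1985-11-23", "Gender": "M", "Province": "Ankara",
     "District": "Yenimahalle", "Neighborhood": "Kizilay", "Postal Code": "06420",
     "Phone": "+90 555 000 0002"},
    # Assumed free-text column that repeats the name: the check below must flag it.
    {"Name": "Elif", "Surname": "Demir", "ID": "33333333330",
     "Date of Birth": "1992-02-14", "Gender": "F", "Province": "Izmir",
     "District": "Konak", "Neighborhood": "Alsancak", "Postal Code": "35220",
     "Notes": "Call Elif back about the shuttle route"},
]


def anonymize_record(record, categories=CATEGORIES_TO_ANONYMIZE):
    """Return a copy in which each listed category present in the record is
    overwritten with the token; columns outside the list are untouched."""
    out = deepcopy(record)
    for field in categories:
        if field in out:
            out[field] = ANONYMIZATION_TOKEN
    return out


def anonymize_records(records, categories=CATEGORIES_TO_ANONYMIZE):
    return [anonymize_record(r, categories) for r in records]


def verify_anonymized(original, anonymized, categories=CATEGORIES_TO_ANONYMIZE):
    """Return a list of problems (empty when the record passes): a listed field
    left unreplaced, or its original value still visible in some other column."""
    problems = []
    for field in categories:
        if field not in original:
            continue
        if anonymized.get(field) != ANONYMIZATION_TOKEN:
            problems.append(f"{field} not replaced")
        secret = str(original[field])
        for other, value in anonymized.items():
            if other != field and secret and secret in str(value):
                problems.append(f"{field} value leaked into {other}")
    return problems


def check_all(records, categories=CATEGORIES_TO_ANONYMIZE):
    """Anonymize every record; map the index of each failing record to its problems."""
    failures = {}
    for i, (orig, anon) in enumerate(zip(records, anonymize_records(records, categories))):
        problems = verify_anonymized(orig, anon, categories)
        if problems:
            failures[i] = problems
    return failures


if __name__ == "__main__":
    print(check_all(SAMPLE_RECORDS))
```

check_all(SAMPLE_RECORDS) returns {2: ["Name value leaked into Notes"]}: the first two records pass, while the third shows the case the replacement step alone does not cover, a name repeated in a column that is not in the category table. The check is limited to the listed categories; columns the table leaves in place (date of birth, postal code, and so on) are returned unchanged.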
7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR SECURE STORAGE OF PERSONAL DATA AND TO PREVENT UNLAWFUL PROCESSING AND ACCESS
Our Company takes utmost care and diligence in securely storing personal data and preventing their unlawful processing and access, in line with Article 12 of The Law and The Regulation, the general principles mentioned above, this Policy, and decisions of the Board. The necessary technical and administrative measures are taken according to technological possibilities and implementation costs, including:
Technical measures:
• Access Control: At least once a year, access permissions of systems containing personal data will be reviewed with the relevant authorities.
• Access Logs: Access logs of individuals accessing personal data will be kept.
• User Account Management: Every employee will be ensured to log in with their own unique user account.
• Penetration Testing: Penetration testing will be conducted at least once a year to ensure the security of personal data.
• Backup: Data will be backed up to minimize data loss and ensure data integrity.
• Firewalls: Appropriate security rules will be established using firewalls.
• Current Anti-Virus Systems: Updated anti-virus programs will be installed on all computers and servers containing data.
• Deletion, Destruction, or Anonymization: Personal data will be deleted, destroyed, or anonymized as needed, according to the rules specified in the Storage and Destruction Policy.
Administrative measures:
• Preparation of Personal Data Processing Inventory: A personal data inventory will be prepared and maintained up-to-date.
• Corporate Policies (Access, Information Security, Usage, Storage and Destruction, etc.): Data protection policies will be prepared and made easily accessible to the relevant individuals.
• Contracts: References to the protection of personal data will be made in employee and supplier contracts.
• Confidentiality Agreements: Confidentiality agreements will be made with employees and suppliers.
• Internal Periodic Audits: Internal audit controls will include checks related to personal data for compliance with the law.
• Employment Contract, Discipline Regulations: Penalties will be imposed on personnel/suppliers who violate the protection of personal data.
• Training and Awareness Activities: Awareness training on the protection of personal data will be provided to employees.
• Notification to the Data Controllers Registry Information System (VERBIS): Registration will be made in the VERBIS system, and the personal data inventory will be kept up-to-date.
8. TITLES, DEPARTMENTS, AND JOB DESCRIPTIONS OF THOSE INVOLVED IN STORAGE AND DESTRUCTION PROCESSES
All employees are responsible for the process of storing and protecting personal data. Upon a request concerning their personal data by the personal data subject, the requested process will be conducted by the IT Manager and a response given to the data subject within 30 days.
The IT Manager will notify all department managers of the personal data request and wait for 3 days to determine the status of the request in the departments.
Based on the responses from the departments, a decision will be made on the action to be taken according to the nature of the request, and the IT Manager will respond to the personal data subject on the matter.
9. STORAGE AND DESTRUCTION PERIODS
Our Company stores and destroys personal data only for the duration specified in the relevant legislation it is obliged to comply with, or as necessary for the purposes for which the data are processed. In this context, our Company stores and destroys personal data for the maximum periods specified in the data inventory of the departments.
If the personal data subject applies to our Company requesting the destruction of their personal data, our Company:
(a) If all conditions for processing personal data have ceased:
(i) Will conclude the request of the personal data subject within thirty days at the latest and inform the data subject, and
(ii) If the personal data subject to the request have been transferred to third parties, will notify the third party of this situation and ensure that the necessary actions are taken at the third party.
(b) If not all conditions for processing personal data have ceased:
The request of the personal data subject can be rejected in accordance with the third paragraph of Article 13 of The Law, explaining the reason for the refusal, and the refusal will be notified to the personal data subject in writing or electronically within thirty days at the latest.
10. PERIODIC DESTRUCTION PERIODS
Our Company destroys personal data in the first periodic destruction process following the date on which the obligation to destroy personal data arises. In this context, once the obligation to destroy personal data arises, our Company subjects personal data to the destruction process twice a year. This period, in any case and condition, does not exceed the maximum periodic destruction period specified in Article 11 of The Regulation. Each item of personal data to be destroyed will be recorded with a destruction record, and images such as photos, visual or log records, if any, will be kept with the destruction record for 3 years.
11. ENFORCEMENT
This Policy has been in effect since 01.12.2019. The Policy may be updated from time to time to adapt to changing conditions and legislation. The current Policy comes into effect on the date it is announced within the company and is the responsibility of all departments of our Company.