Personal Data Storage and Destruction Policy
Personal Data Storage and Destruction Policy Based on Law No. 6698 on the Protection of Personal Data (Law)
1. PURPOSE OF THE POLICY
The purpose of this policy is to determine the rules, roles, and responsibilities that will be applied throughout ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. to fulfill the obligations regarding the storage and destruction of personal data, and other obligations specified in Articles 5 and 6 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette No. 30224 on 28.10.2017, based on the Law No. 6698 on the Protection of Personal Data (the “Law”).
2. SCOPE OF THE POLICY
This policy covers all personal data and sensitive personal data defined by Law No. 6698, held within ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. It applies to all employees, managers, consultants, affiliates, external service providers, and legal entities and individuals with whom ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. engages in legal relationships.
The policy covers personal data processed in systems that are fully or partially automated or are part of a data recording system, as defined in the Law.
Unless otherwise stated in this Policy, “Personal Data” will refer to both personal data and sensitive personal data.
3. DEFINITIONS
- Anonymization: The process of making personal data unidentifiable with any specific or identifiable individual, even when combined with other data.
- Destruction: The process of permanently deleting personal data so that it cannot be accessed or used again.
- Personal Data: Any information related to an identified or identifiable individual.
- Personal Data Storage Table (Retention Periods): A table showing the retention periods for personal data held within ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.
- Personal Data Processing Inventory: An inventory created by data controllers detailing their personal data processing activities, including the purposes, categories of data, the recipient group, and retention periods, as well as necessary security measures for data processing.
- Deletion of Personal Data: The process of making personal data inaccessible and unusable for relevant users.
- Destruction of Personal Data: The process of making personal data completely inaccessible, irreversible, and unusable by anyone.
- Sensitive Personal Data: Data regarding a person’s race, ethnic origin, political opinion, philosophical beliefs, religion, sect, or other beliefs, clothing, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
- Periodic Destruction: The automatic deletion, destruction, or anonymization of personal data at recurring intervals once the conditions for processing data under the law cease to exist.
- Data Recording System: A system in which personal data is structured and processed based on certain criteria.
- Direct Identifiers: Identifiers that can directly reveal the identity of the person they refer to.
- Indirect Identifiers: Identifiers that, when combined with other identifiers, can reveal the identity of the person they refer to.
- Law: The Law on the Protection of Personal Data No. 6698, published in the Official Gazette No. 29677 on 04.2016.
- Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette No. 30224 on 10.2017.
- Board: The Personal Data Protection Board.
- Record Environment: Any environment containing personal data that is processed by fully or partially automated means, or by non-automated means as part of a data recording system.
4. RECORD ENVIRONMENTS REGULATED BY THE POLICY
All environments where personal data is processed through automated or non-automated means, as part of a data recording system, are covered by this policy.
4.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored within ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. is kept in a record environment appropriate to the nature of the data and our legal obligations under the Information Security Management System (ISO 27001:2013).
The environments typically used for storing personal data are as follows. However, some data may be stored in different environments due to their specific nature or legal obligations.
a) Paper-based environments
Environments where data is stored in paper or microfilm formats.
b) Local digital environments
Environments such as servers, fixed or portable disks, optical disks, etc., used within ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.
c) Cloud environments
Environments in which ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. uses cryptographically encrypted internet-based systems. These environments are not physically located within the company but are utilized through internet-based systems.
4.2. ENSURING THE SECURITY OF THE ENVIRONMENTS
ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. takes all necessary technical and administrative measures in accordance with ISO 27001:2013 to ensure the secure storage of personal data and to prevent unauthorized processing and access to this data.
These measures, which are not limited to the following, include the technical and administrative precautions that are taken based on the nature of the data and the environment in which it is stored:
4.2.1. Technical Measures
- Only updated and secure systems are used in environments where personal data is stored.
- Security tests and research are conducted to identify vulnerabilities in IT systems, and potential risks are eliminated.
- Access to personal data is restricted, and only authorized personnel can access the data, limited to the purpose of data storage.
- ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. employs sufficient technical staff to ensure the security of the environments where personal data is stored.
4.2.2. Administrative Measures
- Training and awareness programs are provided to all employees with access to personal data to enhance their understanding of information security, privacy, and personal data protection.
- Legal and technical consultancy services are obtained to keep up-to-date with developments in information security and personal data protection and take necessary actions.
- In cases where personal data must be transferred to third parties due to technical or legal requirements, protocols are signed with those third parties to ensure the protection of personal data.
4.2.3. Internal Audit
ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. conducts internal audits in compliance with the Law and the Personal Data Protection and Processing Policy to ensure the application of the law and this Personal Data Retention and Destruction Policy.
If any deficiencies or faults are found during the audits regarding the implementation of these provisions, they will be immediately addressed.
If it is determined that personal data under the responsibility of ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. has been unlawfully accessed by others during an audit or otherwise, this situation will be promptly reported to the relevant individuals and the Board.
5. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE
5.1. The Personal Data Protection Committee is responsible for notifying the relevant departments about the policy and ensuring that the necessary actions are followed up by the departments of ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.
5.2. The Personal Data Protection Committee informs the relevant departments about legal amendments, Board regulations and decisions, court decisions, or changes in processes, applications, and systems, and ensures that necessary updates are made to the business processes when needed.
5.3. The Personal Data Protection Committee establishes and announces processes for reviewing, evaluating, tracking, and concluding issues related to the Law, secondary regulations, and decisions or requests from authorized authorities.
6. ACTIONS TO BE TAKEN WHEN THE CONDITIONS FOR PROCESSING PERSONAL DATA CEASE TO EXIST
6.1. In the event that the purpose of processing personal data ceases to exist, explicit consent is withdrawn, or the conditions for processing personal data as specified in Articles 5 and 6 of the Law are no longer met, or none of the exceptions listed in these articles can be applied, the personal data for which the conditions for processing have ceased will be deleted, destroyed, or anonymized by the relevant department, taking into account business needs, within the scope of Articles 7, 8, 9, or 10 of the Regulation. The method applied will be explained along with its justification. However, if a final court decision is involved, the data will be processed in accordance with the court’s ruling.
6.2. All users and data owners who process or store personal data within “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” will review, at least every four months, whether the conditions for processing have ceased to exist in the data storage environments they use. Upon the request of the data owner or notification from the Board or a court, the relevant users and departments will review the data storage environments, regardless of the periodic review period.
6.3. If, as a result of periodic reviews or at any point, it is determined that the conditions for processing personal data no longer exist, the relevant user or data owner will decide, based on this policy, to delete, destroy, or anonymize the data in the record environment under their control. If there is any uncertainty, the relevant department will consult with the responsible unit before proceeding. If the decision concerns personal data in centralized information systems with multiple stakeholders, the opinion of the Personal Data Protection Committee will be sought. The relevant department will make the decision on whether to store, delete, destroy, or anonymize the data according to this policy.
6.4. All actions related to the deletion, destruction, or anonymization of personal data are recorded, and these records will be kept for at least three years, except for other legal obligations.
6.5. In accordance with Article 7.4 of the Regulation, the methods applied for deleting, destroying, or anonymizing personal data will be published and explained after the implementation of this Policy.
6.6. Deletion, destruction, or anonymization of personal data must be carried out in compliance with the general principles in Article 4 of the Law, the technical and administrative measures specified in Article 12, relevant legislation, decisions of the Board, and court decisions.
6.7. When a data owner, who is a natural person, requests the deletion, destruction, or anonymization of their personal data, they can apply to “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” The relevant department will review whether the conditions for processing the data have completely ceased. If these conditions are no longer valid, the department will delete, destroy, or anonymize the data. This will be done within a maximum of thirty days from the request, and the data owner will be informed by the designated Data Protection Officer. If the data has been shared with third parties, the relevant department will immediately inform the third party and ensure that the necessary actions are taken as required by the Regulation.
6.8. If the conditions for processing personal data have not ceased, requests for deletion or destruction of personal data may be rejected by “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.”, in accordance with Article 13, paragraph 3 of the Law, along with an explanation of the reasons for the rejection. The rejection will be communicated to the relevant person in writing or electronically within 30 days.
6.9. Requests for the deletion or destruction of personal data will only be evaluated if the identity of the relevant person has been confirmed. Requests made through other channels will be directed to channels where the identity can be verified.
7. IMPLEMENTATION OF THE POLICY, VIOLATIONS, AND SANCTIONS
7.1. This Policy will be made public on the website of “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” and will come into force. It will be binding on all departments, consultants, customers, insurance companies, external service providers, and anyone who processes personal data within the organization.
7.2. Supervising the employees’ compliance with the Policy will be the responsibility of their supervisors. If a violation is detected, it will be immediately reported to the relevant supervisor. In cases of significant violations, the supervisor will notify the Personal Data Protection Committee without delay.
7.3. If an employee violates the Policy, the Human Resources department will evaluate the situation and take necessary administrative actions.
7.4. All necessary security measures for compliance with the KVKK Law are being taken by “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” to ensure the enforcement of the Policy.
8. RESPONSIBILITIES AND PERSONNEL INVOLVED IN PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES
All employees, customers, insurance companies, consultants, external service providers, and anyone who processes personal data at “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” are responsible for fulfilling the requirements set by the Law, Regulation, and this Policy regarding data destruction.
Each department is responsible for storing and protecting the personal data produced within its business processes. However, if the data is found only in information systems outside the control of the department, it will be stored by the responsible information systems department.
Periodic destructions that could affect business processes or cause data integrity issues, data loss, or legal non-compliance will be carried out by the relevant information systems departments, considering the type of personal data, the systems in which it is stored, and the department that owns the data.
8.1. PERSONAL DATA PROTECTION COMMITTEE
“ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” establishes a Personal Data Protection Committee, which is responsible for ensuring that personal data is stored and processed in accordance with the Law, the Personal Data Protection and Processing Policy, and the Personal Data Storage and Destruction Policy.
The committee consists of at least three members: one manager, one administrative expert, and one technical expert. Their roles and responsibilities are as follows:
| Role | Description |
|---|---|
| Personal Data Protection Committee Manager | Responsible for directing planning, analysis, research, risk identification efforts, managing processes that must be carried out according to the Law, and making decisions on requests from individuals. |
| KVK Expert (Contact Officer) | Responsible for examining individual requests, reporting them to the Committee Manager, and overseeing the execution of actions as decided by the Committee Manager, including storage and destruction processes. |
8.2. REASONS FOR STORAGE AND DESTRUCTION
8.2.1. Storage Reasons
Personal data stored by “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” is kept in accordance with the Law and the Personal Data Policy for the reasons outlined in the relevant documents.
8.2.2. Destruction Reasons
Personal data in the possession of “ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” will be deleted, destroyed, or anonymized, either upon the request of the individual or when the reasons for processing, as defined in Articles 5 and 6 of the Law, cease to exist.
8.3. DESTRUCTION METHODS
“ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” will delete, destroy, or anonymize personal data when the reasons for processing no longer exist, in line with the Law and this Policy.
The most commonly used methods for deletion, destruction, and anonymization are listed below:
8.3.1.1 Deletion Methods
Methods of Deleting Personal Data Stored in Physical Media
Blackout
Personal data stored in physical media is deleted using the blackout method. The blackout process involves making the personal data on the document invisible by cutting it out when possible, or by obscuring it with permanent ink so that it cannot be read even with technological solutions.
Methods of Deleting Personal Data Stored in Cloud and Local Digital Environments
Secure Deletion from Software
Personal data stored in cloud or local digital environments is deleted via a digital command in a way that makes it impossible to recover. Data deleted in this manner cannot be accessed again.
8.3.1.2 Destruction Methods
Methods of Destroying Personal Data Stored in Physical Media
Physical Destruction
Documents in physical media are destroyed by document shredders, making it impossible to reconstruct them.
Methods of Destroying Personal Data Stored in Local Digital Environments
Physical Destruction
This method involves the physical destruction of optical and magnetic media containing personal data, for example by melting, burning, or reducing the media to dust. Melting, burning, shredding, puncturing, or passing the media through a metal grinder renders the data inaccessible.
Demagnetization (Degaussing)
This is the process of exposing magnetic media to a strong magnetic field, making the data on it unreadable.
Overwriting
Random data consisting of 0s and 1s is written onto magnetic and rewritable optical media at least seven times, preventing the recovery or reading of the old data.
Methods of Destroying Personal Data Stored in Cloud Environments
Secure Deletion from Software
Personal data stored in cloud environments is deleted via a digital command in a way that makes it impossible to recover. When the cloud computing service relationship ends, all copies of the necessary encryption keys are also deleted to prevent the data from being accessed. Data deleted in this manner cannot be retrieved.
8.3.1.3 Anonymization Methods
Anonymization is the process of making personal data such that it cannot be associated with any specific person, even when combined with other data.
Removing Variables
This method involves removing one or more directly identifiable details about an individual from personal data to prevent identification. It can be used to anonymize the data or to remove information that is irrelevant to the purpose of processing.
Regional Obfuscation
This process removes information from a dataset that could potentially be used to identify a person in the case of specific exceptional data points within an anonymized dataset.
Generalization
This method involves combining personal data from multiple individuals and removing distinguishing information to transform it into statistical data.
Lower and Upper Boundary Coding / Global Coding
This method defines categories for a specific variable by setting ranges for it. If the variable does not contain numeric data, it groups similar values together.
Micro Aggregation
In this method, all records in a dataset are first sorted in a meaningful order, then divided into a set number of subsets. The average value of a specific variable is calculated for each subset, and the subset’s value for that variable is replaced with the average. This process makes it more difficult to link the data to a specific individual.
Data Mixing and Distortion
Direct or indirect identifiers within personal data are mixed or distorted with other values, breaking the link between the data and the individual, thus losing their identifying characteristics.
“ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC.” uses one or more of these anonymization methods, depending on the nature of the data, to anonymize personal data. The company may also apply statistical methods such as K-Anonymity, L-Diversity, and T-Closeness when anonymizing data.
9. PERSONAL DATA STORAGE AND DESTRUCTION PERIODS
The table showing the Personal Data Storage and Destruction Periods can be found in Appendix 1. When periodic or on-demand destruction is performed, the storage and destruction periods in the table will be taken into account. The relevant business units, which are the owners of the processes in the personal data inventory of ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC., will update these periods if necessary, after consulting the Personal Data Protection Committee in case of uncertainty.
9.1 Personal Data Storage Table (Duration)
| Data Owner | Data Category | Storage Duration |
|---|---|---|
| Employee | Recruitment documents and social security notifications regarding service period and wages | Stored for 50 years from the date of service contract and its termination. |
| Employee | Personal data except recruitment documents and notifications to the social security institution | Stored for 10 years from the end of the service contract. |
| Employee | Workplace Personal Health Files | Stored for 30 years from the date of service contract and its termination. |
| Business Partner/Consultant | Identity, communication, financial details, voice recordings | Stored for 10 years following the termination of business relationship, as per the Turkish Civil Code Article 146 and Turkish Commercial Code Article 82. |
If the law or regulations set a longer retention period, these statutory periods will be considered as the maximum storage periods.
9.1.2. Destruction Periods
ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. is responsible for deleting, destroying, or anonymizing personal data within the first periodic destruction after the date when the obligation arises under the law, related legislation, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy.
If an individual requests the deletion or destruction of their personal data, ENEKO HVAC AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. will delete, destroy, or anonymize the requested data within 30 days, providing an explanation of the reason for the action taken.
If the processing conditions for personal data no longer exist, the request will be fulfilled. If not, the request may be rejected, and the individual will be informed within 30 days in writing or electronically.
10. PERIODIC DESTRUCTION PERIODS
In the event that all the conditions for the processing of personal data under Law No. 6698 on the Protection of Personal Data cease to exist, ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. will delete, destroy, or anonymize personal data, whose processing conditions have ceased to exist, through a process performed periodically and automatically, as stated in this Personal Data Retention and Destruction Policy.
The periodic destruction process starts on September 30, 2019, and is repeated every 6 (six) months.
10.1. MONITORING THE LEGALITY OF DESTRUCTION
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. carries out its destruction processes, whether upon request or as part of the periodic destruction procedures, in accordance with the Law, other relevant regulations, the Personal Data Protection and Processing Policy, and this Personal Data Retention and Destruction Policy.
To ensure that the destruction operations are conducted in compliance with these regulations, ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. takes various administrative and technical measures.
10.1.1. Technical Measures
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. provides the necessary technical tools and equipment suitable for each destruction method stated in this policy.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. ensures the security of the place where destruction is carried out.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. maintains access logs for those performing the destruction process.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. employs qualified and experienced personnel for destruction operations or, if necessary, obtains services from qualified third parties.
10.1.2. Administrative Measures
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. conducts awareness and training activities to increase the knowledge and consciousness of its employees regarding information security, personal data, and privacy.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. receives legal and technical consultancy services to monitor developments in information security, privacy, personal data protection, and secure destruction techniques, and takes necessary actions accordingly.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. signs protocols with third parties when destruction operations are outsourced due to technical or legal requirements, ensuring that third parties comply with these obligations to protect personal data.
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. regularly audits the destruction process to ensure compliance with the law and the conditions and obligations set forth in this Personal Data Retention and Destruction Policy and takes necessary actions.
All actions related to the deletion, destruction, and anonymization of personal data are documented, and these records are kept for at least three years, except where other legal obligations apply.
11. EFFECTIVENESS
This policy will come into effect from the date of its publication.
The announcement and necessary updates regarding the policy will be the responsibility of the Personal Data Protection Committee.
12. UPDATES AND COMPLIANCE
ENEKO VENTILATION AND HEAT ECONOMY SYSTEM TECHNOLOGIES MACHINERY INDUSTRY AND TRADE INC. reserves the right to make changes to the Personal Data Protection and Processing Policy or this Personal Data Retention and Destruction Policy due to amendments in the Law, decisions made by the Institution, or developments in the sector or information technology.
Changes made to this Personal Data Retention and Destruction Policy will be immediately incorporated into the text, and the explanations regarding these changes will be provided at the end of the policy.