Personal Data Storage and Destruction Policy

1. PURPOSE OF THE POLICY

Registered with Izmir Chamber of Commerce in Turkey under registration number 250954, MERSIS number 0590130602400001 and registered office "Gulbahce Mah. Gülbahçe Cad. No: 1/48 Interior Door No: 3 Urla / İzmir", Kubba Sağlık Sanayi ve Ticaret A.Ş. ("KUBBA SAĞLIK") This Personal Data Retention and Destruction Policy (''Policy''), prepared by us as the data controller, has been prepared in order to fulfill our obligations in accordance with the Personal Data Protection Law No. 6698 (''KVKK'' or ''Law'') and the Regulation on Deletion, Destruction or Anonymization of Personal Data (''Regulation'') and to determine the maximum retention and destruction periods required for the purpose for which personal data are processed.

2. ORGANIZED RECORDING ENVIRONMENTS

Personal data stored within the Company are sensitively stored in the following recording environments in accordance with the nature of the relevant data and our legal obligations.

Electronic media;

• Ms Office Files
• Our Servers
• Our computers sensitively protected with antivirus programs and firewalls
• Our network devices
• Shared/non-shared disk drives used for data storage on the network
• Mobile phones and all the storage space inside,
• Printer,
• Flash memories
• Database

 

Physical environments;

• Unit Cabinets
• Unit Archive
• Institution Archive
• Archive
• Accounting Unit

 

 

 

 

3. DEFINITIONS AND EXPLANATIONS

Open Consent	Consent on a specific issue, based on information and freely given.
Anonymization/Anonymization	Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee	"KUBBA HEALTH" employees.
Destruction	Deletion, destruction or anonymization of personal data.
Recording Environment	Any medium containing personal data that is fully or partially automated or processed non-automatically, provided that it is part of any data recording system,
Personal Data	Any information relating to an identified or identifiable natural person.
Personal Data Owner/Related Person	The natural person whose personal data is processed.
Processing of Personal Data	Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Board	Personal Data Protection Board.
Institution	Personal Data Protection Authority
KVKK, Law	Law No. 6698 on the Protection of Personal Data
Sensitive Personal Data	data on health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Disposal	If all of the conditions for processing personal data set forth in the Law are no longer applicable in the event of a recurring event specified in the personal data retention and destruction policy erasure, destruction or anonymization to be carried out ex officio at intervals.
Politics	"KUBBA HEALTH" Personal Data Storage and Destruction Policy
Deletion	Making personal data inaccessible and non-reusable in any way for the relevant users.
Supplier	Defines the parties with whom the Data Owner establishes business partnerships for the purposes of obtaining all kinds of services and carrying out operational processes on behalf of the companies in which the Data Owner participates in the capital or is under the management of the Data Owner personally or through its shareholders or managers while conducting its commercial activities
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to receive information and documents from the company in accordance with the provisions of the relevant legislation
Company	Kubba Health Industry and Trade Inc.
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Recording System	A recording system in which personal data is structured and processed according to certain criteria, directory.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Destruction	Making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Regulation	Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017

 

4. EXPLANATIONS ON THE REASONS FOR THE RETENTION AND DESTRUCTION OF PERSONAL DATA

Personal data within the Company are stored securely and sensitively in electronic or physical media specified in this Policy for the following data processing reasons in order to provide our Company's services, to continue its commercial activities without interruption, to fulfill its legal obligations, to carry out customer relations, to plan and fulfill employee rights; and are destroyed ex officio or upon the request of the person concerned in the event that these reasons disappear.

• Existence of explicit consent,
• Existence of a legal provision,
• Failure to obtain explicit consent due to actual impossibility,
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The personal data of the data subject has been made public by him/her,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

5. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

 

Our company does not process personal data specified as special categories of personal data that have the risk of creating discrimination when processed unlawfully, but takes measures in accordance with the data processing conditions set forth in Article 6 of the KVK Law in case of processing special categories of personal data with the explicit consent of the data owner or in cases required by law.  

 

➢ Training is provided to the personnel involved in the processing of sensitive personal data. 

➢ Authorization restriction is provided that prevents access to relevant data. 

➢ Physical and electronic media where data is collected are protected by encryption techniques. 

➢ Access records for this data, the system and the employee are periodically audited.

 

6. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURE STORAGE OF PERSONAL DATA AND THE PREVENTION OF UNLAWFUL PROCESSING AND ACCESS TO IT

Our Company takes the following technical and administrative measures to ensure that personal data is stored securely and processed in accordance with the law and to prevent unlawful access to personal data:

• Network security and application security are ensured.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• There are disciplinary regulations for employees that include data security provisions.
• Training and awareness raising activities on data security are carried out for employees at regular intervals.
• Authorization matrix has been created for employees.
• Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
• Employees who are reassigned or leave their jobs are de-authorized in this area.
• Up-to-date anti-virus systems are used.
• Firewalls are used.
• The signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• Physical environments containing personal data are secured against external risks (fire, flood, etc.).
• Security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up and the security of backed up personal data is also ensured.
• User account management and authorization control system are implemented and monitored.
• Internal periodic and/or random audits are conducted and commissioned.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of sensitive personal data have been determined and implemented.
• If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
• Within the scope of Article 9 of the KVKK; Personal data and information of real/private legal entities in the trade registry in accordance with the principle of publicity of the TCC, explicit consent is obtained due to the effective use of international applications using cloud technology (Whatsapp, Google data-based applications, Yandex data-based applications, Amazon data-based applications, Microsoft data-based applications) in commercial life. Transfers abroad are made only with explicit consent, and the necessary harmonization process will be completed immediately according to the safe country list to be published by the Board. Explicit consent is obtained through an electronic or written consent form. When necessary, the transfer is made through letters of undertaking or application to the Board.
• Within 3 working days following the publication of the adequate protection list, the harmonization process will be carried out and the classification of the works to be carried out without explicit consent and consent due to the nature of the work will be carried out.
• If deemed necessary, the application process for Binding Corporate Rules may be initiated and the procedure for inter-company coordination and efficient operation may be switched to a procedure where explicit consent is not required.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is performed.
• Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.

A written data processor agreement is signed with all our data processing service providers in accordance with Article 12 of the KVKK, and it is supervised that these persons take the necessary technical and administrative measures.

7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE DESTRUCTION OF PERSONAL DATA IN ACCORDANCE WITH THE LAW

The practices within the Company for the destruction (deletion, destruction and anonymization) of personal data are as follows:

DELETION OF PERSONAL DATA

• Data in the cloud system is deleted by issuing a delete command.
• Personal data on paper media are erased using the blackout method (by scratching/painting/erasing). The blackout process is performed by cutting out the personal data on the relevant document, where possible, and making it invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read by technological solutions.
• Office files on the central server are deleted by deleting the file with the delete command in the operating system or by removing the access rights of the relevant user on the file or the directory where the file is located.
• Personal data on portable media (e.g. data on flash-based storage media) should be stored encrypted and deleted using software suitable for these media.
• Personal data in databases are deleted with database commands (DELETE etc.) of the relevant rows/columns or cells in the table.

 

DESTRUCTION OF PERSONAL DATA

 

• Personal data on local systems are destroyed by de-magnetization (exposing the media to a high magnetic field by passing it through a special device), physical destruction (melting, burning, using shredders of media and magnetic media) and overwriting.
• Destruction of personal data on peripheral systems; Network devices (switch, router, etc.), Flash-based media / hard disks (ATA "SATA, PATA, etc.", SCSI "SCSI Express, etc.), units such as magnetic tape, magnetic disk, Mobile phones (Sim card and fixed memory areas), Printers whose data recording media is removable or fixed, Optical disks.), units such as magnetic tape, magnetic disk, mobile phones (Sim card and fixed memory areas), printers with removable or fixed data recording media, printers with removable or fixed data recording media, optical disks, etc. If the environmental recording systems that we can specify as optical disks are digital media, if they are supported as a product feature, use the destruction command such as, If the digital media is not supported as a product feature, it must be destroyed by using the destruction method recommended by the manufacturer or by using one or more of the appropriate methods specified as "de-magnetization, physical destruction, overwriting", and finally, if it is not digital media, it must be destroyed by using one or more of the appropriate methods specified as "de-magnetization, physical destruction, overwriting".
• Since the personal data contained in paper and micro-office environments are permanently and physically written on the media, the destruction process is carried out by destroying the main media containing this data.
• Personal data in the cloud environment is encrypted and stored, and when the destruction time comes, the destruction command is executed.

 

ANONYMIZATION OF PERSONAL DATA

 

• With the masking method, anonymization is performed by removing the basic identifying information (e.g. name, surname, Turkish ID number) that enables the identification of the data subject.
• With the aggregation method, anonymization is performed by removing personal data in a way that cannot be associated with any person (e.g. more job applications from people between the ages of 25 and 30).
• With the Data Derivation method, anonymization is carried out by creating a more general content than the content of personal data and in a way that personal data cannot be associated with a person in any way (e.g. writing age instead of date of birth).

(Below are definitions and explanations regarding the anonymization methods used in practice. In case one or more of these methods are used within the company, the relevant methods should be selected / specified)

1. A) ANONYMIZATION METHODS THAT DO NOT PROVIDE VALUE REGULARIZATION

No changes, additions or deletions are made to the values of the data; instead, all rows or columns in the cluster are anonymized. This way, while the data is changed in general, the values in the fields are kept in their original form.

• Removing Variables: It is an anonymization method that is achieved by removing one or more of the variables from the table by deleting them completely.
• Removing Records: By removing a row in the dataset that contains a singularity, anonymization is strengthened and the possibility of generating assumptions about the dataset is reduced.
• Regional Concealment: To make the dataset more secure and to reduce the risk of predictability, the value is changed to "unknown" if the combination of values for a particular record has a high probability of causing it to become distinguishable.
• Generalization: It is the process of converting relevant personal data from a specific value to a more general value. The new values obtained by this method show aggregate values or statistics of a group that make it impossible to access a real person.
• Lower and Upper Bound Coding: Generally, the low or high values of a certain variable are collected together and a new definition is applied to these values.
• Global Coding: It is a grouping anonymization method used for datasets that do not contain numeric values or values that cannot be sorted numerically, where lower and upper bound coding is not feasible.
• Sampling Instead of the whole dataset, a subset is disclosed or shared. This reduces the risk of generating accurate predictions about individuals.

 

1. B) ANONYMIZATION METHODS THAT PROVIDE VALUE REGULARIZATION

By changing the existing values, the values of the dataset are distorted and anonymized. Even if the values in the dataset change, the aggregate statistics remain intact and the data can still be utilized.

• Micro Merge: All records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset for a given variable is averaged and the value of that variable for that subset is replaced by the average value. Thus, the average value of that variable, which is valid for the entire dataset, will not change.
• Data Exchange: Record changes obtained by exchanging the values of a subset of variables between selected pairs of records. This method is mainly used for categorizable variables and the idea is to anonymize the database by exchanging the values of variables between records belonging to individuals.
• Noise Addition: A selected variable is anonymized by making additions and subtractions to provide a specified amount of distortions. This method is mostly applied to datasets containing numeric values. The distortion is applied equally to each value. 

1. C) STATISTICAL METHODS TO STRENGTHEN ANONYMIZATION

In anonymized datasets, as a result of the combination of some values in the records with singular scenarios, the possibility of identifying the identities of the people in the records or deriving assumptions about their personal data may arise. For this reason, anonymity can be strengthened by minimizing the uniqueness of the records in the dataset by using various statistical methods in anonymized datasets. The main purpose of these methods is to minimize the risk of anonymity degradation while keeping the benefit from the dataset at a certain level. In this context, basic methods such as masking and aggregation will be utilized and advanced methods will be used when necessary.

 

8. TITLES, UNITS AND JOB DESCRIPTIONS OF THOSE INVOLVED IN PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES

 

STAFF	UNIT	JOB DESCRIPTION
Archive Supervisor	Archive Supervisor	Destruction of personal data.
Lawyer	Law	Receiving the requests of the relevant persons, checking their compliance with the procedure and responding to the request.
Accounting/Human Resources Personnel	Accounting/Human Resources	Ensuring compliance with the retention period of the processes within the scope of its duties, managing the periodic destruction process, and conducting the necessary audits and controls to respond to the requests of the relevant persons.
Accounting/Finance Personnel	Accounting/Finance	Ensuring compliance with the retention period of the processes within the scope of its duties, managing the periodic destruction process, and conducting the necessary audits and controls to respond to the requests of the relevant persons.
Call Center Personnel	Call Center	Ensuring compliance with the retention period of the processes within the scope of its duties and managing the personal data destruction process in accordance with the periodic destruction period.
Sales-Marketing Personnel	Sales-Marketing	Ensuring compliance with the retention period of the processes within the scope of its duties and managing the personal data destruction process in accordance with the periodic destruction period.
Counselor/Dietician	Counselor/Dietician	Ensuring compliance with the retention period of the processes within the scope of its duties and managing the personal data destruction process in accordance with the periodic destruction period.
Production Personnel	Production	No personal data is processed due to production activities within the scope of his/her duties.

 

9. TABLE ON RETENTION AND DESTRUCTION PERIODS

Personal data within the Company; If stipulated in the relevant laws and legislation, it is stored for the period specified in this legislation.

If the purpose of processing personal data has expired and the retention period determined by the relevant legislation and the company has expired, personal data may be stored only for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data. In establishing the periods here, the statute of limitations for the assertion of the right in question is taken as basis. In this case, personal data is not accessed for any other purpose. Personal data are destroyed after the expiration of the said periods.

STORED PERSONAL DATA	STORAGE TIME	STORAGE TIME
All records related to accounting and financial transactions (identity, contact, location, personal details,)	Retained for 10 years from the date of termination of the contractual relationship.	Destroyed at the first periodic destruction following the end of the storage period.
Documents related to general company decisions such as powers of attorney, signature circulars, general assembly resolutions, dismissals	10 years from the date of first registration	Destroyed at the first periodic destruction following the end of the storage period.
Contracts signed with third parties (lease agreements, service agreements, supply agreements)	10 years from the expiration date of the relevant contract	Destroyed at the first periodic destruction following the end of the storage period.
Tender / opening a workplace / ministries - Undersecretariats document preparation processes	10 years from the expiration date of the process	Destroyed at the first periodic destruction following the end of the storage period.
Personal data obtained within the scope of occupational health and safety practices	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Supplier contact and promotion forms	2 years from the date of termination of the Employment Relationship	Destroyed at the first periodic destruction following the end of the storage period.
Personal health data of employees	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Employee recruitment files, personal data	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Personal data obtained within the scope of occupational health and safety practices	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Customer Request/Complaint Information	1 year from receipt of registration	Destroyed at the first periodic destruction following the end of the storage period.
Responding to court/execution information requests related to personnel	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Personnel Financing Processes	15 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Contact information obtained by all units	Contact information is retained for 10 years from the date of acquisition.	Destroyed at the first periodic destruction following the end of the storage period.
ACCORDING TO LAW NO. 5651, INTERNET USAGE LOGS ARE KEPT	Stored for 2 years.	Destroyed at the first periodic destruction following the end of the storage period.
KEEPING CAMERA RECORDS for physical security purposes	Stored for 2 years.	Destroyed at the first periodic destruction following the end of the storage period.
PERSONNEL CANDIDATE EVALUATION	Negative evaluations are kept for 3 years.	Destroyed at the first periodic destruction following the end of the storage period.
EDUCATION ACTIVITIES	Upon termination of the employment contract, personal data within the scope of OHS legislation is kept for 15 years and other data is kept for 10 years.	Destroyed at the first periodic destruction following the end of the storage period.
PERMISSIONS	Retained for 10 years from the end of the employment relationship.	Destroyed at the first periodic destruction following the end of the storage period.
BUSINESS OPENING PROCEDURES	Processed personal data is stored for 10 years.	Destroyed at the first periodic destruction following the end of the storage period.
INVOICE ACCRUAL	In cases arising from the Turkish Commercial Code, it is kept for 10 years, and in cases arising from the Tax Procedure Law, it is kept for 5 years.	Destroyed at the first periodic destruction following the end of the storage period.
DECLARATION PREPARATION	It is kept for 5 years in accordance with the Tax Procedure Law.	Destroyed at the first periodic destruction following the end of the storage period.
Part of the Contract Process and Contract Maintenance	10 years from the date of termination of the employment relationship	Destroyed at the first periodic destruction following the end of the storage period.
Location information	5 Years from the end of the commercial activity	Destroyed at the first periodic destruction following the end of the storage period.
KVK Processes (Disclosure, Explicit Consent, Applications and Complaints)	10 years from the date of the relevant registration	Destroyed at the first periodic destruction following the end of the storage period.
Erasure Destruction Anonymization Recording Process	3 years from the transaction date	Destroyed at the first periodic destruction following the end of the storage period.
Mail- Cargo Worklem Kayıtları	1 year from the transaction date	Destroyed at the first periodic destruction following the end of the storage period.
PERSONAL DATA RELATING TO CUSTOMERS	10 years from the end of the legal/contractual relationship	Destroyed at the first periodic destruction following the end of the storage period.

 

10. PERIODIC DESTRUCTION PERIODS

Personal data shall be erased, destroyed or anonymized at the first periodic destruction following the date on which the obligation to destroy personal data arises. Periodic destruction is carried out at 6-month intervals (at the end of the 1st and 7th month of each year) for all personal data.

Minutes of the transactions related to deleted, destroyed and anonymized data are kept for at least 3 years, excluding other legal obligations.

11. PUBLICATION, STORAGE AND ENTRY INTO FORCE OF THE POLICY

The Policy is published in two different media, wet signed (printed paper) and electronic media, and disclosed to the public on the website. The Policy is reviewed as needed. Following any official changes to be made in the relevant legislation, this Policy may be amended in accordance with this change. In case of any incompatibility between the Personal Data Protection Law and the relevant regulations and this Policy, the KVKK regulations shall prevail. The Policy shall be deemed to have entered into force after its publication on the website of the Authority. In case it is decided to be abolished, the old copies of the Policy with wet signature shall be canceled and signed by the Company Official and kept by the Company for at least 20 years.

12. TABLE OF CONTENTS OF THE UPDATE TO THE EXISTING PERSONAL DATA RETENTION AND DESTRUCTION POLICY

UPDATE DATE	BEFORE UPDATING	AFTER UPDATE
15.04.2025	CREATION	07.05.2025

 

13. RECORD

The above-mentioned deletion, destruction and anonymization operations shall be recorded with a report prepared with the joint signature of the relevant Company Official and Contact Person who perform the operations.