JENGAL SOFTWARE INC. PERSONAL DATA RETENTION AND DISPOSAL POLICY

1. INTRODUCTION


1.1 Purpose
The Personal Data Retention and Disposal Policy (“Policy”) has been prepared to determine the procedures and principles regarding the storage and disposal activities of personal data processed by Jengal Software Inc. (“Company”).
The Company, in line with its mission, vision, and core principles, prioritizes the processing of personal data belonging to Company employees, employee candidates, service providers, visitors, customers, potential customers, suppliers, and other third parties in compliance with the Constitution, international agreements, the Personal Data Protection Law No. 6698 (“Law/KVKK”), and other relevant legislation, and ensures that the relevant persons can effectively exercise their rights. The processes related to the storage and disposal of personal data are carried out by the Company in accordance with this Policy.
1.2 Scope
This Policy covers the personal data of Company employees, employee candidates, service providers, visitors, customers, potential customers, suppliers, and other third parties, and applies to all recording environments where personal data are processed by the Company or managed by the Company, and all personal data processing activities.
1.3 Definitions
Recipient Group: The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent: The consent given by a data subject for a specific issue, based on information, and expressed with free will.
Anonymization: The process of making personal data impossible to link with an identified or identifiable natural person, even if it is matched with other data.
Employee: Personnel of the Personal Data Protection Authority.
EBYS: Electronic Document Management System.
Employee Candidate: Natural persons who have applied for a job to the Company in any way or have opened their resume and related information for the Company’s review.
Electronic Environment: Environments where personal data can be created, read, modified, and written with electronic devices.
Non-Electronic Environment: All written, printed, visual, etc., other environments outside of electronic environments.
Service Provider: A natural or legal person who provides services to the Personal Data Protection Board under a specific contract.
Relevant Person: The natural person whose personal data are processed.
Relevant User: Persons who process personal data within the data controller organization or under the authority and instructions received from the data controller, except for the persons or units responsible for the technical storage, protection, and backup of the data.
Disposal: The process of deleting, destroying, or anonymizing personal data.
Law: Personal Data Protection Law No. 6698.
Recording Environment: Any environment where personal data are processed, fully or partially automatically, or by non-automatic means provided that they are part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, retention, modification, rearrangement, disclosure, transfer, takeover, making available, classification, or prevention of use, fully or partially by automated means, or by non-automated means provided that they are part of a data recording system.
Board: Personal Data Protection Board.
Customer: Natural persons who use or have used the products and services offered by the Company, regardless of whether they have a contractual relationship with the Company.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, and biometric and genetic data.
Periodic Disposal: The process of deleting, destroying, or anonymizing personal data, which will be carried out ex officio at repetitive intervals specified in the personal data retention and disposal policy if all the conditions for processing personal data specified in the Law are no longer met.
Policy: Personal Data Retention and Disposal Policy.
Company: Jengal Software Inc.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: The recording system where personal data are structured and processed according to specific criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulation: Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.
Visitor: All natural persons who enter the Company’s physical premises for various purposes or visit the websites for any purpose.

2. RECORDING ENVIRONMENTS


Your personal data is securely stored by Jengal Software Inc. in the environments mentioned below in compliance with the law.

Electronic Environments:
Network devices
Shared/non-shared disk drives used for data storage on the network
Software (office software)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Removable Disks (USB, Memory Card, etc.)
Personal Computers (Desktop, Laptop)
Mobile Devices (phone, tablet, etc.)
Optical Disks (CD, DVD, etc.)
Servers (Domain, backup, email, database, web, file sharing, etc.)
Printers, scanners, photocopiers

Non-Electronic Environments:
Archive
Paper
Manual Data Recording Systems (survey forms, visitor logbook)
Written, printed, visual media
Unit cabinets


3. EXPLANATIONS REGARDING RETENTION AND DISPOSAL


Personal data of company partners, shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, customer candidates, customer representatives and employees, potential product or service recipients, suppliers, supplier employees, supplier representatives, visitors, consultants and third parties, business partners, product or service recipients, and all natural persons whose personal data are available at the Company for any reason, are processed, stored, and disposed of in accordance with the procedures and principles stated in the Law, Regulation, and relevant legislation. Explanations regarding retention and disposal are provided below.
3.1 Explanations Regarding Retention
In Article 3 of KVKK, the concept of personal data processing is defined, and in Article 4, it is stated that the processed personal data should be related, limited, and proportional to the purpose for which they are processed and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. Articles 5 and 6 list the conditions for processing personal data.
Personal data are retained by the Company for the period stipulated in the relevant legislation or as required for the purposes of processing.
3.1.1 Legal Reasons for Retention
Personal data processed within the scope of the Company's activities are retained for the period stipulated in the relevant legislation. Personal data can be processed based on the legal reasons specified in Articles 5 and 6 of KVKK as follows:
Explicit consent of the relevant person,
Explicitly stipulated in the laws (Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Consumer Protection Law No. 6502, Banking Law No. 5411, Regulation on Employment of the Disabled, Ex-Convicts and Terrorism Victims, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Regulation on Internet Mass Use Providers, Bankruptcy and Enforcement Law No. 2004, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Regulation on Occupational Health and Safety Services, Labor Law No. 4857, Regulation on Health and Safety Measures in Workplace Buildings and Annexes, Regulation on Archive Services, Other Regulations in Force Under These Laws)
In cases where the explicit consent of the person cannot be obtained due to actual impossibility or legal invalidity, it is necessary to protect the life or physical integrity of the person or another person.
It is necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the relevant person.
It is necessary for the establishment, exercise, or protection of a right.
Provided that it does not harm the fundamental rights and freedoms of the relevant person, it is mandatory for the legitimate interests of the data controller to process personal data.
3.1.2 Purposes Requiring Retention
Personal data processed within the scope of the Company’s activities are retained for the following purposes:
Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidate/Intern/Student Selection and Placement Processes
Execution of Employee Candidate Application Processes
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Benefits and Rights Processes for Employees
Execution of Audit Activities
Execution of Training Activities
Execution of Access Authorizations
Ensuring Compliance with Legislation
Execution of Finance and Accounting Affairs
Execution of Company/ Product/ Service Loyalty Processes
Ensuring Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Execution of Internal Audit/Investigation/Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution/Audit of Business Activities
Execution of Occupational Health and Safety Activities
Receiving and Evaluating Suggestions for Improvement of Business Processes
Execution of Business Continuity Activities
Ensuring Quality Standards
Monitoring and Controlling Entry and Exit to Company Premises
Execution of Goods/Service Purchasing Processes
Execution of Goods/Service After Sales Support Services
Execution of Goods/Service Sales Processes
Execution of Goods/Service Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Organization and Event Management
Execution of Marketing Analysis Studies
Execution of Performance Evaluation Processes
Execution of Advertising/Campaign/Promotion Processes
Execution of Storage and Archive Activities
Execution of Contract Processes
Follow-up of Requests/Complaints
Execution of Wage Policy
Execution of Marketing Processes of Products/Services
Ensuring the Security of Data Controller Operations
Execution of Investment Processes
Execution of Talent/Career Development Activities
Providing Information to Authorized Persons, Institutions, and Organizations
Execution of Management Activities
Creating and Tracking Visitor Records
Ensuring the Security of Movable Property and Resources
Issuance of Product Invoices
Execution of Product Sales Policy


3.2 Reasons Requiring Disposal
Your personal data are deleted, destroyed, or anonymized by the Company, either upon the request of the relevant person or ex officio, in the following cases:
The provisions of the relevant legislation that constitute the basis for the processing are amended or repealed,
The purpose that requires processing or retention no longer exists,
Where the processing is based solely on explicit consent, the data subject withdraws that consent,
In accordance with Article 11 of KVKK, the data subject's request for the deletion or destruction of their personal data is accepted by the Company,
The conditions for processing personal data stated in Articles 5 and 6 of the Law are no longer present,
The Company rejects the data subject's request for deletion, destruction, or anonymization of personal data, the response is deemed insufficient, or the Company fails to respond within the period specified in the Law, and the complaint the data subject then files with the Board is approved by the Board,
The maximum period for retaining personal data has been exceeded and there are no conditions that justify further retention.

4. PERSONAL DATA DISPOSAL TECHNIQUES


At the end of the period specified in the relevant legislation or required for the purpose for which they are processed, personal data shall be disposed of by the Company either ex officio or upon the request of the Relevant Person, in accordance with the provisions of the relevant legislation, using the techniques listed below.
Unless otherwise decided by the Board, the Company selects an appropriate method from among the techniques for deletion, destruction, or anonymization of personal data. However, upon the request of the relevant person, the appropriate method is selected by providing a rationale.
4.1 Deletion of Personal Data
Deletion of personal data refers to making personal data inaccessible and unusable for the relevant users in any way. Personal data processed by the Company are deleted from the recording environments in which they are stored as specified in Table 2 below:

Table 2: Data Recording Environment / Explanations

Personal Data on Servers: For personal data on servers for which the retention period has expired, the deletion process is carried out by the system administrator by revoking the access rights of the relevant users.

Personal Data in Electronic Environment: Personal data in electronic environment for which the retention period has expired are made inaccessible and unusable for other employees (relevant users) except for the database administrator.

Personal Data in Physical Environment: Personal data in physical environment for which the retention period has expired are made inaccessible and unusable for other employees except for the unit manager responsible for the document archive. Additionally, they are blacked out by crossing/painting/erasing so that they are unreadable.

Personal Data on Portable Media: Personal data stored on flash-based storage media for which the retention period has expired are encrypted by the system administrator and stored in secure environments, with the encryption keys and access rights held only by the system administrator.

In Database: The relevant rows containing personal data are deleted using database commands.

On Company Computers: Personal data are accessed with authentication and deleted using operating system commands.



4.2 Destruction of Personal Data
Destruction of personal data refers to the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way. Personal data processed by the Company are destroyed in the recording environments in which they are stored as specified in Table 3 below:

Table 3: Data Recording Environment / Destruction Method / Explanations

Personal Data in Physical Environment
Method: Physical Destruction
Explanation: Personal data in paper environment for which the retention period has expired are destroyed in paper shredders in an irreversible manner.

Personal Data Stored in Local Digital Environment
Method: Physical Destruction
Explanation: Optical and magnetic media containing personal data are physically destroyed by melting, burning, pulverizing, or passing them through a metal shredder, which makes the data inaccessible.

Personal Data Stored in Cloud Environment
Method: Secure Deletion from Software
Explanation: Personal data stored in the cloud environment are securely deleted with a digital command in a way that they cannot be recovered, and all copies of the encryption keys necessary to make the personal data usable are destroyed when the cloud service relationship ends. This ensures that the deleted data cannot be accessed again.





4.3 Anonymization of Personal Data
Anonymization of personal data refers to making personal data impossible to link with an identified or identifiable natural person, even if it is matched with other data. Personal data processed by the Company are anonymized in the recording environments in which they are stored using the techniques specified in Table 4 below:

Table 4: Anonymization Technique / Explanations

Regional Concealment: The process of deleting, in bulk, distinguishing information in the data table containing personal data that may identify the individual in exceptional cases.

Variable Removal: The process of removing one or more direct identifiers in personal data that can be used to identify the relevant person in any way. This method can be used to anonymize personal data, as well as to delete information in personal data that does not fit the purpose of data processing.

Generalization: The process of collecting personal data of many people and converting them into statistical data by removing distinguishing information.

Masking: The method of anonymizing personal data by removing the main identifying information from the data set.

Data Swapping: The process of breaking the relationship with the individual by mixing or distorting the direct or indirect identifiers in personal data with other values, so that they lose their identifying characteristics.
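The four record-level techniques in Table 4 are easier to judge when seen operating on data. The following is an added example written for this page, not Jengal Software's own tooling: it applies variable removal, masking, generalization and data swapping to a constructed sample table. The field names, the fictitious records, the classification of which fields count as direct identifiers, and the "keep the last two characters" masking rule are all assumptions made for the demonstration.

```python
"""Record-level anonymization techniques from section 4.3 (variable removal,
generalization, masking, data swapping) applied to a constructed sample table.
Added example; not Jengal Software's own tooling. Field names, the sample
records and the masking rule are assumptions."""
import random
import statistics

# Constructed sample data (fictitious people); each dict is one row of a
# personal-data table.
SAMPLE_RECORDS = [
    {"name": "Ayse K.", "national_id": "11111111110", "email": "ayse@example.com",
     "birth_year": 1988, "city": "Ankara", "salary": 52000},
    {"name": "Mehmet Y.", "national_id": "22222222220", "email": "mehmet@example.com",
     "birth_year": 1979, "city": "Izmir", "salary": 61000},
    {"name": "Elif D.", "national_id": "33333333330", "email": "elif@example.com",
     "birth_year": 1992, "city": "Ankara", "salary": 48000},
    {"name": "Can S.", "national_id": "44444444440", "email": "can@example.com",
     "birth_year": 1985, "city": "Istanbul", "salary": 70000},
]

# Fields that identify a person directly (assumed classification).
DIRECT_IDENTIFIERS = ("name", "national_id", "email")


def remove_variables(records, fields=DIRECT_IDENTIFIERS):
    """Variable removal: drop the direct identifiers from every record."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def mask(value, keep_last=2, mask_char="*"):
    """Masking: hide all but the last `keep_last` characters of a value."""
    text = str(value)
    if len(text) <= keep_last:
        return mask_char * len(text)
    return mask_char * (len(text) - keep_last) + text[-keep_last:]


def mask_records(records, fields=DIRECT_IDENTIFIERS):
    """Apply mask() to each direct identifier, leaving other fields intact."""
    return [{k: (mask(v) if k in fields else v) for k, v in r.items()} for r in records]


def generalize_year(year, bucket=10):
    """Generalization of one value: an exact birth year becomes a decade range."""
    start = year - year % bucket
    return f"{start}-{start + bucket - 1}"


def generalize_to_statistics(records, group_by="city", measure="salary"):
    """Generalization of the table: identifiers are dropped and rows are
    aggregated into per-group counts and means, i.e. statistical data."""
    groups = {}
    for r in records:
        groups.setdefault(r[group_by], []).append(r[measure])
    return {g: {"count": len(v), "mean_" + measure: statistics.mean(v)}
            for g, v in sorted(groups.items())}


def swap_field(records, field, seed=0):
    """Data swapping: permute one indirect identifier across records so every
    value stays in the table but is detached from its original row. No value
    may stay in place; if the seeded shuffle does not find such an ordering
    in a few tries, a rotation by one position is used instead."""
    rng = random.Random(seed)
    original = [r[field] for r in records]
    swapped = list(original)
    for _ in range(100):
        rng.shuffle(swapped)
        if all(a != b for a, b in zip(original, swapped)):
            break
    else:
        swapped = original[1:] + original[:1]
    return [dict(r, **{field: v}) for r, v in zip(records, swapped)]


def anonymize(records, seed=0):
    """Combine the techniques: remove direct identifiers, generalize the
    birth year to a decade and swap the city between rows."""
    out = remove_variables(records)
    out = [dict(r, birth_year=generalize_year(r["birth_year"])) for r in out]
    return swap_field(out, "city", seed=seed)


if __name__ == "__main__":
    for row in anonymize(SAMPLE_RECORDS):
        print(row)
    print(generalize_to_statistics(SAMPLE_RECORDS))
```

Note that masking alone (the last two characters of an identifier stay visible) and swapping alone (every original value still appears in the table) reduce identifiability but do not remove it; the combined `anonymize` path, which drops the direct identifiers first, is the one that matches the definition of anonymization in section 1.3.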



5. RETENTION AND DISPOSAL PERIODS


When determining the retention periods of personal data, Jengal Software Inc. considers the obligations imposed by legal regulations. In addition to legal regulations, the retention period is determined based on the purposes of processing personal data and the legitimate interest of the Company in processing the personal data. In this context, it is first determined whether there is a period stipulated in the relevant legislation for the retention of personal data, and if a period is stipulated, personal data are retained for this period. If no period is stipulated in the relevant legislation, personal data are retained for the period required for the purpose for which they are processed. Unless otherwise decided by the Board, the Company selects an appropriate method for deleting, destroying, or anonymizing personal data.

Table: Person Group Whose Data Is Processed / Data Category / Data Retention Period

Person Group: Employee
Data Category: Identity, Location, Contact, Physical Space Security, Family and Close Person Information, Transaction Security, Visual-Auditory Records, Financial, Work-related Data, Leave Data
Retention Period: Retained for 10 (Ten) Years from the Termination of the Employment Contract.

Person Group: Employee
Data Category: Health-Related Obligations and Occupational Health and Safety
Retention Period: Retained for 15 (Fifteen) Years from the Termination of the Employment Contract. (Regulation on Occupational Health and Safety Services, Art. 7)

Person Group: Employee Candidate
Data Category: Identity, Contact, Visual-Auditory Records
Retention Period: Retained for 1 Year from the Date of Application, 10 Years from the Termination of the Employment Contract

Person Group: Instructor
Data Category: Identity, Financial
Retention Period: Retained for 10 Years from the End of the Training

Person Group: Customer
Data Category: Identity, Contact, Visual and Auditory Data
Retention Period: Retained for 10 Years from the Purchase Transaction

Person Group: Customer Company Representative
Data Category: Identity, Contact
Retention Period: Retained for 10 Years from the Purchase Transaction

Person Group: Customer Company Representative (General Assembly and Decision Book Transactions)
Data Category: Identity, Contact, Financial Information
Retention Period: 30 Years from the Date of the Decision

Person Group: Customer Employee
Data Category: Identity, Contact
Retention Period: Retained for 10 Years from the Purchase Transaction

Person Group: Visitor
Data Category: Identity, Physical Space Security
Retention Period: Retained for 2 Years from the Date of Visitor Registration

Person Group: Website Visitor
Data Category: Identity, Contact, Transaction Security
Retention Period: Retained for 2 Years from the Date of Record Creation

Person Group: Product/Service Recipient
Data Category: Identity, Contact, Transaction Security, Customer Transaction
Retention Period: Retained for 10 (Ten) Years from the Date of Provision of Each Product/Service Purchased by the Recipient under Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

Person Group: Workplace Camera Records
Data Category: Physical Space Security
Retention Period: 3 Months in Normal Circumstances; Statute of Limitations for Judicial Cases

Person Group: Log Records
Data Category: Transaction Security
Retention Period: 10 Years from the Date of Processing; Longer Period if Required by Law for Judicial Cases

Person Group: Organizations/Firms Cooperating with the Company
Retention Period: Retained for the Duration of the Business/Commercial Relationship and 10 Years from Its Termination under Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.


If a longer period is stipulated by legislation, or if a longer period is required by statute of limitations, limitation periods, retention periods, etc., the periods specified in the legislation are accepted as the maximum retention period.


5.1 Disposal Periods
In accordance with KVKK, relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Disposal Policy, the Company deletes, destroys, or anonymizes personal data during the first periodic disposal process following the date when the obligation to delete, destroy, or anonymize personal data arises.
If the data subject requests the deletion or destruction of their personal data in accordance with Article 13 of KVKK;
If all conditions for processing personal data have disappeared, the Company deletes, destroys, or anonymizes the personal data in question within 30 (thirty) days from the date of receiving the request, explaining the rationale and using an appropriate disposal method. The data subject must make the request in accordance with the Company's Personal Data Processing and Protection Policy published on the official website to be considered valid. The Company informs the data subject of the process in any case.
If all conditions for processing personal data have not disappeared, this request may be rejected by the Company in accordance with the third paragraph of Article 13 of KVKK, explaining the reason, and the refusal response is communicated to the data subject in writing or electronically within thirty days at the latest.
5.2 Periodic Disposal Period
If all conditions for processing personal data specified in the Law are no longer met, the Company deletes, destroys, or anonymizes personal data ex officio at repetitive intervals specified in this Personal Data Retention and Disposal Policy. Jengal Software Inc. has determined the periodic disposal period as 6 months from the expiration of the retention period in accordance with Article 11 of the Regulation.
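Sections 5, 5.1 and 5.2 together define a small procedure: the retention period runs from a triggering event, a longer period stipulated by legislation takes precedence, ex officio disposal happens at the first periodic run after expiry (at most 6 months later), and disposal on a valid request is due within 30 days. The following is an added example written for this page, not Jengal Software's own tooling, that turns those rules into checkable functions. The subset of retention rules, the sample dates, and the fixed periodic run dates of 1 January and 1 July are assumptions; the policy states only the 6-month period, not the calendar on which runs occur.

```python
"""Retention expiry and disposal-deadline computation following sections 5,
5.1 and 5.2 of the policy. Added example, not Jengal Software's own tooling.
The periodic run calendar (1 January / 1 July), the rule subset and the
sample dates are assumptions made for the demonstration."""
from dataclasses import dataclass
from datetime import date, timedelta

PERIODIC_DISPOSAL_MONTHS = 6   # section 5.2
REQUEST_RESPONSE_DAYS = 30     # section 5.1


def add_months(d, months):
    """Calendar month arithmetic without third-party libraries; the day is
    clamped to the last day of the target month (e.g. 31 Jan + 1 -> 29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class RetentionRule:
    person_group: str
    data_category: str
    years: int     # retention period counted from the triggering event
    trigger: str   # the event the period runs from


# Constructed subset of the section 5 retention table.
RULES = {
    ("Employee", "Identity"): RetentionRule(
        "Employee", "Identity", 10, "termination of employment contract"),
    ("Employee", "Health"): RetentionRule(
        "Employee", "Health", 15, "termination of employment contract"),
    ("Visitor", "Physical Space Security"): RetentionRule(
        "Visitor", "Physical Space Security", 2, "visitor registration"),
}


def retention_expiry(rule, event_date, legal_years=None):
    """Date on which the retention period ends. If legislation stipulates a
    longer period than the policy table, the legal period applies (section 5)."""
    years = max(rule.years, legal_years or 0)
    return add_months(event_date, 12 * years)


def next_periodic_run(after, run_months=(1, 7)):
    """First scheduled periodic disposal run strictly after `after`.
    The run calendar is an assumption for the example."""
    candidates = [date(year, m, 1)
                  for year in (after.year, after.year + 1)
                  for m in run_months]
    return min(c for c in candidates if c > after)


def ex_officio_disposal_date(rule, event_date, legal_years=None):
    """Sections 5.1 and 5.2: dispose at the first periodic run after expiry,
    which must fall within the 6-month periodic disposal period."""
    expiry = retention_expiry(rule, event_date, legal_years)
    run = next_periodic_run(expiry)
    if run > add_months(expiry, PERIODIC_DISPOSAL_MONTHS):
        raise RuntimeError("run calendar violates the 6-month periodic disposal period")
    return run


def request_disposal_deadline(request_date):
    """Section 5.1: deletion/destruction on a valid request within 30 days."""
    return request_date + timedelta(days=REQUEST_RESPONSE_DAYS)


def is_due(rule, event_date, today, legal_years=None):
    """True once the retention period has expired as of `today`."""
    return today >= retention_expiry(rule, event_date, legal_years)


if __name__ == "__main__":
    rule = RULES[("Employee", "Identity")]
    print("expiry:", retention_expiry(rule, date(2015, 3, 15)))
    print("ex officio disposal:", ex_officio_disposal_date(rule, date(2015, 3, 15)))
    print("request deadline:", request_disposal_deadline(date(2024, 6, 1)))
```

The `RuntimeError` in `ex_officio_disposal_date` is the check a practitioner would want: whatever calendar the periodic runs actually follow, a run more than 6 months after expiry would breach section 5.2, so the scheduler refuses to return such a date rather than silently exceeding the period.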


6. TECHNICAL AND ADMINISTRATIVE MEASURES


Technical and administrative measures are taken by the Company to securely store personal data, prevent unlawful processing and access, and ensure the lawful disposal of personal data, in accordance with Article 12 of KVKK and the sufficient measures announced by the Board for special categories of personal data as per the fourth paragraph of Article 6 of KVKK.
6.1 Technical Measures
The technical measures taken by the Company regarding the personal data it processes are specified below.
The Company provides appropriate technical tools and equipment for each disposal method specified in this policy.
Network security controls, the firewall, and the Wazuh host-based intrusion detection (HIDS) system are continuously monitored, and the system shuts itself down in response to external attacks and similar incidents.
Penetration tests are conducted to identify risks, threats, vulnerabilities, and weaknesses in the Company’s information systems, and necessary measures are taken. Penetration tests cover firewall, web applications, access, wireless networks, antispam, and cyber attacks; if vulnerabilities are found in any of these areas, necessary actions are taken by reconfiguring programs and firewall rules.
Risks related to the unlawful processing of personal data are identified, appropriate technical measures are taken, and technical controls are carried out for these measures.
When data transfer is required via paper, necessary measures are taken against risks such as theft, loss, or unauthorized access, and documents are sent in confidential format when necessary. Digital data are backed up daily with an external backup unit (NAS) and user access to digital files is restricted through authorization. If personal data are inactive on servers, they are encrypted and deleted from the digital environment.
Access to storage areas containing personal data is logged, and unauthorized access attempts are monitored and controlled.
Personal data are destroyed in a way that they cannot be recovered and leave no audit trail.
The Company ensures that deleted personal data are inaccessible and unusable by relevant users. Access to folders containing personal data is restricted or revoked for relevant users. The disposal procedure makes processed data irrecoverable.
Backup programs such as Veeam Backup and Shadow Protect are used to ensure the secure storage of personal data.
A separate policy has been established for the security of special categories of personal data.
Employees involved in special category personal data processing are provided with training on the security of special categories of personal data, confidentiality agreements are signed, and access rights are defined for users with access to these data.
Adequate security measures are taken for physical environments where special categories of personal data are processed, stored, and/or accessed, and unauthorized access is prevented.
Users are restricted from accessing special categories of personal data by creating individual passwords and usernames specific to each user.
Periodic training and awareness activities on data security are conducted for employees.
Access logs are regularly maintained and timestamped in accordance with Law No. 5651.
Access rights are restricted, regularly reviewed, and access is limited for former employees within one week.
Access rights for employees who change roles or leave the company are revoked.
Virus protection and firewall systems such as the SonicWall Firewall and ESET Antivirus are used, comprising both software and hardware for protection against data breaches.
Workplace entry and exit are recorded daily with the Perkotek Card Access System and Perkotek Software.
SonicWall and pfSense firewalls are used. Users are blocked from accessing the internet or data even if they have passwords, and attempts to access data are detected by software and appropriate actions are taken.
Security is provided for physical environments containing personal data against external risks (fire, flood, etc.).
Personal data are minimized as much as possible.
User account management and authorization control system is applied and monitored. The system is continuously monitored and authorization controls are periodically carried out. Access vulnerabilities in data folders are reconfigured through authorization programs on the main server.
All authorizations and periodic data backups are encrypted with user-specific access passwords using 128-bit to 256-bit encryption.
Guest networks are created for wireless networks, and these users are logged in accordance with Law No. 5651. User computers are protected by antivirus software, and security rules are established against external threats trying to infiltrate the system. Windows security updates for user computers are performed periodically.


6.2 Administrative Measures
The administrative measures taken by the Company regarding the personal data it processes are specified below.
Efforts are made to raise awareness and educate employees involved in the disposal process about information security, personal data, and privacy.
Legal and technical consultancy services are obtained to follow developments in information security, privacy, personal data protection, and secure disposal techniques, and to take necessary measures.
If technical or legal requirements necessitate outsourcing the disposal process to third parties, confidentiality agreements are signed with the relevant third parties to protect personal data, and all necessary care is taken to ensure compliance with these agreements.
Periodic audits are conducted to ensure that disposal processes are carried out in accordance with the law and this Personal Data Retention and Disposal Policy, and necessary measures are taken.
A disciplinary regulation has been prepared for employees who do not comply with security policies and procedures.
Periodic and random internal audits are conducted.
Confidentiality agreements are prepared. These agreements include provisions specifically addressing the protection of personal data.
KVKK Awareness Trainings are provided to employees within the Company.
Confidentiality agreements are prepared between the Company as the Data Controller and the Data Processor.
The designated contact person is announced in the Disclosure Texts.
Disclosure Texts are prepared for Employees/Visitors/Service Recipients.
Employment Contracts of employees within the Company are made compliant with KVKK.
Disclosure Texts for Camera Systems are posted in all areas where Camera Systems are present.
Computer Usage Instructions are prepared for employees within the Company.
Access restrictions are applied to rooms where personal data are stored within the Company.
Security is provided for physical environments containing personal data against external risks (fire, flood, etc.).
Information texts aimed at protecting personal data are announced on a departmental basis.
Access rights for employees who change roles or leave the company are revoked.
Signed agreements include data security provisions.
Personal data security is monitored.


7. ENFORCEMENT AND ANNOUNCEMENT


This Policy prepared by the Company entered into force on 04.08.2023 and was presented to the public at www.jengal.com.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. The current version of the Policy can be accessed at www.jengal.com.
Last Updated: 01.06.2024