1. PURPOSE OF THE POLICY

Atakul Makine Otomotiv San. ve Tic. A.Ş. ("Atakul") this Personal Data Storage and Destruction Policy ("Retention and Destruction Policy") and personal data in accordance with the Law No. 6698 on the Protection of Personal Data the "Law"), technical and administrative protection of personal data in accordance with the Law, the disappearance of the conditions for the processing of personal data In the event that the Deletion, Destruction or Destruction of Personal Data published in the Official Gazette dated 28/10/2017 Implementation of the provisions of the Regulation on Incorporation ("Regulation") for the purpose of regulation.

2. RECORDING MEDIA WHERE PERSONAL DATA ARE STORED

The personal data belonging to the data subjects are stored by Atakul in the environments listed below, primarily in accordance with the Law provisions of the relevant legislation, it is stored securely in accordance with the relevant legislation:

Electronic media:

• ERP Canias
• MYSQL Server
• E-Mail Box
• Microsoft Office Programs
• Image Recorders

Physical environments:

• Unit Cabinets
• Folders
• Archive

3. EXPLANATIONS ON THE REASONS FOR RETENTION

The personal data belonging to the data subjects shall be collected by Atakul, in particular:

1. Sustainability of activities,
2. Fulfillment of legal obligations,
3. Planning and execution of employee rights and benefits,
4. Ability to manage business relationships, for the purposes of the above-mentioned physical or electronic media in a secure manner in accordance with the Law and other relevant are kept within the limits specified in the legislation

Reasons for withholding:

1. Personal data are directly related to the establishment and performance of contracts,
2. The establishment, exercise or protection of a right,
3. Provided that personal data does not harm the fundamental rights and freedoms of individuals, Atakul legitimate interest,
4. Fulfillment of any legal obligation by Atakul of personal data,
5. The legislation clearly stipulates the retention of personal data,
6. Data in terms of storage activities that require the explicit consent of data subjects

Explicit consent of the data owners.Pursuant to the Regulation; in the following cases, personal data belonging to data subjects may be ex officio or deleted, destroyed or anonymized upon request:

1. The provisions of the relevant legislation that constitute the basis for the processing or storage of personal data modification or abolition,
2. The purpose requiring the processing or storage of personal data disappears,
3. The conditions requiring the processing of personal data under Articles 5 and 6 of the Law have disappeared ceases to exist.
4. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject's withdrawing consent,
5. Personal data subject's rights under Article 11, paragraphs 2 (e) and (f) of the Law of his/her application for the deletion, destruction or anonymization of his/her data acceptance by the data controller,
6. The data controller is authorized by the data subject to delete, destroy or anonymize his/her personal data rejects the application made to it with the request to render the application in order, the answer given is inadequate or fails to respond within the period stipulated in the Law; in case of a complaint to the Board and this request is approved by the Board,
7. Despite the fact that the maximum period required for the retention of personal data has elapsed, the personal data there is no condition that would justify storing it for a longer period of time.

4. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

Pursuant to Article 12 of the Law, Atakul shall not be liable for any unlawful use of the personal data it processes to prevent the processing of data, to prevent unlawful access to data and to ensure the preservation of data take the necessary technical and administrative measures to ensure the appropriate level of security in order to provide To carry out or have the necessary audits carried out within the scope. All technical and administrative controls of the processed personal data being seized by third parties illegally even though measures have been taken In this case Atakul shall notify the relevant units as soon as possible.

4.1. Technical Measures:

• Network security and application security are ensured.
• Corporate policies on access, information security, use, storage and destruction prepared and started to be implemented.
• Confidentiality undertakings are made.
• The authorizations of employees who change their duties or leave their jobs are removed.
• Up-to-date anti-virus systems are used.
• Closed system network is used for personal data transfers through the network.
• Key management is implemented.
• Security measures within the scope of procurement, development and maintenance of information technology systems is received.
• The security of personal data stored in the cloud is ensured.
• There are disciplinary regulations that include data security provisions for employees.
• Periodic training and awareness activities on data security for employees are made.
• An authorization matrix has been created for employees.
• Access logs are kept regularly.
• Firewalls are used.
• Signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant documents sent in confidentiality-grade document format.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken for entry and exit to and from physical environments containing personal data is taken.
• Security of physical environments containing personal data against external risks (fire, flood, etc.) is provided.
• The security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up and the security of backed up personal data is also ensured.
• User account management and authorization control system is implemented and their follow-up is also ensured are carried out.
• Internal periodic and/or random audits are carried out and conducted.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of special categories of personal data have been determined and is applied.
• Protocols and procedures for the security of sensitive personal data have been determined and is applied.
• If sensitive personal data is to be sent via electronic mail, it must be encrypted and It is sent using KEP or corporate mail account.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is performed.
• Data of special nature transferred in portable memory, CD, DVD media are encrypted is transferred.
• Periodic audits of data processing service providers on data security is ensured.

Awareness of data processing service providers on data security is ensured.

4.2. Administrative Measures:

• Technical measures to be taken to prevent unlawful access to personal data on the subject of personal data processing.
• Processing of personal data on a business unit basis is carried out in accordance with legal compliance requirements by Atakul access to personal data and authorization processes are designed and implemented. In limiting access, it is also taken into account whether the data is of special nature and the degree of importance is taken.
• All kinds of documents that regulate the relationship between Atakul and its personnel and that contain personal data are referred to as personal complies with the obligations stipulated by the Law for the lawful processing of data should be acted, personal data should not be disclosed, personal data should not be disclosed in accordance with the law should not be used in violation of the obligation of confidentiality regarding personal data Atakul even after the termination of his employment contract with Atakul.
• Employees may disclose the personal data they have learned to others in violation of the provisions of the Law. disclose and use it for purposes other than processing, and this obligation shall not be dismissed from duty will continue after their departure and accordingly necessary commitments are obtained from them.
• The agreements concluded with the persons to whom personal data are transferred by Atakul in accordance with the law contracts; the persons to whom personal data are transferred, necessary for the protection of personal data take security measures and ensure compliance with these measures in its own organizations provisions regarding the processing of personal data.
• In the event that the processed personal data is obtained by others through unlawful means, this notifies the relevant person and the Board as soon as possible.
• Where necessary, employs personnel who are knowledgeable and experienced in the processing of personal data and its personnel within the scope of personal data protection legislation and data security shall.
• Atakul conducts the necessary inspections to ensure the implementation of the provisions of the Law and to carry out audits. Eliminates confidentiality and security weaknesses revealed as a result of audits

5. MEASURES TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA

Although Atakul has been processed in accordance with the provisions of the relevant law, the upon its own decision or upon the request of the personal data owner if the reasons disappear delete or destroy personal data. Following the deletion of personal data, the data subjects will not be able to deleted data will not be accessed and used again. Destruction of personal data by Atakul An effective data tracking process will be managed to define and monitor the processes. Executed The process includes determining the data to be deleted, identifying the relevant persons, determining the access methods of the persons detection and the subsequent deletion of the data.

5.1. Methods for Deletion,Destruction and Anonymization of Personal Data

5.1.1. Deletion of Personal Data

Deletion of personal data means that the personal data are inaccessible to the users concerned in any way and cannot be retrieved is the process of making it unusable. As a method of deleting personal data, Atakul uses the following may use one or more of these methods:

By drawing, painting, cutting personal data on paper by blackout method or deletion will be applied. The access right(s) of the user(s) for the office files in the central file will be removed. Will be removed. Rows or columns containing personal information in databases will be removed using the 'Delete' command will be deleted with It will be securely deleted with the help of an expert when necessary.

5.1.2. Destruction of Personal Data

Destruction of personal data means that personal data cannot be accessed or retrieved by anyone in any way and making it unrecoverable and unusable again.

• Physical Destruction
• Destruction with Paper Shredder
• De-magnetization: Specialized applications where magnetic media will be exposed to high magnetic fields. is the method of corrupting the data on it in an unreadable way by passing it through devices.

5.1.3. Anonymization of Personal Data

Anonymization of personal data, even by matching personal data with other data, under no circumstances It refers to making it impossible to associate it with an identified or identifiable natural person. Atakul may use one or more of the following methods to anonymize personal data can use it:

• Masking: Data masking can be used to identify the key identifying information of personal data in the data set. is the method of anonymizing personal data by removing it from the data.
• De-recording: In the de-registration method, the data containing singularity among the data line is removed from the records and the stored data is anonymized.
• Regional Hiding: In the regional hiding method, a single piece of data is anonymized concealment of the relevant data if it is determinative because it creates a combination anonymization.
• Global Coding: A more general content than the content of personal data by data derivation method and making personal data impossible to associate with any person provided. For example: age instead of date of birth, residence instead of street address indicating the region of interest.
• Noise Addition: The method of adding noise to data, especially where numerical data is predominant some deviations in a data set, plus or minus a specified proportion to the available data is anonymized by adding weight values. For example, a data with weight values (+/-) 3 kg deviation in the group, preventing the display of actual values and the data is anonymized. The deviation is applied equally to each value In accordance with Article 28 of the Law; anonymized personal data shall be used for research, planning and It may be processed for purposes such as statistics. Such processing is outside the scope of the Law and the personal data owner explicit consent will not be sought. Ex officio decision regarding the deletion, destruction or anonymization of personal data and will be able to freely determine the method to be used according to the category it has chosen. Also Within the scope of Article 13 of the Regulation, the personal data of the data subject during the application the relevant person chooses one of the categories of erasure, destruction or anonymization, the relevant Atakul will be at liberty about the methods to be used in the category.

6. PERSONAL DATA STORAGE AND DESTRUCTION PERIODS

Atakul stores personal data for the purposes for which they are processed for the periods specified in Annex-1. Mentioned in the legislation If a period of time is stipulated for the storage of personal data, this period shall be respected. In the absence of a period of time stipulated in the legislation, personal data shall be processed in accordance with the personal data protection rules set out in the table in Annex-1. data will be stored for the maximum period for retention of the data. These periods; Atakul's data categories and data owner person groups are evaluated; and the data obtained as a result of this evaluation are evaluated in accordance with the will ensure the fulfillment of the obligations and the statute of limitations under the maximum Turkish Code of Obligations period (10 years). Upon expiration of these periods, the obligation to erase, destroy or anonymize arises in the first periodic destruction process following this date, Atakul deletes and destroys personal data or anonymizes it. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records shall be kept for at least three years, excluding other legal obligations stored.

7. PERIODIC DESTRUCTION PERIODS

Pursuant to Article 11 of the Regulation, the periodic destruction period is set as 6 months. Accordingly Periodic destruction is carried out in June and December every year. The aforementioned systems in a way that the information cannot be retrieved again, documents, files, CDs, if any, where the data is saved, will be deleted from floppy disks, hard disks, etc. in a way that cannot be recycled.

8. STAFF

Within the scope of the Law, Atakul, as the data controller; in accordance with paragraph 1 of Article 11 of the Regulation on the basis of the Law, fulfill the obligations in terms of the implementation of the data retention and destruction process The titles, units and job descriptions of the personnel to be brought in are given in Annex-2 of the Retention and Destruction Policy is determined by the table in the field. These persons whose boundaries have been determined within the scope of the Turkish Commercial Code, Code of Obligations and Turkish Penal Code is responsible for the transactions and actions that take place within the limits of its authority. Especially in Law Enforcement, Authorized to represent Atakul at prosecutor's offices, public institutions and courts and to testify Atakul was elected as the Chairman of the Personal Data Protection Committee. Each department responsible, Storage and Destruction of the relevant users in the departments prepared within the framework of the Law and Regulation Policy and the Personal Data Policy. All department heads shall comply with this Retention and Destruction Policy within the specified periodic destruction periods.Atakul Personal Data Protection Committee Chairperson for the transactions carried out in line withwill report. The decision resulting from the results of the work done for these reports will be implemented.

9. REVISION AND REPEAL

In case the Retention and Disposal Policy is amended or repealed, the new regulation Atakul will be announced on the website.

10.ENFORCEMENT

This Retention and Disposal Policy enters into force on the date of its publication.

APPENDICES

Annex 1-Data Retention and Destruction Periods ANNEX 2-Titles, Units and Duties of Personnel Involved in the Personal Data Storage and Destruction Process Definitions Annex 3- Internal Directives of the Personal Data Protection Committee

ANNEX-1 Data Retention and Destruction Periods

---

Data Category / Identity

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Contact

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Location

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Personnel

Retention Period / following the termination of the relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Legal Action

Retention Period / 10 years following the date of judicial proceedings 10 years

Destruction Period / If a lawsuit has been filed, following finalization 5 years starting from the year

Destruction Period / following the end of the retention period during the first periodic destruction period

---

Data Category / Customer Transaction

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Physical Space Security

Retention Period / 30 Days

Destruction Period / Following the end of the retention period during the first periodic destruction period

---

Data Category / Process Security

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Risk Management

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Finance

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Professional Experience

Retention Period / Following the end of the employment relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Marketing

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Audio and Visual Recordings

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Health Information

Retention Period / Following the termination of the employment relationship 15 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period Criminal Conviction and

---

Data Category / Security Measures

Destruction Period / Following the termination of the employment relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Family Information Following the end of the employment relationship 10 years starting from the year

Retention Period / Following the end of the storage period during the first periodic destruction period Employment Data Following the termination of the employment relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Signature

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Website Usage

Retention Period / Data 2 years from the transaction date Following the end of the retention period during the first periodic destruction period Reputation Management Information 2 years from the transaction date

Destruction Period / Following the end of the retention period during the first periodic destruction period

---

Data Category / Reputation Management

Retention Period / Information 2 years from the transaction date

Destruction Period / Following the end of the retention period during the first periodic destruction period

---

Data Category / Incident Management Knowledge

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Insurance Information

Retention Period / Following the termination of the employment relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Vehicle Information

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Compliance Information

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction period

---

Data Category / Audit and Inspection Information

Retention Period / Date of transaction subject to legislation or the termination of the legal relationship 10 years starting from the following year

Destruction Period / Following the end of the storage period during the first periodic destruction periodForeign Residence Permit

---

Data Category / Information

Retention Period / Following the termination of the employment relationship 10 years starting from the year

Destruction Period / Following the end of the storage period during the first periodic destruction period

ANNEX-2 Table of Personnel in Charge of Personal Data Storage and Destruction

Financial Affairs Officer Implementation Officer

Processes within its mandate storage period ensuring compliance with periodic destruction period personal data destruction in accordance with process management

Human Resources and Administrative Affairs

Responsible Application responsible Processes within its mandate storage period ensuring compliance with periodic destruction period personal data destruction in accordance with process management

Planning Officer Implementation Officer

Processes within its mandate storage period ensuring compliance with periodic destruction period personal data destruction in accordance with process management

IT Officer Implementation Officer

Processes within its mandate storage period ensuring compliance with periodic destruction period personal data destruction in accordance with management of the process

Note: Destruction is determined by the Management during Retention Periods

Atakul Makine Otomotiv San. ve Tic. A.Ş.