AKKUŞ TEKSTİL SAN. TİC. A.Ş.
PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1- This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Akkuş Tekstil San. Tic. A.Ş. (“Company”), in its capacity as data controller, in order to determine the procedures and principles regarding our obligations under the Personal Data Protection Law No. 6698 (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), and to inform data subjects about the principles for determining the maximum retention period required for the purpose for which personal data are processed, as well as the processes of deletion, destruction, and anonymization.

2- Within the scope of this Policy, the following real persons whose data are processed automatically or non-automatically as part of any data recording system are included: customers, prospective customers, employee candidates, employees, company shareholders, company officials, visitors, business partners, employees, shareholders and officials of institutions we cooperate with, subcontractors and suppliers, and third parties.

This Policy applies to all activities carried out by our Company regarding the processing and protection of all personal data managed by the Company.

3- This Policy is published on our Company’s website (akkustextile.com) and is made accessible to relevant persons upon request.

4- For the purposes of this Policy:

• Relevant Person: Individuals who process personal data within the organization of the data controller or in accordance with the authority and instructions received from the data controller, excluding those responsible for technical storage, protection, and backup of data.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Law: Personal Data Protection Law No. 6698.
• Recording Environment: Any environment where personal data are processed fully or partially automatically or non-automatically as part of a data recording system.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Data Subject: The natural person whose personal data are processed.
• Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
• Personal Data Processing Inventory: The inventory prepared by data controllers detailing processing activities, purposes, data categories, recipient groups, retention periods, international transfers, and security measures.
• Board: Personal Data Protection Board.
• Authority: Personal Data Protection Authority.
• Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, association/foundation/union membership, health, sexual life, criminal conviction and security measures, biometric and genetic data.
• Periodic Destruction: Deletion, destruction, or anonymization carried out ex officio at recurring intervals when processing conditions cease to exist.
• Data Retention and Destruction Policy: This Policy forming the basis for determining retention periods and destruction processes.
• Personal Data Protection, Processing and Privacy Policy: The policy available on the Company’s website governing personal data management.
• Registry: Data Controllers Registry maintained by the Personal Data Protection Authority.
• Data Processor: A natural or legal person processing personal data on behalf of the data controller.
• Data Recording System: A recording system where personal data are structured according to specific criteria.
• Data Controller: The natural or legal person determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.

Definitions not included herein shall have the meanings set forth in the Law.

5- All department managers support the proper implementation of technical and administrative measures regarding processing, storage, and destruction of personal data within their departments. They ensure employee training and awareness, monitor and supervise processes, and support the prevention of unlawful processing and access.

Titles and responsibilities are as follows:

• General Manager: Responsible for implementation of the policy and all processes related to protection and destruction of personal data.
• Human Resources Manager: Responsible for preparation, development, execution, publication, updates, ensuring compliance with retention periods, managing periodic destruction, and training.
• Accounting Manager: Responsible for compliance with retention periods and destruction processes within their scope.
• Information Systems Manager: Responsible for technical storage, protection, backup, and technical solutions.
• Other Department Managers: Responsible for implementation and supervision within their departments.
• Relevant Users and Data Processors: Responsible for lawful processing and storage.
• Authorized Relevant User: Responsible for safeguarding deleted data until final destruction.

6- Storage Environments

Electronic Environments: Servers, portable disks, software, security devices, employee computers, optical disks, removable drives, printers, scanners and similar digital environments.

Physical Environments: Paper, manual recording systems, printed and visual media.

Cloud Environments: Encrypted internet-based systems used by the Company.

7- Technical and Administrative Measures

Technical Measures

• Use of up-to-date and secure systems.
• Security systems protecting storage environments.
• Security testing and risk analysis.
• Access restriction and logging.
• Employment of sufficient technical staff.
• Irrecoverable destruction methods.
• Encryption of digital environments.

Administrative Measures

• Employee awareness and training programs.
• Legal and technical consultancy services.
• Data protection protocols with third parties.
• Notification to data subjects and the Board in case of breaches.
• Regular audits and remediation of vulnerabilities.

8- Personal data are retained within legal limits for purposes such as maintaining commercial activities, fulfilling legal obligations, managing employee rights, and customer relations. If legal grounds cease, data are deleted, destroyed, or anonymized.

9- Methods of Deletion, Destruction, and Anonymization

Deletion

Redaction of Paper Records: Physical removal or permanent masking of data.

Secure Deletion from Software: Irrecoverable deletion from digital systems.

Destruction

Physical Destruction: Shredding, melting, burning or pulverizing storage media.

De-magnetization: Exposure to high magnetic fields.

Overwriting: Writing random data at least seven times.

Anonymization

Removal of variables, regional masking, generalization, lower/upper limit coding, micro-aggregation, data mixing and distortion.

10- Retention and Destruction Periods

PROCESS	RETENTION PERIOD	DESTRUCTION PERIOD
Recruitment documents and personnel data forming the basis of Social Security notifications	10 years following termination of employment	Within 180 days after expiration
Other personnel records	10 years following termination	Upon expiration
Workplace Personal Health Files	10 years after termination	Within 180 days
Occupational health and safety practices	10 years after termination	Within 180 days
Personnel court/execution information responses	10 years after termination	Within 180 days
Personnel financial processes	10 years after termination	Within 180 days
Business partner/consultant commercial relationship data	10 years pursuant to Turkish Code of Obligations Art.146 and Turkish Commercial Code Art.82	Within 180 days
Visitor name, surname, vehicle plate and camera records	2 years	Within 180 days
Job applicant CV and application data	Maximum 2 years	Within 180 days
Internship files	10 years after termination	Within 180 days
Customer identity, contact and transaction data	10 years pursuant to relevant legislation	Within 180 days
Potential customer negotiation data	2 years	Within 180 days
Corporate communication activities	10 years	Within 180 days
Other data processed for contract establishment/performance	10 years	Within 180 days
Company shareholders and board member data	10 years	Within 180 days
Accident reporting	10 years	Within 180 days
Document preparation	10 years	Within 180 days
Training records	10 years	Within 180 days

11- Where no specific period is set by law, data are retained as long as necessary for the processing purpose or required by statute of limitations.

12- Periodic destruction is carried out every six months (January and July).

13- The Company establishes internal procedures to fulfill its obligations.

14- This Policy is reviewed and updated in line with legislative amendments and Board decisions.