Data Retention and Disposal Policy

BEŞLER YEM VE UN SANAYİ TİCARET ANONİM ŞİRKETİ
PROCESSING AND STORAGE POLICY OF PERSONAL DATA

Effective date: 28.01.2021


CONTENTS

CHAPTER I
PURPOSE, SCOPE AND DEFINITIONS


1. PURPOSE AND SCOPE OF PREPARATION OF THE POLICY
2. DEFINITIONS AND ABBREVIATIONS


CHAPTER II
RESPONSIBILITY AND MATTERS RELATING TO THE REGISTRATION MEDIUM

2.1. RESPONSIBILITY AND DISTRIBUTION OF DUTIES
2.2. RECORDING ENVIRONMENTS OF PERSONAL DATA



CHAPTER III
STORAGE, PROTECTION AND DISPOSAL OF PERSONAL DATA



1. MATTERS REGARDING THE STORAGE OF PERSONAL DATA
1.1. Storing Personal Data
1.2. Legal Reasons to Keep Personal Data
1.3. Purposes of Processing Personal Data
2. PROTECTION OF PERSONAL DATA
2.1. Administrative Measures
2.2. Technical Measures


3. DISPOSAL OF PERSONAL DATA


3.1. Deletion of Personal Data
3.2. Anonymization of Personal Data
3.3. Periods of Disposal of Personal Data
3.4. Periodic Destruction Period of Personal Data
3.5. Enforcement and Update of the Personal Data Retention and Disposal Policy




--------------------------------------------------------------------------------------------------------------------------

DATA CONTROLLER TITLE: Beşler Yem ve Un Sanayi Ticaret A.Ş.
DATA CONTROLLER ADDRESS: Organize Sanayi Bolgesi 1.Cad. 4.Sok No:5, 25700 Aziziye/Erzurum
DATA CONTROLLER MERSIS NUMBER: 0167000078700017

--------------------------------------------------------------------------------------------------------------------------


CHAPTER I

PURPOSE, SCOPE AND DEFINITIONS

1. PURPOSE AND SCOPE OF PREPARING THE POLICY

This Personal Data Processing, Storage and Disposal Policy has been prepared in order to determine the procedures and principles governing the work and transactions related to the personal data processing, storage and destruction activities carried out by Beşler Yem ve Un Sanayi Ticaret A.Ş. (Beşler Yem ve Un A.Ş. or Company), which is the data controller within the scope of the Personal Data Protection Law No. 6698.

In its capacity as data controller, Beşler Yem ve Un A.Ş. has adopted as a principle that the personal data of company employees, job applicants, business partners/subcontractors, customers, suppliers, visitors and people who visit the company's website at http://www.beslerunyem.com.tr/ is processed in line with basic principles, the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 and other relevant legislation, and that the relevant persons can exercise their rights effectively.

Beşler Yem ve Un A.Ş. employees are obliged to act in accordance with the regulations introduced by this Policy, KVKK and all other relevant legislation while performing their duties.

In line with this Policy, necessary trainings are provided for the processing and protection of personal data within the Company's activities and for raising personal data awareness. Periodic audit processes will be carried out by taking all necessary administrative and technical measures for the Company, its shareholders, officials, employees and commercial business partners to comply with the KVKK.

Work and transactions regarding the processing, storage and destruction of personal data at Beşler Yem ve Un A.Ş. will take place in accordance with this PERSONAL DATA STORAGE AND DISPOSAL POLICY prepared by the Company within the scope of the Law on the Protection of Personal Data No. 6698.


2. DEFINITIONS AND ABBREVIATIONS

ABBREVIATION DEFINITION
BUYER GROUP: Natural or legal person category to whom personal data is transferred by the data controller
OPEN CONSENT: Consent on a specific subject, based on information and expressed with free will
ANONYMIZATION: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data
EMPLOYEE: Personal Data Protection Agency personnel
EBYS: Electronic Document Management System
ELECTRONIC ENVIRONMENT: Environments where personal data can be created, read, changed and written with electronic devices
NON-ELECTRONIC MEDIA: All written, printed, visual and other environments other than electronic media.
SERVICE PROVIDER: Natural or legal person providing services within the framework of a specific contract with the Personal Data Protection Authority.
RELATED PERSON: The natural person whose personal data is processed
RELATED USER: Persons who process personal data within the data controller organization or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data.
DESTROY: Deletion, destruction or anonymization of personal data
LAW/KVKK: Law No. 6698 on the Protection of Personal Data
RECORDING MEDIUM: Any environment containing personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is a part of any data recording system.
PERSONAL DATA: Any information relating to an identified or identifiable natural person.
PERSONAL DATA PROCESSING INVENTORY: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
PROCESSING OF PERSONAL DATA: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or reorganizing personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. All kinds of operations carried out on the data, such as preventing the use of
BOARD: Personal Data Protection Board
SPECIAL QUALIFIED PERSONAL DATA: Data about a person's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data
PERIODIC DISPOSAL: In case all of the personal data processing conditions in the Law are eliminated, the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy
POLICY: Personal Data Retention and Disposal Policy
DATA PROCESSOR: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
DATA RECORD SYSTEM: Registration system in which personal data is processed and structured according to certain criteria
DATA CONTROLLER: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
DATA CONTROLLERS REGISTRY INFORMATION SYSTEM: The information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and in other related transactions related to the Registry.
VERBIS: Data Controllers Registry Information System
REGULATION: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017


CHAPTER II
RESPONSIBILITY AND MATTERS RELATING TO THE REGISTRATION MEDIUM

1. DISTRIBUTION OF RESPONSIBILITY AND DUTIES

All units and employees of the Company are responsible for implementing the technical and administrative measures taken within the scope of the Policy, for the training and awareness of unit employees, and for monitoring and continuous inspection, in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure that personal data is stored in accordance with the law. They actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed. The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is shown in the table below.


TITLE | UNIT | TASKS
Institutional KVKK Responsible President | Founder Representative | Responsible for the employees to act in accordance with the policies.
Data Management Responsible | Founder Representative | Responsible for the preparation, development, execution, publication and updating of the policies in the relevant media.
Data Security Responsible | Information Processing | Responsible for providing the technical solutions needed in the implementation of the Policies.
Data Processing, Storage, Deletion Officers | Information Processing | Responsible for the execution of the Policies in accordance with their duties.
Data Processing, Storage, Deletion Officers | Human Resources | Responsible for the execution of the Policies in accordance with their duties.
Data Processing, Storage, Deletion Officers | Financial Affairs | Responsible for the execution of the Policies in accordance with their duties.

2. RECORDING MEDIA OF PERSONAL DATA

Personal data is stored safely by the Company in the environments listed in the table below, in accordance with the law.

Electronic Media:
• Servers (domain, backup, email, database, web, file sharing, etc.)
• Software (office software, portal, EBYS, VERBIS)
• Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
• Personal computers (desktop, laptop)
• Mobile devices (phone, tablet, etc.)
• Optical discs (CD, DVD, etc.)
• Removable memories (USB, memory card, etc.)
• Printer, scanner, copier

Non-Electronic Media:
• Paper
• Manual data recording systems (survey forms, visitor logbook)
• Written, printed, visual media


CHAPTER III
STORAGE, PROTECTION AND DISPOSAL OF PERSONAL DATA

1. MATTERS REGARDING THE STORAGE OF PERSONAL DATA

The personal data we obtain is securely stored in physical or electronic environments for an appropriate period of time in order to carry out the Company's activities. With respect to the personal data it obtains, the Company acts in accordance with the obligations in all relevant legislation, especially the KVKK. When the purposes of processing personal data cease to exist or the storage period expires, the data is deleted, destroyed or anonymized by the Company, either ex officio in periodic destructions made at least every 6 (six) months or upon the request of the relevant parties.

Personal data is destroyed in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data.

In cases where the Data Controller Company has a legitimate interest, personal data may be processed until the statute of limitations in the Code of Obligations, Commercial Code, Labor Law, Consumer Law and other relevant legislation expires, in a way that does not harm the fundamental rights and freedoms of the persons concerned, despite the expiration of the processing purpose and the periods specified in the relevant laws. Personal data will be deleted, destroyed or anonymized after the expiry of the aforementioned statute of limitations.


1.1. Retention of Personal Data

Pursuant to Article 4 of the KVKK, personal data are limited and proportionate to the purpose for which they are processed, and are kept for the period required for that purpose or stipulated in the relevant legislation.


1.2. Legal Reasons to Keep Personal Data

The personal data recorded by the company are stored in accordance with the legislation listed below and the provisions of the legislation published or to be published, including but not limited to those listed.

• Law on Protection of Personal Data No. 6698
• Turkish Code of Obligations No. 6098
• Turkish Commercial Code No. 6102
• Labor Law No. 4857
• Social Insurance and General Health Insurance Law No. 5510
• Tax Procedure Law No. 213
• Occupational Health and Safety Law No. 6331
• Law No. 6563 on the Regulation of Electronic Commerce
• Law No. 5651 on Regulating Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts
• Law on Consumer Protection No. 6502
• Turkish Penal Code No. 5237
• Anti-Terror Law No. 5237
• Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments
• Regulation on Archive Services

Personal data is stored for as long as the storage periods stipulated in the framework of other secondary regulations in force in accordance with these laws.


1.3. Purposes of Processing Personal Data

Personal data is stored by the Company securely in physical or electronic environments, especially for the purpose of planning and managing employee processes, maintaining commercial activities, managing legal disputes, developing customer marketing techniques, and developing the website within the scope of KVKK and other legislation. Details are listed below.


Main Purposes and Sub-Aims

Planning and Execution of Human Resources Processes:

Carrying out the processes of employee entry and exit, creation of personnel file for employees
Execution of fringe benefits and benefits processes for employees
Fulfilling the obligations arising from the employment contract and legislation for the employees
Execution of employee performance evaluation processes
Conducting talent/career development activities
Execution of employee satisfaction and loyalty processes
Conducting intern admission and training processes
Execution of application, selection and placement processes of employee candidates
Execution of assignment processes
Foreign personnel work and residence permit procedures

Ensuring the Company's Commercial Continuity and Execution and Supervision of Business Activities:

The Company's execution of contractual processes with people with whom it has business relations
Carrying out communication activities with the persons with whom the Company has business relations
Execution of finance and accounting works
Carrying out business continuity activities
Carrying out the processes of creating the wage policy
Execution of goods/services production and operation processes
Execution of marketing processes of products/services
Execution of marketing analysis studies
Execution of goods/services purchasing processes
Execution of goods/services sales processes
Execution of after-sales support services for goods/services
Execution of customer relationship management processes
Carrying out activities for customer satisfaction
Execution of company/product/service commitment processes
Execution of logistics activities
Execution of organization and event management processes
Execution of investment processes
Execution of supply chain management processes
Execution of advertising/campaign and promotion processes

Carrying out the Company's Activities to Ensure Physical, Transactional and Legal Security:

Execution of information security processes
Execution of emergency management processes
Execution of risk management processes
Execution of occupational health and safety activities
Carrying out activities to take and evaluate measures and suggestions for the improvement of business processes
Execution of physical space security activities
Creating and tracking visitor records
Carrying out activities to ensure the safety of movable goods and resources
Carrying out activities to ensure the security of the operations of the data controller

Execution of Activities Related to the Company's Use of Administrative Duties and Authorities:

Execution of audit/ethical activities
Use/execution of access privileges
Carrying out internal audit/investigation and intelligence activities
Execution of strategic planning activities
Execution of storage and archiving activities
Follow-up of requests and complaints

Execution of Legal Affairs of the Company:

Follow-up and execution of legal affairs
Execution of activities in accordance with the legislation
Execution of legal compliance activities
Providing information to authorized persons, institutions and organizations

Other:

Carrying out other social responsibility and civil society activities
Execution of sponsorship activities


2. PROTECTION OF PERSONAL DATA

The Company takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent illegal access and to ensure the safe keeping of the data, as well as making the necessary inspections and having them done.

Despite all the technical and administrative measures taken, the company informs the relevant units and institutions as soon as possible if the processed personal data is obtained by third parties illegally.


2.1. Administrative Measures

a. Employees are given training on KVKK and personal data awareness and importance by the Company Legal Counsel.
b. Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
c. There are disciplinary regulations that include data security provisions for employees.
d. The company employs experienced people who interact with personal data and provides training on measures to prevent unlawful access to personal data.
e. Confidentiality commitments are made.
f. Access to personal data has been restricted within the company, and access to personal data has been blocked by using encrypted software, except for authorized duties.
g. Personal data security policies and procedures have been determined.
h. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
i. The authorizations of employees who have a change in duty or quit their job in this field are removed.
j. Personal data security issues are reported quickly.
k. Personal data security is monitored.
l. Personal data is reduced as much as possible.
m. The signed contracts contain data security provisions.
n. Employees are informed that they cannot disclose the personal data they learn through the Company in violation of the provisions of the KVKK, that they cannot use it for purposes other than processing, and that this obligation continues after they leave their job; the necessary commitments are obtained from employees in this regard.
o. Protocols and procedures for special quality personal data security have been determined and implemented.
p. In contracts made with third parties, it is stated that personal data cannot be transferred within the scope of KVKK, that the third party will be penalized in case of transfer, and that the compensation or administrative fine to be imposed on the Company as a result of the third party's transfer of personal data will be recourse to the third party.
q. Data processing service providers are periodically audited on data security.
r. Awareness of data processing service providers on data security is provided.
s. The company periodically carries out/has the necessary inspections made in order to implement the provisions of the KVKK. It fixes the vulnerabilities that arise as a result of the audit.

2.2. Technical Measures

a. Network security and application security are provided.
b. Current anti-virus systems are used.
c. Firewalls are used.
d. Access logs are kept regularly.
e. Log records are kept without user intervention.
f. Data masking is applied when necessary.
g. With penetration tests, risks, threats and vulnerabilities, if any, regarding the Company's information systems are revealed and necessary precautions are taken.
h. In order to ensure the security of information systems against environmental threats, hardware measures (encrypted access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, intrusion prevention systems, network access control, systems preventing malware, etc.) are taken.
i. Access to the storage areas where personal data is stored is protected by a password-operated lock, and inappropriate access or access attempts are kept under control by recording the areas.
j. Data loss prevention software is used.
k. The Company ensures that deleted personal data is destroyed by a subject-matter expert so that it is inaccessible to the relevant users and cannot be reused by them.
l. Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
m. Personal data is backed up and the security of the backed up personal data is also ensured.
n. User account management and authorization control system are implemented and these are also followed.
o. Intrusion detection and prevention systems are used.
p. Penetration test is applied.
q. Encryption is done.
r. If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP or corporate mail account.

s. Personal data stored in electronic or non-electronic media is closed to external access and is accessible only to authorized persons in accordance with access principles.
t. A policy for the security of sensitive personal data has been determined.
u. Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
v. Electronic environments in which sensitive personal data are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, and the necessary security tests are regularly performed or commissioned and the test results are recorded.
w. Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.


3. DISPOSAL OF PERSONAL DATA

The data processed by the company is destroyed by the following techniques, ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, at the end of the period stipulated in the KVKK and the relevant legislation or the storage period required for the purpose for which they are processed.


3.1. Deletion of Personal Data

a. Personal Data on the Servers are deleted by the technical personnel.
b. Personal Data in the Electronic Media are deleted by the technical personnel or the unit manager.
c. Personal Data in the Physical Environment, as determined by the responsible person, are rendered inaccessible by being crossed out or blacked out in a way that cannot be erased.
d. Personal Data in the Physical Environment, as determined by the responsible person, are destroyed with a paper shredder.
e. Personal Data in Optical/Magnetic (Harddisk) Media are destroyed by technical personnel.


3.2. Anonymization of Personal Data

Anonymization means making the data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In this context, if the person to whom the data belongs can still be identified by tracing the remaining data, or by matching and supplementing it with other data, the data cannot be considered anonymized.

Within the Company, personal data is disposed of by deletion and destruction; the method of anonymization of personal data is not applied.



3.3. Periods of Storage and Disposal of Personal Data

Obligations brought by legal regulations are taken into account when determining the retention period of personal data processed by the company. Apart from legal regulations, the period stipulated in the KVKK and the relevant legislation or the storage period required for the purpose for which they are processed is determined, taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized by the company unless there is another legal reason or basis that allows the data to be kept.

If the purpose of processing personal data has ended and the period stipulated in the KVKK and the relevant legislation, or the storage period required for the purpose for which the data is processed, has expired, personal data can only be stored to provide evidence in possible legal disputes, to assert a right related to the personal data or to establish a defense. These periods are determined on the basis of the statute of limitations for asserting the aforementioned right. After these periods expire, personal data is deleted, destroyed or anonymized.

In the event that the period stipulated in the legislation expires in relation to the storage of the personal data in question, or if no period is stipulated in the relevant legislation for the storage of the said data, the data is deleted, destroyed or anonymized by the data controller at the latest in 6-month periods. Unless a contrary decision is taken by the Institution, the appropriate method of deleting, destroying or anonymizing personal data is chosen by the Company. Storage and destruction periods on the basis of personal data are shown in the table below.


3.4. Periodic Destruction Period of Personal Data

The company has evaluated the periodical destruction period within the scope of KVKK and determined it as 6 months. The company attaches importance to the destruction of personal data. According to this period, periodic destruction is carried out in the Company in June and December every year.


3.5. Enforcement and Update of Personal Data Storage and Disposal Policy

The most recent policy is considered in effect until the most current version is published.
If deemed necessary by the Company, the necessary sections of the Policy are updated.

This policy entered into force on 28.01.2021.
