Personal Data Retention and Destruction Policy
1. PURPOSE
The Personal Data Retention and Destruction Policy (“Policy”) has been created to provide explanations regarding the methods adopted and implemented by FORTE with respect to FORTE’s personal data retention and destruction activities, and to inform all relevant parties.
All personal data retention and destruction activities carried out by FORTE are performed in accordance with this Policy.
2. SCOPE
This document covers all processes in which personal data are processed by FORTE or on behalf of FORTE.
3. DEFINITIONS AND ABBREVIATIONS
The abbreviations and definitions used in this document are as follows:
Recipient Group: Real or legal persons to whom FORTE transfers personal data.
Explicit Consent: Consent given with free will, based on being informed, regarding a specific subject.
Anonymization: Rendering personal data anonymous, meaning making personal data impossible to be associated with an identified or identifiable natural person in any manner whatsoever, even if matched with other data.
Employee: FORTE employees.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic Environment: All written, printed, visual, and other environments outside electronic environments.
Inventory: The inventory in which FORTE details the personal data processing activities it carries out depending on its business processes by associating such activities with the purposes and legal basis of processing personal data, data category, transferred recipient group, and data subject group, and by explaining the maximum retention period required for the purposes for which personal data are processed, personal data planned to be transferred abroad, and measures taken regarding data security.
Data Subject: The natural person whose personal data are processed.
Relevant User: Persons who process personal data within the data controller organization, or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction: Deletion, destruction, or anonymization of personal data.
Recording Medium: Any environment in which personal data are located, whether the data are processed wholly or partially by automatic means, or by non-automatic means provided that the processing forms part of a data recording system.
Personal Data Processing/Processing: Any operation performed on data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, wholly or partially by automatic means or non-automatic means provided that it forms part of any data recording system.
Board: Personal Data Protection Board.
Special Category Personal Data: Data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at repeating intervals specified in the personal data retention and destruction policy in cases where all of the conditions for processing personal data set forth in the Law cease to exist.
Policy: Personal Data Retention and Destruction Policy.
Deletion: Rendering personal data inaccessible and non-reusable in any manner whatsoever for relevant users.
Data Processor: The natural or legal person who processes personal data on behalf of FORTE based on the authority granted by FORTE.
Data Recording System: The recording system where personal data are processed by being structured according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
VERBIS: The Information System of the Registry of Data Controllers, an IT system created and managed by the Authority, accessible via the internet, which data controllers use for applications to the Registry and other related transactions.
Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017.
Destruction/To be destroyed: Rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any manner whatsoever.
4. RECORDING MEDIA
Electronic Environments:
- FORTE EBYS, R&D Portal
- Servers
- Software
- Information security devices
- Personal computers (desktop, laptop)
- Removable storage (USB, External Disk, etc.)
Non-Electronic Environments:
- Paper
- Files
- Office Cabinets
- Archive
5. EXPLANATIONS REGARDING THE REASONS REQUIRING RETENTION AND DESTRUCTION
5.1 EXPLANATIONS REGARDING RETENTION
Article 3 of the Law defines the concept of processing personal data; Article 4 states that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and must be retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed; and Articles 5 and 6 set out the conditions for processing personal data.
Accordingly, within the scope of FORTE’s business activities, personal data are retained for the period stipulated in the relevant legislation or required by the purposes of processing, and for the periods specified in Article 8 of this Policy.
5.2 PROCESSING PURPOSES REQUIRING RETENTION
Personal data processed within the scope of FORTE’s activities are retained for the following purposes:
- Conducting Information Security Processes
- Conducting Candidate Employee / Intern / Student Selection and Placement Processes
- Conducting Application Processes of Candidate Employees
- Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees
- Conducting Fringe Benefits and Interests Processes for Employees
- Conducting Audit / Ethics Activities
- Conducting Training Activities
- Conducting Access Authorizations
- Conducting Activities in Compliance with Legislation
- Ensuring Physical Premises Security
- Conducting Assignment Processes
- Monitoring and Conducting Legal Affairs
- Conducting Internal Audit / Investigation / Intelligence Activities
- Conducting Communication Activities
- Planning Human Resources Processes
- Conducting / Auditing Business Activities
- Conducting Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for the Improvement of Business Processes
- Conducting Logistics Activities
- Conducting Goods / Service Procurement Processes
- Conducting After-Sales Support Services Processes for Goods / Services
- Conducting Goods / Service Sales Processes
- Conducting Goods / Service Production and Operation Processes
- Conducting Activities for Customer Satisfaction
- Conducting Performance Evaluation Processes
- Conducting Contract Processes
- Ensuring the Security of Movable Goods and Resources
- Conducting Supply Chain Management Processes
- Ensuring the Security of Data Controller Operations
- Providing Information to Authorized Persons, Institutions, and Organizations
- Creating and Monitoring Visitor Records
5.3 EXPLANATIONS REGARDING DESTRUCTION
Personal data are deleted, destroyed, or anonymized when one of the following conditions arises:
- Amendment or repeal of the relevant legislation provisions forming the basis for the processing or retention of personal data,
- Disappearance of the purpose requiring the processing or retention of personal data,
- In cases where personal data are processed based on the condition of explicit consent, withdrawal of the data subject’s consent,
- Disappearance of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law,
- Acceptance by FORTE of the data subject’s application, within the scope of the rights arising from Article 11 of the Law, for the deletion, destruction, or anonymization of personal data; or, where FORTE has rejected the request, acceptance of the request by the Board upon the data subject’s application to the Board and notification of this decision to FORTE.
6. TECHNICAL AND ADMINISTRATIVE MEASURES IMPLEMENTED
FORTE takes the technical and administrative measures determined by the Board in its decisions and guidelines pursuant to Articles 12 and 6/4 of the Law in order to ensure the secure retention of personal data, prevent unlawful processing and access, and ensure lawful destruction of personal data.
6.1 ADMINISTRATIVE MEASURES
- Disciplinary regulations containing data security provisions for employees exist.
- Undertakings and confidentiality agreements are signed with the organization’s personnel and relevant parties.
- Risk analyses are carried out on business processes.
- Personal data inventories are created.
- Trainings are organized and evaluated regarding personal data processing activities.
- Signed agreements include data security provisions.
- Additional security measures are taken for personal data transferred via paper, and the relevant documents are sent in the format of a classified document.
- Personal data security policies and procedures are determined.
- Personal data security issues are reported rapidly.
- Awareness activities and awareness trainings are organized for employees within the scope of the Personal Data Protection Law.
6.2 TECHNICAL MEASURES
- Network security and application security are ensured.
- A closed system network is used in personal data transfers via the network.
- The security of personal data stored in the cloud is ensured.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, use, retention, and destruction have been prepared and implementation has started.
- Authorizations in this area are removed for employees who change duties or leave employment.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Monitoring of personal data security is carried out.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data are minimized as much as possible.
- Personal data are backed up, and the security of backed-up personal data is also ensured.
- A user account management and authorization control system is implemented and monitored.
- Log records are kept in a manner that does not allow user intervention.
- Existing risks and threats have been identified.
- Policies and procedures for the security of special category personal data have been determined and implemented.
- Penetration tests are carried out.
- Cybersecurity measures have been taken and their implementation is continuously monitored.
- Special category personal data transferred via portable memory, CD, or DVD media are encrypted before transfer.
7. PERSONAL DATA DESTRUCTION METHODS
If the conditions specified in Article 6 above cease to exist under this Policy, personal data are deleted, destroyed, or anonymized by FORTE ex officio or upon the request of the data subject. Where the data subject applies to FORTE in this regard:
- Requests submitted are concluded within 30 (thirty) days at the latest and the data subject is informed,
- If the data subject’s personal data have been transferred to third parties, the third party to whom the data were transferred is notified and it is ensured that the necessary actions are taken by those third parties,
- If not all of the conditions for processing personal data have ceased to exist, the request may be rejected by the data controller in accordance with the third paragraph of Article 13 of the Law, stating the reason, and the rejection response is notified to the data subject in writing or electronically within thirty days at the latest.
Unless otherwise decided by the Board, FORTE selects the appropriate one of the methods of deletion, destruction, or anonymization when acting ex officio; where the data subject has made a request, the appropriate method is selected and its reason is explained to the data subject.
7.1 DELETION
On Printed Documents: Personal data are rendered invisible to relevant users by using permanent ink in a manner that cannot be reversed and cannot be read with technological solutions.
On the File Server: Data located on the file server are deleted with the delete command, or the access rights of users who have the authority to access the data on the file or the directory where the file is located are removed.
On Portable Media: Personal data on flash-based storage media are stored in encrypted form, and when the data are to be deleted, they are formatted in a manner that cannot be restored.
In the Database: The relevant rows containing personal data are deleted using database commands (DELETE, etc.).
On Workplace Computers: Access to personal data is provided through authentication, and the data are deleted using operating system commands.
7.2 DESTRUCTION
On Printed Documents: Paper environments containing personal data are destroyed in paper shredding machines.
On Portable Media: Flash-based portable memories are destroyed by degaussing or by being physically fragmented.
Hard Disks: Hard disks containing personal data are destroyed by the degaussing method or by being physically fragmented.
7.3 ANONYMIZATION
FORTE uses one of the methods of variable removal, adding noise, or micro-aggregation for anonymization depending on the environment where the data are located and the type of processing.
Variable Removal: Once the collected data have been brought together into a data set, the “highly descriptive” (identifying) variables are removed from it, so that the remaining data set is anonymized.
Adding Noise: Especially in a data set where numerical data are predominant, data are anonymized by adding certain deviations in the plus or minus direction to existing data at a determined rate.
Micro-Aggregation: In the micro-aggregation method, all data are first arranged in a meaningful order (such as from largest to smallest) and divided into groups, and anonymization is achieved by taking the average of the groups and writing the obtained value in place of the relevant data in the existing group.
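The three anonymization methods described in this section, implemented in Python as an added example; this is not FORTE’s own tooling. The record layout, the field names, the noise rate and the group size k are assumptions, and the data set is constructed for the demonstration.

```python
"""Toy implementations of the three anonymization methods named in Section 7.3:
variable removal, adding noise, and micro-aggregation.
Added example, not FORTE's own code. Record layout and parameters are assumed."""
import random
from statistics import mean
from typing import Dict, List

# Constructed sample data set (not real persons): one record per data subject.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"name": "Subject A", "national_id": "ID-0001", "department": "R&D", "salary": 5200, "age": 29},
    {"name": "Subject B", "national_id": "ID-0002", "department": "Sales", "salary": 4100, "age": 45},
    {"name": "Subject C", "national_id": "ID-0003", "department": "R&D", "salary": 6100, "age": 38},
    {"name": "Subject D", "national_id": "ID-0004", "department": "HR", "salary": 3900, "age": 51},
    {"name": "Subject E", "national_id": "ID-0005", "department": "Sales", "salary": 4700, "age": 33},
    {"name": "Subject F", "national_id": "ID-0006", "department": "R&D", "salary": 7000, "age": 41},
]


def remove_variables(records: List[Dict[str, object]], identifying: List[str]) -> List[Dict[str, object]]:
    """Variable removal: drop the highly identifying columns from every record."""
    return [{k: v for k, v in r.items() if k not in identifying} for r in records]


def add_noise(records: List[Dict[str, object]], numeric_fields: List[str],
              rate: float, seed: int = 0) -> List[Dict[str, object]]:
    """Adding noise: perturb each numeric value by a random deviation of up to
    +/- rate (0.05 means at most 5%) in either direction.
    The seed only makes this demonstration reproducible."""
    rng = random.Random(seed)
    noisy = []
    for r in records:
        copy = dict(r)
        for f in numeric_fields:
            deviation = rng.uniform(-rate, rate)
            copy[f] = round(r[f] * (1 + deviation), 2)
        noisy.append(copy)
    return noisy


def micro_aggregate(records: List[Dict[str, object]], field: str, k: int) -> List[Dict[str, object]]:
    """Micro-aggregation: order records by `field` from largest to smallest,
    split them into groups of k, and replace every value with its group mean.
    k is the minimum group size: a trailing remainder smaller than k is merged
    into the last full group so that no group has fewer than k members."""
    if k < 1:
        raise ValueError("group size k must be at least 1")
    ordered = sorted(records, key=lambda r: r[field], reverse=True)
    groups = [ordered[i:i + k] for i in range(0, len(ordered), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    aggregated = []
    for group in groups:
        group_mean = mean(r[field] for r in group)
        for r in group:
            copy = dict(r)
            copy[field] = group_mean
            aggregated.append(copy)
    return aggregated


if __name__ == "__main__":
    stripped = remove_variables(SAMPLE_RECORDS, ["name", "national_id"])
    print("variable removal:", stripped[0])
    print("adding noise:", add_noise(stripped, ["salary", "age"], rate=0.05)[0])
    for r in micro_aggregate(stripped, "salary", k=2):
        print("micro-aggregation:", r["department"], r["salary"])
```

Variable removal is applied first in the usage block because direct identifiers must go regardless of which numeric method follows; noise and micro-aggregation then only reduce how precisely the remaining attributes describe any one person.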
8. DATA RETENTION AND DESTRUCTION PERIODS
Data retention and destruction periods are kept in detail in the personal data inventory. The retention and destruction periods of the data are as stated below and in the Information System of the Registry of Data Controllers (VERBIS, https://verbis.kvkk.gov.tr):
For each process, the retention period and the periodic destruction period are as follows:
- Human Resources Processes Regarding Employees: retention period 10 years (Health Information 15 years); destruction in the first periodic destruction period following the end of the retention period.
- Data regarding customers: retention period 10 years as of the end of the commercial relationship; destruction in the first periodic destruction period following the end of the retention period.
- Contract Processes: retention period 10 years as of the end of the legal relationship; destruction in the first periodic destruction period following the end of the retention period.
- Information notice, information, permission and explicit consent processes: retention period 10 years; destruction in the first periodic destruction period following the end of the retention period.
9. PERIODIC DESTRUCTION PERIOD
FORTE has determined the periodic destruction period as 6 months in accordance with Article 11 of the Regulation. Accordingly, FORTE carries out periodic destruction in January and July each year.
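The retention periods in Section 8 and the six-month periodic destruction cycle in Section 9 (January and July) can be combined into a single scheduling rule: retention runs for the stated number of years from the triggering date, and the record is destroyed in the first periodic destruction run after that. The following Python is an added example, not FORTE’s own code; the category keys and the trigger dates are assumed, and the year counts are taken from Section 8.

```python
"""Retention expiry and periodic destruction scheduling (Sections 8 and 9).
Added example, not FORTE's own tooling. Category keys are assumed names;
the retention years and destruction months come from the policy text."""
from datetime import date

# Retention periods in years, per Section 8 of the policy.
RETENTION_YEARS = {
    "hr_employee": 10,   # Human Resources processes regarding employees
    "hr_health": 15,     # Health information within HR processes
    "customer": 10,      # Customer data, from the end of the commercial relationship
    "contract": 10,      # Contract processes, from the end of the legal relationship
    "consent": 10,       # Information notice / permission / explicit consent processes
}

# Periodic destruction runs every 6 months, in January and July (Section 9).
DESTRUCTION_MONTHS = (1, 7)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(trigger: date, category: str) -> date:
    """Date on which the retention period for `category` ends, counted from `trigger`
    (e.g. the end of the commercial or legal relationship)."""
    return add_years(trigger, RETENTION_YEARS[category])


def next_periodic_destruction(after: date) -> date:
    """First day of the first periodic destruction month strictly after `after`.
    A run in the same month as `after` is treated as already past, so a retention
    period ending on 15 January is destroyed in July, not in that January."""
    for month in DESTRUCTION_MONTHS:
        if month > after.month:
            return date(after.year, month, 1)
    return date(after.year + 1, DESTRUCTION_MONTHS[0], 1)


def destruction_date(trigger: date, category: str) -> date:
    """Scheduled periodic destruction date for a record of `category`."""
    return next_periodic_destruction(retention_end(trigger, category))


def is_overdue(trigger: date, category: str, today: date) -> bool:
    """True when the scheduled destruction date has been reached and the record
    should already have been destroyed."""
    return today >= destruction_date(trigger, category)


if __name__ == "__main__":
    # Constructed trigger dates for the demonstration.
    for trigger, category in [(date(2020, 3, 15), "customer"),
                              (date(2019, 12, 1), "contract"),
                              (date(2020, 2, 29), "hr_health")]:
        print(category, trigger, "->", retention_end(trigger, category),
              "-> destroy", destruction_date(trigger, category))
```

A practitioner would run `is_overdue` over the inventory before each January and July run to list records that must be included, and again afterwards to confirm that nothing overdue remains.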
10. UPDATE PERIOD
FORTE may amend or update this Policy due to amendments in the Law, in line with the Board decisions, in line with developments in the sector or in the field of information technologies, or for any reason if it deems necessary.
Amendments to this Policy are made by the FORTE Quality Assurance Department in accordance with the FORTE-PRS-19 QMS Update Procedure.
11. SANCTIONS THAT FORTE EMPLOYEES MAY FACE
For Employees who partially or completely fail to comply with the matters set forth in this text, the FORTE-KB-06 Disciplinary Principles shall be applied.
To ensure that the rules within the scope of the PDPL, and this text in particular, are understood as well as possible and are applied in daily business processes, FORTE will conduct the necessary training activities for its employees and ensure that such training continues.