Personal Data Retention and Destruction Policy

TERAPIZY TEKNOLOJİ ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

INTRODUCTION

Purpose of the Policy

In accordance with Article 20 of the Constitution titled “Privacy of Private Life,” the Personal Data Protection Law No. 6698 (“Law”), and applicable regulations and communiqués, this Policy aims to establish the principles for the processing, protection, retention, and, when necessary, destruction of personal data obtained by Terapizy Teknoloji Anonim Şirketi (“Terapizy”). The Policy prioritizes safeguarding the fundamental rights and freedoms of data subjects (including interns, employees, employee candidates, clients, potential clients, suppliers, shareholders/partners, Terapizy representatives, visitors, business partners, and other third parties), particularly the right to privacy, and ensuring that the data controller processes personal data in compliance with the law.

Scope of the Policy

The Policy covers the establishment of procedures and principles for Terapizy’s data processing activities, considering that any information relating to an identified or identifiable natural person constitutes personal data. Such data may be processed by Terapizy, acting as the data controller, through fully or partially automated means or non-automated means as part of a data recording system. This includes operations such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.

Application of the Policy and Relevant Legislation

This Policy is prepared in compliance with applicable legislation, particularly the Law No. 6698, as well as regulations, communiqués, decisions, and guidelines issued by the Personal Data Protection Board. If amendments to the Law or other relevant legislation render this Policy inconsistent after its publication, the amended provisions and rules will apply. Terapizy monitors all communiqués, decisions, and guidelines issued by the Board to ensure the Policy’s rules remain up to date.

Enforcement of the Policy

The Policy is published on Terapizy’s website at www.terapizy.com and takes effect upon publication.

MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

Under Article 12 of the Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to ensure an appropriate level of security to:

• Prevent unlawful processing of personal data,
• Prevent unlawful access to personal data,
• Ensure the preservation of personal data.

To this end, Terapizy implements security measures to prevent unlawful processing, transfer, or disclosure of personal data, unauthorized access, and other security vulnerabilities. Details of the administrative and technical measures taken are provided in Section VI: Administrative and Technical Measures Taken for Personal Data Protection.

2.2. Protection of Special Categories of Personal Data

Special categories of personal data are those that, if disclosed, could lead to discrimination or harm to the data subject. These require stricter protection compared to other personal data. Special categories of personal data may only be processed with the explicit consent of the data subject or in limited cases specified by the Law.

The Law defines special categories of personal data exhaustively, including data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. These categories cannot be expanded by interpretation.

The Law distinguishes between special categories of personal data. Health and sexual life data are subject to stricter conditions for processing without explicit consent compared to other special categories. According to the Law, special categories of personal data may be processed without explicit consent in the following cases:

• Special categories of personal data (excluding health and sexual life) may be processed in cases explicitly provided for by law.
• Health and sexual life data may be processed by persons or authorized institutions under a confidentiality obligation for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, care services, and the planning and management of healthcare services and financing.

Terapizy takes all necessary measures to protect special categories of personal data and prioritizes avoiding their collection and processing whenever possible.

MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing Personal Data in Accordance with Legal Principles

As per Article 4 of the Law, personal data processing must adhere to the following principles:

• Compliance with the law and good faith,
• Accuracy and, where necessary, being up to date,
• Processing for specific, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purpose of processing,
• Retention for the period prescribed by relevant legislation or necessary for the purpose of processing.

3.2. Conditions for Processing Personal Data

Personal data obtained by Terapizy may not be processed without the explicit consent of the data subject, except in cases provided by the Law. Personal data may be processed without explicit consent in the following circumstances:

• Where explicitly provided for by law,
• Where necessary to protect the life or physical integrity of the data subject or another person who is unable to provide consent due to physical impossibility or whose consent lacks legal validity,
• Where necessary for the establishment or performance of a contract, provided it relates directly to the parties of the contract,
• Where necessary for the data controller to fulfill a legal obligation,
• Where the data has been made public by the data subject,
• Where necessary for the establishment, exercise, or protection of a right,
• Where necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to the Obligation to Obtain Explicit Consent

The following cases do not require explicit consent for processing personal data:

• Explicitly Provided by Law: Provisions in laws allowing the processing of personal data constitute a condition for processing without explicit consent.
• Physical Impossibility: Personal data may be processed without consent to protect the life or physical integrity of a person unable to provide consent due to physical impossibility or whose consent lacks legal validity.
• Contract Necessity: Personal data may be processed without consent if necessary for the establishment or performance of a contract to which the data subject is a party.
• Legal Obligation: Personal data may be processed without consent to fulfill Terapizy’s legal obligations as a data controller.
• Publicized by the Data Subject: Personal data made public by the data subject may be processed without consent, provided it is used for its intended purpose.
• Establishment, Exercise, or Protection of a Right: Personal data may be processed without consent if necessary for the establishment, exercise, or protection of a right.
• Legitimate Interests: Personal data may be processed without consent if necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject. The legitimate interest must be lawful, effective, specific, and currently existing, related to the data controller’s ongoing activities, and capable of providing future benefits.

3.4. Processing of Special Categories of Personal Data

The processing of special categories of personal data is governed by Article 6 of the Law and is prohibited without the explicit consent of the data subject. Special categories include data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. These categories are exhaustive and cannot be expanded by interpretation.

Due to their nature, special categories of personal data could lead to discrimination or harm if disclosed and thus require stricter protection. The processing conditions are as follows:

• Special Categories Excluding Health and Sexual Life: These may be processed without explicit consent in cases explicitly provided for by law.
• Health and Sexual Life Data: These may be processed without explicit consent by persons or authorized institutions under a confidentiality obligation for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, care services, and the planning and management of healthcare services and financing.

3.5. Informing and Notifying the Data Subject

During the collection of personal data, Terapizy, as the data controller or through authorized persons, informs data subjects. The procedures and principles of this notification are detailed in Terapizy’s Information Notice on Personal Data Protection, which includes the following elements:

• Identity of the data controller and, if applicable, its representative,
• Purposes for which personal data is processed,
• Recipients and purposes of personal data transfers,
• Method and legal basis for collecting personal data,
• Rights of the data subject as specified in Article 11 of the Law.

Identity of the Data Controller and Representative
Personal data obtained from data subjects (clients, employee candidates, business partners, suppliers, shareholders, Terapizy representatives, visitors, and other third parties) are processed by Terapizy Teknoloji Anonim Şirketi as the data controller. Contact can be made via the email address kvk@terapizy.com or the website www.terapizy.com.

Purposes of Processing Personal Data
Personal data is processed for specific, explicit, and legitimate purposes, with data subjects informed accordingly. The purposes for processing personal data are detailed in Section V: Categorization and Purposes of Personal Data Processed by Our Company.

Recipients and Purposes of Personal Data Transfers
As part of the data controller’s obligation to inform, the recipients and purposes of personal data transfers must be clearly specified. Personal data may not be transferred to third parties without the explicit consent of the data subject. The recipient groups and transfer purposes are outlined in Section IV: Transfer of Personal Data.

Method and Legal Basis for Collecting Personal Data
In accordance with Articles 5 and 6 of the Law, the data controller must clearly specify the legal basis for processing personal data. The method and means of data collection are determined by the data controller. The conditions for processing personal data, as lawful grounds, are exhaustively listed in Articles 5 and 6 of the Law and cannot be expanded.

Terapizy assesses whether the purpose of the data processing activity is based on a condition other than explicit consent. If the purpose does not meet at least one of the conditions specified in the Law, explicit consent is obtained to continue the data processing activity.

TRANSFER OF PERSONAL DATA

4.1. Domestic Transfer

Personal data may not be transferred without the explicit consent of the data subject. However, transfers may occur without explicit consent if one of the conditions specified in Article 5(2) or, with adequate safeguards, Article 6(3) of the Law is met. These conditions include:

• Explicit provision in laws,
• Necessity to protect the life or physical integrity of a person unable to provide consent due to physical impossibility or whose consent lacks legal validity,
• Necessity for the establishment or performance of a contract, provided it relates directly to the parties of the contract,
• Necessity for the data controller to fulfill a legal obligation,
• Data made public by the data subject,
• Necessity for the establishment, exercise, or protection of a right,
• Necessity for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

Additionally, special categories of personal data (excluding health and sexual life) may be transferred without explicit consent in cases provided for by law, while health and sexual life data may be transferred without consent by persons or authorized institutions under a confidentiality obligation for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, care services, and the planning and management of healthcare services and financing.

Details of the recipient groups to which Terapizy transfers personal data are provided in Annex 4: Third Parties to Whom Personal Data is Transferred and Purposes of Transfer.

4.2. International Transfer

Personal data may not be transferred abroad without the explicit consent of the data subject. However, transfers may occur without explicit consent if one of the conditions in Article 5(2) or Article 6(3) of the Law is met and:

• Adequate protection exists in the foreign country,
• In the absence of adequate protection, the data controllers in Turkey and the foreign country commit in writing to provide adequate protection, and the Board’s approval is obtained.

CATEGORIZATION AND PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

The purposes for processing personal data provided to Terapizy by data subjects include:

Management Activities of Terapizy

• Managing relationships with business partners and suppliers,
• Organizing and managing events,
• Conducting strategic planning activities,
• Planning and executing corporate communication activities,
• Planning and executing corporate governance activities,
• Planning and conducting Terapizy’s audit activities,
• Ensuring Terapizy’s operations comply with its procedures and/or relevant legislation,
• Ensuring the security of Terapizy’s operations,
• Conducting company and partnership law transactions,
• Monitoring financial and accounting activities,
• Conducting internal audits, investigations, and intelligence activities,
• Managing risk processes,
• Managing emergency processes.

Client Relationship Activities

• Managing loyalty processes for company products/services,
• Managing client relationship processes,
• Conducting activities to ensure client satisfaction,
• Tracking requests and complaints,
• Managing marketing processes for services.

Human Resources Policies and Management of Terapizy

• Managing employee candidate/intern/student selection and placement processes,
• Managing employee candidate application processes,
• Conducting employee satisfaction and loyalty processes,
• Fulfilling obligations arising from employment contracts and legislation for employees,
• Managing new rights and benefits processes for employees,
• Planning and executing employees’ access to information,
• Monitoring and/or auditing employees’ work activities,
• Managing assignment processes,
• Managing compensation policies,
• Conducting performance evaluation processes,
• Planning and/or executing internal training activities,
• Planning and executing internal orientation activities,
• Conducting talent and career development activities.

Technical and Physical Security Processes of Terapizy

• Managing information security processes,
• Establishing and managing IT infrastructure,
• Conducting audit/ethical activities,
• Managing access authorizations,
• Ensuring compliance with legislation,
• Ensuring physical premises security,
• Monitoring and executing legal affairs,
• Conducting storage and archiving activities,
• Ensuring the security of movable assets and resources,
• Ensuring the security of data controller operations,
• Providing information to authorized persons, institutions, and organizations,
• Creating and tracking visitor records.

Personal data processed by Terapizy is categorized and processed in accordance with the data processing conditions specified in the Law and relevant legislation. The categorization of processed personal data is provided in Annex 3: Personal Data Categories.

ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR PERSONAL DATA PROTECTION

Terapizy implements administrative and technical measures to ensure the secure storage of personal data, prevent unlawful processing, and unauthorized access.

To ensure personal data security, Terapizy identifies all personal data processed, assesses the likelihood of risks to data protection, considering:

1. Whether the data is a special category of personal data,
2. The level of confidentiality required by its nature,
3. The nature and extent of potential harm to the data subject in case of a security breach.

After identifying and prioritizing risks, control and solution alternatives to mitigate or eliminate these risks are evaluated based on cost, applicability, and effectiveness. Necessary technical and administrative measures are planned and implemented.

6.1. Administrative Measures

Attacks or cybersecurity threats that could compromise personal data security underscore the importance of employee awareness and initial response capabilities, even with limited knowledge. To this end, Terapizy conducts awareness and training activities within its organization.

Employees are trained on preventing unlawful disclosure or sharing of personal data, and awareness activities are conducted to create an environment where security risks can be identified. The roles and responsibilities of all employees regarding personal data security are defined in their job descriptions, ensuring awareness of their obligations.

As part of the hiring process, employees sign confidentiality agreements, and a disciplinary process is in place for non-compliance with security policies and procedures. Changes to security policies and procedures are communicated to employees through training to keep information on data security and threats up to date.

Under Article 4(b) and (d) of the Law, personal data must be accurate, up to date when necessary, and retained for the period prescribed by relevant legislation or necessary for the purpose of processing. Processed data is handled in accordance with applicable principles and rules, and retained only for the necessary duration. The retention periods for personal data processed by Terapizy are specified in Section VIII: Retention and Destruction of Personal Data.

The following table summarizes the administrative measures taken to ensure data security:

6.2. Technical Measures

To protect information technology systems containing personal data from unauthorized access and threats via the internet, measures such as firewalls and gateways are employed. Firewalls prevent breaches in the information network, while gateways restrict employee access to websites or online platforms posing security risks.

Regular checks ensure that software and hardware function correctly and that security measures are adequate. Access to systems containing personal data is restricted, with employees granted access only to the extent necessary for their roles and responsibilities, using usernames and passwords. Passwords are created to avoid easily guessable sequences or personal information.

Access authorization and control matrices are established within the organization, and antivirus, antispam, and other products are used to scan the information system network regularly and detect threats. Physical security measures ensure that paper documents, servers, backup devices, CDs, DVDs, USBs, and other storage media containing personal data are accessible only to authorized personnel.

The following table summarizes the technical measures taken to ensure data security:

RETENTION AND DESTRUCTION OF PERSONAL DATA

7.1. Retention Periods for Personal Data

Personal data held by Terapizy is retained for the duration necessary for the data processing activity. Upon the emergence of an obligation to delete, destroy, or anonymize personal data, such actions are performed within the first periodic destruction period following the obligation’s emergence. The maximum interval for periodic destruction is 6 months.

Terapizy complies with the general principles in Article 4 and the technical and administrative measures in Article 12 of the Law when deleting, destroying, or anonymizing personal data. All actions related to the deletion, destruction, or anonymization of personal data are recorded and retained for at least 3 years as required by legal obligations.

A designated personal data specialist at Terapizy is responsible for overseeing and implementing the personal data retention and destruction policy.

7.2. Obligation to Delete, Destroy, and Anonymize Personal Data

Personal data processed by Terapizy is deleted, destroyed, or anonymized, either on its own initiative or upon the data subject’s request, in accordance with Article 7 of the Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017, issue 30224, once the reasons for processing no longer exist.

Deletion of Personal Data
Deletion involves rendering personal data inaccessible and unusable for relevant users. Terapizy takes all necessary technical and administrative measures to ensure deleted personal data remains inaccessible and unusable.

Destruction of Personal Data
Destruction involves rendering personal data inaccessible, irretrievable, and unusable by anyone. Terapizy is obliged to take all necessary technical and administrative measures for the destruction of personal data.

Anonymization of Personal Data
Anonymization involves rendering personal data unassociable with an identified or identifiable natural person, even when matched with other data. Terapizy applies methods compliant with its personal data retention and destruction policy to anonymize personal data, taking all necessary technical and administrative measures.

7.3. Techniques for Deletion, Destruction, and Anonymization of Personal Data

The techniques for deleting, destroying, or anonymizing personal data processed by Terapizy vary depending on the nature of the data. These include:

1. Identifying the personal data subject to deletion, destruction, or anonymization,
2. Identifying relevant users for each personal data using an access authorization and control matrix or similar system,
3. Determining the access, retrieval, and reuse permissions and methods of relevant users,
4. Revoking and eliminating the access, retrieval, and reuse permissions and methods of relevant users.

Deletion Techniques:

• Issuing deletion commands for cloud or application-based solutions,
• Blacking out, cutting, or rendering invisible data in paper format,
• Using appropriate software to delete data on portable media.

Destruction Techniques:

• Physically destroying optical and magnetic media by melting, burning, or pulverizing,
• Other destruction methods for paper or electronic media.

RIGHTS OF THE DATA SUBJECT AND THEIR EXERCISE

8.1. Rights of the Data Subject

Under the Law No. 6698, data subjects have the following rights:

• Learn whether their personal data is processed,
• Request information regarding the processing of their personal data, if processed,
• Learn the purpose of processing and whether the data is used in accordance with that purpose,
• Know the third parties to whom personal data is transferred, domestically or abroad,
• Request correction of incomplete or inaccurate personal data,
• Request deletion or destruction of personal data under the conditions specified in Article 7,
• Request notification of corrections, deletions, or destructions to third parties to whom the data was transferred,
• Object to any adverse outcome resulting from the analysis of processed data solely through automated systems,
• Demand compensation for damages incurred due to the unlawful processing of personal data.

8.2. Exercise of the Data Subject’s Rights

Requests related to the application of the Law must be submitted in writing to Terapizy at kvk@terapizy.com or Maslak Mahallesi Hadımkoru Yolu Caddesi B1 Blok No:2b1 No:108 Maslak/İstanbul. The “Data Subject Application Form” published on Terapizy’s website must be used for such requests.

8.3. Terapizy’s Response to Applications

Applications are processed by Terapizy as soon as possible, within a maximum of 30 days, depending on the nature of the request. If the process incurs costs, a fee may be charged as determined by the Personal Data Protection Board.

ANNEX 1: Definitions

• Explicit Consent: Consent given freely, based on information, and specific to a particular subject.
• Anonymization: Rendering personal data unassociable with an identified or identifiable natural person, even when matched with other data.
• Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
• Direct Identifiers: Identifiers that directly reveal, disclose, or distinguish the related person.
• Indirect Identifiers: Identifiers that, when combined with others, reveal, disclose, or distinguish the related person.
• Data Subject: The natural person whose personal data is processed.
• Relevant User: Natural or legal persons processing personal data within the data controller’s organization or based on the data controller’s authorization, excluding those responsible for technical storage, protection, and backup.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Law: Personal Data Protection Law No. 6698, dated 24/03/2016.
• Blackout: Operations such as crossing out, painting, or blurring personal data to render it unassociable with an identified or identifiable natural person.
• Storage Medium: Any medium containing personal data processed fully or partially through automated or non-automated means as part of a data recording system.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
• Board: Personal Data Protection Board.
• Authority: Personal Data Protection Authority.
• Data Processor: A natural or legal person processing personal data on behalf of the data controller based on granted authority.
• Data Recording System: A system where personal data is structured and processed according to specific criteria.
• Data Controller: The natural or legal person determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.

ANNEX 2: Data Subject Categories

ANNEX 3: Personal Data Categories

• Identity Information: Data related to the identity of natural persons, such as ID cards, driver’s licenses, residence documents, passports, attorney IDs, marriage certificates (e.g., T.C. identity number, passport number, ID serial number, name-surname, photograph, place and date of birth, age, place of registration, family status certificate).
• Contact Information: Information used to communicate with the individual (e.g., phone number, email address, residential address).
• Personnel Information: Personal data related to personnel rights obtained from Terapizy’s suppliers, business partners, or employees (information included in personnel files as per legislation).
• Legal Transaction and Compliance Information: Data processed to fulfill legal obligations, conduct legal proceedings, and pursue claims (e.g., data in court or administrative decisions).
• Client Information: Data obtained from Terapizy’s clients (e.g., name-surname, alias, IBAN information).
• Transaction Security Information: Personal data processed to ensure Terapizy’s information security and administrative, legal, and commercial security.
• Financial Asset Information: Documents and records showing the financial information of individuals with a legal relationship with Terapizy (e.g., current account, debt-credit balances, account, and card information).
• Employee Candidate Information: Data such as name-surname, date and place of birth, signature, marital status, address, phone, mobile number, significant health conditions, emergency contact, certifications, education, foreign language proficiency, professional experience, references, resume content, and interview notes.
• Employee Information: Data related to employee qualifications (e.g., education certificate, certificate name, issuing institution, education location, training/seminar participation, faculty/department, institution name, city, completion date, education level, institution type, department, employer name, city, country, industry, role, start date).
• Employee Transaction Information: Personal data related to activities conducted by employees at Terapizy (e.g., expense reports, international travel information, email correspondence, entry-exit records, meeting attendance).
• Employee Performance and Career Development Information: Personal data processed for employee performance evaluation and career development (e.g., in-service training, performance evaluation reports).
• Family Status Data: Information regarding employees’ family status.
• Marketing Information: Personal data used for Terapizy’s marketing activities, such as habits, targeting information, and cookie records.
• Visual and Audio Data: Visual and audio records associated with the data subject (e.g., photographs, camera, and audio recordings).
• Audit and Inspection Information: Data processed to comply with legal obligations and Terapizy’s policies (e.g., inspection reports, interview records).
• Request/Complaint Management Information: Personal data processed for managing and evaluating requests or complaints directed to Terapizy.
• Special Categories of Personal Data: Data related to health, criminal convictions, and security measures.
• Sexual Life Data: Data related to sexual orientation or sexual life.

ANNEX 4: Third Parties to Whom Personal Data is Transferred and Purposes of Transfer