BLACK FRIDAY %70 OFF ALL PRODUCTS

DATA STORAGE AND DESTROY

DATA STORAGE AND DESTROY

1. PURPOSE AND SCOPE

KEIKEI Tex(le and Clothing Industry and Trade Inc. Personal Data Storage and

Purpose of this Personal Data Retention and Disposal Policy (“Policy”); It is the determination of the processing times of the personal data processed by KEİKEİ Tekstil Ve Giyim Sanayi Ticaret Anonim Şirketi (“Company”) and the criteria and methods for the deletion, destruction or anonymization of the personal data whose processing time and/or purpose of processing has disappeared.

In parallel with the texts of `Clarification` published by our company and the regulations in Article 6 of the `Regulation on the Deletion, Destruction or Anonymization of Personal Data` (`Regulation`) that came into force on 28.10.2017; in line with the principles of compliance with the law, honesty and transparency; The reasons for the storage and destruction of your personal data, the determination of the maximum time required for the purpose for which your personal data is processed, the recording media where your personal data is kept, the measures taken for the protection and destruction of your personal data, the persons and units involved in the storage and destruction of your personal data, personal data storage and is to determine the procedures and principles regarding the deletion, destruction or anonymization of your personal data, which is fully or partially automated or processed by non-automatic means provided that it is a part of any data recording system, by explaining the destruction periods and processes.

This Policy; In accordance with Article 7 of the Law on the Protection of Personal Data No. 6698 (“Law”), KEIKEI Tekstil Ve Giyim Sanayi Ticaret Anonim Şirketi as a “data controller” fully or partially automated or non-automatic means provided that they are part of any data recording system It covers the processes of deletion, destruction or anonymization of all personal data that is processed with, in electronic and/or paper environment and for which there is no legal and/or legitimate interest in processing and storage.

2. DEFINITIONS
2.1. Law: Law on Protection of Personal Data No. 6698.
2.2. Personal Data: Any information relating to an identified or identifiable natural person.

2.3. Personal data of special nature: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data.

2.4. Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the

personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, by explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.

2.5. Relevant Person: The natural person whose personal data is processed.

2.6. Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

2.7. Data Registra(on System: A registration system in which personal data is processed and structured according to certain criteria.

2.8. Recording medium: Any medium that contains personal data that is fully or partially automated or that is processed non-automatically, provided that it is a part of any data recording system, and is extensively explained in Article 3.

2.9. Electronic recording medium: A recording medium where personal data can be processed, stored, read, and modified by electronic devices.

2.10. Non-electronic recording medium: A recording medium in which data is physically stored and processed, other than electronic media.

2.11. Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

2.12. Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

2.13. Customer: Refers to the persons who purchase and/or benefit from all kinds of services available within the scope of the company`s activities.

2.14. Intermediary service provider:

Intermediary persons, institutions or websites that enable the company to do it through the plaaorms that the Company has an agreement, not directly on the company or company`s website.

2.15. Destruc(on: It is the process of deletion, destruction or anonymization of your personal data.

2.16. Periodic destruc(on: It is the process of deletion, destruction or anonymization that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the processing conditions of the personal data in the Personal Data Protection Law are eliminated.

2.17. Anonymiza(on of personal data: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

2.18. Dele(on of personal data: It is the process of making personal data inaccessible and unusable for the relevant users in any way.

2.19. Destruc(on of personal data: It is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

2.20.Web site: Refers to hdps://www.keikei.com and other redirected domain portals.

2.21. Policy: Personal Data Retention and Disposal Policy.

2.21. CommiWee: From the implementation of this Policy, internal auditing of personal data processing activities, informing and advising on data protection obligations, monitoring the compliance of personnel with this Policy and Procedures in data processing activities, ensuring that data processing processes and data processing processes comply with the Law and Policy to the Management. Refers to the staff or commidee made up of personnel responsible for reporting on compliance.

2.22. Personnel: Refers to the real persons working in our company.
2.23. Personnel Candidates: Refers to real persons who apply for a job by sending CVs, sending e-

mails, calling phones and other methods to our company.

2.24. Visitors: Refers to real persons who visit our company`s website, referral tool websites, and physical environments such as stores and company headquarters.

2.25. Business/Solu(on Partner, Supplier: Third person and persons from whom our company receives external services in order to carry out its activities and to provide service to you.

2.26.Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

2.27. Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.

2.28. Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use.

2.29. Data Controllers Registry Informa(on System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions.

2.30. VERBIS: Data Controllers Registry Information System ti.31. Board: Refers to the Personal Data Protection Board.

2.32. Guideline: Refers to the “Guide for the Deletion, Destruction or Anonymization of Personal Data” published by the Board at www.kvkk.gov.tr.

2.33. Regula(on: Refers to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazede dated ti8 October ti017.

3. RECORDING MEDIA WHERE YOUR PERSONAL DATA IS STORED

3.1. Your personal data, which is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system, according to the purpose of collection and processing;

3.1.1. Electronic Recording Media; Cloud systems, central server, hard disk, portable media, databases, information security devices, computers, mobile devices, optical disks, office portal and sokware, digital media and materials such as printers, scanners, photocopiers.

3.1.2. Non-Electronic Recording Media; Wriden and printed visual media such as paper, personnel file, invoice, receipt, waybill, manual document recording systems.

4. REASONS REQUESTING THE STORAGE AND DISPOSAL OF YOUR PERSONAL DATA

4.1. We keep your personal data for the period required by the purpose of processing the personal data specified in the Clarification Texts announced by our Company, without prejudice to the minimum and maximum storage periods stipulated by the laws, and by complying with the data processing conditions specified in the 5th and 6th articles of the Law. The maximum storage periods stipulated by our company are explained in Article 7.

4.2. Accordingly, your personal data, in accordance with the Clarification Texts; As a rule, with your explicit consent, in exceptional cases stipulated in the law, your explicit consent is required.

can be processed by our Company without being hit.

4.3. In cases clearly foreseen in the law, in cases where there is an actual impossibility to obtain the consent of the data subject, or in cases where data processing is necessary for the life and bodily integrity of the data subject or someone else, in case his consent is not legally valid; If data processing is necessary for the establishment and performance of contracts made directly or indirectly with the data subject, in cases where data processing is necessary for the fulfillment of legal and legal obligations of our Company, which is the data controller; If the data is to be processed to make the personal data of the person concerned public or to establish or protect a right, and finally, your personal data may be processed in accordance with the legitimate interests of the Company without affecting the fundamental rights and freedoms of the person concerned.

4.4. 4.3 of the Policy. The main reasons for keeping your personal data in accordance with the article;

4.4.1. Fulfilling the data processing conditions (legal reasons) specified in Article 5 of the Law (executing the contract, establishing the right, obligatory data processing in accordance with the legitimate interests of our Company, fulfilling the legal obligation, etc.)

4.4.2. Execution of personnel procurement and recruitment processes of our company, personnel productivity evaluation, personnel productivity improvement and personnel training planning and execution,

4.4.3. Execution of financial transactions such as financial reporting, risk planning, risk management, financial planning,

4.4.4. Organizing product or service satisfaction surveys,

4.4.5. Production, development and delivery of goods or services; expanding the range of goods and services, reporting feedback,

4.4.6. Managing, reporting and finalizing customer requests and complaints,

4.4.7. Execution, planning and reporting of corporate communication,

4.4.8. Creating, tracking and reporting visitor/customer records,

4.4.9. Managing and reporting the legal processes of our company, tracking receivables and debts and responding to other legal information requests from official authorities,

4.4.10. Responding to legitimate and legal requests of official institutions and organizations and private institutions and organizations authorized to request information, presenting information and documents,

4.4.11. Making periodic (weekly, monthly, annual, etc.) activities and budget plans of our company,

4.4.12. Carrying out advertising, promotion and marketing activities of our company, increasing service quality, making promotions, organizing campaigns, taking orders, managing order processes, making order feedbacks, organizing satisfaction surveys,

4.4.13. Our company`s central building - its surroundings and / or our company`s store, warehouse, etc. Ensuring the physical security of workplaces and other places,

4.4.14. Fulfilling additional product or service requests from our customers, offering additional products or services to our customers, classifying, reporting and increasing customer tastes.

4.4.15. In each business process by our company, 6698 p. To fulfill the purposes specified within the scope of the illumination notifications to be made in accordance with Article 10 of the Law.

4.5. Reasons for destruction;

4.5.1. 4.3 of this Policy. the expiration of the situations stipulated in the article; In particular, the amendment or repeal of the provisions of the relevant legislation, which is the basis for the

Processing of personal data, or the disappearance of the purpose that requires the processing or storage of personal data,

4.5.2. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his explicit consent,

4.5.3. In accordance with Article 11 of the Law, the application made by the Company for the deletion and destruction of personal data within the framework of the rights of the person concerned is accepted by the Company or by the Institution in case of a negative response,

4.5.4. The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time,

In the event that you apply to our Company, your personal data processed by us will be deleted, destroyed or anonymized within 30 days at the latest or in the periodic destruction dates adopted by our Company, even if you do not make any application to our Company.

5. PARTIES IN THE PROCESSES OF THE STORAGE AND DISPOSAL OF YOUR PERSONAL DATA

5.1. Depending on the nature of your personal data and the recording media specified in Article 3, your personal data is stored by the departments in our Company in electronic and/or non-electronic recording media, according to the category.

5.1.1. Your personal data, which is processed within the scope of all your purchases and other uses on the website and your calls to our company`s call center, are stored in the digital environment, and our Company`s E-Commerce Sales and Marketing Department is responsible for the storage and destruction of your personal data.

Manager and IT Department Manager and other employees that these people may assign. E- Commerce Sales and Marketing Department Manager is responsible for the execution, management and organization of our company`s websites and all activities carried out therein in accordance with the law and company policy.

5.1.2. Your personal data, which are physically processed within the scope of purchasing or visiting products from our workplaces or branches, are stored in digital and physical media, and our Company`s Administrative Affairs Department Manager, Sales Department Manager and IT Department Manager and other employees that these people may be assigned take part in the storage and destruction processes of your personal data. The Sales Department Manager is responsible for the execution, management and organization of sales activities, especially all workplaces of our company, in accordance with the law and company policy. The Manager of the Administrative Affairs Department is responsible for the execution, management, supervision and organization of all administrative works and structures within the company.

5.1.3. Your personal data processed within the scope of personal files and other transactions created in accordance with the Labor Law, Occupational Health and Safety Law and other relevant legislation of our employees are stored in digital and physical environment, and in the storage and destruction processes of your personal data, our Company`s Human Resources (HR) Department Manager and IT

Department Manager Our other employees, who can be assigned by individuals, are assigned. The HR Department Manager is responsible for the execution, management, supervision and organization of all employment and employee employment processes of our company, including the pre-interview for recruitment and recruitment processes, and the rights and obligations of its employees in accordance with the law and company policy.

5.1.4. The cameras in our company`s headquarters building (headquarters), stores, warehouse and other workplaces and annexes have been established to ensure your security, and your personal data processed within the scope of the cameras (CCTV) system are stored in digital media, and in the storage and destruction processes of your personal data, our Company`s Administrative Affairs Department Manager and IT Department Manager and other employees he may assign are assigned. The IT Department Manager is responsible for taking all technical and legal measures regarding informatics of our company and for the execution, management and organization of all actions taken in this context in accordance with the law and company policy.

5.1.5. Personal data of financial nature such as salary accounts, payroll, invoices, refund bank account information of employees, customers and other relevant persons are stored in digital and physical environment. is in charge. Accounting Department Manager is responsible for the execution, management and organization of all accounting and financial transactions of the company in accordance with the law and company policy.

5.1.6. Your personal data processed within the scope of contracts or activities, especially the contact information of the persons or institutions from which we purchase services or goods, solution partners and other real or legal persons with whom we work within the scope of business development, are stored in digital and physical environment, and in the storage and destruction processes of your personal data, our Company`s Product Management / Purchase Receiving Department Manager and IT Department Manager and other employees that these people can assign are assigned. The Product Management Department Manager is responsible for the supply of all kinds of goods and services necessary for the company to continue its activities and the execution, management and organization of these transactions in accordance with the law and company policy.

6. MEASURES TAKEN TO PROTECT YOUR PERSONAL DATA

6.1. Our company is commided to keeping your personal data safe, to ensure that your personal data is accessed illegally and to act in accordance with the rule of law and honesty when processing your personal data, to ensure that your personal data is accurate and up-to-date when necessary, to process your personal data for specific, clear and legitimate purposes. It has taken the following technical, legal and administrative measures in order to prevent the unlawful processing of your personal data and to destroy your personal data in accordance with the law, by processing your personal data in connection with the purpose for which they are processed, limited and measured, and by preserving your personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed:

6.1.1.

SPECIAL

TECHNICAL MEASURES

PURPOSE AND EXPLANATION OF SPECIAL TECHNICAL MEASURES

Penetration Tests

In order to ensure the security of your personal data, our company periodically performs a penetration test to determine whether there is any leakage in terms of your data processed electronically.

Determination of Access and Authorization Matrices

In order for the personal data processed by us to be processed only by authorized persons, the access and authorization matrix is determined in our Company, both for all employees of the Company and for each department, so that unauthorized persons cannot access your personal data in any way and perform processing on the data.

Intrusion Detection and Prevention Systems

Prevention systems have been established for all kinds of cyber attacks against the Company database and the software used from the outside, and if there is an attack, necessary technical measures have been taken to detect the attack immediately.

Keeping log records

For each data in the system, log records of both employees, customers and Web Site visitors are kept.

Network and application security

It is aimed to ensure the security of the server networks that our company uses (and may use in the future).

Data Loss Prevention Software

In order to prevent data loss, our company uses a technically sound data backup system and software that allows data recovery.

Current Antivirus and Antispam Systems

Attacks that may come from outside in our company, etc. The most up-to- date and reliable antivirus and antispam systems are used in order to be prepared for situations and to ensure system and data security.

Data Masking

In our company, we use data masking or encryption method in order to ensure data security during the sharing of this data with third parties or persons who are not authorized in the authorization matrix.

Safety Precautions

Security camera system, anti-theft alarm system, controlled entry-exit and lock systems have been installed to prevent personal data kept in the physical environment from being stolen or seen by an unauthorized person.

Fire and Other Disasters

Fire alarm and extinguishing system installed. Fire extinguishers have been placed close to the places where personal data in the physical environment are located. Risk assessments were made against other disasters and events.

6.1.2. The necessary technical infrastructure has been established in order to store your personal data securely, to prevent unlawful access to your personal data and illegal processing of your personal data, and to destroy your personal data in accordance with the law.

Necessary technical and administrative control mechanisms have been established for the healthy functioning of the infrastructure.

6.1.3. Employees with technical expertise are employed in order to store your personal data securely, to prevent unlawful access to your personal data, to prevent unlawful processing of your personal data, and to destroy your personal data in accordance with the law.

6.1.4. In order to ensure business and safety continuity and to overcome emergencies, emergency planning was carried out by forming a risk management team.

6.1.5. Our employees, business partners and other third parties with whom we have a business relationship were informed about legal, technical and administrative risks, and general and event- based technical, administrative and legal awareness trainings were given to our employees regarding the processing, storage, destruction and data security of personal data. Trainings are repeated at certain intervals when necessary. The authorizations of the users who have access to the data are defined. Users who are authorized to access data, scope of authorization and duration are clearly defined. Periodic authorization checks are carried out, the authorization of employees who have a change of job or quit their job in this field is immediately revoked, and the process of returning the inventory allocated to them by the data controller is carried out.

6.1.6. Commitments have been taken from the third parties to whom your personal data is transferred, that they take and/or will take the necessary security measures in order to keep your personal data safe, to prevent illegal access to your personal data, to prevent illegal processing of your personal data, and to ensure that your personal data can be destroyed in accordance with the law. Confidentiality agreements have been signed with the employees.

6.1.7. In order to prevent unlawful access to your personal data and to prevent unlawful processing of your personal data, internal data access authorizations have been made, and access authorities are periodically audited by our managers.

6.1.8. Technical and administrative infrastructure has been established to ensure that all transactions regarding the destruction of your personal data are recorded and that such records are kept for a minimum of ti years.

6.1.9. In order for your personal data to be destroyed in accordance with the law, our employees have been provided with legal, administrative and technical training on the methods of deletion, destruction and anonymization of personal data in digital and physical recording media, and periodic destruction periods and processes.

6.1.10. Necessary technical and administrative measures have been taken to ensure that your deleted personal data is not accessible and reusable for the relevant users. In this context, it has been made impossible for the relevant user to access and/or use your personal data, which has been deleted by the data deletion methods used by our Company.

6.1.11. We periodically update the legal, administrative and technical measures we have taken regarding the safe storage of your personal data, the prevention of illegal access and unlawful processing of your personal data, and the legal destruction of your personal data.

6.1.12. Registered in the Data Controllers Registry Information System as a data controller. (version ti.0)

6.1.13. A Data Processing Inventory has been created in order to ensure the sound execution of this Policy and to control the adequacy of the measures taken.

6.1.14. In addition to the technical and administrative measures listed above, a separate data security policy has been determined for sensitive personal data.

6.1.15. Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units. The transaction records of all movements performed on the data are securely logged, the security updates of the environments where the data is located are constantly monitored, the necessary security tests are carried out regularly, and the test results are recorded. User authorizations for the sokware that access special quality personal data are made, security tests of these sokware are carried out regularly and the test results are recorded. In case of remote access to the data, it is ensured that at least two-stage authentication system is passed.

6.1.16. Awareness and data security trainings on special quality personal data security have been given to employees involved in special quality personal data processing processes, confidentiality agreements have been made, commitments have been made, and the authorizations of users who have access to data have been defined. Users who are authorized to access data, scope of authorization and duration are clearly defined. Periodic authorization checks are carried out, and employees who have a change of job or quit their job.

Its authorizations in this area are immediately revoked and the process of returning the inventory allocated to it by the data controller is carried out.

6.1.17. Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security. For this purpose, if this data is transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account; Data is transferred between servers by establishing a VPN or using the sFTP method; portable memory etc. In case of data transfer via media, a cryptographic key is created. Again, if these data are printed / printed, in case of a possible data transfer, the said documents are sent in `CONFIDENTIAL` format.

7. TIMES

7.1. Your personal data, without prejudice to the minimum storage periods stipulated in the laws; If the `purpose of processing your personal data` announced within the scope of the `Informative Text on the Processing of Your Personal Data` is completely eliminated, or all the data processing conditions in Articles 5 and 6 of the Law are eliminated, or even if none of these In case the processing becomes technically, administratively or financially impossible, your personal data will be deleted, destroyed or anonymized by our Company ex officio or upon your request in the first periodical destruction process following the emergence of this situation.

7.2. The destrucrion periods adopted by our company are twice a year, at the end of the 4th month and at the end of the 10th month of each year.

7.3. When you request the delerion, destrucrion or anonymizarion of your personal data by applying to our Company in wriring or by other methods to be determined by the Board, pursuant to Arricle 13 of the Law, the following procedures and principles will apply:

7.3.1. If all the condirions for processing personal data have disappeared; Your personal data subject to your request is deleted, destroyed or anonymized. Your request will be finalized within thirty days at the latest and you will be informed.

7.3.2. If all the conditions for processing personal data have been removed and your personal data subject to the request has been transferred to third parties, our Company will notify the third party; It ensures that the necessary actions are taken within the scope of this Regulation before the third party.

7.3.3. If all of the personal data processing conditions have not been eliminated, your request may be rejected by our Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law. In this case, you will be notified in writing or electronically within thirty days at the latest.

7.3.4. Depending on the nature of your request, your request result will be concluded free of charge. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

7.4. Reserving the maximum and minimum storage periods stipulated in the laws regarding your personal data, the storage periods, destruction and periodic destruction periods according to the data categories are given in the table below:

Personal Data Category

Retention Period of Your Personal Data

Destruction Period of Your Personal Data

Personal Data Obtained from Customers Purchasing Goods and Services in Stores or on the Internet

10 years from the end of the legal relationship

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data Regarding Business Solution Partner/ Suppliers

10 years from the end of the legal relationship

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data Regarding Employee Candidates During Job Application

2 years

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data of Personnel (Identity, Contact, Personal Information, Legal Transaction Data, Professional Experience, Visual and Audio Records, Physical Space Security i)

10 years from the end of the legal relationship; camera records 6 months

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Health Data of Personnel Received within the Scope of Criminal Conviction and Occupational Health and Safety Legislation

Health Data 15 years, Criminal Conviction 10 years from the end of the legal relationship

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data Regarding Visitors (Camera Records, log records)

Camera records 6 months; Log records 2 years

İ In the first periodical destruction process following the termination of the obligation, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data Regarding Online Visitors (Cookies etc.)

Online Website Membership Transactions and Personal Data Regarding Members

2 years

10 years from the end of the legal relationship

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

All Records Related to Accounting and Financial Transactions

10 years from the end of the legal relationship

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

Personal Data Regarding Company Partners and Officials and Commercial Books and Records Kept under the TCC

10 years

In the first periodical destruction process after the destruction obligation arises, or within 30 days at the latest, upon your application pursuant to Article 13 of the Law, provided that all the conditions for processing personal data have disappeared.

7.5. In the determination of personal data retention periods, in order to defend the rights of both our Company and the relevant persons, to present evidence, to defend and to object to the possibility of possible legal disputes; The statute of limitations for asserting the right subject to a legal dispute that may arise and mandatory periods for legal obligations are taken as basis.

8. METHODS THAT CAN BE USED IN THE DISPOSAL OF YOUR PERSONAL DATA

Personal data in electronic or paper media whose purpose of processing has completely disappeared are deleted, destroyed or anonymized with the methods stipulated in this Guide, in accordance with the `Guideline for the Deletion, Destruction or Anonymization of Personal Data` published by the Personal Data Protection Authority. All deletion, destruction or anonymization operations carried out by the Technical Unit are logged electronically with a time stamp and recorded. In terms of personal data in paper media, a report is prepared and kept by the Technical Unit. Records of deletion, destruction or anonymization of personal data in electronic and paper media are kept for three years. KEIKEI Textile and Clothing Industry Trade Joint Stock Company; It uses the `deletion` method to ensure that only relevant departments have access to personal data during their storage period. If the storage period expires and there is no other purpose that requires keeping personal data, it uses the anonymization method.

1.Dele(on of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant users. Personal data deleted as a data controller

All necessary technical and administrative measures are taken to make it inaccessible and reusable for users.

1.1 Deletion Process of Personal Data

The process to be followed in the deletion of personal data is as follows:

Determining the personal data that will be the subject of the deletion process,

Identifying relevant users for each personal data using an access authorization and control matrix or a similar system,

Determining the authorizations and methods of the relevant users such as access, retrieval, reuse,

Closing and eliminating the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data.

1.2 Methods of Deletion of Personal Data
A) Application Type Cloud Solutions as a Service (Office 365, Salesforce, Dropbox etc.)

In the cloud system, data is deleted by giving a delete command. While the aforementioned transaction is being performed, the transaction is carried out in such a way that the relevant user does not have the authority to restore the deleted data on the cloud system in any way.

B) Personal Data in Paper Media

Personal data in paper media are deleted using the blackout method. The blackening process is done by curng the personal data on the relevant document when possible, and in cases where it is not possible, erasing it so that it cannot be recovered and read with technological solutions, or by using fixed ink to make it invisible to the users related to the painting process.

C) Office Files on the Central Server

It is done by deleting the file with the delete command in the operating system or by removing the access rights of the relevant user on the file or the directory where the file is located.

D) Personal Data in Portable Media

Personal data in flash-based storage media are stored in secure environments with encryption keys, and deletion is performed using sokware suitable for these environments.

E) Databases

It is the deletion of the relevant lines containing personal data with database commands (delete etc.). While performing the aforementioned operation, it should be noted that the relevant user is not also a database administrator.

ti Destruc(on of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. KEIKEI Tekstil Ve Giyim Sanayi Ticaret Anonim Şirketi is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Personal Data Destruction Methods

In order to destroy personal data, all copies of the data are detected and destroyed one by one by using one or more of the following methods, depending on the type of systems in which the data is located.

2.1 Local Systems
One or more of the following methods can be used to destroy the data on the said systems.

De-magnetization: It is the process of exposing the magnetic media to a very high magnetic field by passing it through a special device and corrupting the data on it in an unreadable manner.

Physical Destruction: The physical destruction of optical media and magnetic media, such as melting, incinerating or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing through a metal grinder to optical or magnetic media. For solid state disks, if the overwriting or demagnetization is not successful, this media is also physically destroyed.

Overwriting: It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is done using special sokware.

Environmental Systems: Depending on the type of environment, the disposal methods that can be used are as follows:

Network devices (switches, routers, etc.): The storage media in the devices in question are fixed. Products oken have a delete command, but not a destroy feature. For this reason, it is destroyed by using one or more of the appropriate methods specified in (a).

Flash-based environments: Flash-based hard drives that have an ATA (SATA, SSD, PATA, etc.), SCSI (SCSI Express, etc.) interface, use the <block erase> command if supported, if not, use the manufacturer`s recommended destruction method, or (a) It is destroyed by using one or more of the appropriate methods specified in.

Magnetic tape: It is a medium that stores data with the help of micro magnet pieces on flexible tape. It is destroyed by exposing it to very strong magnetic environments and demagnetizing it or by physical destruction methods such as burning and melting.

Mobile phones (SIM card and fixed memory areas): Fixed memory areas in portable smartphones have a delete command, but most do not have a destroy command. For this reason in (a)

It is destroyed by using one or more of the appropriate methods specified.

Peripherals such as printer, fingerprint door access system with removable data recording media: All data recording media are verified to be removed and destroyed by using one or more of the appropriate methods specified in (a) according to their characteristics.

Peripherals such as printer with fixed data recording medium, fingerprint door access system: Most of these systems have a delete command, but no destroy command. For this reason, it is destroyed by using one or more of the appropriate methods specified in (a).

Paper and Microfiche Media

Since the personal data in the said media is permanently and physically wriden on the media, the main media must be destroyed. During this process, the media is divided into small pieces of incomprehensible size, horizontally and vertically if possible, in a way that cannot be reassembled, with paper shredders or clipping machines. Or it is irreversibly destroyed by the incineration method.

Personal data transferred from the original paper format to the electronic environment by scanning is destroyed by using one or more of the appropriate methods specified in (a) according to the electronic environment in which they are located.

Cloud Environment

During the storage and use of personal data in the aforementioned systems, encryption with cryptographic methods and, where possible, separate encryption keys should be used for personal data, especially for each cloud solution serviced. When the cloud computing service relationship ends, all copies of encryption keys required to make personal data available must be destroyed.

In addition to the above environments, the destruction of personal data in devices that have malfunctioned or sent for maintenance is carried out as follows;

Before transferring the relevant devices to third parties such as manufacturers, vendors, and services for maintenance and repair, the personal data contained in it is destroyed by using one or more of the appropriate methods specified in (a),

In cases where it is not possible or appropriate to destroy, the data storage medium should be disassembled and stored, and other defective parts are sent to third institutions such as the manufacturer, seller, service,

Taking the necessary measures to prevent the personnel coming from outside for purposes such as maintenance and repair from copying personal data and taking them out of the institution.

Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. The purpose of anonymization is to break the link between the data and the person identified by this data.

In order for personal data to be anonymized, it is rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant activity, such as returning the personal data by the data controller or recipient groups and/or matching the data with other data.

As the data controller, the Company takes all necessary technical and administrative measures to anonymize personal data. Anonymization of personal data is carried out in accordance with the principles specified in the personal data retention and destruction policy.

9 PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different environments, with wet signature (printed paper) and electronically, and is announced on the website.

10 UPDATE PERIOD OF THE POLICY

The policy is reviewed as needed and the necessary sections are updated.

11 FORCE

11.1. This Policy (version 2.0) takes effect on the date of publication and supersedes the previous (version 1.0.).

11.2. In case of changes or updates to the Policy, a new version is published, which will also include information about the relevant change.

Changes made in this Policy are listed in the table below: