Çağdaş Kağıt

KVKK Retention and Destruction Policy

ÇAĞDAŞ PAPER PACKAGING IND. AND TRADE CO. LTD.

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

Publication Approval	Board of Directors' Decision dated ......
Destruction Policy Version	Version No. 01

CONTENTS

1. INTRODUCTION

1.1Purpose of the Policy............……………………………………………………………………………………........2

1.2 Scope of the Policy…………………………………………………………………......................…2

1.3Definitions……………………………………………………………….……………...........…............2

2.RECORDING ENVIRONMENTS…………………………………………………….……….................................…3

3.EXPLANATIONS ON STORAGE AND DESTRUCTION……………………………………………………..4

3.1Explanations Regarding Storage……………………………………………………..…….........4

3.1.1Legal Reasons for Storage………………………………………………………..…...4

3.1.2Processing Purposes Requiring Storage……………………………………………………..4

3.2Reasons Requiring Destruction……………………………………..…………………......................4

4. PERSONAL DATA DESTRUCTION TECHNIQUES………………………………………….......….............5

4.1Deletion of Personal Data……………………………………………….……….........….............5

4.2Destruction of Personal Data……………………..………………………………….................….5

4.3Anonymization of Personal Data…………………………..……………………….....................6

5.STORAGE AND DESTRUCTION PERIODS………………………………..………………….........….............7

5.1 Destruction Periods……………………………………..…………………………………..........…............7

5.2 Periodic Destruction…………………………………………..…………………………………..........….........9

6.TECHNICAL AND ADMINISTRATIVE MEASURES…………………………………………………………………..…........9

6.1 Technical Measures…………………………..………………………………………………...........….........9

6.2Administrative Measures………………………….......……………………………………...........…...........10

7.PERSONAL DATA COMMITTEE…………………………..………………………….........….........…..11

8. PUBLICATION AND STORAGE OF THE POLICY…………………………………………..11

9. POLICY UPDATE PERIOD………………………………………….............…11

10. ENFORCEMENT OF THE POLICY........................................................................………..........11

ENTRANCE

1.1 Purpose of the Policy

This storage and destruction policy Contemporary Paper Packaging Industry and Trade Ltd. Co. in short (“Çağdaş Kağıt”), Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti., in its capacity as data controller, regarding the storage, deletion, destruction or anonymization of personal data in accordance with the Law on the Protection of Personal Data No. 6698 and other legislation . It was prepared for the purpose of determining the procedures and principles to be applied by.

In this context, employees, job candidates, customers, visitors and for any reason Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. The personal data of all real persons who have personal data with Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It is managed in accordance with the law within the framework of the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.

1.2 Scope of the Policy

This policy is for the company partners, company shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, company customer officials and employees, potential product or service buyers, supplier employees, supplier officials, visitors, consultants and third parties and for any reason Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It covers all real persons who have personal data with them and their personal data. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. , by publishing this policy on the internet address www.cagdaskagit.com/kvkk, fulfills its obligations in Article 16 of the Personal Data Protection Law and Article 5 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data and informs these personal data owners.

Contemporary Paper Packaging Industry and Trade Ltd. Co. This Policy applies to all recording environments in which personal data is processed and to activities aimed at processing personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

1.3 Definitions

Explicit Consent: The declaration of consent given by the relevant person to the processing of data concerning him/her, freely, with sufficient information on the subject and limited only to that process,

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller,

Electronic Environment: Environments where personal data can be created, read, changed and written using electronic devices.

Non-Electronic Media: All written, printed, visual, etc. media other than electronic media,

Destruction: Deletion, destruction or anonymization of personal data,

Law: Personal Data Protection Law No. 6698,

Recording Medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person,

Personal Data Owner/Relevant Person: The natural person whose personal data is processed,

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system,

Personal Data Processing Inventory: The inventory created by the data controllers by associating the personal data processing activities they carry out in connection with their business processes with the purposes of processing personal data, data category, the group of recipients to whom the data is transferred and the group of persons subject to the data, and detailing the maximum period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security.

Anonymization of Personal Data: Personal data cannot be identified or identifiable in any way, even when matched with other data. to be rendered incapable of being associated with a real person,

Deletion of Personal Data: Making personal data inaccessible and reusable for the relevant users in any way.

Destruction of Personal Data: The process of rendering personal data inaccessible, irreversible and reusable by anyone,

Board: Personal Data Protection Board,

Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, in the event that all the processing conditions of personal data specified in the law are eliminated.

Personal Data Processing and Protection Policy : Can be accessed at www.cagdaskagit.com/kvkk , Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. The policy that determines the procedures and principles regarding the management of personal data in its possession, This Policy, which data controllers base on the process of determining the maximum period required for the purpose for which personal data is processed and the process of erasing, destroying and anonymizing personal data,

Registry: The registry of data controllers kept by the Personal Data Protection Authority,

Company: Çağdaş Paper Packaging Industry and Trade Co. Ltd. (In short, “Contemporary Paper” )

Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted to him;

Data Recording System: A recording system in which personal data is structured and processed according to certain criteria;

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

VERBIS: Data Controllers Registry Information System

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

For definitions not included in this Policy, the definitions in the Law and Regulation apply.

2. RECORDING MEDIA

Personal data, Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It is stored securely in accordance with the law in the environments specified below.

Table 1: Recording Media

Electronic Media

Non-Electronic Media

Network devices,
Shared/unshared disk drives used for storing data on the network Software (office software)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Removable Disks (USB, Memory Card etc.)
Personal Computers (Desktop, Laptop)
Mobile Devices (phone, tablet, etc.)
Optical Discs (CD, DVD, etc.)
Servers (Domain, backup, email, database, web, file sharing, etc.)
Printer, scanner, copier
Software (office software)
Printer, scanner, copier

Archive
Paper
Manual Data Recording Systems (survey forms, visitor logbook)
Written, printed, visual media
Unit cabinets.

3. INSTRUCTIONS ON STORAGE AND DESTRUCTION

Contemporary Paper Packaging Industry and Trade Ltd. Co. by; company partners, company shareholders, company officials, employees, employee candidates, interns, intern candidates, company customers, customer candidates, customer officials and employees, potential product or service buyers, suppliers, supplier employees, supplier officials, visitors, consultants and third parties, business partners, people who receive products or services and for any reason Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. The personal data of all real persons whose personal data is held by us can be processed, stored and destroyed in accordance with the procedures and principles set out in the Law, Regulation and relevant legislation.

In this context, explanations regarding storage and destruction are provided below.

3.1 Explanations Regarding Storage

The concept of processing personal data is defined in Article 3 of the KVKK, and Article 4 states that the personal data processed must be related, limited and proportionate to the purpose for which they are processed and must be stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed . Articles 5 and 6 list the conditions for processing personal data.

Accordingly, Çağdaş Paper Packaging Industry and Trade Co. Ltd. Within the scope of our activities, personal data is stored for a period of time stipulated in the relevant legislation or in accordance with our processing purposes.

3.1.1 Legal Reasons for Storage

Contemporary Paper Packaging Industry and Trade Ltd. Co. Personal data processed within the scope of its activities are kept for the period stipulated in the relevant legislation. Personal data can be processed for the following legal reasons specified in Articles 5 and 6 of the KVKK.

Explicit consent of the person concerned
It is clearly stated in the laws (Law No. 6698 on the Protection of Personal Data, Turkish Code of Obligations No. 6098, Law No. 6502 on the Protection of Consumers, Banking Law No. 5411, Regulation on the Employment of Disabled Persons, Ex-Convicts and Victims of Terrorism, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Regulation on Mass Internet Use Providers, Enforcement and Bankruptcy Law No. 2004, Social Security and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation, Labor Law No. 4857, Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes, Regulation on Archive Services, Other Regulations in Force According to These Laws)
If it is necessary for the protection of the life or physical integrity of a person or someone else who is unable to give his consent due to a physical impossibility or whose consent is not legally valid.
The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligations.
It has been made public by the relevant person himself
Data processing is necessary for the establishment, exercise or protection of a right.
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

3.1.2 Processing Purposes Requiring Storage

Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. stores the personal data it processes within the scope of its activities for the following purposes.

Execution of Emergency Management Processes
Execution of Information Security Processes
Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students
Conducting the Application Process of Employee Candidates
Implementation of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Conducting Employee Benefits and Side Benefits Processes
Conducting Audit / Ethics Activities
Conducting Training Activities
Execution of Access Permissions
Carrying out activities in accordance with legislation
Carrying out financial and accounting affairs
Execution of Loyalty Processes to Company / Products / Services
Ensuring Physical Space Security
Conducting Assignment Processes
Monitoring and Execution of Legal Affairs
Conducting Internal Audit/Investigation/Intelligence Activities
Conducting Communication Activities
Planning Human Resources Processes
Conducting/Supervising Business Activities
Conducting Occupational Health / Safety Activities
Obtaining and Evaluating Suggestions for Improving Business Processes
Carrying out activities to ensure business continuity
Ensuring Quality Standards
Keeping Entrances and Exits to the Institution Building Under Control and Preventing Unauthorized Entry
Carrying out logistics activities
Carrying out the purchasing processes of goods / services
Carrying out After-Sales Support Services for Goods/Services
Execution of Goods / Services Sales Processes
Execution of Goods / Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Carrying out activities aimed at customer satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Conducting Performance Evaluation Processes
Carrying out advertising / campaign / promotion processes
Carrying out storage and archive activities
Carrying out social responsibility and civil society activities
Execution of Contract Processes
Conducting Sponsorship Activities
Tracking of Requests / Complaints
Execution of Supply Chain Management Processes
Implementation of the Wage Policy
Carrying out marketing processes for products/services
Ensuring the Security of Data Controller Operations
Conducting Investment Processes
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Carrying out management activities
Creating and Tracking Visitor Records
Ensuring the Security of Movable Goods and Resources
Issuance of Product Invoices
Execution of Product Sales Policy
Fulfillment of the Obligations of the Board Members Arising from the Turkish Commercial Code Legislation

3.2 Reasons Requiring Destruction

Your Personal Data;

Amendment or abolition of the relevant legislative provisions that form the basis of processing,
The purpose requiring processing or storage is eliminated,
In cases where personal data is processed only based on explicit consent, the person concerned must withdraw his/her explicit consent,
In accordance with Article 11 of the KVKK, the application made by the relevant person regarding the deletion and destruction of his/her personal data within the framework of his/her rights was submitted to Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. accepted by,
The elimination of the conditions for processing personal data in Articles 5 and 6 of the Law,
Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, finds the response insufficient or does not respond within the period stipulated in the KVKK; he/she may complain to the Board and this request is deemed appropriate by the Board,
The maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing personal data for a longer period,

In their markets, Contemporary Paper Packaging Industry and Trade Ltd. Co. Upon the request of the person concerned, it is deleted, destroyed or deleted ex officio, or made anonymous.

4. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data will be transferred to Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It is destroyed by the following techniques, either ex officio or upon the application of the Relevant Person, in accordance with the relevant legislation.

Unless otherwise decided by the Board, the appropriate method of automatically deleting, destroying or anonymizing personal data is Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. However, if the relevant person requests, the appropriate method is selected by explaining the reason.

4.1 Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant users. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Personal data processed by us are deleted from the storage media in which they are located in the ways specified in Table 2 below;

Table 2: Deletion of Personal Data

Data Recording Environment	Explanations
Personal Data Located on Servers	For personal data on the servers whose storage period has expired, the system administrator will delete the data by revoking the access rights of the relevant users.
Personal Data in Electronic Environment	Personal data in electronic media, whose storage period has expired, are rendered inaccessible and non-reusable by any means for employees (relevant users), except for the database administrator.
Personal Data in the Physical Environment	For personal data kept in a physical environment, the period requiring storage has expired and they are rendered inaccessible and non-reusable by all employees except for the unit manager responsible for the document archive. In addition, they are blackened by drawing/painting/erasing them so that they cannot be read.
Personal Data on Portable Media	Personal data kept in flash-based storage media, for which the period requiring storage has expired, are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.
In the Database	The relevant rows containing personal data are deleted with database commands (DELETE etc.).
On Company Computers	Personal data is accessed through authentication and deleted using operating system commands.

4.2 Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, irreversible and reusable by anyone. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Personal data processed by us are destroyed from the storage media in which they are located in the ways specified in Table 3 below;

Table 3: Destruction of Personal Data

Data Recording Environment	Explanations
Personal Data in the Physical Environment
Physical Destruction	Personal data in paper form, whose storage period has expired, is destroyed irreversibly in document shredders.
Destruction Methods for Personal Data Held in Local Digital Environment
Physical Destruction	It is the process of physically destroying optical and magnetic media that contain Personal Data, such as melting, burning or pulverizing them. Data is rendered inaccessible by processes such as melting, burning, pulverizing or passing optical or magnetic media through a metal grinder.
Methods for Destroying Personal Data Held in the Cloud
Safely Delete Software	Personal data stored in the cloud environment is digitally deleted in a way that it cannot be recovered again, and when the cloud service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again.

4.3 Anonymization of Personal Data

Anonymization of personal data means making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Personal data processed by us are anonymized from the recording media in which they are located, as specified in Table 4 below;

Table 4: Anonymization of Personal Data

Data Recording Environment	Explanations
Regional Hiding	It is the process of deleting information that may be distinctive about data that is an exception within the data table where personal data is collectively and anonymously stored.
Removing Variables	It is the removal of one or more direct identifiers contained in the personal data of the relevant person that would allow the relevant person to be identified in any way. This method can be used to anonymize personal data, or to delete personal data if it contains information that is not compatible with the purpose of data processing.
Generalization	It is the process of bringing together personal data belonging to many people and turning them into statistical data by removing distinguishing information.
Masking	Data masking is a method of anonymizing personal data by removing the basic identifying information of personal data from the data set.
Data Exchange	Direct or indirect identifiers in personal data are mixed with other values or corrupted, thus severing their relationship with the relevant person and causing them to lose their identifying qualities.

5. STORAGE AND DESTRUCTION PERIODS

When determining the storage periods of personal data, the obligations imposed by legal regulations are taken into consideration by Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti . In addition to legal regulations, the storage period is determined by taking into consideration the purposes of processing personal data and the legitimate interests of Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. in processing the personal data in question. In this context, first of all, it is determined whether a period is foreseen in the relevant legislation for the storage of personal data, and if a period is foreseen in the relevant legislation, personal data is stored for this period. If a period is not foreseen in the relevant legislation, personal data is stored for the period necessary for the purpose for which they are processed. Unless otherwise decided by the Board, the most appropriate method among the methods of deleting, destroying or anonymizing personal data is selected by Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti.

Table 5: Storage Periods

GROUP OF PERSONS WHOSE DATA IS PROCESSED	DATA CATEGORY	DATA STORAGE PERIOD
Worker	Identity, Location, Contact, Personnel, Legal Process, Physical Space Security, Process Security, Professional Experience, Audio-Visual Records, Biometric Data, Position and Title Data, Employee Relative Information.	It is kept for a period of 10 (ten) years after the termination of the employment contract.
Worker	Health	It is kept for 15 (fifteen) years from the termination of the employment contract. (Occupational Health and Safety Services Regulation Art. 7)
Employee Candidate	Identity, Contact, Legal Process, Professional Experience, Audiovisual Records, Biometric Data, Position and Title Data.	6 Months from the Date of Application, 10 Years from the Termination of the Employment Contract
Employee Relative	Identity, Contact	10 Years from Termination of Employment Contract
Workplace Physician	Identity, Contact, Signature	15 Years from the date of leaving the job
Customer	Marketing, Audiovisual Data	10 Years from Purchase
Customer	Identity, Contact	10 Years from Purchase
Customer Company Representative	Identity, Contact, Signature	10 Years from Purchase
Customer Employee	Identity, Contact	10 Years from Purchase
Visitor	Identity, Physical Space Security	6 Months from the Date of Creation of Visitor Record
Website Visitor	Identity, Communication, Transaction Security	2 Years from the Date of Creation of the Record
Person Receiving Product/Service	Identity, Communication, Transaction Security, Customer Transaction,	Each product/service purchased by the service recipient shall be kept for a period of 10 (ten) years, as per the Turkish Code of Obligations Article 146 and Turkish Commercial Code Article 82, starting from the date of provision.
Person Receiving Product/Service	Physical Space Security	3 Months in Ordinary Times, Statute of Limitations in Legal Cases
Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. cooperates with (Supplier, Dealer/Franchise)	Identity, Contact Information, Financial Information,	It is kept for 10 years during the business/commercial relationship and after its termination, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

If a longer period is stipulated by legislation or if a longer period is stipulated by legislation for statute of limitations, limitation periods, storage periods, etc., the periods stipulated in the legislation shall be accepted as the maximum storage period.

5.1 Destruction Periods

Contemporary Paper Packaging Industry and Trade Ltd. Co. In accordance with the KVKK, the relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy, the Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data for which it is responsible arises.

to Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. pursuant to Article 13 of the KVKK and requests the deletion or destruction of his/her personal data;

If all the conditions for processing personal data have been eliminated; Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. The personal data subject to the request is deleted, destroyed or anonymized by an appropriate destruction method within 30 (thirty) days from the day it receives the request, explaining its reason. In order for Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. to be deemed to have received the request , the relevant person must submit the request to Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti., which is announced on its official website . It must be done in accordance with the Personal Data Processing and Protection Policy . Çağdaş Kağıt informs the relevant person about the transaction in any case.

If all the conditions for processing personal data have not been eliminated, this request can be made to Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. The rejection may be made by the relevant person in writing or electronically within thirty days at the latest, by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK.

5.2 Periodic Destruction

In case all the conditions for processing personal data stipulated in the law are eliminated; Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It deletes, destroys or anonymizes personal data, the processing conditions of which have ceased to exist, through a process specified in this Personal Data Storage and Destruction Policy and carried out ex officio at recurring intervals.

Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. has determined the periodic destruction period as 6 months in accordance with Article 11 of the Regulation.

6.TECHNICAL AND ADMINISTRATIVE MEASURES

In order to securely store personal data, prevent unlawful processing and access, and lawfully destroy personal data, within the framework of sufficient measures determined and announced by the Board for special personal data in accordance with Article 12 of the KVKK and the fourth paragraph of Article 6 of the KVKK, Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Technical and administrative measures are taken by.

6.1 Technical Measures

Contemporary Paper Packaging Industry and Trade Ltd. Co. The technical measures taken by the Company regarding the personal data it processes are stated below.

Network security and application security are provided.
Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. maintains technical tools and equipment suitable for each destruction method included in this policy.
Penetration tests and Çağdaş Paper Packaging Industry and Trade Co. Ltd. Necessary measures are taken by identifying risks, threats, weaknesses and vulnerabilities, if any, regarding information systems.
Risks to prevent unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical controls are carried out regarding the measures taken.
Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
Data backup programs are used to ensure the safe storage of personal data.
A separate policy has been determined for the security of special personal data.
Training on special personal data security has been provided to employees involved in special personal data processing processes, confidentiality agreements have been made, and the authorities of users authorized to access data have been defined.
Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
Training and awareness activities are carried out for employees on data security at regular intervals.
An authority matrix has been created for employees.
Access logs are kept regularly.
The authority of employees who change their duties or leave their jobs is revoked in this area.
Up-to-date anti-virus systems are used.
Firewalls are used.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
Personal data is reduced as much as possible.
User account management and authorization control systems are implemented and monitored.
Encryption is being done.

6.2 Administrative Measures

Contemporary Paper Packaging Industry and Trade Ltd. Co. The administrative measures taken by the Company regarding the personal data it processes are set out below.

Efforts are being made to raise awareness and raise awareness of employees who will carry out the destruction process on issues such as information security, personal data and privacy.
Legal and technical consultancy services are received to follow the developments in the fields of information security, privacy, protection of personal data and secure destruction techniques and to take the necessary precautions.
technical or legal requirements, it signs a confidentiality agreement with the relevant third parties for the protection of personal data and takes all necessary care to ensure that the relevant third parties comply with their obligations under this confidentiality agreement.
It periodically checks whether the destruction operations are carried out in accordance with the law and the conditions and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary measures.
A personal data processing inventory has been prepared.
Disciplinary regulations have been prepared to be applied to employees who do not comply with security policies and procedures.
Periodic and random audits are carried out within the institution.
Confidentiality agreements are being prepared. Within the scope of confidentiality agreements, provisions regarding the protection of personal data are also regulated.
Contemporary Paper Packaging Industry and Trade Ltd. Co. KVKK Awareness Trainings are provided to Blue Collar/White Collar personnel working within the company.
The Data Controller is Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Confidentiality Agreements are being prepared between the Data Processor and the Company.
The person appointed as the Contact Person is announced in the Information Texts.
Information Texts for Employees/Visitors/Service Users are being prepared.
Contemporary Paper Packaging Industry and Trade Ltd. Co. The employment contracts of the personnel working within the company are made compatible with KVKK.
Camera Systems Lighting Texts are hung in the form of a table in all places where there are Camera Systems.
Contemporary Paper Packaging Industry and Trade Ltd. Co. Computer Usage Instructions are being prepared for the personnel working within the company.
Contemporary Paper Packaging Industry and Trade Ltd. Co. Access Restrictions are applied to the rooms where personal data of the personnel working within the company is stored.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
Information texts regarding the protection of personal data are published on a departmental basis.
The Personal Data Protection Committee has been established.
The authority of employees who change their duties or leave their jobs is revoked in this area.
The signed contracts contain data security provisions.
Personal data security is monitored.

7. PERSONAL DATA PROTECTION COMMITTEE

Contemporary Paper Packaging Industry and Trade Ltd. Co. A Personal Data Protection Committee has been established within the body of Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. based on the decision of the Board of Directors. The Personal Data Protection Committee is responsible for the protection of the data of the relevant persons in accordance with the law. Personal Data Processing and Protection Policy and Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It is authorized and responsible for carrying out/having the necessary procedures and supervising the processes for the storage and processing of Personal Data in accordance with the Personal Data Storage and Destruction Policy .

The Personal Data Protection Committee consists of at least three people, one being the chairman, one being the administrative expert, and one being the technical expert. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. is responsible for the Personal Data Protection Committee. The titles and job descriptions of the employees are listed below. The Personal Data Protection Committee derives its duties and responsibilities from the decisions of the Company's board of directors.

Table 6: Personal Data Protection Committee

Title

Job Description

Chairman of the Personal Data Protection Committee

To direct all kinds of planning, analysis, research and risk determination studies in the projects carried out in the process of compliance with the Law; KVKK, Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Personal Data Processing and Protection Policy and Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. It is responsible for managing the processes that must be carried out in accordance with the Personal Data Storage and Destruction Policy and deciding on the requests received from the relevant persons.

KVKK Expert (Technical and Administrative)

Responsible for examining the requests of the relevant persons and reporting them to the Personal Data Protection Committee Manager for evaluation; carrying out the procedures regarding the requests of the relevant persons evaluated and decided by the Personal Data Protection Committee Manager in accordance with the decision of the Personal Data Committee Manager; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; carrying out the storage and destruction processes.

8. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media: with wet signature (printed paper) and electronically, and is made public on the website. The printed copy is also kept in the file by the Chairman of the Personal Data Protection Committee.

9. POLICY UPDATE PERIOD

The policy is reviewed and updated in necessary sections when necessary. Changes made to this Personal Data Storage and Destruction Policy are immediately incorporated into the text and explanations regarding the changes are provided at the end of the policy. Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. Updates to the Personal Data Storage and Destruction Policy will be published at www.cagdaskagit.com/kvkk .

10. ENFORCEMENT OF THE POLICY

This policy shall enter into force on ../../.. The policy shall be published on the website of Çağdaş Kağıt Ambalaj San. ve Tic. Ltd. Şti. indefinitely and may be directly communicated to the requesting personal data owner by sharing a text or access link. In the event that a decision is made to revoke the policy, the old copies of this policy with wet signatures shall be cancelled and signed by the relevant unit and kept for a period of 5 years.