Personal Data Retention and Destruction Policy

The Personal Data Retention and Destruction Policy ("Policy") has been prepared to determine the procedures and principles regarding the retention and destruction activities carried out by RYS Rota İnşaat Metal Yapı Sistemleri Sanayi ve Ticaret Limitet Şirketi.

This Policy covers the data of our employees, interns, apprentices, main contractor officials and employees, company officials-shareholders-partners, authorized representatives, visitors, registered individuals, potential and current supplier officials and employees, administrative authority officials, product or service recipients, and all third parties with whom we have a relationship — and is applied in all recording environments where personal data is processed that are owned by or managed by the Company.

Personal data is stored securely in the following environments:

Electronic Environments: Servers, software, personal computers, mobile devices, removable memories, printers/scanners, e-invoice/e-ledger systems, camera recording servers.

Non-Electronic Environments: Paper, non-automated data recording systems, written/printed/visual media, cabinets.

Personal data is retained for the period stipulated in the relevant legislation. In this context, retention periods are determined within the framework of Law No. 6698 (PDPL), Labour Law No. 4857, Social Security Law No. 5510, Tax Procedure Law No. 213, Occupational Health and Safety Law No. 6331, Turkish Code of Obligations No. 6098, Turkish Commercial Code No. 6102, and other relevant legislation.

Personal data is destroyed in the following situations:

• Modification or repeal of the relevant legislative provisions forming the basis for processing • Disappearance of the purpose requiring processing or storage • Withdrawal of explicit consent • Approval by the Board upon the application of the relevant person • Expiry of the maximum retention period required for storing personal data

• Data relating to employment contracts: 10 years after termination of the employment contract • Occupational health and safety files: 15 years after termination of the employment contract • Data relating to legal proceedings: 10 years from the date of finalisation • Data relating to commercial activities: 10 years after the end of the legal relationship • Contract processes: 10 years after the end of the contractual relationship • Camera recordings: 15 days • Log/recording systems: 2 years • Marketing activities: 3 years

Data whose retention period has expired is destroyed by the relevant department manager for physical environments, and by the IT consultant for electronic environments.

Deletion: For data on servers, the data is deleted by the system administrator by removing access rights. Deletion is applied to data stored on portable media.

Destruction: Data in paper form is destroyed by paper shredding machines or by burning. Data on optical/magnetic media is physically destroyed.

Anonymisation: Personal data is rendered unable to be associated with an identified or identifiable natural person in any way, even when matched with other data.

The Company has set the periodic destruction period as 6 months. Periodic destruction is carried out every year in June and December.

This Policy is deemed to have entered into force upon publication on the Company's website.

Address: Saray Mah. Keresteciler Sanayi Sit. 15. Sokak No:25 Kazan / ANKARA

Phone: +90 (312) 815 22 41 | Email: [email protected]