Personel Data Storage and Destruction Policy

7. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

ER-AH Aviation Trade Ltd. Co., in accordance with Article 12 of the Law, takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, prevent unlawful access to the data, and ensure the preservation of the data, and within this scope, carries out or has carried out the necessary audits. Despite all technical and administrative measures taken, if the processed personal data is obtained by third parties through unlawful means, ER-AH Aviation Trade Ltd. Co. notifies the relevant units as soon as possible.

4.1. Technical Measures

• Network security and application security are ensured.
• A closed system network is used for the transfer of personal data via network.
• Key management is implemented.
• Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• Disciplinary regulations containing data security provisions for employees are in place.
• Periodic training and awareness activities on data security are conducted for employees.
• An authorization matrix has been created for employees.
• Access logs are regularly kept.
• Data masking measures are applied when necessary.
• Corporate policies on access, information security, usage, storage, and disposal have been prepared and implemented.
• Confidentiality commitments are signed.
• The authorities of employees who have changed duties or left the job are revoked.
• Updated anti-virus systems are used.
• Firewalls are used.
• Signed contracts contain data security provisions.
• Personal data security policies and procedures have been established.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken for entering and exiting physical environments containing personal data.
• Physical environments containing personal data are secured against external risks (fire, flood, etc.).
• The security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up, and the security of the backed-up personal data is ensured.
• User account management and authorization control system are implemented and monitored.
• Periodic and/or random internal audits are conducted.
• Log records are kept in a way that cannot be interfered with by users.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of special categories of personal data have been established and implemented.
• If special categories of personal data are sent via e-mail, they are sent encrypted and using KEP or a corporate e-mail account.
• Intrusion detection and prevention systems are used.
• Cybersecurity measures have been taken and their implementation is continuously monitored.
• Encryption is applied.
• Special categories of personal data transferred via portable memory, CD, or DVD media are encrypted.
• Data processors are periodically audited regarding data security.
• Data processors’ awareness of data security is ensured.
• Data loss prevention software is used.
•  

4.2. Administrative Measures

• Employees are trained on the technical measures to prevent unlawful access to personal data.
• Within ER-AH Aviation Trade Ltd. Co., personal data processing is designed and implemented per business unit in compliance with legal requirements, including access and authorization processes. Special category data and importance levels are also considered when restricting access.
• Clauses have been added to all documents containing personal data and regulating the relationship with ER-AH Aviation Trade Ltd. Co. personnel, stating that personal data must be processed in compliance with the Law, must not be disclosed, must not be used unlawfully, and that the confidentiality obligation continues even after the termination of the employment relationship.
• Employees are informed that they cannot disclose personal data they have learned to others in violation of the Law, cannot use it for purposes other than processing, and that this obligation continues after they leave their duties. Necessary commitments are obtained accordingly.
• Contracts with parties to whom personal data is lawfully transferred include provisions requiring them to take necessary security measures to protect personal data and ensure compliance within their organization.
• If personal data is obtained unlawfully by others, the situation is reported to the data subject and the Board as soon as possible.
• When necessary, experienced and knowledgeable personnel for personal data processing are employed, and staff are trained on personal data protection legislation and data security.
• ER-AH Aviation Trade Ltd. Co. carries out or has carried out the necessary audits to ensure the implementation of the Law and addresses any confidentiality and security weaknesses identified during the audits.
•  

8. TRANSFER OF PERSONAL DATA AND MEASURES TAKEN REGARDING TRANSFER

The categorization of the recipients to whom personal data is transferred is shown in the appendix of this policy as Annex 5 – Groups to Which Personal Data is Transferred.

Our Company shares personal data with the recipient groups listed in Annex 5 – Groups to Which Personal Data is Transferred, in accordance with Articles 8 and 9 of the Law.

The definition of Persons to Whom Data May Be Transferred refers to parties that provide or receive goods or services to support the continuation of our Company’s commercial activities, per our instructions, under our contract, or in line with our legal obligations, business continuity, and legitimate interests.

Our Company transfers personal data to suppliers providing outsourced services to carry out the Company’s commercial activities, ensuring legitimate interests, business continuity, and the security required by our line of business, in a limited scope.

Business/ Solution Partner refers to individuals with whom our Company cooperates for purposes such as the sale, marketing of our products and services, and/or joint customer loyalty programs. Personal data is shared in a limited way to ensure the purpose of the business partnership.

Shareholder refers to shareholders authorized under relevant legislation to design strategies and auditing activities regarding our Company’s commercial activities.

Personal data is shared in a limited manner for purposes of designing strategies and conducting audits under the relevant legislation. Legally Authorized Public Institution refers to public institutions or organizations (such as Courts, Tax Offices, General Directorate of Civil Aviation, State Airports Authority) that are established to provide a public service under relevant legislation and are legally authorized to request information and/or documents from our Company. Personal data is shared in a limited manner for the purpose requested within the legal authority of the relevant public institution.

Legally Authorized Private Institution refers to institutions or organizations (such as Banks, Insurance Companies) established under the relevant legislation and operating within the legal framework. Personal data is shared in a limited manner related to the subjects within the scope of the activities carried out by the relevant private institution.

9. MEASURES TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA

ER-AH Aviation Trade Ltd. Co. may delete or destroy personal data, even if processed in accordance with the relevant legal provisions, when the reasons requiring processing no longer exist, on its own decision or upon the request of the data subject. Once personal data is deleted, it can no longer be accessed or used under any circumstances. ER-AH Aviation Trade Ltd. Co. will manage an effective data tracking process regarding the identification and monitoring of data destruction processes. The process consists of identifying the data to be deleted, identifying the relevant persons, determining access methods, and immediately deleting the data.

When the data subject applies to ER-AH under Article 13 of the KVKK to request the deletion, destruction, or anonymization of their personal data, the relevant unit examines whether all conditions for processing personal data have ceased. If all conditions have ceased, the requested personal data will be deleted, destroyed, or anonymized. As detailed in this policy, the request will be finalized within thirty days from the application date, and the data subject will be informed via the Personal Data Protection Committee. If the conditions for processing have ceased and the data has been transferred to third parties, the relevant unit will immediately notify the third party to ensure the necessary actions are taken under KVKK.

If all conditions for processing have not ceased, ER-AH may reject the data subject’s request for deletion or destruction with justification under Article 13/3 of the KVKK. The rejection response will be notified to the data subject within 30 days in writing or electronically. Requests for the deletion or destruction of personal data are only evaluated upon the data subject’s personal application.

The deletion, destruction, or anonymization of personal data must comply with the general principles in Article 4 of the KVKK, the technical and administrative measures required under Article 12, relevant legislation, Board decisions, and court rulings.

ER-AH Aviation Trade Ltd. Co. may use one or more of the following methods to delete, destroy, or anonymize personal data depending on the medium in which the data is stored:

6.1. Methods for the Deletion, Destruction, and Anonymization of Personal Data

6.1.1. Deletion of Personal Data

The deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. ER-AH Aviation Trade Ltd. Co. may use one or more of the following methods for deletion:

• Personal data in paper media will be processed by blacking out, painting over, cutting, or erasing (redaction method).
• Access rights of users to office files in the central directory will be removed.
• Rows or columns containing personal data in databases will be deleted using the ‘Delete’ command.
• When necessary, assistance will be obtained from an expert for secure deletion.

6.1.2. Destruction of Personal Data

• The destruction of personal data is the process of rendering personal data completely inaccessible, irretrievable, and unusable by anyone using the following methods:
• Physical Destruction
• Destruction Using a Paper Shredder
• Degaussing: Passing magnetic media through special devices exposed to high magnetic fields, rendering the data unreadable.
•  

6.1.3. Anonymization of Personal Data

The anonymization of personal data refers to rendering personal data, even when matched with other data, unidentifiable or unrelatable to any identifiable natural person. ER-AH Aviation Trade Ltd. Co. may use one or more of the following anonymization methods:

• Masking: Removing the primary identifying information from the dataset to anonymize it.
• Record Removal: Eliminating unique data rows from the dataset to anonymize the retained data.
• Regional Hiding: Hiding data that could create an identifiable combination to achieve anonymization.
• Global Encoding: Generalizing personal data to ensure it cannot be linked to a person (e.g., using age instead of birth date, or region instead of full address).
• Noise Addition: Applying variations (positive or negative) to numeric datasets to prevent identification (e.g., ±3 kg to weight data). The deviation is applied uniformly to all values.

In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the Law and does not require the explicit consent of the data subject.

ER-AH Aviation Trade Ltd. Co. may decide ex officio to delete, destroy, or anonymize personal data and is free to choose the method according to the selected category. Also, under Article 13 of the Regulation, if the data subject selects one of these categories during the application, ER-AH Aviation Trade Ltd. Co. has full discretion in determining the methods to be used within the chosen category. 

10. PERSONAL DATA RETENTION AND DESTRUCTION PERIODS

ER-AH Aviation Trade Ltd. Co. retains personal data for the durations specified in Annex-1 for the purpose for which they are processed. If a period for retaining the relevant personal data is stipulated in the legislation, that period is observed. If no period is stipulated in the legislation, personal data will be retained for the maximum duration provided in the table in Annex-1 for the retention of the personal data. These periods have been determined by evaluating ER-AH Aviation Trade Ltd. Co.’s data categories and data subject groups; ensuring compliance with legal obligations, and considering the maximum statute of limitations under the Turkish Code of Obligations (10 years).

In cases where the expiry of these periods triggers the obligation to delete, destroy, or anonymize data, ER-AH Aviation Trade Ltd. Co. will delete, destroy, or anonymize the personal data during the first periodic destruction process following that date.

All transactions regarding the deletion, destruction, and anonymization of personal data are recorded, and these records are retained for at least three years, excluding other legal obligations.

11. PERIODIC DESTRUCTION PERIODS

Pursuant to Article 11 of the Regulation, the periodic destruction period has been determined as 6 months. Accordingly, periodic destruction processes are carried out in June and December each year. In the relevant systems, data will be irreversibly deleted, and if stored in media such as documents, files, CDs, diskettes, or hard disks, they will be permanently deleted so as not to be recoverable.

12. PERSONNEL

Within the scope of the Law, ER-AH Aviation Trade Ltd. Co., as the data controller, based on Article 11, paragraph 1 of the Regulation, has determined the titles, units, and job descriptions of the personnel responsible for implementing the data retention and destruction process in the table provided in Annex-2 of the Retention and Destruction Policy.

• These designated individuals are responsible within their authority limits for the transactions and actions carried out under the Turkish Commercial Code, the Code of Obligations, and the Turkish Penal Code. Specifically, Attorney Bartuğ SAYIN (outsourced) has been appointed as the Chairman of the Personal Data Protection Committee, authorized to represent ER-AH Aviation Trade Ltd. Co. and provide statements before law enforcement, prosecutors, public institutions, and courts. Each department head is responsible for monitoring whether relevant users in their departments act in accordance with the Retention and Destruction Policy and the Personal Data Policy prepared under the Law and the Regulation. All department heads must report the operations they perform under this Retention and Destruction Policy during the specified periodic destruction periods to the Chairman of the Personal Data Protection Committee of ER-AH Aviation Trade Ltd. Co. The decisions arising from the results of these reports will be implemented.

⸻

ANNEXES

Annex 1 – Personal Data Retention and Destruction Periods

Annex 2 – Personnel Responsible for Personal Data Retention and Destruction

Annex 3 – Internal Directive of the Personal Data Protection Committee

Annex 4 – Purposes of Personal Data Processing

Annex 5 – Groups to Which Personal Data Are Transferred

⸻

ANNEX 1 – Personal Data Retention and Destruction Periods

Data Category Retention Period Destruction Period

Identity 11 years after the aircraft is withdrawn from operation During the first periodic destruction following the end of the retention period

Contact 11 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Location 11 years after the aircraft is withdrawn from operation During the first periodic destruction following the end of the retention period

Personnel File 11 years after termination of employment During the first periodic destruction following the end of the retention period

Legal Transaction 11 years from the finalization of the judicial decision During the first periodic destruction following the end of the retention period

Legal Transaction 11 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Customer Transaction 11 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Physical Space Security 6 months During the first periodic destruction following the end of the retention period

Transaction Security 3 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Risk Management 11 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Finance 11 years from the transaction date or termination of the legal relationship During the first periodic destruction following the end of the retention period

Professional Experience 11 years after termination of employment During the first periodic destruction following the end of the retention period

Marketing 3 years During the first periodic destruction following the end of the retention period

Visual and Audio Records 6 years after the training period ends During the first periodic destruction following the end of the retention period

Health Data 11 years after the end of the service–employment relationship During the first periodic destruction following the end of the retention period

Criminal Conviction and Security Measures 11 years after termination of employment During the first periodic destruction following the end of the retention period

Family/Dependents Information 11 years During the first periodic destruction following the end of the retention period

Website Usage Data 6 years after the end of the education period During the first periodic destruction following the end of the retention period

Request/Complaint Management Information 2 years During the first periodic destruction following the end of the retention period

Signature 11 years after the aircraft is withdrawn from flight During the first periodic destruction following the end of the retention period

Insurance Information 11 years after termination of employment During the first periodic destruction following the end of the retention period

Vehicle Information 11 years During the first periodic destruction following the end of the retention period

Vehicle GPS Records/Location 1 year During the first periodic destruction following the end of the retention period

Audit and Inspection Information 11 years During the first periodic destruction following the end of the retention period

Foreign Residency and Permit Information 11 years after termination of employment During the first periodic destruction following the end of the retention period

Insurance and Private Pension Data 11 years after termination of employment During the first periodic destruction following the end of the retention period

Emergency Contact Information for Employees and Students Throughout the employment/service relationship During the first periodic destruction following the end of the retention period

Uniform and Dress Code 1 year During the first periodic destruction following the end of the retention period

⸻

ANNEX 2 – Personnel Responsible for Personal Data Retention and Destruction

Personnel Role Responsibility

Personnel Officer Implementation Officer Ensuring that the processes within their duty comply with the retention periods and managing the personal data destruction process in accordance with the periodic destruction timeline

Legal Counsel and KVKK (DPA) Contact Person Implementation Officer Ensuring that the processes within their duty comply with the retention periods and managing the personal data destruction process in accordance with the periodic destruction timeline

Marketing Department Implementation Officer Ensuring that the processes within their duty comply with the retention periods and managing the personal data destruction process in accordance with the periodic destruction timeline

ANNEX 3 – Internal Directive of the Personal Data Protection Committee

Within ER-AH, in order to manage the matters governed under the Personal Data Protection Law (KVKK), the Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on Commercial Communication and Commercial Electronic Messages, other applicable legislation, and this Policy, a “Personal Data Protection Committee” has been established by the decision of the Company Director.

All employees, students, visitors, and all relevant third parties within ER-AH are obliged to cooperate with the Personal Data Protection Committee in preventing legal liabilities, risks, and threats that may arise in accordance with the relevant legislation.

⸻

Duties of the Committee

•To prepare the fundamental policies regarding the protection and processing of personal data, and to prepare amendments when necessary.

•To identify the actions required to ensure compliance with the Personal Data Protection Law and relevant legislation; to make recommendations, oversee implementation, and ensure coordination.

•To prepare the “Instruction on the Protection and Processing of Personal Data,” perform the duties assigned within this instruction, monitor its accuracy and currency, and ensure its implementation.

•To identify risks that may arise during the Company’s personal data processing activities and ensure that necessary measures are taken; to submit improvement proposals to the Company Director for approval.

•To follow developments and regulatory changes regarding personal data protection, and to make recommendations on the actions required within ER-AH in line with such changes.

•To design and ensure the execution of trainings on personal data protection and implementation of policies.

•To increase awareness within the Company and among institutions with which ER-AH cooperates regarding personal data protection and processing. To establish mechanisms that inform data subjects about personal data processing activities and their legal rights.

•To make final decisions on applications submitted by data subjects.

•To ensure that all ER-AH employees and students act in compliance with the Policy and KVKK, and adhere to general legal provisions. In the event of non-compliance, in addition to criminal and legal liabilities stipulated by the legislation, internal disciplinary sanctions up to termination of employment for just cause may be imposed depending on the nature of the incident.

•To coordinate communications and relations with the Personal Data Protection Board and Authority.

•To regulate and manage all internal workflows and processes defined in this Policy.

•To carry out other duties assigned by the Company Director regarding personal data protection.

•To establish systems to conduct and ensure necessary audits regarding the functioning of measures taken under KVKK. Measures relating to personal data protection shall be audited at least twice a year by the Company’s quality management system and within the scope of KVKK. Any nonconformities identified during audits must be reported to the Personal Data Protection Committee within 24 hours.

•Corrective and preventive actions, investigations, and disciplinary procedures relating to identified nonconformities shall be organized by the Personal Data Protection Committee. The Committee is responsible, pursuant to Article 12 of KVKK, for ensuring that third parties to whom data is transferred process, store, and access personal data lawfully and in accordance with this Policy and KVKK provisions.

•ER-AH must ensure that agreements and all arrangements executed with third parties during data transfers include commitments that guarantee compliance with these obligations and grant ER-AH the right to audit. All personnel must be specifically informed regarding their responsibilities in personal data transfers to third parties.

⸻

ANNEX 4 – PURPOSES OF PERSONAL DATA PROCESSING

⸻

1. IDENTITY INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Investment Processes

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

2. CONTACT INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Execution of Supply Chain Management Processes

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Investment Processes

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

3. LOCATION INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Investment Processes

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

4. PERSONNEL FILE (HUMAN RESOURCES) INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Execution of Performance Evaluation Processes

•Execution of Retention and Archiving Activities

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Execution of Wage Policy

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

5. LEGAL TRANSACTION INFORMATION

•Execution of Information Security Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Procurement Processes for Goods / Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Tracking of Requests / Complaints

•Foreign Personnel Work and Residence Permit Procedures

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

6. CUSTOMER TRANSACTION INFORMATION

•Execution of Information Security Processes

•Other – Management of residence and work permit processes for foreign students/customers

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Follow-up and Execution of Legal Affairs

•Execution of Communication Activities

•Execution and Supervision of Business Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Execution of Investment Processes

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

7. PHYSICAL SPACE SECURITY INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Ensuring Security of Data Controller Operations

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

8. TRANSACTION SECURITY INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Communication Activities

•Execution and Supervision of Business Activities

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Execution of Investment Processes

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

9. RISK MANAGEMENT INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Employee Satisfaction and Engagement Processes

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Ensuring Security of Movable Property and Resources

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

•Creation and Tracking of Visitor Records

⸻

10. FINANCE INFORMATION

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Training Activities

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Investment Processes

•Execution of Management Activities

⸻

11. PROFESSIONAL EXPERIENCE INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Ensuring Security of Movable Property and Resources

•Execution of Supply Chain Management Processes

•Execution of Wage Policy

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Investment Processes

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

12. MARKETING INFORMATION

•Execution of Information Security Processes

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Execution of Finance and Accounting Processes

•Execution of Company / Product / Service Loyalty Processes

•Execution of Communication Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Receiving and Evaluating Suggestions for Improvement of Business Processes

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Marketing Analysis Activities

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Execution of Supply Chain Management Processes

•Execution of Marketing Processes for Products / Services

•Ensuring Security of Data Controller Operations

•Execution of Investment Processes

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

13. VISUAL AND AUDIO RECORDINGS

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Execution of Company / Product / Service Loyalty Processes

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Execution of Communication Activities

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Execution of Business Continuity Activities

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Organization and Event Management

•Execution of Performance Evaluation Processes

•Execution of Advertising / Campaign / Promotion Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Strategic Planning Activities

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Ensuring Security of Data Controller Operations

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

14. UNIFORM AND DRESS CODE INFORMATION

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Ensuring Physical Space Security

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Execution of Logistics Activities

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Activities Directed Toward Customer Satisfaction

•Organization and Event Management

•Execution of Risk Management Processes

•Execution of Contract Processes

•Tracking of Requests / Complaints

•Ensuring Security of Movable Property and Resources

•Ensuring Security of Data Controller Operations

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

15. HEALTH INFORMATION

•Execution of Emergency Management Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Training Activities

•Execution of Activities in Compliance with Legislation

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Execution of Business Continuity Activities

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Execution of Customer Relationship Management Processes

•Organization and Event Management

•Execution of Risk Management Processes

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Talent / Career Development Activities

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

16. CRIMINAL CONVICTION AND SECURITY MEASURES INFORMATION

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Organization and Event Management

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Execution of Strategic Planning Activities

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

17. BIOMETRIC DATA

•Execution of Information Security Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Audit / Ethical Conduct Activities

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Execution of Internal Audit / Investigation / Intelligence Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Occupational Health and Safety Activities

•Execution of Business Continuity Activities

•Execution of Logistics Activities

•Organization and Event Management

•Execution of Risk Management Processes

•Ensuring Security of Movable Property and Resources

•Ensuring Security of Data Controller Operations

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

18. INSURANCE AND PRIVATE PENSION INFORMATION

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Activities in Compliance with Legislation

•Execution of Management Activities

⸻

19. EMERGENCY CONTACT INFORMATION (FOR EMPLOYEES AND STUDENTS)

•Execution of Emergency Management Processes

•Execution of Information Security Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Risk Management Processes

•Execution of Retention and Archiving Activities

•Execution of Management Activities

⸻

20. FOREIGN INDIVIDUAL RESIDENCE AND WORK PERMIT INFORMATION

•Execution of Emergency Management Processes

•Execution of Recruitment Processes for Employee / Intern / Student Selection and Placement

•Execution of Candidate Application Processes

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Activities in Compliance with Legislation

•Execution and Supervision of Business Activities

•Execution of Business Continuity Activities

•Execution of Contract Processes

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Provision of Information to Authorized Persons, Institutions, and Organizations

•Execution of Management Activities

⸻

21. SIGNATURE INFORMATION

•Execution of Information Security Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Training Activities

•Execution of Access Authorization Processes

•Execution of Activities in Compliance with Legislation

•Ensuring Physical Space Security

•Execution of Assignment Processes

•Follow-up and Execution of Legal Affairs

•Execution of Internal Audit / Investigation / Intelligence Activities

•Planning of Human Resources Processes

•Execution and Supervision of Business Activities

•Execution of Logistics Activities

•Execution of Procurement Processes for Goods / Services

•Execution of After-Sales Support Services

•Execution of Sales Processes for Goods / Services

•Execution of Goods / Services Production and Operation Processes

•Organization and Event Management

•Execution of Retention and Archiving Activities

•Execution of Contract Processes

•Tracking of Requests / Complaints

•Execution of Supply Chain Management Processes

•Ensuring Security of Data Controller Operations

•Foreign Personnel Work and Residence Permit Procedures

•Execution of Management Activities

⸻

22. EMPLOYEE FAMILY INFORMATION

•Execution of Employee Satisfaction and Engagement Processes

•Fulfillment of Employment Contract and Legally Mandated Obligations for Employees

•Execution of Employee Benefits and Entitlements Processes

•Execution of Finance and Accounting Processes

•Execution of Management Activities

⸻

ANNEX 5 – GROUPS TO WHICH PERSONAL DATA ARE TRANSFERRED

•Natural persons or private law legal entities

•Business partners, shareholders, employees, and employee candidates

•Authorized public institutions and organizations

•Students receiving education on their own behalf or on behalf of another