NEXT PLASTİK KAUÇUK SANAYİ ANONİM ŞİRKETİ
PERSONAL DATA PROCESSING, STORAGE, AND DISPOSAL POLICY

1. INTRODUCTION

The Regulation on the Deletion, Destruction, or Anonymization of Personal Data (“Regulation”) imposes an obligation on data controllers required to register with the Data Controllers Registry to prepare a personal data storage and disposal policy in accordance with their personal data processing inventory. As Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi (“Company”), we diligently fulfill our obligations arising from the law and secondary legislation. To this end, we regulate the storage and disposal processes of the personal data we process, along with their details, under this Personal Data Storage and Disposal Policy (“Policy”).

As Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi, we place great importance on the processing and protection of all personal data belonging to individuals within the scope of our business activities, including but not limited to customers, potential customers, suppliers, service providers, public institutions and organizations, legal entity representatives and employees, business partners, company shareholders, company employees, job applicants, intern applicants, and interns, as well as representatives and employees of authorized public institutions and private law legal entities. We ensure that personal data is processed and protected in compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK”). To achieve this, our company takes necessary administrative and technical measures in accordance with legal regulations and issued decisions.

This Personal Data Protection, Processing, Storage, and Disposal Policy and its annexes have been prepared by Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi, in its capacity as a data controller, within the framework of the Law on the Protection of Personal Data No. 6698 (“Law”) and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

2. PURPOSE

The Personal Data Storage and Disposal Policy (“Policy”) has been prepared to establish the procedures and principles that must be followed concerning the storage and disposal activities carried out by our Company.

With this Policy, our Company aims to ensure full compliance with the Law on the Protection of Personal Data, in accordance with the following fundamental principles: the processing of personal data belonging to the relevant individuals mentioned above in compliance with the decisions and principles set forth by the Personal Data Protection Authority (KVK Authority); adherence to the principles established by the Constitution of the Republic of Turkey, International Agreements, the Law on the Protection of Personal Data No. 6698, and related regulations; and ensuring that relevant individuals can exercise their rights effectively. All storage and disposal activities related to personal data are carried out in compliance with this Policy.

3. SCOPE

Within the scope of our company's activities, the personal data of our customers who purchase products or services, potential buyers of products or services, suppliers, service providers, legal entity representatives and their employees, business partners, company shareholders, company employees, job applicants, intern applicants, interns, authorized public institutions and organizations, as well as representatives and employees of private law legal entities, and other relevant third parties, fall under the scope of this Policy. This Policy applies to all records and environments where personal data is processed, whether by automated means or non-automated means, and to all company activities involving the processing of personal data.

4. ABBREVIATIONS AND DEFINITIONS

Explicit Consent: Consent given regarding a specific subject, based on information and expressed with free will.
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Anonymization: The process of making personal data unidentifiable and unlinkable to any specific individual, even when matched with other data.
Employee: Includes both company employees and employees hired through suppliers.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic Environment: All written, printed, visual, and other formats that are not classified as electronic environments.
Service Provider: A natural or legal person providing services to the company under a specific contractual framework.
Relevant User: Persons processing personal data within the organization of the data controller or under its authorization and instructions, excluding those responsible for the technical storage, protection, and backup of data.
Relevant Person / Personal Data Subject: The natural person whose personal data is processed.
Destruction: The process of deleting, destroying, or anonymizing personal data.
Personal Data Processing Inventory: A document created by data controllers that details their personal data processing activities based on their business processes, associating them with processing purposes, legal grounds, data categories, recipient groups, and data subject groups. It also specifies the maximum retention period necessary for the processing purpose, personal data transfers to foreign countries, and the security measures taken to protect personal data.
Data Recording Environment: Any environment where personal data is processed, either fully or partially by automated means, or by non-automated means provided that it is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or non-automated, provided that it is part of a data recording system. This includes collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use of data.
Anonymization of Personal Data: The process of making personal data unidentifiable and unlinkable to any specific individual, even when matched with other data.
Deletion of Personal Data: The process of making personal data completely inaccessible and unusable for Relevant Users.
Destruction of Personal Data: The process of making personal data completely inaccessible, unrecoverable, and unusable by anyone.
Law: Law No. 6698 on the Protection of Personal Data.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Personal Data Contact Person: A natural person designated during registration to the Registry, responsible for ensuring communication with the Authority regarding obligations under the Law and related secondary regulations. This applies to data controllers established in Turkey, as well as representatives of data controllers not based in Turkey.
Sensitive Personal Data: Personal data related to an individual’s race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal record, security measures, biometric and genetic data.
Periodic Disposal: The process of deleting, destroying, or anonymizing personal data at recurring intervals specified in the Personal Data Storage and Disposal Policy when all conditions for processing personal data under the Law are no longer applicable.
Policy: The General Policy on the Processing, Storage, and Disposal of Personal Data.
Company: Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: A structured recording system where personal data is processed according to specific criteria.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: An information system created and managed by the Authority, accessible via the internet, which data controllers use for registration and other related transactions with the Registry.
VERBIS: The Data Controllers Registry Information System.
Regulations: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

5. RESPONSIBILITIES AND DUTY DISTRIBUTION

In accordance with Law No. 6698 on the Protection of Personal Data (KVKK) and related regulations, a Personal Data Contact Person has been designated within the company to ensure compliance with personal data protection legislation, its maintenance, and continuity. The responsibilities and duties of this person have been defined, necessary decisions have been made, and relevant parties have been notified.

To ensure the proper implementation of the technical and administrative measures taken under this Policy, to increase the training and awareness of employees in the relevant units, to conduct audits, and to prevent the unlawful processing and unauthorized access to personal data, as well as to ensure the lawful storage of personal data, technical and administrative measures for data security are implemented by the Personal Data Contact Person in all environments where personal data is processed.

6. ENVIRONMENTS WHERE PERSONAL DATA IS RECORDED

Personal data held by our company is recorded in electronic environments such as servers, software used by the company, personal computers, mobile devices (phones, tablets), optical disks, and removable storage devices. Additionally, personal data stored in paper format includes printed forms, contracts between the company and third parties, manual data recording systems (employment contracts, leave forms, occupational safety forms), and personal data stored in written, printed, and visual formats in department cabinets and archive rooms, which are classified as non-electronic physical environments.

All personal data is securely stored in compliance with Law No. 6698 on the Protection of Personal Data, relevant regulations, and international data security principles. Your personal data may be collected, recorded, stored, modified, reorganized, and processed by our company, either fully or partially through automated means or non-automated means, provided that it is part of a data recording system.

7. PROCESSING OF PERSONAL DATA AND GENERAL PRINCIPLES

7.1. Principle of Confidentiality

As explained in this Policy, the data of all individuals, including employees and those in contact with our company, are confidential. Except for the cases specified by law, no one may reproduce, copy, transfer to others, or use personal data for purposes other than those determined in this policy and applicable regulations.

7.2. Fundamental Principles

Personal Data processed by our company is handled in compliance with the principles set out in Article 4 of Law No. 6698 on the Protection of Personal Data (KVKK). The company ensures that personal data is processed, protected, deleted, and disposed of in accordance with the following principles and the procedures set forth in the law:

8. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data processed by our company is handled in accordance with Article 5 of Law No. 6698. As a general rule, personal data cannot be processed without the explicit consent of the data subject. However, in cases where one of the following conditions applies, personal data may be processed without requiring the explicit consent of the data subject:

9. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data processed by our company are handled in accordance with Article 6 of Law No. 6698 on the Protection of Personal Data. Special categories of personal data include information related to an individual’s race, ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal record, security measures, biometric, and genetic data.

As stated in the Law, the processing of special categories of personal data is prohibited without the explicit consent of the data subject. Therefore, such data cannot be processed without the explicit consent of the relevant person. However, as specified in the Law, except for personal data related to health and sexual life, other special categories of personal data may be processed without explicit consent if explicitly stipulated by law.

Personal data related to health and sexual life may be processed without the explicit consent of the data subject only under the following conditions:

Our company processes special categories of personal data in full compliance with Law No. 6698 and other applicable legal regulations, taking adequate measures prescribed by the Personal Data Protection Board.

10. PROCESSING, COLLECTION, AND LEGAL BASIS OF PERSONAL DATA

Personal data may be processed by fully or partially automated means or non-automated means, provided that it is part of a data recording system. Data may be collected through oral, written, or electronic means, including but not limited to application forms, declarations, personnel files, contracts, financial and social rights records, invoicing, purchasing, marketing, planning, quality control, and corporate development activities.

As a general rule, personal data is processed based on the explicit consent of the data subject. However, in cases where one of the following conditions applies, personal data may be processed without requiring explicit consent:

Personal data is processed, collected, and transferred in accordance with Articles 5 and 6 of Law No. 6698 on the Protection of Personal Data and Article 5/1-h of the Communiqué on the Principles and Procedures for Fulfilling the Obligation to Inform, limited to the purposes specified.

11. PRINCIPLES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Through this Policy, our company ensures that personal data is stored and disposed of in compliance with relevant legislation, procedures, and legal regulations. Detailed explanations regarding the storage and disposal of personal data are provided below.

11.1. Storage of Personal Data

Article 3 of Law No. 6698 defines the processing of personal data, while Article 4 states that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and must be retained only for the period required by relevant legislation or necessary for the processing purpose. Additionally, Articles 5 and 6 of Law No. 6698 outline the conditions for processing personal data.

As detailed in this Policy, personal data within the scope of company activities is stored for the period prescribed by the relevant legislation or as required for the purpose of processing, with appropriate administrative and technical measures in place.

11.2. Legal Grounds for Storing Personal Data

Personal data processed within the scope of our company's activities is stored for the duration specified in the relevant legislation. The retention periods specified by laws governing individuals subject to company activities, secondary regulations, and statutory limitation periods for crimes specified in the laws are observed.

In addition to the legal retention periods, our company considers statutory limitation periods applicable to processed personal data, potential disputes with third parties that may arise from legal relations, corporate memory, and commercial transactions and activities. Beyond the legally mandated periods, the storage and disposal periods of personal data are determined by corporate decisions, considering the company’s legitimate interests and contractual obligations with relevant data subjects.

11.3. Purposes of Storing Personal Data

Our company stores the personal data it processes in compliance with Articles 5 and 6 of Law No. 6698, limited to company activities, and in accordance with the relevant legal regulations. The purposes for storing personal data include:

11.4. Reasons Requiring the Disposal of Personal Data

Personal data is deleted, destroyed, or anonymized upon the request of the data subject by completing an application form, in accordance with the procedures and principles stipulated in the company policy, law, and regulations. Personal data is disposed of in the following cases:

12. TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE STORAGE AND DISPOSAL OF PERSONAL DATA

Within the scope of the regulations set out in this Policy, our company takes the necessary technical and administrative measures to ensure the secure and lawful storage of personal data, prevent unauthorized processing and access, avoid data breaches, and ensure the lawful disposal of personal data. According to Article 6/4 of Law No. 6698, the processing of special categories of personal data must comply with the adequate security measures determined by the KVK Board. Additionally, under Article 12, our company, as the data controller, implements the necessary technical and administrative measures in compliance with the KVK Board’s publicly announced security guidelines to ensure the security of personal data.

12.1. Technical Measures

The technical measures announced by the Personal Data Protection Authority (KVK Authority) on its official website (https://www.kvkk.gov.tr) are implemented by the company as the data controller. The necessary technical measures have been identified, and risk assessments have been conducted. As a result of on-site and real-time security analyses, potential risks and threats that may affect the continuity of the company’s IT systems have been identified and are continuously monitored. Our company has implemented security measures for IT infrastructure, software, and physical security of data. The technical measures taken are detailed below:

12.2. Administrative Measures

The necessary administrative measures have been implemented by the company as the data controller, in compliance with the administrative measures announced by the Personal Data Protection Board. In alignment with Law No. 6698 on the Protection of Personal Data, the company has made the necessary corporate decisions, started fulfilling its legal obligations, and published required policies. Accordingly:

13. EXPLANATION OF PERSONAL DATA DISPOSAL TECHNIQUES

As outlined in the policy and personal data processing inventory created by our company, personal data is disposed of at the end of the legally required retention period or when the purpose for which they were processed no longer exists. This process is carried out either automatically by the authorized company units or upon the request of the data subject, in compliance with Law No. 6698 and relevant regulations, using the following methods and techniques.

13.1. Deletion of Personal Data

13.2. Destruction of Personal Data

13.3. Anonymization of Personal Data

Anonymization of personal data refers to the process in which personal data is rendered unidentifiable and cannot be linked to a specific individual, even when matched with other data belonging to third parties.

To ensure personal data is truly anonymized, it must be processed in such a way that the data cannot be restored or linked to an identifiable individual by the data controller or any third parties, even through data matching or other technical methods relevant to the storage medium and processing activities.

14. PERSONAL DATA STORAGE AND DISPOSAL PERIODS

Within the scope of our company’s activities, the storage periods for all personal data processed as part of company operations are determined as follows: Personal data retention periods on a data basis are recorded in the Personal Data Processing Inventory. Data category-based storage periods are registered in VERBIS. Process-based retention periods are defined in the Personal Data Storage and Disposal Policy.

If the specified retention period expires or if no storage duration is prescribed in the relevant legislation, personal data is categorized into regular personal data and special categories of personal data in accordance with Article 6 of Law No. 6698 (KVKK). All special categories of personal data identified are disposed of. The method of disposal is determined based on the nature of the data and its significance to the company. In cases where the company does not have a legitimate purpose for retaining the data, or if storage violates the principles stated in Article 4 of KVKK, the data is deleted, destroyed, or anonymized. If the data falls within the exceptions outlined in Articles 5 and 6 of KVKK, an appropriate reasonable retention period is determined, after which the data is deleted, destroyed, or anonymized.

The Personal Data Contact Person is responsible for monitoring and updating storage periods when necessary. Personal data that has reached the end of its retention period is deleted, destroyed, or anonymized by the Personal Data Contact Person, based on their designated authority, duties, and responsibilities. The process-based personal data retention and disposal periods are provided in a table format in the appendix.

15. DATA CONTROLLER'S OBLIGATION TO INFORM

In accordance with Article 10 of KVKK, as a data controller, our company has implemented all necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unauthorized access to personal data, and ensure the secure storage of personal data.

To this end, necessary policies and privacy notices have been prepared to cover the personal data of customers who purchase products or services, potential buyers of products or services, suppliers, service providers, legal entity representatives and employees, business partners, company shareholders, company employees, job applicants, intern applicants, interns, authorized public institutions and organizations, and representatives, employees, and related third parties of private legal entities.

In accordance with the obligation to inform, the following information must be provided to data subjects, as stipulated in the law:

In compliance with Article 10 of Law No. 6698 (the "Law") and the Communiqué on the Procedures and Principles for Fulfilling the Obligation to Inform, separate privacy notices have been prepared for different categories of data subjects. The Privacy Notice prepared by our company in its capacity as the data controller can be obtained from our company upon request.

16. RIGHTS OF THE PERSONAL DATA SUBJECT (RIGHT TO APPLY)

Pursuant to Article 11 of Law No. 6698 on the Protection of Personal Data, which regulates the rights of data subjects, and the Communiqué on the Procedures and Principles for Applications to the Data Controller, our company, as the data controller, has prepared an Application Form. This Application Form can be obtained from our company upon request.

16.1. Right to Apply for the Personal Data Subject

According to Article 11 of the Law, any individual has the right to apply to the data controller and request:

16.2. Procedure, Timeframe, and Principles for the Data Controller's Response to Applications

Pursuant to Article 13/1 of Law No. 6698 on the Protection of Personal Data, applications regarding the exercise of the rights mentioned above must be submitted in writing or through the methods determined by the Personal Data Protection Authority (KVK Authority). Our company will conclude the application as soon as possible and within a maximum period of thirty (30) days, free of charge, depending on the nature of the request. However, if the process incurs an additional cost, the fee specified in the tariff set by the KVK Authority will be charged. If the application results from an error on the part of the data controller, any fee collected will be refunded to the applicant.

16.3. Right of the Data Subject to File a Complaint with the Authority

If an application is rejected, the response is deemed insufficient, or no response is provided within the specified time, the data subject may lodge a complaint with the KVK Board within thirty (30) days from the date they learned of the response or within sixty (60) days from the date of the application. Pursuant to Article 13 of the Law, the data subject must first exhaust the application process before submitting a complaint.

17. CASES WHERE THE DATA SUBJECT CANNOT EXERCISE THEIR RIGHTS (EXCEPTIONS)

Pursuant to Article 28/1 of Law No. 6698, the following cases are excluded from the scope of the law (exceptions), and data subjects cannot exercise the rights specified in Article 16 above:

Pursuant to Article 28/2 of Law No. 6698, provided that it is consistent with the purpose and fundamental principles of the law and remains proportionate, the following provisions shall not apply in the cases listed below: Article 10, which regulates the data controller's obligation to inform; Article 11, which regulates the rights of data subjects, except for the right to claim compensation for damages; and Article 16, which regulates the obligation to register with the Data Controllers Registry. In these cases, the following exceptions apply:

18. PERIODIC DISPOSAL AND AUDIT PERIOD FOR PERSONAL DATA

The timeframes for the deletion, destruction, or anonymization of personal data are regulated in Article 11 of the Regulation as follows: A data controller that has prepared a Personal Data Storage and Disposal Policy must delete, destroy, or anonymize personal data during the first periodic disposal process following the date on which the obligation to dispose of the personal data arises.

The frequency of periodic disposal is determined in the Personal Data Storage and Disposal Policy of the data controller, but in any case, it cannot exceed six (6) months. A data controller not required to prepare a Personal Data Storage and Disposal Policy must delete, destroy, or anonymize personal data within six (6) months from the date when the obligation to dispose of the data arises. Additionally, data protection units and the data controller will conduct regular audits at intervals not exceeding six (6) months. If a violation of the law is identified, or if an action results in irreparable harm, the Personal Data Protection Board may shorten the disposal periods specified in the Regulation.

19. TIMEFRAMES FOR DELETION AND DESTRUCTION OF PERSONAL DATA UPON REQUEST

The timeframes for deletion and destruction of personal data upon request by the data subject are regulated under Article 12 of the Regulation, as follows: If all conditions for processing personal data no longer exist, the data controller must delete, destroy, or anonymize the personal data related to the request. The data controller must respond to the data subject’s request within thirty (30) days and provide them with the necessary information. If the relevant personal data has been transferred to third parties, the data controller must notify the third party, ensuring that the necessary actions are taken under the Regulation. If the conditions for processing personal data still exist, the data controller may reject the request, providing a justification in accordance with Article 13(3) of the Law, and must notify the data subject in writing or electronically within thirty (30) days.

20. PUBLICATION, STORAGE, AND UPDATING OF THE POLICY

This policy has been approved by the company representatives and entered into force as a printed document with a wet signature. The hard copy of the policy is stored in the KVK file by the Personal Data Contact Person. The policy is reviewed by the designated Personal Data Contact Person and updated as necessary at least once per year, at the end of each year, or when required.

21. ENFORCEMENT AND TERMINATION OF THE POLICY

This policy shall be deemed effective upon approval by the company representative. If a decision is made to repeal the policy with the approval of the data controller and the decision of the Personal Data Contact Person, all previous printed versions of the policy will be canceled by applying a cancellation stamp or marking them as canceled, and these documents will be stored at the company's headquarters for a minimum period of five (5) years under the custody of the Personal Data Contact Person.

NEXT PLASTİK KAUÇUK SANAYİ VE TİCARET A.Ş.

Address: İstiklal OSB 1 Mahallesi 3. Sk. No:1, Merkez, Düzce, Türkiye

Tax Office/Tax Number: İlyasbey Tax Office Directorate / 6311325194

Email: info@nextrubber.com - nextplastikas@hs01.kep.tr

Phone: +90 (380) 502 09 13
