1- By determining the procedures and principles regarding our obligations in accordance with the Personal Data Retention and Destruction Policy (“Policy”), the Law on the Protection of Personal Data No. 6698 (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) It has been prepared by MNE MAGAZACILIK ANONİM ŞİRKETİ (“Company”) as the data controller in order to inform the data owners about the principles of determining the maximum storage period required for the purpose of processing personal data and the processes of deletion, destruction and anonymization.

2- Within the scope of this Policy, customers, prospective employees, employee candidates, employees, company shareholders, company officials, visitors, business partners, institutions we cooperate with, sub-contractors as real persons processed automatically or non-automatically, provided that they are part of any data recording system. Employers, shareholders and officials of employers and suppliers, as well as third parties.

The policy is implemented in the activities carried out for the processing and protection of all personal data managed by our Company.

3-This policy is published on the website of our company (www.midnight.com.tr) and made available to the relevant persons upon the request of the personal data owners.

4-The category in the implementation of this Policy,

• Relevant Person: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
• Destruction: Deletion, destruction or anonymization of personal data, Law: Law on Protection of Personal Data No. 6698,
• Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,
• Personal data: Any information relating to an identified or identifiable natural person,
• Personal data owner: The real person whose personal data is processed,
• Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, of personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
• Personal data processing inventory: The maximum time required for the purposes for which personal data is processed, which data controllers create by associating the personal data processing activities they carry out depending on their business processes, personal data processing purposes, data category, transferred recipient group and data subject group, and transfer to foreign countries. the inventory detailed by explaining the personal data envisaged and the measures taken regarding data security,
• Board: Personal Data Protection Board,
• Institution: Personal Data Protection Authority,
• Special categories of personal data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data,
• Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,
• Data Retention and Destruction Policy: This Policy, on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization, Protection,
• Processing and Privacy Policy of Personal Data: The policy on the company’s website that determines the procedures and principles regarding the management of personal data,
• Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority,
• Data processor: Real and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
• Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
• Data controller: It refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

For definitions not included in this Policy, the definitions in the Law are valid.

5-All unit managers of the company give effective support to the proper implementation of technical and administrative measures regarding the processing, storage and destruction of personal data in their units. For this purpose, unit managers; It provides training and awareness raising of the unit employees, monitors and supervises the transactions, helps to prevent the illegal processing of personal data and illegal access to the processed data, and to take and implement technical and administrative measures for data security.

By increasing the knowledge and awareness of the relevant users on the protection of personal data, it actively supports the fulfillment of the processing, storage and destruction of personal data in accordance with the legislation.

The titles, units and job descriptions of those involved in the storage and destruction of personal data are as follows:

• General Manager: As the representative of the data controller, he is responsible for the implementation of all procedures regarding the protection and destruction of personal data and the implementation of the policy.
• Human Resources Manager: Responsible for the preparation, development, execution of the policy, its publication and updating in the relevant media, ensuring the compliance of the processes within its scope with the retention period, and the management of the personal data destruction process in accordance with the periodical destruction period, training and informing.
• Accounting Manager: Responsible for the preparation, development, execution of the policy, its publication and updating in the relevant media, ensuring the compliance of the processes within its duty with the retention period, and the management of the personal data destruction process in accordance with the periodic destruction period.
• Information Systems Manager: Responsible for technical storage, protection and backup of data, determination and implementation of technical solutions needed in the implementation of the policy.
• Other Unit Managers: Responsible for the implementation of the policy in their own units, monitoring and supervision of the implementation, ensuring the compliance of the processes within their duty with the retention period, and the management of the personal data destruction process in accordance with the periodic destruction period.
• Relevant User and Data Processors: Responsible for compliance with procedures and laws regarding data processing and storage.
• Specially Authorized Relevant User: Responsible for the protection, storage, and inaccessibility of personal data deleted by the relevant users until they are destroyed, upon the request of the procedure or the relevant person.

6-Personal data stored with the Company are kept in a recording environment suitable for the nature of the relevant data. The recording media used for the storage of personal data are listed below. On the other hand, due to their nature, personal data may be placed in a different environment than those specified here. In any case, the data controller company processes and protects personal data within the framework of international data security principles in accordance with the Law, Personal Data Protection, Processing and Privacy Policy and this Personal Data Retention and Disposal Policy.

Electronic Media; Other digital media such as servers, portable disks, software, information security devices, employee computers, optical discs, removable memories, printers, scanners and copiers.

Physical Environments; Paper is other media where data is kept by printing on paper or microfilms, such as manual data recording systems, written, printed and visual media.

Cloud Environments; They are the environments where encrypted internet-based systems are used by the company, although they are not owned by the company.

7- All the administrative and technical measures taken within the framework of the principles in Article 12 of the KVKK in order to keep your personal data safe, to process it unlawfully, to prevent its access and to destroy the data in accordance with the law are listed below.

Technical Measures

It takes the following technical measures in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:

• Only up-to-date and secure systems suitable for technological developments are used in environments where personal data is kept. Security systems are used for environments where personal data is kept.
• Security tests and research are carried out to detect security vulnerabilities on information systems, and the existing or potential risky issues identified as a result of the tests and researches are eliminated.
• Access to the data is restricted to the environments where personal data is kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded.
• Whether the data is of a special nature or not and the degree of importance are also taken into account in limiting the access. The Company has sufficient technical personnel to ensure the security of the environments where personal data is kept.
• It ensures that the access to personal data of employees in information technology units is kept under control. The destruction of personal data is ensured in a way that cannot be recycled and leaves no audit trail.
• Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected with encrypted methods to meet information security requirements.

Administrative Measures

It takes the following administrative measures in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:

• Efforts are made to raise awareness and raise awareness of all company employees who have access to personal data on information security, personal data and privacy.
• Legal and technical consultancy services are obtained in order to follow the developments in the field of information security, privacy and protection of personal data and to take necessary actions.
• In the event that personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties in order to protect personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
• In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible. It carries out the necessary inspections and has them done in order to ensure the implementation of the provisions of the Law before the company.
• Eliminates privacy and security vulnerabilities that arise as a result of audits.

8- The personal data of the data owners are kept safe in physical or electronic environments by the company, especially for the purpose of maintaining commercial activities, fulfilling legal obligations, planning and performance of employee rights and fringe benefits, managing customer relations and for other purposes specified in the Protection, Processing and Privacy Policy of Personal Data. are stored within the limits specified in the KVKK and other relevant legislation. Personal data held by the Company are deleted, destroyed or anonymized ex officio in accordance with this destruction policy, upon the request of the person concerned or if the reasons listed in Articles 5 and 6 of the Law are eliminated. The reasons listed in Articles 5 and 6 of the Law consist of the following:

• expressly stipulated in the law. It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• It is mandatory for the data controller to fulfill its legal obligation. Being made public by the person concerned.
• Data processing is mandatory for the establishment, exercise or protection of a right.
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

9-The procedures and principles regarding the techniques of deletion and destruction of personal data by the Company are listed below.

DELETING PERSONAL DATA

Blackening of Personal Data in Paper Media: It is the method of removing the personal data on the relevant document from the document by physically cutting it or rendering it invisible by using fixed ink, which cannot be returned and read with technological solutions.

Secure Deletion from Software: It is a method of deleting personal data kept in the cloud or local digital environments and making them inaccessible again.

DESTRUCTION OF PERSONAL DATA

Physical Destruction: A system of physical destruction of personal data in a way that it cannot be used later is implemented. Documents in paper media are destroyed in such a way that they cannot be reassembled with document shredders. Optical and magnetic media containing personal data are physically destroyed by melting, burning or pulverizing.

De-magnetization: It is the method of corrupting the data on it in an unreadable way by passing the magnetic media through special devices where it will be exposed to high magnetic fields.

Overwriting: It is a method of destruction that eliminates the ability to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.

ANONIMIZATION OF PERSONAL DATA

Removing variables: It is the method of removing the highly descriptive variables from the variables in the data set created after the collected data of the relevant person is brought together and anonymized.

Regional hiding: Because a single data creates a very rarely visible combination, if it has a determining feature, hiding the relevant data provides anonymization. It is the process of deleting the information that may be distinctive about the exceptional data.

Generalization: It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information.

Lower and Upper Bound Coding: It is a method of anonymizing the values ​​in a data group containing predefined categories by combining them by determining a certain criterion.

Micro-aggregation: Anonymization is achieved by first arranging all the data in a meaningful order, dividing them into groups, and replacing the relevant data in the current group with the value obtained by taking the average of the groups.

Data mixing and corruption: Direct or indirect identifiers in personal data are mixed with other values ​​or their relationship with the relevant person is broken and they lose their descriptive qualities.

11- Although no period has been determined for the storage of personal data within the scope of the Law, it is essential that personal data be kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation in accordance with the general principles. The Data Controller Company makes an assessment based on the legislation in force and the purpose of the process in relation to each data processing process, in order to determine the retention periods in accordance with the aforementioned principle. It is regulated for a longer period in accordance with the legislation or the statute of limitations, foreclosure period, retention periods, etc. If a longer period is foreseen for the storage period, the periods in the provisions of the legislation are considered as the maximum storage period. In this respect, personal data is kept at least until the period required by legal obligations and the statute of limitations subject to the relevant Law expires.

Personal data may be stored in order to make the necessary defenses within the scope of the dispute in case of any dispute that may arise between you and the Data Controller. Personal data is anonymized, deleted or destroyed in accordance with the Law, with the disappearance of the purpose of processing the relevant personal data within the scope of any process, including the expiration of the aforementioned periods.

12- Personal data whose storage period has expired or whose purpose for storage is no longer available is deleted, destroyed or anonymized by being destroyed every six months through a process to be carried out ex officio at repetitive intervals as specified in this Personal Data Retention and Disposal Policy. Periodic destruction is also carried out in January and July of each year.

13- Our company makes the necessary assignments within the Company in order to fulfill the obligations in the KVK Law and to implement the issues specified in this Policy and establish the procedures accordingly.

14- This policy is reviewed according to the emerging need by following the company activities and possible changes in the personal data groups, changes to be made in the legal legislation and the Personal Data Protection Board policy decisions, and the necessary sections are updated, changed or re-created.