Personal Data Protection and Destruction Policy

1. Purpose

The purpose of the Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş. Personal Data Retention and Destruction Policy is to determine, in accordance with Article 20 of the Constitution, Law No. 6698 on the Protection of Personal Data (KVKK), the “Regulation on Deletion, Destruction or Anonymization of Personal Data” dated 28.10.2017, and relevant secondary regulations, the principles for the deletion, destruction, or anonymization of personal data and the standards of data destruction concerning current and potential service recipients, customers, business partners, visitors, employees, employee candidates, and employees of institutions we cooperate with, as well as third parties whose personal data are processed within Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş..

2. Scope

The provisions of this “Policy” cover any information and documents—whether in physical or digital media—that can be associated with an identified or identifiable natural person. Principles regarding deletion, destruction, or anonymization of such information and the standards of data destruction fall within the scope of this Policy.

3. Record Media at Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş.

At Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş., Personal Data are recorded in physical documents, digital documents, and database environments.

4. Legal and Technical Terms

• Clarification Statement: Activities and/or documents regarding informing data subjects by data controllers or their authorized persons during the collection of personal data, as required by Article 10 of KVKK No. 6698.
• Relevant Person Group: The category of the person whose personal data are processed (employee, customer, visitor, etc.).
• Relevant Person: The natural person (Data Subject) whose personal data are processed.
• Authorized User: Persons who process personal data within the data controller’s organization or on behalf of the data controller under its authorization and job description, excluding those responsible solely for the technical storage, protection, and backup of data.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Record Medium: Any environment in which personal data are kept, whether fully or partially automated, or non-automated provided they form part of a data recording system.
• Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use—whether fully or partially automated or non-automated as part of a data recording system.
• Personal Data Retention and Destruction Policy: Policies that form the basis for the processes of determining the maximum retention period necessary for the purpose of processing personal data, and for deletion, destruction, and anonymization.
• Personal Data (PD): Any information relating to an identified or identifiable natural person.
• PD: Personal Data.
• PD Inventory: The list in which Personal Data processed (kept) by the company and related information are classified.
• PDP: Personal Data Protection.
• PDP Breach: Regardless of whether data subjects suffer any damage, any matters contrary to KVKK No. 6698 and/or company procedures, arising when information assets containing personal data under the responsibility of Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş. are taken outside the control of the company.
• PDPA: Personal Data Processing Agreement; a contract whereby the data processor undertakes to process personal data in accordance with the instructions, benefit, and will of the data controller, in return for which the data controller undertakes to pay a fee for such service.
• KVKK: Law on the Protection of Personal Data (No. 6698).
• PDMS: Personal Data Management System.
• SPPD: Special Categories of Personal Data.
• Periodic Destruction: In cases where all conditions for processing personal data set forth in the Law no longer apply, the deletion, destruction, or anonymization of personal data to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy.
• Data Processor: According to Article 3/ğ of KVKK, a natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the controller.
• Data Recording System: A recording system in which personal data are processed by being structured according to specific criteria.
• Data Controller: The organization that processes personal data: Omega Nonwoven Tekstil Sentetik ve Dokuma Tic. A.Ş.

5. Destruction of Personal Data

Destruction of personal data is carried out by three different methods: deletion, destruction, or anonymization. Data to be destroyed are deleted/destroyed in a manner that prevents access by the relevant person or anonymized so that they no longer qualify as personal data, in accordance with the Law and internal regulations. All destruction processes are recorded and conducted based on auditability.

6. PD Destruction Organization (Titles, Units, and Job Descriptions)

The management of PD destruction processes is under the responsibility of the PDMS Management Representative. There is a separate procedure identifying the PDMS Management Representative and all other organizational units. In the general organization, roles and responsibilities—especially concerning data destruction—are clearly defined through procedures.

7. Table Showing Retention and Destruction Periods

Retention periods are determined by the company’s PD Inventory. The relevant retention and destruction periods are regularly reviewed and revised in line with current legislation and operational needs.

Omega Nonwoven – Data Controller