PERSONAL DATA PROTECTION AND DESTRUCTION POLICY

1. Objective

This policy aims to describe the methods adopted for the processing, protection, storage and destruction of personal data processed in all kinds of activities carried out by ZZGTECH LTD (ZZGTECH) in the capacity of data controller and to fulfil the obligation of disclosure in accordance with Article 13-14 of the European Union General Data Protection Regulation and UK Data Protection Regulation (EU GDPR and UK GDPR hereinafter referred to as GDPR). This policy includes the principles applied in the collection, use, sharing, storage and destruction of personal data by ZZGTECH. It aims to inform the relevant persons about the personal data of employees, candidate employees, relatives of employees, references, supplier employees, company partners, suppliers and candidate suppliers, prospective suppliers, prospective customers, online visitors, outsource employees, partner employees, partner company officials, customers and related persons of customers processed by ZZGTECH.

2. Scope

This policy; It covers all recording media and activities for personal data processing where personal data belonging to employees, candidate employees, employee relatives, references, supplier employees, company partners, suppliers and candidate suppliers, customer candidates, online visitors, outsource employees, partner employees, partner company officials, customers and customers' related persons owned by ZZGTECH or managed by ZZGTECH are processed.

3. Authorisations and Responsibilities

All employees, external service providers and anyone else who stores and processes personal data within the organisation are responsible for fulfilling the requirements for the storage and destruction of personal data processed within the organisation. Each business unit is obliged to store and protect the data produced in its own business processes.

The Data Protection Officer (DPO) is responsible for notifying or accepting notifications or correspondence with the ICO Authority on behalf of the data controller and for registration in the register.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction of personal data is detailed below;

Data Protection Officer (DPO): On behalf of the Data Controller, to design, plan, perform the works and transactions to be carried out within the framework of the procedures and principles set out in the Law, to organise the relevant actions and to ensure audits.

Archive Officer To carry out the processes of processing, storage, deletion, editing, destruction and anonymisation of personal data stored in the archive.

Information Security Committee Member: Assists the DPO to design, plan, realise the works and transactions to be carried out within the framework of the procedures and principles set out in the Law on behalf of the Data Controller and to ensure the relevant audits and helps to maintain the processes related to personal data security by supporting the DPO. It takes part in the evaluation and response stages of personal data requests from data subjects. In addition, the Information Security Committee Member takes part in ISO 27001 Information Security Management System, ISO 27701 Personal Data Management System and ISO 9001 Quality Management System standard studies.

4. Definitions and Abbreviations

Definition / Abbreviation	Description
Open Consent	Consent on a specific subject, based on information and expressed with free will.
Related User	Persons who process personal data within the organisation of the data controller or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Data Owner/Related Person	The natural person whose personal data is processed.
Data Controller	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller.
Destruction	Deletion, destruction or anonymisation of personal data.
Periodic Disposal	In the event that all of the conditions for the processing of personal data specified in the Law disappear, the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals specified in this policy.
Law	UK Data Protection Regulation
EU GDPR	European Union Data Protection Regulation
UK GDPR	UK Data Protection Regulation
Anonymisation	Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Recording Media	All kinds of media containing personal data that are fully or partially automated or processed by non-automated means, provided that they are part of any data recording system.
Personal Data	Any information relating to an identified or identifiable natural person.
Personal Data Inventory	Inventory in which data controllers elaborate the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security.
Processing of Personal Data	Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Anonymisation of Personal Data	Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data	Deletion of personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data	The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Board	European and UK Data Protection Authority (ICO) supervisory authorities
ICO	UK Data Protection Authority
Electronic Media	Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media	All written, printed, visual, etc. other media other than electronic media.
Sensitive Personal Data (Intimate Data)	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Data Recording System	Recording system in which personal data are structured and processed according to certain criteria.
Employee	ZZGTECH staff.
Service Provider	A natural or legal person who provides services under a specific contract with ZZGTECH.
Online Visitor	Site visitors who visit ZZGTECH's website and whose cookie information is obtained
Customer	Legal and natural persons with whom ZZGTECH has an agreement and who benefit from ZZGTECH's services
Customer Contact Person	In cases where ZZGTECH is a data processor, natural persons who are the data controller of the Customer with whom ZZGTECH has an agreement and who are under the responsibility of ZZGTECH
SSL VPN	It is a virtual private network technology that provides secure access.

5. Personal Data Processing and Protection Policy

ZZGTECH sets out the necessary measures and the process applied for the protection and processing of personal data in a concrete manner with this policy. In cases where this policy is incompatible with the relevant laws and regulations or if the policy is outdated in line with the updated legislation, ZZGTECH agrees to comply with the applicable legislation. According to the changes in laws, regulations and legislation, this policy is updated and revised in order for ZZGTECH to fulfil the legal requirements.

5.1 Personal Data Owners and Processed Personal Data

ZZGTECH processes the following personal data:

Data Owner	Data Categories
Employees	Criminal records, bank and salary information, audio-visual records, legal files, contact information, identity information, log records, professional information, personal and health information
Employee Candidates	Photograph, credentials, contact details, professional and personal information
Employee Relatives	Name, surname and telephone number
Online Visitor	IP address, browser information, website logs (anonymised) and cookie information
Customers	Bank and financial information, legal documents, identity information, contact information, log records, complaint and support records, company and tax office information, service and offer information
Contact Person for Customers	Finance, visual and audio recordings, communication, transaction security, identity, location, customer transaction, personal data, cookie information
Partners	Bank and financial information, identity information, contact information, signature circular and power of attorney
Outsourced Employees	Bank and financial information, contact, log records, identity, personal and embezzlement information
Partner Employee	Identity, communication
Partner Officer	Identity, communication
Potential Customers	Identity, contact, log records, service content and offer information, company information
Potential Suppliers	Name, surname, title, contact and offer information
References	Name, surname, title, contact and company information
Supplier Employee	Name, surname, contact information
Supplier Authorised	Identity information, contact information, log records, bank and financial information, legal files, tax office information

5.2 Purposes of Processing Personal Data

ZZGTECH processes personal data for the following purposes;

Purpose of Data Processing	Data Subjects
Execution of Emergency Management Processes	Employee Relatives
Execution of Information Security Processes	Employees, Outsourced Employees
Execution of Application Processes of Employee Candidates	Employee Candidates, References
Fulfilment of Labour Contract and Legislative Obligations for Employees	Employees
Management of Disciplinary Processes	Employees
Execution of Training Activities	Employees, Outsourced Employees
Execution of Access Authorisations	Employees, Customers, Outsource Employees, Supplier Authorised
Execution of Activities in Accordance with the Legislation	Employees, Online Visitors, Customers, Outsource Employees
Execution of Finance and Accounting Affairs	Employees, Customers, Partners, Supplier Authorised
Ensuring Physical Space Security	Employees
Execution of Assignment Processes	Employees
Follow-up and Execution of Legal Affairs	Employees, Customers, Supplier Authorised
Execution of Communication Activities	Employees, Employee Candidates, Outsource Employees, Supplier Employees
Planning Human Resources Processes	Employees, Relatives of Employees, Outsourced Employees
Execution / Supervision of Business Activities	Employees, Partners, Outsource Employees, Partner Employee, Partner Officer
Execution of Occupational Health / Safety Activities	Employees
Receiving and Evaluating Suggestions for Improvement of Business Processes	Partner Employee, Partner Officer
Execution of Business Continuity Ensuring Activities	Employees, Outsourced Employees
Execution of Goods / Service Procurement Processes	Supplier Employee, Supplier Authorised
Execution of Goods / Services After Sales Support Services	Customers
Execution of Goods / Service Sales Processes	Customers, Partner Employee, Partner Officer
Execution of Goods / Service Production and Operation Processes	Customers, Customer Contact Person
Conducting Marketing Analysis Studies	Online Visitor
Execution of Contract Processes	Employees, Outsourced Employees
Follow-up of Requests / Complaints	Customers, Potential Customers
Ensuring the Security of Movable Property and Resources	Employees, Outsourced Employees
Execution of Supply Chain Management Processes	Potential Suppliers
Execution of Wage Policy	Employees
Execution of Marketing Processes of Products / Services	Customers, Potential Customers
Ensuring the Security of Data Controller Operations	Employees
Providing Information to Authorised Persons, Institutions and Organisations	Employees

5.3 Process Based Processed Personal Data

ZZGTECH processes personal data according to the following sub-processes;

Unit	Process	Data Categories
IT Operations and Infrastructure	Access Authorisation Controls	Communication, Identity
	User Support	Identity
	Mail Service	Communication, Identity
	Application Log Management	Communications, Log Records, Identity
	Remote Working	Communications, Log Records, Identity
	Obtaining Cookie Information	IP address, Browser information, Website logs (anonymised)
	Customer Accounts Management Process	Communication, Log Records, Identity
	Application Activation Process	Communication, Identity, Personality
	Software Deployment Process	Finance, Audiovisual records, Communication, Log Records, Identity, Location, Customer transaction, Personnel, Marketing
	Software Support Process	Contact, Identity, Customer Transaction, Personnel,
Human Resources	Payroll Process	Finance, Contact, Identity, Personal, Health Information
	Personnel File Creation Process	Criminal Record Information, Finance, Audio-visual records, Identity, Contact, Professional experience, Personal, Health information
	Disciplinary Process	Identity, Personal
	Education Process	Finance, Identity
	Legal Processes	Finance, Legal action, Communication, Identity, Personnel
	Recruitment Candidate Selection	Audiovisual records, Communication, Identity, Professional experience, Personnel
	Signature of Dismissal Documents	Finance, Communication, Identity, Personnel
	Consent Form Process	Identity
	Outsourced Employees	Finance, Communication, Identity
	Contract Process	Finance, Communication, Identity
	Receiving Commitments	Identity, Personal
	Embezzlement Processes	Identity, Personal
Human Resources / Administrative Affairs	Purchasing Processes	Finance, Communication, Identity, Personnel
Business Development	Business Development Process	Communication, Identity
Financial Affairs	Finance Process	Finance, Communication, Identity, Personnel
	Customer Operations	Finance, Communication, Identity, Personnel
	Supplier Operations	Finance, Communication, Identity, Personnel
Sales Marketing	Sales Marketing Process	Contact, Log Record, Identity, Personality, cookie information
Sales Marketing	Obtaining Cookie Information	IP address, browser information, cookie information (anonymised)
Senior Management	Execution of Legal Processes	Finance, Legal action, Communication, Identity
Software Development and R&D	Development of Artificial Intelligence Models	Audiovisual Records, Customer Processing, Marketing
	Software Analysis Process	Communication, Identity
	Software Development Process	Log Records, Identity
	Software Testing Process	Communication, Identity

5.4 Data Collection Methods

ZZGTECH methods of obtaining personal data are set out below:

Data Categories	Method of Obtaining
Criminal Records	Hand delivery, paper media
Finance Knowledge	Electronic records and paper forms, customer and supplier current cards, mail, hand delivery, invoice, stamp information, accounting programme, executive declarations, verbal declaration, payroll, personnel files, personnel employment contract, purchasing contracts, customer contracts, written declaration, software database
Audio and Visual Recordings	Hand delivery, job application site interface, mail, customer data sources, software database, HR Company
Legal Action	Enforcement correspondence, customer and supplier current cards, contracts, personal files
Contact Details	Electronic records and paper forms, visual, verbal declaration, IT application, customer and supplier current cards, support panel, mail, hand delivery, invoice, job application site interface, stamp information, accounting programme, release document, executive correspondence, employment document list form, customer and supplier contracts, written declaration, application panel, personnel files, personnel employment contract, project management application, social media platforms, software database, HR Company
Transaction Security Information	IT application, mail, application panel, project management application, oral statement, software database, website
Credentials	Electronic records and paper forms, visual, verbal declaration, IT application, mail, support panel, HR documents (disciplinary documents, defence letters, minutes, disclosure and explicit consents, embezzlement forms, release, consent and agreements, expense form, personnel leave form, executive paper, resignation letter), hand delivery, invoice, training attendance forms, job application site interface, stamps, accounting programme, recruitment document list form, paper media, business cards, customer and supplier contracts, application panel, customer and supplier current cards, personnel files, policy document, project management application, social media platforms, software database, HR Company
Location Information	Software database
Occupational Information	Hand delivery, job application site interface, mail, HR Company
Customer Transaction Information	Support panel, mail, customer data sources, software database
Personal Information	Electronic records and paper forms, visual, verbal declaration, current card, mail, contract, support panel, HR documents (disciplinary documents, defence letters, minutes, release document, resignation letter, notice of dismissal, personnel leave form, embezzlement forms), hand delivery, invoice, job application site interface, stamps, accounting program, application panel, personnel files, purchase contracts, written declaration, software database, HR Company
Marketing Information	Mail, customer data sources, software database, website, electronic registration forms
Health Information	Hand delivery

5.5 Legal Reasons for Data Processing

ZZGTECH processes personal data due to legal obligations and to ensure business continuity. Your personal data; In the light of the principles stipulated in Article 5 of the GDPR, it is processed by obtaining explicit consent or in the cases specified in Article 5 of the GDPR. In data processing, it is essential to obtain explicit consent in case the requirements of the Law are not met.

5.5.1 Reason for Processing Personal Data

Explicitly stipulated in the laws,
It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
It is mandatory for the data controller to fulfil its legal obligation,
It has been made public by the data subject himself/herself,
Data processing is mandatory for the establishment, exercise or protection of a right,
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The relevant laws regarding foreseen in the law are detailed in this policy.

5.5.2 Justification for Processing Sensitive (Private) Personal Data

Provided that adequate measures are taken; it is stipulated in the laws in terms of personal data of special nature other than health and sexual life, and in terms of personal data of special nature related to health and sexual life;

Protection of public health,
Preventive medicine,
Medical diagnosis,
Carrying out treatment and care services,
Your personal data may be transferred without obtaining explicit consent for purposes such as planning and management of health services and financing.

The legal grounds used by ZZGTECH to process data are detailed in the "Personal Data Inventory" document.

5.6 Principles for Processing Personal Data

The GDPR regulations set out principles for the processing of personal data. ZZGTECH processes personal data in accordance with the determined principles.

The processing of personal data is carried out in accordance with the following principles;

Compliance with the law and honesty rules,
Being accurate and up to date when necessary,
Processing for specific, explicit and legitimate purposes,
Being relevant, limited and proportionate to the purpose for which they are processed,
Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Transfer of Personal Data

Personal data of customers, suppliers and employees are processed in accordance with the basic principles stipulated in the GDPR, provided that public interest is observed. Within the scope of the personal data processing conditions and purposes specified in Section V of the GDPR, it may be shared with the following domestic and/or foreign related parties.

5.7.1 Transfer of Personal Data to Domestic Persons

ZZGTECH carefully complies with the conditions regulated in the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. Within this framework, personal data are not transferred to third parties without the explicit consent of the data subject. However, in the presence of one of the following conditions specified in the Law, personal data may be transferred without obtaining the explicit consent of the data subject:

Explicitly stipulated in the laws,
It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
It is mandatory for the data controller to fulfil its legal obligation,
It has been made public by the data subject himself/herself,
Data processing is mandatory for the establishment, exercise or protection of a right,
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Protection of public health,
Preventive medicine,
Medical diagnosis,
Carrying out treatment and care services,
Your personal data may be transferred without obtaining explicit consent for purposes such as planning and management of health services and financing.

In the transfer of special categories of personal data, the conditions specified in the terms of processing of such data are complied with.

Domestic parties to whom personal data are transferred are detailed below;

Related Party	Reason for Transfer	Transfer Method	Legal Basis
Contracted Banks	To be able to make profit distributions, to carry out the financial processes of partners and stakeholders, to deposit personnel salaries,	By mail, hand delivery, by mail using bulk instruction	Foreseen in the Law
Contracted Law Offices	User access logs can be shared with the contracted lawyer for contract control, resolution of possible disputes, execution of lawsuits related to the employee and employer, and in case of a legal request. In case of termination of the employment contract before the end of the advance repayment, the corporate lawyer can be informed. Execution of enforcement processes are shared with the enforcement office through contracted law offices. It is shared so that employees' legal objections or complaints can be evaluated.	Cargo, mail, media device	Foreseen in the Law Legitimate Interest Performance of Contract Fulfilment of Legal Obligation
Contracted Customers	Personal data obtained within the scope of the contract with the Contracted Customer, which is the Data Controller, must be visible to the customer	Software Offered to the Customer	Explicit consent obtained by the customer who is the Data Controller Performance of Contract
Contracted Suppliers	Shared in order to fulfil the terms of the agreement	Mail, Written Declaration	Open Consent Performance of Contract Legitimate Interest
Contracted HR Companies	Personal data can be shared in order to carry out outsourced employee employment processes	Mail	Open Consent Publicisation Performance of Contract Legitimate Interest
Authorised Courts	In case of a legal problem related to employees and in case of a legal request, user access logs are shared through the Contracted Law Office to be submitted to the court. In case of possible disputes with customers, employees and suppliers, they are shared with the competent courts through the corporate lawyer	By hand delivery through a contracted law firm or by media device	Foreseen in the Law Legitimate Interest Performance of Contract Fulfilment of Legal Obligation
Authorised Public Institutions and Organisations	It can be shared with the persons / institutions requesting for the continuity of the activities and operations of the institution.	Hand Delivery Photocopy, Mail,	Foreseen in the Law
Advertising Publishers	On behalf of ZZGTECH and the Contracted Customer, cookie information and, where necessary, the relevant personal data of the Customer Contact Person are shared with the advertisement publisher for the promotion of products or services.	Cookie Forwarding, Client software, Ad Publisher API	Open Consent Performance of Contract

5.7.2 Transfer of Personal Data to Persons Abroad

ZZGTECH can process personal data on foreign servers based on the agreement made with its customers who are Data Controllers, and data transfers can be made to Advertisement Publishers.

ZZGTECH is able to carry out its operations on overseas cloud systems while managing customer accounts, application activation processes and software distribution, development and testing processes.

In cases where foreign cloud use is required; security measures determined by the cloud service provider are applied. In addition, ZZGTECH has taken all technical measures that may be needed, especially data masking, hashing and authorisation limitations. The measures taken are detailed under the heading "Technical Measures".

5.8 Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service

Cookie information is received on the websites owned by ZZGTECH. Detailed information can be found in the Cookie Policy document on the website. The obligation to inform and the purposes of processing the personal data received are detailed in the Cookie Policy.

ZZGTECH uses mobile internet for internet access. ZZGTECH therefore does not process internet access logs.

System and application access logs of customers, suppliers and employees can be processed during the management of customer accounts, software distribution, application log management, remote working and software development processes. Authorisation restrictions have been made to prevent unauthorised access to logs. There is also a time stamp on the logs. In order to ensure remote access security, access is provided with VPN. In addition, static ip and mac addresses are checked. Detailed information can be found under the heading "Technical Measures".

5.9 Rights of the Personal Data Owner

The rights of personal data subjects specified in Part III of the GDPR are detailed below:

To learn whether your personal data is being processed or not. Request access to processed personal data,
Request information if your personal data has been processed
To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
To know the third parties to whom your personal data is transferred domestically or abroad,
To request correction of your personal data in case of incomplete or incorrect processing,
Request deletion or destruction of your personal data
In case your personal data is corrected, deleted or destroyed, to request that these transactions be notified to third parties to whom your personal data has been transferred. Request restriction of the processed personal data, request the transfer of the data,
Object to the occurrence of a result against you by analysing your processed data exclusively through automated systems,
In case you suffer damage due to unlawful processing of your personal data, you have the right to demand compensation for the damage.

6. Storage and Destruction of Personal Data

6.1 Data Controller Organisation and Data Environments

All employees of ZZGTECH take an active role in the implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy. Measures are taken to ensure data security in all environments where personal data is processed in order to prevent unlawful processing and access of personal data by training and raising awareness of unit employees, monitoring and continuous supervision.

Personal data are securely stored by ZZGTECH in accordance with the law in the following environments;

Electronic Media	Non-Electronic Media
Servers (Domain, application servers, database) Office applications Accounting practice Cloud system IT applications Telephone directories Information security devices (firewall, log file) Personal computers (desktop, laptop) Mobile devices (phone, tablet, etc.) Portable media (Usb, portable disc) Cookie information Mail	Paper Written, printed, visual media Folders Personal files Lockers of the units Job Application Forms

ZZGTECH stores and destroys personal data belonging to Data Subject Main Category, employee, candidate employee, employee relative, reference, supplier employees, company partners, supplier and candidate supplier, customer candidate, online visitor, outsource employee, partner employee, partner company official, customer and customers' related persons in accordance with the Law.

Article 3 of the Law defines the concept of processing personal data. It is addressed in the GDPR that personal data should be linked, limited and proportionate to the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Accordingly, ZZGTECH stores personal data within the framework of its activities for the period stipulated in the relevant legislation or in accordance with our processing purposes.

6.2 Legal Grounds Requiring Retention

Your personal data are processed without the requirement of explicit consent based on the stipulation of the provisions of the law in force in the UK, legitimate interest, fulfilment of ZZGTECH's legal obligation, establishment of a right, publicisation and/or performance of the contract.

6.2.1 Reasons for Destruction

Personal data;

Changing the provisions of the relevant legislation that constitute the basis for processing,
Disappearance of the purpose requiring processing or storage,
In cases where the processing of personal data is carried out only on the basis of explicit consent, the person concerned may withdraw his/her explicit consent,
Acceptance by ZZGTECH of the application for the deletion and destruction of personal data within the framework of the rights of the data subject specified in Part III of the GDPR,
In cases where ZZGTECH rejects the application made by the person concerned with the request for the deletion, destruction or anonymisation of his personal data, finds the answer insufficient or does not respond within the period stipulated in the Law; To make a complaint to the Board and this request is approved by the Board or the relevant authority,
The maximum period of time required for the retention of personal data has expired and there are no circumstances that justify the retention of personal data for a longer period of time,
In such cases, it shall be deleted, destroyed or ex officio deleted or anonymised by ZZGTECH upon the request of the person concerned.

6.3 Ensuring the Security of Personal Data

ZZGTECH takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.

The measures taken by ZZGTECH to ensure the security of personal data are detailed in the sub-articles:

6.3.1 Technical Measures

It is ensured that necessary infrastructure investments are made in the field of information security in accordance with the developing technology.
It is ensured that the access authorisations of IT and other unit employees to personal data are kept under control. Access authorisations are defined to be limited to the services provided in authorisation definitions. Security layers are applied for remote access.
ZZGTECH performs access restrictions to personal data according to the principle of minimum authorisation. Access to servers, applications and files in the digital environment are checked periodically within the scope of ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards. In cases where privileged authorisation is required, actions are taken by limiting the time.
ZZGTECH makes access and authorisation definitions. It checks the compliance of accesses with authorisations. The information obtained as a result of checking the security of the systems is reported. Points that pose a risk are identified and necessary technical measures are taken.
The institution receives system and application access logs within the scope of Law No. 5651. Access requests of third party suppliers are received in writing. SSL VPN connection is provided for the received requests. SSL VPN external dual authentication security measures are taken. Access is restricted by using Mac filtering and static ip addresses.
Access to networks containing personal data is restricted. There is no guest network. Network access logs are kept by security systems. Networks are separated between servers.
In our institution, penetration tests are carried out periodically every year, taking into account the criteria of ISO 27001 Information Security Management System standard. Social engineering drills are carried out. Action is taken quickly according to the findings.
Software and hardware including virus protection systems and firewalls are installed. Licensed antivirus is used in all user systems. The security of the systems in the cloud environment is ensured by using the infrastructure offered by the cloud service provider. Up-to-date versions of the systems with the necessary security measures against known vulnerabilities are used and log records of the systems are taken.
Automatic backups are taken regularly for the environments where personal data are stored.
In order to maintain the security of personal data, awareness is spread so that technical measures are part of the corporate culture with a model that continuously operates. Technical issues are explained in in-house trainings.
It is ensured to be kept alive continuously with the measures and controls taken.
User accounts are managed centrally. User accounts assigned to customers are centrally managed. User and employee passwords are set as complex.
SSL certificate security is available in environments where web services are used and on the ZZGTECH web page.
ZZGTECH carries out security operations by including applications and web services in the security tests it performs. Authorisation checks are carried out for access to applications. Masking measures are taken in accordance with the environments where personal data are processed. Encryption and hashing operations are performed in data transfers over the application. Development and test environments are separated and necessary controls are carried out before the applications are taken live.
Logs of the applications sold by ZZGTECH are taken and analyses are performed. Personal data security is kept at a high level with warning systems in abnormal situations.
Backups of systems containing personal data are taken periodically and the backups are checked.
Personal data security is provided with firewall applications to ensure the security of the server and connected environment.
In the processes of deletion, destruction and anonymisation of personal data, personal data are processed by taking into account customer agreements and personal data processing purposes. In cases where the purpose of processing personal data no longer exists, personal data is hashed by using the sole feature in databases. In cases where employee media and computers, which are of critical importance and contain personal data, have completed their useful life, are delivered to third parties, or are allocated to other personnel, they are wiped and formatted.

6.3.2 Administrative Measures

ZZGTECH has created a Personal Data Inventory in order to identify, analyse and audit personal data. The Personal Data Inventory is updated in case a new personal data is obtained or the purpose of use of existing personal data changes.
ZZGTECH employs knowledgeable and experienced people to ensure data security and provides its personnel with the necessary information and awareness training on personal data security.
Procedures, policies and instructions have been established within the scope of ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards regarding personal data and information security. Data security measures are taken according to the rules specified in the created documents.
Contracts containing personal and information security issues are signed with employees and persons and institutions with whom ZZGTECH shares data due to its business. Contracts contain responsibilities specific to data confidentiality. Third parties with whom personal data is shared accept the provisions that they will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organisations. Internal audits and independent institutions check whether the contents of the contract are complied with.
The established systems are controlled by competent personnel with the necessary internal audits. ZZGTECH takes the necessary administrative measures to ensure the security of personal data and supervises the work of employees according to these measures.
Risk analyses are performed within the scope of ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standard. Apart from risk analyses, data classification, information security risk assessment and business impact analyses are performed and processes are operated. In line with these processes, technical measures are taken in accordance with the developments in technology.
The contents of the employment contracts of the personnel have been updated regarding personal data security. Employees are informed that they cannot disclose the personal data they have learnt to others in violation of the provisions of the Law, cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties. Necessary commitments are obtained from employees in this direction. Apart from this, ZZGTECH's disciplinary processes are carried out in accordance with the laws.
Internal communication methods have been determined. DPO was appointed within the organisation. In addition, an Information Security Committee was established for personal data security. Job descriptions of the committee members were created and roles, authorities and responsibilities were detailed. Internal employees, external parties and organisations that need to be contacted in case of emergency have been identified.

6.3.3 Audits for the Sustainability of Personal Data Protection

ZZGTECH carries out or has the necessary audits carried out to ensure personal data security. It ensures that internal audits are carried out to ensure the sustainability of personal data security. ZZGTECH provides controls according to ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards to increase the efficiency of internal audits. It regularly performs penetration tests for technical vulnerabilities that may occur in the systems. The systems are regularly monitored by IT. When unlawful access or processing of personal data is detected in the audits, the DPO is informed.

6.3.4 Measures Implemented to Ensure Protection of Personal Data by Third Parties

ZZGTECH, in its contracts with third parties; It includes the necessary sanction clauses to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure the preservation of data. Confidentiality agreements are signed before sharing information with third parties. Necessary information is provided to third parties to raise awareness. In cases where third parties need to access the systems, audit trails related to access are kept.

6.3.5 Measures Implemented for the Protection of Sensitive Personal Data

Adequate measures must be taken for personal data of special nature both due to their nature and because they may lead to victimisation or discrimination. In Article 6 of the Law, personal data that have the risk of causing victimisation or discrimination when processed unlawfully are defined as "Special Categories".

These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

ZZGTECH takes the necessary measures to protect personal data of special nature, which are determined as "special quality" by the Law and processed in accordance with the law. Sensitivity is shown for special quality personal data in technical and administrative measures taken to protect personal data.

Employees are informed about the use of special categories of personal data through policies and procedures. Sensitive personal data are not processed in the absence of the consent of the person. In cases where sensitive personal data may be processed, it is not shared with anyone other than 3rd party persons / organisations that have been informed and whose explicit consent has been obtained.

6.3.6 Raising Awareness to Ensure Protection of Personal Data

Necessary information is provided to employees in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the preservation of data. Trainings are organised and their effectiveness is measured.

In case of changes in the relevant laws, regulations or legislation, the policies are revised and the relevant changes are re-announced to the personnel.

6.4 Personal Data Destruction Techniques

ZZGTECH destroys the personal data it obtains in line with the request of the personal data owners, if it is not mandatory to use it due to legal obligations, due to legal obligations or for the protection of public order and provided that it does not affect business processes. Personal data belonging to data owners are destroyed based on the decision to be taken by the organisation when the retention periods determined by the relevant laws expire or when the requirements for planning disappear in the event that the condition for the use of the relevant data disappears. Personal data that do not need to be stored on the dates determined by the DPO every year are destroyed by the following techniques in accordance with the legislation. Destruction operations are carried out in three different methods as deletion, destruction and anonymisation.

6.4.1 Deletion of Personal Data

The methods of deletion of personal data are specified in the table below;

Data Recording Environment	Description
Personal Data on Servers	For the personal data on the servers, deletion is made by the system administrator by removing the access authorisation of the relevant users for those whose retention period has expired.
Personal Data in Electronic Media	Personal data in the electronic environment, which expires from the personal data requiring storage, is rendered inaccessible and non-reusable in any way for other employees (relevant users) except the database administrator. In operational processes, personal data environments whose file has been finalised and completed are deleted in such a way that only the authorised administrator can access them.
Personal Data in Physical Environment	For personal data that expires from the personal data kept in the physical environment, it is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching/painting/erasing in such a way that it cannot be read.
Personal Data on Portable Media	The personal data kept in Flash-based storage media and those whose period of retention has expired are encrypted by the system administrator and access authorisation is given only to the system administrator and stored in secure environments with encryption keys.

6.4.2 Destruction of Personal Data

Destruction of personal data is specified in the table below;

Data Recording Environment	Description
Personal Data in Physical Environment	Those of the personal data in paper media, whose retention period has expired, are irreversibly destroyed in paper shredding machines.
Personal Data in Optical / Magnetic Media	Personal data contained in optical media and magnetic media that expire after the expiry of the period for which they are required to be retained shall be rendered physically unreadable in an irreversible manner. Destruction is carried out using the Destruction Record Form.

6.4.3 Anonymisation of Personal Data

Anonymisation of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

In order for personal data to be anonymised; personal data must be rendered unassociable with an identified or identifiable natural person, even through the use of appropriate techniques for the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and / or matching the data with other data.

6.5 Storage and Destruction Periods

The retention periods for personal data processed by ZZGTECH within the scope of its activities, all personal data within the scope of the activities carried out depending on the processes are detailed in the Data Inventory document.

Retention periods have been determined by taking into account the laws to which ZZGTECH is subject, the provisions of the contract with the relevant parties and the periods required for ZZGTECH's operational activities.

Such retention periods are updated by the Personal Data Contact Person if necessary.

Personal data whose retention periods have expired are destroyed ex officio. The category-based maximum retention periods of personal data are as follows;

Data	Data Owner	Storage Periods
Criminal Records	Employees	10 years from the end of the employment contract
Finance Knowledge	Employees	10 years from the end of the employment contract
	Customers	10 Years
	Customer Contact Person	2 Years
	Partners	10 Years
	Outsourced Employees	10 years from the end of the employment contract
	Potential Supplier	10 Years
	Supplier Authorised	10 Years
Audio and Visual Recordings	Employees	10 years from the end of the employment contract
	Employee Candidates	1 Year
	Customer Contact Person	10 Years
Legal Action	Employee	10 Years
	Customers	10 Years
	Supplier Authorised	10 Years
Contact Details	Employees	10 years from the end of the employment contract
	Employee Candidates	1 Year
	Employee Relative	10 years from the end of the employment contract
	Customers	10 Years
	Customer Contact Person	2 Years
	Partners	10 Years
	Outsourced Employees	10 years from the end of the employment contract
	Partner Employee	10 Years
	Partner Officer	10 Years
	Potential Customer	5 Years
	Potential Supplier	10 Years
	References	1 Year
	Supplier Employee	10 Years
	Supplier Authorised	10 Years
Transaction Security Information	Employees	10 Years
	Online Visitors	2 Years
	Customers	10 Years
	Customer Contact Person	2 years from the end of the service contract
	Outsourced Employees	2 Years
	Potential Customer	5 Years
	Supplier Authorised	2 Years
Credentials	Employees	10 years from the end of the employment contract
	Employee Candidates	1 Year
	Employee Relative	10 years from the end of the employment contract
	Customers	10 Years
	Customer Contact Person	2 Years
	Partners	10 Years
	Outsourced Employees	10 Years
	Partner Employee	10 Years
	Partner Officer	10 Years
	Potential Customer	5 Years
	Potential Supplier	10 Years
	References	1 Year
	Supplier Employee	10 Years
	Supplier Authorised	10 Years
Location Information	Customer Contact Person	2 years from the end of the service contract
Occupational Information	Employees	10 years from the end of the employment contract
Occupational Information	Employee Candidates	1 Year
Customer Transaction Information	Customers	2 years from the end of the service contract
Customer Transaction Information	Customer Contact Person	10 Years
Personal Information	Employees	10 years from the end of the employment contract
	Employee Candidates	1 Year
	Customers	10 Years
	Customer Contact Person	2 years from the end of the service contract
	Partners	10 Years
	Outsourced Employees	10 Years
	Potential Customer	5 Years
	References	1 Year
	Supplier Authorised	10 Years
Marketing Information	Customer Contact Person	10 Years
	Customer	5 Years
	Potential Customer	5 Years
	Online Visitors	2 Years
Health Information	Employees	10 years from the end of the employment contract

7. Application Methods

You can realise your rights regarding your personal data within the scope of GDPR by using the following methods;

Data Controller: ZZGTECH LTD

Data Protection Officer (DPO): Rugül ÇINAR- [email protected]

You can make your personal data applications by filling out the Personal Data Application Form document. Clarification application methods are as follows;

Method	Contact Details	Description
Hand Delivery	124 City Road, London, United Kingdom, EC1V 2NX	During the hand delivery of the Personal Data Application Form, please have one of the documents indicating your identity such as driving licence, identity card, passport, etc. with you.
Mail	[email protected]	After the Personal Data Application Form is sent to us by e-mail, identity verification can be made by checking the systems or by contacting us to confirm your identity information.

Personal data applications will be accepted following the identity verification to be made by us, and the relevant persons will be answered in writing or electronically within the legal periods.