
PERSONAL DATA RETENTION AND DISPOSAL POLICY 

INTRODUCTION AND PURPOSE OF PREPARING THE POLICY
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Vepamed Kozmetik ve Tıp Ürünler SAN. TRADE. Inc. (“Vepamed Kozmetik”) in order to fulfill our obligations under Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the Law and entered into force after being published in the Official Gazette dated 28 October 2017; to determine the maximum storage period necessary for the purpose for which personal data is processed; to serve as a basis for deletion, destruction and anonymization; and to inform the relevant persons about these transactions.

SCOPE
This Policy covers all employees, consultants and affiliates of the institution, as well as suppliers and natural and legal persons with whom the institution has legal relations, in all cases where personal data sharing is in question. It covers personal data and sensitive personal data, as defined by the Law, that are processed by fully or partially automated means, or by non-automatic means provided that they are part of any data recording system. Unless otherwise stated in the Policy, personal data and sensitive personal data will be collectively referred to as "Personal Data".

DEFINITIONS
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law/KVKK: Law on Protection of Personal Data No. 6698.
Recording Media: Any environment where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classification or prevention of use, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.
Anonymization of Personal Data: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Board: Personal Data Protection Board.
Sensitive Personal Data: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric data and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the Law are eliminated.
Data Owner/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.
RULES
Vepamed Kozmetik acts within the framework of the following principles in the storage and destruction of personal data:

In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and the technical and administrative measures specified in this Policy, which must be taken within the scope of Article 12, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded by Vepamed Kozmetik and these records are kept for at least 1 year, excluding other legal obligations.
Unless a contrary decision is taken by the Board, the appropriate method of deleting, destroying or anonymizing personal data ex officio is chosen by us. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason.
In the event that the conditions for processing personal data in Articles 5 and 6 of the Law are no longer valid, personal data is deleted, destroyed or anonymized by Vepamed Kozmetik, ex officio or upon the request of the Relevant Person. If the Relevant Person applies to Vepamed Kozmetik in this regard:
a. Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,
b. In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken before the third parties.

  • Compliance with the rules of law and honesty

  • Being accurate and up-to-date when needed

  • Processing for specific, explicit and legitimate purposes

  • Being relevant, limited and proportionate to the purpose for which they are processed

  • To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

EXPLANATIONS ON REASONS REQUESTING STORAGE AND DISPOSAL
The personal data of the data owners are stored securely by Vepamed Kozmetik in the physical or electronic media listed above, within the limits specified in the KVKK and other relevant legislation, in particular in order to (i) maintain service activities, (ii) fulfill legal obligations, (iii) plan and perform employee rights and fringe benefits, (iv) manage customer relations and (v) carry out its goods/services sales activities.

The reasons for keeping it are as follows:

a. Storing personal data as it is directly related to the establishment and performance of contracts,
b. Storing personal data for the purpose of establishing, exercising or protecting a right,
c. Storing personal data being necessary for the legitimate interests of Vepamed Kozmetik, provided that it does not harm the fundamental rights and freedoms of individuals,
d. Keeping personal data in order for Vepamed Kozmetik to fulfill any of its legal obligations,
e. The storage of personal data being explicitly stipulated in the legislation,
f. Explicit consent of data owners in terms of storage activities that require the explicit consent of data owners.
In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by Vepamed Kozmetik, ex officio or upon request, in the following cases:

a. Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
b. The disappearance of the purpose that requires the processing or storage of personal data,
c. Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law.
d. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdrawing his consent,
e. The data controller accepting the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs (e) and (f) of Article 11 of the Law,
f. In cases where the data controller rejects the application made by the data subject requesting the deletion, destruction or anonymization of his personal data, gives a response that is found to be insufficient, or does not respond within the time stipulated in the Law, a complaint being made to the Board and this request being approved by the Board,
g. The maximum period for keeping personal data having passed, with no conditions justifying the retention of the personal data for a longer period.
STORAGE AND DISPOSAL TIMES
The following criteria are used to determine the storage and destruction periods of your personal data obtained by Vepamed Kozmetik in accordance with the provisions of the KVKK and other relevant legislation:

1. If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with. Following the expiry of the aforementioned period, the data is processed within the scope of the second paragraph.
2. In the event that the period stipulated in the legislation regarding the storage of the said personal data expires or if no period is stipulated in the relevant legislation regarding the storage of the said data, respectively;
a. Personal data is classified as personal data and sensitive personal data, based on the definition in Article 6 of the KVKK. All personal data determined to be sensitive will be destroyed. The method to be applied in the destruction of the said data is determined according to the nature of the data and the importance of its storage for Vepamed Kozmetik.
b. The compliance of data storage with the principles specified in Article 4 of the KVKK is questioned; for example, whether Vepamed Kozmetik has a legitimate purpose in storing the data. Data found to be kept in violation of the principles set forth in Article 4 of the KVKK are deleted, destroyed or anonymized.
c. It is determined which of the exceptions stipulated in Articles 5 and 6 of the KVKK the data storage falls within. Within the framework of the exceptions identified, reasonable periods for data storage are determined. When these periods expire, the data is deleted, destroyed or anonymized.
The storage, destruction and periodic destruction periods determined by Vepamed Kozmetik are set at once every 6 months. Personal data whose storage period has expired are destroyed in 6-month periods in accordance with the procedures set forth in the Policy. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
PROCEDURES FOR STORAGE AND DISPOSAL OF PERSONAL DATA BY Vepamed Kozmetik
I. RECORDING ENVIRONMENTS
The personal data of the data owners are securely stored by Vepamed Kozmetik in the environments listed below, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles:

  • Electronic media:

      • Servers (domain, backup, email, database, web, file sharing, etc.)

      • Software (office software, portal, EBYS, VERBIS)

      • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)

      • Personal computers (desktop, laptop)

      • Mobile devices (phone, tablet, etc.)

      • Optical discs (CD, DVD, etc.)

      • Removable memories (USB, memory card, etc.)

      • Printer, scanner, copier

  • Physical environments:

      • Paper

      • Manual data recording systems (survey forms, visitor logbook)

      • Written, printed, visual media

TECHNICAL AND ADMINISTRATIVE MEASURES

All the administrative and technical measures taken by Vepamed Kozmetik, within the framework of the principles in Article 12 of the KVKK, in order to keep your personal data safe, to prevent it from being processed and accessed unlawfully, and to destroy the data in accordance with the law, are listed below:

Administrative Measures:
Within the scope of administrative measures, Vepamed Kozmetik:

It limits internal access to the stored personal data to the personnel who need access under their job description. In limiting access, whether the data is sensitive and its importance are also taken into account.
In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible.
Regarding the sharing of personal data, it ensures data security with the persons with whom personal data is shared, by signing a framework agreement on the protection of personal data and data security, or through provisions added to the existing agreement.
It employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
It carries out, or has carried out, the necessary audits in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the privacy and security vulnerabilities identified as a result of audits.
Technical Measures:
Within the scope of technical measures, Vepamed Kozmetik:

a. Performs necessary internal controls within the scope of established systems.
b. It carries out the processes of information technology risk assessment and business impact analysis within the scope of established systems.
c. It ensures the provision of the technical infrastructure to prevent or monitor the leakage of data outside the institution and the creation of relevant matrices.
d. Provides control of system vulnerabilities by receiving penetration test service regularly and when needed.
e. It ensures that the access of employees in information technology units to personal data is kept under control.
f. The destruction of personal data is ensured in a way that cannot be reversed and leaves no audit trail.
g. Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encryption or cryptographic methods to meet information security requirements.
EMPLOYEE
Personnel involved in the personal data storage and destruction process are determined annually by the KVK Committee and announced within the institution.

DISPOSAL OF PERSONAL DATA
Personal data obtained by Vepamed Kozmetik in accordance with the KVKK and other relevant legislation will be destroyed by Vepamed Kozmetik, ex officio or upon the application of the Relevant Person, using the techniques specified below and in accordance with the provisions of the Law and relevant legislation, in the event that the personal data processing purposes listed in the Law and the Regulation no longer exist.

a. Deletion and Destruction Techniques of Personal Data:
The procedures and principles regarding the techniques of deletion and destruction of personal data by Vepamed Kozmetik are listed below:

Deletion of Personal Data:
Secure Deletion from Software: When deleting data processed by fully or partially automated means and stored in digital media, methods are used to delete the data from the relevant software so that it cannot be accessed or reused in any way by the Relevant Users.

The following can be counted within this scope: deletion of the relevant data in the cloud system by issuing a delete command; removing the access rights of the relevant user on the file or on the directory where the file is located on the central server; deletion of the related rows in databases with database commands; and deletion of data in flash media or portable media using appropriate software.

However, if the deletion of personal data would make other data within the system inaccessible and unusable, the personal data will also be deemed deleted if it is archived in a way that cannot be associated with the data subject, provided that the following conditions are met:

− It is closed to access by any other institution, organization or person,
− All necessary technical and administrative measures are taken to ensure that only authorized persons can access the personal data.
Secure Deletion by Expert: In some cases, Vepamed Kozmetik may hire an expert to delete personal data on its behalf. In this case, the personal data is securely deleted by a person who is an expert on this subject so that it cannot be accessed or reused in any way by the Relevant Users.

Blackening of Personal Data in Paper Media: This is the method of physically cutting the relevant personal data out of the document, or making it invisible using permanent ink that cannot be reversed or read with technological solutions, in order to prevent the unintended use of personal data or to delete the data requested to be deleted.

Destruction of Personal Data:
De-magnetization: This is the method of corrupting the data on magnetic media so that it becomes unreadable, by passing the media through special devices where it is exposed to high magnetic fields. It should be noted that if destruction with this method is not successful, only the physical destruction of the media will be able to complete the destruction.

Physical Destruction: Personal data can also be processed by non-automatic means, provided that they are part of any data recording system. When such data is destroyed, a system of physical destruction of personal data is applied so that it cannot be used later. The destruction of data in paper and microfiche media should also be carried out in this way, since it is not possible to destroy them in any other way.

Overwriting: The overwriting method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.

Vepamed Kozmetik fully complies with the provisions of the KVKK, the Regulation and other relevant legislation in order to ensure data security, and takes all necessary administrative and technical measures.

Techniques for Anonymization of Personal Data:
The procedures and principles regarding the techniques of anonymization of personal data by Vepamed Kozmetik are listed below:

Anonymization Methods That Do Not Provide Value Irregularity
Anonymization methods that do not provide value irregularity are methods applied without any change to, or addition to or removal from, the stored personal data, by generalizing a group of personal data, replacing data with each other, or removing certain data or a sub-group of data from the group.

Variable Extraction: In the variable extraction method, the existing data set is anonymized by removing the "highly descriptive" variables from the variables in the data set created from the collected data.

Removing Records: In the record removal method, the data line containing singularity is removed from the records, and the stored data is anonymized. For example, if there is only one senior manager in an institution, the remaining data can be anonymized by removing the data belonging to this person from the records in which the seniority, salary and gender data of employees at the same level are kept together.

Regional Concealment: In the regional concealment method, if a single piece of data has a determining feature because it creates a very rarely seen combination, hiding the relevant data provides anonymization. For example, if only one person on the reserve list of the institution's football team is 65 years old, then in a data set where age, gender and health information bearing on whether he can play football are stored together, writing 'Unknown' instead of 'Age: 65', or leaving this field blank, will provide anonymization.

Lower and Upper Bound Coding: With the lower and upper bound coding method, the values in a data group containing predefined categories are anonymized by determining a certain criterion and combining them.

Generalization: With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person. For example, revealing that there are Z employees at the age of X without showing the ages of the employees one by one.

Global Coding: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person.

Anonymization Methods That Provide Value Irregularity
Anonymization methods that provide value irregularity, unlike those that do not, create distortion by changing some of the data in personal data groups. When using these methods, deviations need to be applied carefully in line with the benefit expected from the data. By ensuring that the total statistics are not distorted, the expected benefit from the data can continue to be obtained.

Adding Noise: In the noise addition method, data are anonymized by adding positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data is predominant. The deviation applies equally to each value.

Micro-Aggregation: In the micro-aggregation method, all data are first grouped in a meaningful order (such as from large to small), and the value obtained by taking the average of each group is written in place of the relevant data in that group, thereby providing anonymity.

Data Exchange: In the data exchange method, the values of a variable are exchanged between the pairs selected from the stored data. In this method, which is used for data that can be categorized in general, the aim is to transform the database by replacing the data of the data owners with each other.

Pursuant to Article 28 of the KVKK, where personal data is anonymized and processed through official statistics for purposes such as research, planning and statistics, this situation will be outside the scope of the Law and explicit consent will not be required.

OTHER MATTERS
In case of inconsistency between KVKK and other relevant legislation provisions and this Policy, KVKK and other relevant legislation provisions will be applied first.

This Policy prepared by Vepamed Kozmetik entered into force on 10.11.2020. In case of a change in the Policy, the effective date of the Policy and related articles will be updated accordingly.
