
Data Subject Request Form
Happy Place to Work processes and stores personal data in secure environments, in compliance with the Personal Data Protection Law. Data is retained only for legally required periods, transferred when necessary, and destroyed or anonymized after expiry. Technical and administrative measures ensure confidentiality, while data subjects may exercise their rights through designated application channels.
Policy on the Retention, Transfer, and Destruction of Personal Data Pursuant to Law No. 6698 on the Protection of Personal Data
This Policy on the Retention, Transfer, and Destruction of Personal Data (the “Policy”) has been prepared by Happy Place to Work Research Education Consultancy Ltd. Co. (“Company” or “HPW”) pursuant to Article 16 of the Personal Data Protection Law (“PDPL”) and Article 5 of the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (the “Regulation”), as required by legal obligations set forth therein.
This Policy applies to personal data of employees, employee candidates, business partners, visitors, clients, clients’ employees, and other third parties. The provisions of this Policy are applied in all recording environments where personal data is processed or managed by the Company.
Definitions
Personal Data Protection Law (“PDPL”): Law No. 6698 on the Protection of Personal Data.
Disclosure Statement: The HPW PDPL Disclosure Statement.
Processing of Personal Data: Any operation performed on personal data, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, sharing, classifying, or rendering it inaccessible, up to and including deletion, destruction, or anonymization.
Data Subject: The natural person whose personal data is processed.
Explicit Consent: Consent that is specific to the subject matter, informed, and freely given.
Data Controller: The natural or legal person responsible for determining the purposes and means of processing personal data and managing the data recording system.
Destruction: Deletion, destruction, or anonymization of personal data.
Deletion of Personal Data: Rendering personal data completely inaccessible and unusable by relevant users.
Destruction of Personal Data: Rendering personal data completely inaccessible, irretrievable, and unusable by anyone.
Anonymization of Personal Data: Rendering personal data non-associable with an identified or identifiable natural person, even when matched with other data.
Primary Methods for Obtaining Personal Data
The Company prioritizes the security of personal data at the highest level. Personal data primarily originates from corporate entities receiving services from the Company, with clients transferring the personal data of their employees. Responsibility for obtaining necessary permissions for such transfers lies exclusively with the data controller client. The Company has no legal obligation to verify or investigate such permissions but informs participants through a comprehensive Disclosure Statement about how personal data is collected, processed, and protected.
Internal Responsibilities
The Company ensures that personal data is processed and stored in compliance with applicable laws and sectoral standards through administrative and technical measures. Employees are required to adhere to this Policy and the provisions outlined in the Disclosure Statement. The Policy is regularly updated to align with legal changes.
Personal Data Storage Environments
Personal data is stored electronically on Company computers, email servers, and secured networks, as well as physically in written, printed, or visual formats. Electronic storage includes secure databases and cloud systems protected by encryption and firewall measures. Physical storage environments are accessible only to authorized personnel.
Retention and Destruction Principles
The Company retains and destroys personal data in compliance with legal requirements. Data destruction includes deletion, destruction, or anonymization methods, as outlined in the Policy.
Administrative Measures:
Confidentiality agreements with employees.
Disciplinary procedures for non-compliance with security policies.
Periodic and random audits.
Information security training for employees.
Prohibition of sharing personal data outside operational requirements.
Technical Measures:
Use of secure storage environments.
Encryption for data transmission and storage.
Monitoring unauthorized access attempts.
Regular system penetration tests.
Use of secure passwords and data backup systems.
Retention Periods
Personal data is retained for the duration specified in applicable laws and regulations. Examples include:
Contracts: Retained for 10 years after expiration.
Customer complaints and requests: Retained for 10 years.
Visitor records: Retained for 2 years.
Camera footage: Retained for 3 months.
Data Transfer
Personal data may be transferred domestically or internationally within the framework of Articles 5 and 6 of the PDPL, ensuring compliance with data processing principles.
Domestic Transfers:
Data may be shared with local business partners and authorized recipients.
International Transfers:
Data may be transferred to countries with adequate data protection standards. Where the destination country does not have such standards, transfers occur using standard contractual clauses or equivalent guarantees.
Data Destruction Techniques
Deletion:
Data stored electronically is rendered inaccessible to all except database administrators.
Data in physical form is shredded or rendered unreadable.
Destruction:
Paper records are destroyed using shredders.
Optical and magnetic media are physically destroyed or exposed to high magnetic fields.
Anonymization:
Techniques include variable removal, regional masking, and k-anonymity to ensure data cannot be linked to an individual.
Periodic Destruction
Periodic destruction of expired data is conducted twice annually, in June and December, by the IT Department.
Publication, Storage, and Updates
This Policy is available in both electronic and physical formats. It is updated as needed due to legislative changes or process modifications. Older versions are retained for five years after deactivation.
This Policy is effective upon publication, and compliance with updates is mandatory for all employees and relevant stakeholders.