​​​​

1. Purpose​

​

This Policy has been prepared to set out the procedures and principles regarding the retention and destruction of personal data processed by İstanbul Ekspres Ticaret ve Nakliyat A.Ş. within the scope of the Law on the Protection of Personal Data No. 6698 (“KVKK”); and to transparently define the management of data retention periods as well as the processes of deletion, destruction, and anonymization.

​

2. Scope

​

This Policy covers all personal data belonging to our customers, potential customers, employees, employee candidates, interns and students, supplier/subcontractor employees and representatives, shareholders/partners, visitors, and other third parties whose data is processed.
It applies to all data processed through automated means or by non-automated means, provided that it is part of a data recording system.

​

3. Legal Basis​

​

This Policy is based on KVKK, secondary legislation, decisions/guidelines of the Personal Data Protection Board, and other relevant legal provisions.​

​

4. Definitions

​

• Law/KVKK: Law on the Protection of Personal Data No. 6698

• Personal Data / Special Categories of Personal Data

• Destruction: The entirety of deletion, destruction, or anonymization processes

• Periodic Destruction: Destruction carried out at regular intervals once the reasons requiring processing under the Law no longer exist

• Data Controller: İstanbul Ekspres Ticaret ve Nakliyat A.Ş.

• VERBİS: Data Controllers’ Registry Information System

​

5. Roles and Responsibilities

​

Processes related to personal data protection are carried out under the supervision of senior management and coordinated by the KVKK Compliance Team/Committee.

​

• Unit managers are responsible for implementing retention–destruction procedures within their areas.

• The Information Security Department applies technical measures.

• The Human Resources and Legal Departments monitor compliance with legislation and internal procedures.

​

6. Retention Principles and Legal Grounds​

​

Personal data shall be:

​

• Processed lawfully and fairly,

• Accurate and kept up to date when necessary,

• Collected for specific, explicit, and legitimate purposes,

• Relevant, limited, and proportionate to the purposes for which they are processed,

• Retained for the period stipulated in relevant legislation or required for the processing purpose.​

​

Data is retained on the legal grounds specified in Articles 5 and 6 of the KVKK (e.g., establishment/performance of a contract, legal obligation, legitimate interest, compliance with law, establishment/protection of a right, explicit consent, etc.).

​​

​

7. Retention Periods​

​

İstanbul Ekspres Ticaret ve Nakliyat A.Ş. retains data for periods explicitly prescribed in legislation or for as long as required for the processing purpose. Once the period expires or the reason for processing no longer exists, destruction processes are initiated.

Note: An internal “Retention Periods Table” defines practical timeframes for each data category (e.g., CCTV recordings – 30 days; payroll/personnel files – 10 years; contracts and financial documents – 10 years; visitor logs – 2 years) and is updated periodically.

​

8. Access, Security, and Technical/Administrative Measures​

​

• Access rights are managed on a need-to-know basis; an authorization matrix is applied.

• Strong passwords, 2FA, logging, network security components, patch management, and anti-malware protections are implemented.

• Encryption and, where necessary, masking techniques are applied.

• Physical storage includes locked systems, prevention of unauthorized access, and safeguards against environmental risks.

• Contracts with third parties include confidentiality and security provisions in line with KVKK.

• Employees receive regular KVKK awareness training.

​

9. Destruction Processes​

​

9.1 Reasons for Destruction​

​

• Expiration of the retention period,

• Elimination of the purpose of processing,

• Valid requests for deletion/destruction/anonymization by the data subject under the Law,

• Mandatory destruction pursuant to Board decisions or legislation.

​

9.2 Methods of Destruction

​

• • Deletion: Secure deletion from application databases, removal of user-based access, clearing of directories/indexes.

  • Destruction: Physical destruction (shredding/grinding), magnetic destruction, or making data irreversibly unusable.

  • Anonymization: Techniques such as masking, derivation, generalization, randomization, or aggregation to render data non-identifiable.

​

9.3 Periodic Destruction

​

Periodic destruction is carried out at least every six months. Destruction decisions, methods, and dates are recorded in Destruction Logs.​

​

9.4 Destruction upon Request

​

Upon data subject application, deletion/destruction/anonymization is carried out using the appropriate method after evaluating legal retention obligations and legitimate interests. The applicant is informed of the outcome.​

​

10. Records and Audits​

​

Destruction records are kept for at least 3 years. The Company conducts regular internal audits under Article 12 of KVKK and improves processes when necessary.​

​

11. VERBİS and Updates​

​

Where the Company is subject to VERBİS obligations, registrations and notifications are made accordingly. This Policy is published on our Company’s website and updated in line with legislative changes and operational needs.​

​

12. Management of Applications​

​

Data subjects may exercise their rights under Article 11 of KVKK through:

​

• Written applications to the Company address,

• Secure electronic signature applications via KEP,

• Application channels available on the Company’s website.

• ​

Applications are finalized within 30 days. If the process incurs additional costs, fees may be charged according to the tariff set by the Board.

​

13. Enforcement and Execution

​

This Policy enters into force with the approval of senior management and is executed by İstanbul Ekspres Ticaret ve Nakliyat A.Ş.​