Personal Data Storage and Disposal Policy (Policy), PİLOT GARAGE OTOMOTİV INCORPORATED COMPANY (“Company”), whose personal data is processed; Personal data of employee, employee candidate, dealer employee, dealer official, apprentice, supplier, product or service buyer, web page visitor It aims to determine and announce the business rules of storage and destruction by the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (Law) and other relevant legislation.

1.2. Definitions

Receiver Group	:	The category of natural or legal persons to whom the data controller transfers personal data.
Express Assent	:	Consent on a particular subject is based on the information and expressed with free will.
Anonymization	:	Making the personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee	:	Company staff
Electronic Media	:	Environments where personal data can be created, read, changed, and written by electronic devices.
Non-Electronic Media	:	All written, printed, visual etc. other than electronic media. other environments.
Service Provider	:	A natural or legal person who provides services within the framework of a certain contract with the company.
Related Person	:	The natural person whose personal data is processed.
Related User	:	Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction	:	Deletion, destruction, or anonymization of personal data
Law	:	Law No. 6698 on the Protection of Personal Data.
Board	:	Personal Data Protection Board.
Recording Media	:	Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Personal Data	:	Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory	:	Personal data processing activities are carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group, and the data subject group, by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures are taken regarding data security.
Processing of Personal Data	:	Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system Any operation performed on data such as
Company	:	PİLOT GARAGE OTOMOTİV INCORPORATED COMPANY
Special Qualified Personal Data	:	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction	:	The deletion, destruction, or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the law are eliminated.
Policy	:	Personal Data Retention and Disposal Policy
Data Processor	:	The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System	:	The registration system in which personal data is processed and structured according to certain criteria.
Data Controller	:	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System	:	An information system created and managed by the Presidency, accessible over the internet, to be used by the data controllers in the application to the Registry and other related transactions related to the Registry.
VERBİS	:	Data Controllers Registry Information System
Regulations	:	Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the company are responsible for the implementation of the technical and administrative measures taken within the scope of the Policy, training, and awareness of the unit employees, prevention of illegal processing of personal data by monitoring and continuous inspection, prevention of illegal access to personal data and protection of personal data. It actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure that it is stored in accordance with the law.

The distribution of the titles and job descriptions of those involved in the storage and destruction processes of personal data is given in the table below.

DEGREE	JOB DESCRIPTION
Data Controller Contact Person	The main duties of the contact person are to design, plan, perform and organize the relevant actions, to ensure the audits, the work, and transactions that need to be done within the framework of the procedures and principles set forth in the PDPL on behalf of the data controller.
Archive Officer	Carrying out the processes of processing, storing, deleting, destroying, and anonymizing the personal data kept in the archive.
PDP Team Member	On behalf of the Data Controller, it helps to keep the PDPL processes alive by supporting the Data Controller's Contact Person to design, plan, and perform the work and operations that need to be performed within the framework of the procedures and principles set out in the PDPL and to provide the relevant audits

3. RECORDING MEDIUM

Personal data is stored securely by the Company in accordance with the law in the environments listed in the table below.

ELECTRONIC MEDIA

NON-ELECTRONIC MEDIA

Servers (backup, email, database, web, file sharing, etc.)
Software (Office Software, Pilot Garage Auto Expertise Online, OPOS, ATIKER, ATIKSE, Amazon Web S3)
Information security devices (firewall, log log file, anti virus, etc.)
Personal computers (Desktop, laptop)
Mobile devices (phone, tablet, etc.)
Optical discs (CD, DVD, etc.)
Removable memories (USB, Memory
Card etc.)
Printer, Scanner, Copier Machines

Paper
Written, printed, and visual media

4. STORAGE AND DESTRUCTION OF PERSONAL DATA

The personal data belonging to the employee, employee candidate, dealer employee, dealer official, apprentice, supplier, product or service buyer, and web page visitor are stored and destroyed by the Company in accordance with the Law.

In this context, detailed explanations about storage and destruction are given below, respectively.

4.1. Explanation Of Storage

Article 3 of the law defined the concept of the processing of personal data in Article 4, the personal data processed in connection with the purpose they are processed, limited and restrained to be stipulated in the relevant legislation or for the purpose they are processed, and retained as long as required should be indicated that in terms of the processing of personal data in Article 5 and 6 were counted. Accordingly, the Company stores personal data within the framework of its activities for the period stipulated in the relevant legislation or in accordance with our processing purposes.

4.2. Legal Reasons for Concealment

The personal data processed in the Company within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data;

Law No. 6698 on the Protection of Personal Data,
Turkish Code of Obligations No. 6098,
Tax Procedure Law No. 213,
Income Tax Law No. 193,
Social Insurance and General Health Insurance Law No. 5510,
Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight against Crimes Committed Through These Publications,
Occupational Health and Safety Law No. 6331,
Labor Law No. 4857,
Regulation on the Supervision And Control of Food Safety And Quality,
Regulation on the trade of second-hand motor vehicles
Regulation,
Contracts,
Other secondary regulations in force in accordance with these laws

It is stored within the framework of the prescribed storage periods.

4.3. Processing Purposes Requiring Storage

The company is responsible for carrying out emergency management processes, information security processes, employee candidate/trainee/student selection, and placement processes, application processes for employee candidates, employee satisfaction and loyalty processes, employment contract, and legislation for employees. Fulfillment of obligations arising from, the execution of fringe benefits and benefits processes for employees

executing audit / ethical activities, executing vehicle inquiry processes, executing dealer opening processes, executing appointment processes, executing training activities, executing access authorizations, executing activities by the legislation, executing financial and accounting works, executing company/product/services loyalty processes, physical providing space security, executing assignment processes, following and executing legal affairs, conducting internal audit/investigation/intelligence activities, conducting communication activities, planning human resources processes, conducting / auditing business activities, carrying out occupational health/safety activities, improving business processes. purchase and evaluation, execution of business continuity activities, execution of goods / services purchasing processes, execution of goods / services after-sales support services, goods / services Execution of meat sales processes, execution of goods / services production and operation processes, execution of customer relations management processes, execution of activities for customer satisfaction, organization and event management, execution of marketing analysis studies, execution of performance evaluation processes, execution of advertising / campaign / promotion processes, risk execution of management processes, execution of storage and archive activities, execution of contract processes, follow-up of requests / complaints, ensuring the security of movable goods and resources, conducting supply chain management processes, conducting wage policy, conducting marketing processes of products / services, ensuring the security of data controller operations, investment processes, carrying out talent / career development activities, informing authorized persons, institutions and organizations, and carrying out management activities.

4.4. Reasons for Destruction

Personal data;

Amendment or interest of the relevant legislation provisions that constitute the basis for processing,
The disappearance of the purpose that requires its processing or storage,
In cases where the processing of personal data takes place only in accordance with the condition of explicit consent, the person concerned should withdraw his/her explicit consent,
Acceptance of the application made by the Company regarding the deletion and destruction of personal data within the framework of the rights of the relevant person in accordance with Article 11 of the Law,
Of personal data by the company's related person deletion, destruction, or anonymization to reject the reference to find out the answer with the demand itself or in the law in cases that do not respond within the stipulated time; and this request is approved by the board to file a complaint to the board,
The maximum period requiring the storage of personal data has elapsed and there are no conditions that justify storing personal data for a longer period of time,

In their case, they are deleted, destroyed or ex officio deleted, destroyed, or anonymized by the Company at the request of the person concerned.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

Secure storage of personal data, unlawful processing, and access with the Prevention of personal data to be disposed of in accordance with the law with Article 12 of the law pursuant to the fourth paragraph of Article 6 of the act, for adequate measures to be determined by the board of a private nature within the framework of personal data by the company technical and administrative measures, are taken.

5.1. Technical Measures

The company employs knowledgeable and experienced people in order to ensure data security. Infrastructure investments are made in accordance with the developing technology. It provides the installation of software and hardware that includes virus protection systems and firewalls. It uses the versions of its systems that have taken the necessary security measures against current and known vulnerabilities, and log records of the systems are taken. Access permissions are checked at certain periods. Reports the information obtained as a result of checking the security of the systems to the relevant persons. The points that pose a risk are identified and the necessary technical measures are taken. It ensures that the measures taken are kept alive continuously with the controls. Physical security measures are kept at the highest level with camera systems within the company. Media monitoring of the digital media where personal data is kept is provided.

5.2. Administrative Measures

The company takes the necessary administrative measures in order to ensure the security of personal data and supervises the employees' work according to these measures. Controls access permissions. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Law, that they cannot use it outside the processing purpose, and that this obligation will continue after they leave their positions. For the improvement of the quality of employees, to prevent unlawful processing of personal data, personal data, and to prevent access and the provision of unlawful storage of personal data, communication techniques, and training is provided. The necessary commitments are taken from the employees in this direction. A personal data inventory is being prepared. In relation to the sharing of personal data with third parties, it signs a confidentiality agreement with the persons to whom personal data is shared or ensures the security of personal data with the provisions that it will add to the contracts. The third parties to whom personal data is shared accept the provisions that they will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their organizations. The Company takes the necessary measures to protect the special quality personal data, which is determined as “special quality” by Law and processed in accordance with the law. Sensitivity is shown for special quality personal data in the technical and administrative measures taken to protect personal data. It provides the necessary Information Security Awareness Training and PDP training to employees.

6. PERSONAL DATA DISPOSAL TECHNIQUES

The Company destroys the personal data obtained in accordance with the request of the personal data owners, provided that it is not required to use it for legal obligations, due to or for the protection of public order, and provided that it does not affect business processes.

6.1. Deletion of Personal Data

The methods of deletion of personal data are indicated in the table below.

Data Recording Environment	Description
Personal Data Contained in the Servers	For those who have expired the period requiring storage of personal data contained in the servers, the deletion process is performed by the system administrator by removing the access authorization of the relevant users.
Personal Data Contained in Electronic Environment	The expired period requiring storage of personal data contained in electronic media is made inaccessible and unusable in any way for other employees (related users), except for the database administrator.
Personal Data Contained in the Physical Environment	For those who have expired the period requiring storage of personal data stored in a physical environment, it is made inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the dimming process is also applied by drawing/ painting/erasing in a way that cannot be read.
Personal Data Contained in Portable Environment	The period of time that requires the storage of personal data stored on Flash-based storage media is encrypted by the system administrator, access is authorized only to the system administrator, and stored in secure environments with encryption keys.

6.2. Destruction of Personal Data

The methods of destruction of personal data are indicated in the table below.

Data Recording Environment	Description
Personal Data in Physical Environment	Of the personal data in the paper medium, the ones that need to be kept, which have expired, are irreversibly destroyed in the paper clipping machines.
Personal Data in Optical / Magnetic Environment	Personal data on optical media and magnetic media, which require their storage, are rendered physically unreadable, irreversibly.

6.3. Anonymization of Personal Data

Anonymization of personal data is to make personal data unable to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

To be " anonymized personal data; personal data or third parties responsible for the data to be returned by and/or with other data, such as data recording media in terms of matching the field through the use of appropriate techniques and related activity, or even specific ID cannot be associated with an identified or identifiable natural person must be made.

7. STORAGE AND DISPOSAL TIMES

In relation to the personal data processed by the Company within the scope of its activities;

The retention periods on the basis of personal data related to all personal data within the scope of the activities carried out depending on the processes are included in the Personal Data Processing Inventory.;
Storage periods based on data categories are registered to VERBIS;

is located.

Updates are made by the PDP team on these retention periods, if necessary.

For personal data whose retention periods have expired, the process of deleting, destroying, or anonymizing them ex officio is carried out by the PDP team.

The storage periods of personal data are indicated in the table below.

Data	STORAGE PERIOD
Personal Data	15 Years From The End Of Business Activity
Employee Health Data	15 Years From The End Of Business Activity
Camera Recordings	2 years
Internet Logs	2 years
Employee Candidate Information	1 year
Accounting Records	10 years

8. PERIODIC DISPOSAL TIME

In accordance with Article 11 of the Regulation, the Institution has determined the periodic destruction period as 6 months. June December Accordingly, periodic disposal is carried out in the company every year in June and December.

9. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media, wet signed (printed paper) and electronic, and disclosed to the public on the website. The printed paper copy is also stored in the PDPL file by the PDP team leader.

10. POLICY UPDATE PERIOD

The policy is reviewed as needed and the necessary sections are updated.

11. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The policy is considered to have entered into force after its publication on the Company's website. In case it is decided to repeal, the old copies of the Policy with wet signature are canceled by the PDP team leader and signed (cancellation is written) and stored in the PDPL folder for at least 5 years.