- Introduction
- Recording media
- Explanations Related to Retention and Destruction
- Administrative and Technical Measures
- Techniques for Destroying Personal Data
- Retention and Destruction Periods
- Periodic Destruction Interval
- Publication and Retention of the Policy
- Policy Update Cycle
- Implementation and Suspension of the Policy
Introduction
Objective
At Oragon Portfolio Management Company, we place great importance on retaining, destroying, or anonymizing personal data within the appropriate time frame, in accordance with the Constitution of the Republic of Turkey, the Personal Data Protection Law No. 6698, the Regulation No. 30224 on the Deletion and Anonymization of Personal Data ("Regulation"), which came into force upon its publication in the Official Gazette on 28-10-2017, and other relevant laws related to personal data. This applies to the personal data of our employees, job candidates, trainees, and candidates for training; our shareholders/partners; the authorized representatives of the suppliers we deal with (both natural and legal persons) and the employees of those suppliers; our clients and the employees of our clients; the members of the boards of directors/management; the authorized representatives of our clients (both natural and legal persons); the authorized representatives of our partners (both natural and legal persons); and our visitors.
For this reason, we determine and implement the maximum period required for the purpose for which all personal data obtained during our business operations is retained and the time and procedures for destroying it in accordance with the Personal Data Retention and Destruction Policy ("Policy").
Additionally, while storing and destroying personal data, we take all kinds of technical and administrative measures to prevent the illegal storage and destruction of this data. At Oragon Portfolio Management, we place importance on protecting the privacy of personal data and ensure the highest level of data security during the storage and destruction of personal data. This Policy contains explanations about the methods we follow regarding the storage and destruction of personal data that we obtain during our activities.
Scope
This Policy covers all personal data of natural persons processed by Oragon Portfolio Management, including employees, job candidates, trainees, candidates for training, shareholders/partners, suppliers (natural persons)/officials of supplier companies (legal persons), employees of suppliers, potential suppliers, clients, potential clients, directors/members of the board of directors, clients (natural persons)/officials or employees of client companies (legal persons), business partners (natural persons)/officials of business partner companies (legal persons), and visitors.
This Policy relates to the storage and destruction of the personal data processed by Oragon Portfolio Management in all types of electronic and printed media, and has been prepared in consideration of the Personal Data Protection Law, other relevant personal data legislation, international regulations, executive regulations, and guiding documents in this field.
Definitions and Abbreviations
| Concept | Definition |
|---|---|
| Electronic Medium | Media where personal data can be created, read, altered, and written using electronic devices. |
| Destruction | The process of deleting, destroying, anonymizing, or erasing personal data. |
| Data Subject | The person whose personal data is being processed. |
| Relevant User | The person who processes personal data within the institution affiliated with the data controller or as per the authorizations and instructions from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Anonymization | Actions such as deletion, masking, or binding of all personal data in a way that it is not associated with identified or identifiable real individuals. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Board | Personal Data Protection Board. |
| Policy | The policy that data controllers rely on to determine the maximum time required for the purpose of processing personal data, as well as the process of deletion, destruction, and anonymization. |
| Anonymization of Personal Data | Rendering personal data anonymized in such a way that it is impossible to link the data to a specific individual, even when matched with other data. |
| Deletion of Personal Data | Making personal data that is processed entirely or partially inaccessible and unusable by relevant users in any way. |
| Destruction of Personal Data | Making personal data inaccessible, irretrievable, and unusable by any person in any way. |
| Periodic Destruction | The process of deletion, destruction, or anonymization carried out ex officio at regular intervals specified in the personal data retention and destruction policy, in cases where all conditions for processing personal data no longer exist as determined by the Personal Data Protection Board. |
| Personal Data Processor | The person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Personal Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Regulation | The Executive Regulation on the Deletion, Destruction, or Anonymization of Personal Data, which came into force upon its publication in the Official Gazette on 28.10.2017 and bears the number 30224. |
Recording media
At Oragon Portfolio Management Company, we utilize the following recording media to store the personal data we obtain during the performance of our activities in accordance with legal timeframes.
| Electronic Media | Non-Electronic Media |
|---|---|
| Email and file server | Classifiers |
| Mobile devices (such as phones and tablets) | Hard copy files |
| Portable storage devices | |
| Desktops and laptops | |
| Databases | |
| External disks | |
| Cloud environments | |
Explanations Related to Retention and Destruction
Oragon Portfolio Management Company retains personal data of employees, job candidates, trainees, candidates for training, shareholders/partners, suppliers (natural persons) /officials of supplier companies (legal persons), employees of suppliers, potential suppliers, clients, potential clients, directors/members of the board of directors, clients (natural persons)/officials or employees of client companies (legal persons), business partners (natural persons)/officials of business partner companies (legal persons), and visitors, and destroys data in accordance with the Personal Data Protection Law. In this context, we list below the detailed explanations related to retention and destruction in order.
Explanations Related to Retention
Many regulations within the legislation require the retention of personal data for a specified period. Therefore, we store the personal data we process for the period stipulated in the relevant legislation or retain it for the period necessary for processing if no specific timeframe is provided.
In cases where personal data is processed for multiple purposes, the data is deleted, destroyed, or anonymized as required by law once all purposes of processing have been fulfilled, or if there are no legal impediments to deletion, and the data subject requests it.
Legal Requirements for Retention
At Oragon Portfolio Management Company, personal data processed during the company's activities are retained for the period stipulated by law. In this context, the following laws and secondary regulations are complied with:
- Personal Data Protection Law No. 6698
- Turkish Obligations Law No. 6098
- Turkish Commercial Code No. 6102
- Turkish Penal Code No. 5237
- Labor Law No. 4857
- Tax Procedure Law No. 213
- Law No. 5651 on Regulating Broadcasting on the Internet and Combating Cyber Crimes
- Printing Law No. 5681
- Law No. 5846 on Intellectual and Artistic Works
- Law No. 6279 on Collecting Reproduced Intellectual and Artistic Works.
Legal Requirements for Destruction
Personal data is deleted, destroyed, or anonymized by Oragon Portfolio Management Company directly or at the request of the data subject in the following cases:
- Amendment or repeal of the relevant legislative provisions that form the basis for processing.
- The purpose requiring processing or storage is eliminated.
- Personal data is processed only on the basis of explicit consent, and the data subject withdraws their explicit consent.
- According to Article 11 of the Personal Data Protection Law, Oragon accepts the request submitted by the data subject to delete or destroy personal data within the framework of exercising their rights.
- If Oragon rejects the request submitted by the data subject to delete, destroy, or anonymize their personal data if it finds the request unjustified, or if a request for deletion contrary to the provisions of the Personal Data Protection Law is submitted, or if Oragon files a complaint related to the request to the board and its objection is approved.
- The maximum period required for retaining personal data has expired and there is no reason to justify retaining personal data for a longer period.
Administrative and Technical Measures
Technical and administrative measures are taken by Oragon Portfolio Management Company within the framework of the appropriate measures determined and announced by its Board of Directors, with respect to special personal data according to Article 12 and paragraph 4 of Article 6 of the Personal Data Protection Law to securely store personal data, prevent illegal processing and access, and destroy personal data according to the law. Below is a statement of the measures taken by Oragon Portfolio Management Company regarding the personal data it processes:
- Network security and application security are ensured.
- A closed network system is used to transfer personal data across the network.
- Necessary measures for key management are taken.
- Necessary security measures are taken to ensure the security of personal data within the scope of purchasing, developing, and maintaining IT systems.
- The security of personal data stored in the cloud network is ensured.
- Disciplinary regulations include data security provisions for employees.
- Data security training and awareness activities for employees are organized regularly.
- An authorization matrix is prepared for employees.
- Access records are kept regularly.
- Company policies on access, information security, use, storage, and disposal are prepared and implemented.
- Confidentiality commitments are made.
- Authorizations of employees who change roles or leave their jobs are canceled.
- Modern antivirus systems are used.
- Firewalls are used.
- Signed contracts include data security provisions.
- Data security policies and procedures are determined.
- Data security issues are reported promptly.
- Data security is monitored.
- Necessary security measures are taken to enter and exit physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fires, floods, etc.).
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Personal data is backed up, and the security of backed-up personal data is ensured.
- A user account management and authorization control system is implemented and monitored.
- Regular and/or random internal audits are carried out and implemented.
- Log records are kept without user intervention.
- Existing risks and threats are identified.
- Intrusion detection and prevention systems are used.
- Penetration testing is applied.
- Cybersecurity measures are taken and continuously monitored.
- Data processors are periodically audited for data security.
- Data processor awareness is ensured.
Techniques for Destroying Personal Data
At the end of the period stipulated by the relevant law or at the end of the retention period required for the purpose for which it is processed, personal data is destroyed by Oragon by law or at the request of the data subject using the following techniques.
Deletion of Personal Data
At Oragon Portfolio Management Company, we delete personal data in compliance with the law using the following techniques:
| Data Recording Media | Explanation |
|---|---|
| Personal data in physical media | Personal data in physical media is deleted using the anonymization method or by storing the document in a secure environment that relevant users cannot access in any way. |
| Personal data in databases | Relevant users are prevented from accessing personal data in the database by defining roles and permissions. |
| Personal data in central servers | The access rights of the relevant user to the folder containing personal data files are removed. |
| Personal data in portable devices (such as USB, hard disk, CD, DVD) | The relevant user is prevented from accessing the file. |
Destruction of Personal Data
The techniques we use at Oragon Portfolio Management for the destruction of personal data in accordance with the law are as follows:
| Data Recording Media | Explanation |
|---|---|
| Personal data in physical media | Personal data in physical media is destroyed by shredding with a paper shredder or by burning. |
| Personal data on peripheral devices (network devices, flash-based media, optical systems, etc.) and local systems | Devices containing personal data are destroyed through physical processes such as burning, shredding into small pieces, or dissolving. Additionally, the personal data on the device is made unreadable by demagnetization. Furthermore, old data is destroyed by overwriting the existing data with random data using special software, preventing the recovery of old data. |
| Personal data in cloud environments | Personal data in cloud environments is encrypted during storage and use, and personal data in these environments is destroyed by destroying the passwords used. |
Anonymization of Personal Data
Anonymization of personal data means rendering personal data unidentifiable or not linked to any specific individual under any circumstances, even if the personal data is matched with other data. For personal data to be considered anonymized, it must be impossible to link the data to any specific natural person, even when the data controller or third parties use techniques suitable for the recording medium and the related field of activity, such as restoring the personal data and/or matching the data with other data.
Retention and Destruction Periods
The IT Unit deletes, destroys, or anonymizes personal data that has reached the end of its retention period by law. The retention periods for personal data are determined within the framework of the periods specified in the relevant legislation. In this context, if the retention of the relevant data by Oragon Portfolio Management is considered within the scope of legal compliance reasons specified in Articles 5 and 6 of the Personal Data Protection Law regarding personal data and special categories of data, the retention periods for the relevant personal data are determined based on the legal compliance reasons. The destruction of personal data is carried out by Oragon in accordance with the retention periods determined by considering the relevant legislation for each case. Personal data that has reached the end of its retention period is deleted, destroyed, or anonymized during the periodic destruction periods determined by Oragon.
| Operations | Retention Period | Destruction Period |
|---|---|---|
| Operations related to job candidates | 2 years from the date of application if the process ended negatively; 10 years from the end of the employment relationship if the process ended positively | During the first periodic destruction period after the end of the retention period |
| Operations related to contractual relationships | 10 years from the date of contract termination | During the first periodic destruction period after the end of the retention period |
| Record tracking systems | 2 years from the date of registration | During the first periodic destruction period after the end of the retention period |
| Retention of camera records | 6 months from the date of recording | During the first periodic destruction period after the end of the retention period |
| Litigation and enforcement procedures | 3 years from completion for court case files; 10 years from contract termination for contracts | During the first periodic destruction period after the end of the retention period |
Periodic Destruction Interval
The periodic destruction interval has been set by Oragon at 6 months, based on Article 11 of the relevant executive regulation.
Publication and Retention of the Policy
This policy is published by Oragon on its website www.oragonpy.com and is announced to the relevant employees via email.
Policy Update Cycle
The policy is reviewed once a year and updated as needed and when changes necessitate amendment.
Implementation and Suspension of the Policy
This policy comes into effect on 01.01.2024. In case of cancellation or amendment of the policy, this will be announced by Oragon to the relevant employees via email. Oragon retains the canceled policy for 5 years.