COSMIC TICKETS & AUDIOS
PERSONAL DATA RETENTION AND DESTRUCTION POLICY

  1. INTRODUCTION
    • Purpose
    • Scope
      1. Abbreviations and Definitions
  1. RESPONSIBILITIES AND TASK DISTRIBUTION
  2. RECORDING ENVIRONMENTS
  3. EXPLANATIONS REGARDING RETENTION AND DESTRUCTION
  4. Explanations Regarding Retention and Protection
    • Legal Reasons Necessitating Storage
    • Reasons for Retention Based on Processing Purposes
  5. Explanation of Destruction and Reasons Necessitating Destruction
  6. TECHNICAL AND ADMINISTRATIVE MEASURES FOR SECURE RETENTION
  7. Technical Measures
  8. Administrative Measures
  9. Additional Measures for the Protection of Special Categories of Personal Data
  10. TECHNIQUES FOR THE DESTRUCTION OF PERSONAL DATA
    • Deletion of Personal Data
    • Destruction of Personal Data
    • Anonymization of Personal Data
  11. RETENTION AND DESTRUCTION PERIODS
  12. PERIODIC DESTRUCTION PERIOD
  13. PUBLICATION AND STORAGE OF THE POLICY
  14. UPDATE PERIOD OF THE POLICY
  15. ENTRY INTO FORCE AND WITHDRAWAL OF THE POLICY

1.     INTRODUCTION

1.1.  Purpose

This Personal Data Retention and Destruction Policy (“Policy”) is prepared by COSMIC TICKETS AUDIOS TURİZM VE TİCARET A. Ş. (“Company”), in its capacity as the data controller, to establish the procedures and principles related to personal data retention and destruction activities carried out by the Company.

Our Company, in line with its fundamental principles, prioritizes the processing, retention, and destruction of personal data belonging to its employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, business partners, their representatives and employees, visitors, and other relevant third parties, in compliance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“KVKK”), and other applicable legislation. The Company is also committed to ensuring that the rights of the data subjects regarding their personal data are effectively protected.

All personal data retention and destruction processes are carried out by the Company in accordance with this Policy. In this way, the Company ensures the necessary transparency by informing personal data subjects and showing all their rights and the methods and procedures for exercising these rights. With full awareness of our responsibility in this regard, your personal data is processed and retained within the scope of this Policy.

1.2.  Scope

All personal data processed automatically or through non-automated means, provided that they are part of a data recording system, concerning the Company’s employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, agents, business partners, their representatives and employees, visitors, and other third parties in contact with our Company, fall within the scope of this Policy.

This Policy applies to all recording environments where personal data and special categories of personal data are processed, such as physical records, electronic systems, websites, and social media platforms owned or managed by the Company, as well as to all activities related to the processing of personal data.

Under the Personal Data Protection Law No. 6698 (“KVKK”), special importance is attached to certain personal data due to the risk of causing harm or discrimination if processed unlawfully. These data are the special categories of personal data described in the Abbreviations and Definitions Table below. Our Company is committed to protecting the personal data classified as “special categories” under the KVKK and to processing it in accordance with the law.

In this context, the technical and administrative measures taken by the Company for data retention are applied with greater care concerning special categories of personal data, and necessary audits are conducted within the Company. Additional measures for the retention of special categories of personal data are detailed in sections 5.1 and 5.2 of this Policy.

In matters concerning the processing, retention, and destruction of personal data, the relevant legal regulations in force will take precedence. In the event of any inconsistency between the applicable legislation and this Policy, our Company acknowledges that the applicable legislation will take precedence. This Policy is designed to concretize and regulate the rules established by the relevant legislation within the framework of the Company’s practices.

1.3.  Abbreviations and Definitions

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes, signifying agreement to the processing of their personal data.
Anonymization: The process of removing or altering personal data so that individuals cannot be identified or linked to the data, ensuring that the data can no longer be attributed to a specific person.
Employee / Former Employee: Individuals who are currently or have previously been employed by the Company.
Employee Candidate: Individuals who have not yet established an employment contract with COSMIC TICKETS AUDIOS TURİZM VE TİCARET A. Ş. but are being considered for potential employment.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic (Physical) Environment: All written, printed, visual, and other media that are outside of electronic environments.
Service / Expertise Provider: A natural or legal person who provides services or specialized expertise, such as accounting, workplace health and safety, information technology, or legal consultancy, to COSMIC TICKETS AUDIOS TURİZM VE TİCARET A. Ş. under a specific contract.
Data Subject: The natural person whose personal data is being processed.
Relevant Employee: Individuals within the data controller organization or those processing personal data under the authority and instructions received from the data controller.
Destruction: The process of deleting, eliminating, or anonymizing personal data.
Law: The Personal Data Protection Law No. 6698.
Recording Environment: Any environment where personal data is stored, whether processed wholly or partly through automated means or as part of a non-automated data recording system.
Personal Data: Any information related to an identified or identifiable natural person.
Personal Data Processing Inventory: A detailed record maintained by data controllers that outlines the personal data processing activities related to their business processes. It includes information on the purposes and legal grounds for processing personal data, data categories, recipient groups to whom the data is transferred, and data subject groups. It also specifies the maximum retention periods required for the data, any anticipated transfers to foreign countries, and the measures taken to ensure data security.
Processing of Personal Data: Any operation or set of operations performed on personal data, either wholly or partly automated, or non-automated as part of a data recording system. This includes obtaining, recording, storing, retaining, modifying, rearranging, disclosing, transferring, acquiring, making accessible, classifying, or preventing the use of personal data.
Board: The Personal Data Protection Board.
KVKK: The Personal Data Protection Law No. 6698.
Special Categories of Personal Data: Data related to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and attire, membership in associations, foundations, or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The process of deleting, eliminating, or anonymizing personal data at regular intervals, as stipulated in the data retention and destruction policy, once all conditions for processing personal data under the law have ceased to exist. This process is conducted automatically at specified intervals.
Policy: The Personal Data Retention and Destruction Policy.
Company: COSMIC TICKETS AUDIOS TURİZM VE TİCARET A. Ş.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
Data Recording System: A system where personal data is processed and structured according to specific criteria.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
VERBİS: Data Controllers Registry Information System (Veri Sorumluları Sicil Bilgi Sistemi).
Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

2.    RESPONSIBILITIES AND TASK DISTRIBUTION 

The Company’s units and employees actively support the responsible departments in ensuring the proper implementation of technical and administrative measures taken under the Policy. This includes training and raising awareness among unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unauthorized access to personal data, ensuring lawful storage of personal data, and ensuring the destruction of personal data once the specified retention periods have expired.

Furthermore, regarding personal data processed and requiring destruction, both the data controller representatives and employees acting in their capacity as data controllers and those processing data on behalf of the Company must not disclose or use the personal data they learn in violation of this Policy and the provisions of the KVKK. This obligation continues indefinitely, including after they leave their positions, in accordance with Article 12/4 of the KVKK.

The titles, departments, and job descriptions of those involved in the personal data retention and destruction processes are provided in Table 1.

Table 1: Distribution of Responsibilities for Retention and Destruction Processes

TITLE | DEPARTMENT | RESPONSIBILITY
Company’s Personal Data Protection Officer | COSMIC TICKETS AUDIOS TURİZM VE TİCARET A.Ş. | Responsible for: The preparation, development, implementation, publication in relevant environments, updating of the Policy, and ensuring that employees act in accordance with the Policy.
Company Data Controller Contact Person | Sales and Marketing | Responsible for: Providing and monitoring the administrative, physical, and technical solutions required for the implementation of the Policy.
Administrative, Financial Affairs, Finance and Accounting, Sales, Marketing, IT Departments | Other Departments | Responsible for: Implementing this Policy in accordance with their respective duties.

 

3.     RECORDING ENVIRONMENTS

The Company stores personal data securely and in compliance with the law in the environments listed in Table 2.

Table 2: Personal Data Storage Environments

Electronic Environments

–  Servers (domain, backup, email, database, web, file sharing, etc.)
–  Office Programs
–  Software (portal, office applications)
–  Information security devices (log files, antivirus, etc.)
–  Personal computers (desktop, laptop)
–  Mobile devices (phones, tablets, etc.)
–  Optical disks (CDs, DVDs, etc.)
–  Removable storage devices (USB drives, memory cards, etc.)
–  Printers, scanners, photocopiers

Non-Electronic Environments

–  Paper
–  Manual data recording systems (e.g., occupational health and safety exam assessments and other completed form documents)
–  Written, printed, and visual media

 

4.     EXPLANATIONS REGARDING RETENTION AND DESTRUCTION

The Company ensures that personal data related to all natural persons listed under the “1.2. Scope” section of this Policy is retained and destroyed in accordance with this Policy and the KVKK.

In this context, detailed explanations regarding retention and destruction are provided below.

4.1.  Explanations Regarding Retention and Protection

Article 3 of Law No. 6698 defines the concept of personal data processing, while Article 4 stipulates that processed personal data must be relevant, limited, and proportionate to the purpose for which it is processed and must be retained for the period required by the relevant legislation or for the duration necessary for the processing purpose. Articles 5 and 6 outline the conditions for processing personal data.

Accordingly, within the scope of the Company’s activities, personal data is retained for the duration specified by the relevant legislation or for the period necessary to fulfill the processing purposes.

In accordance with Article 12 of Law No. 6698, our Company takes the necessary measures to prevent the unlawful disclosure, access, transmission, or other security deficiencies related to personal data, based on the nature of the data being protected. We implement and maintain technical and administrative measures to ensure the required level of security, as outlined in the guidelines published by the Board, and conduct or have conducted audits.

Our Company ensures that necessary training is provided to business units to increase awareness about preventing the unlawful processing of personal data, unauthorized access to data, and ensuring the proper retention of data.

Personal data that is sensitive is given special importance under Law No. 6698 due to the risk of causing harm or discrimination when processed unlawfully. These “special categories” of personal data include information related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.

In this context, the technical and administrative measures taken by our Company for the storage of personal data are also meticulously applied to special categories of personal data. While necessary controls are implemented within our Company, additional measures are also taken for the storage and protection of special categories of personal data. Detailed and sufficient measures regarding the storage and protection of special categories of personal data are outlined in sections 5.1 and 5.2 of this Policy.

  • Legal Reasons Necessitating Storage

In our company, personal data processed as part of our activities is retained for the period specified by the relevant legislation. In this context, personal data is retained in accordance with the following laws and regulations:

  • Law 6698 on the Protection of Personal Data
  • Law 6098 on the Turkish Code of Obligations
  • Law 6102 on the Turkish Commercial Code
  • Law 213 on the Tax Procedure
  • Law 4734 on Public Procurement
  • Law 4857 on the Labor Law and the Labor Courts Law
  • Law 6331 on Occupational Health and Safety
  • Law 5510 on Social Insurance and General Health Insurance
  • Law 5434 on the Retirement Health Law
  • Law 2828 on Social Services
  • Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications
  • Law 6563 on the Regulation of Electronic Commerce
  • Law 5070 on Electronic Signature
  • Law 5809 on Electronic Communications
  • Law 4982 on the Right to Information
  • Law 3071 on the Right to Petition
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions
  • Other secondary regulations in force under these laws
  • Other relevant legal provisions

The data is retained for the periods specified within the framework of these regulations and is subsequently destroyed.

  • Reasons for Retention Based on Processing Purposes

The company retains personal data for the following purposes within the scope of its activities:

  • Managing human resources
  • Ensuring corporate
  • Securing the company’s physical premises, assets, and its commercial, legal, and cyber security in relation to business partners, suppliers, and customers.
  • Conducting statistical
  • Executing business transactions and operations resulting from signed contracts and
  • Creating and updating VERBİS records as
  • Fulfilling legal obligations required or mandated by legal
  • Establishing contact with individuals or entities engaged in a business relationship with the
  • Conducting marketing, market research, analysis, and reporting within legal
  • Managing call center
  • Providing evidence for potential future legal disputes

4.2.  Explanation of Destruction and Reasons Necessitating Destruction

Our company retains personal data for the duration necessary to achieve the purposes for which it was processed and for the minimum period specified by the relevant legal regulations. In this context, our company first determines whether a retention period is prescribed by the applicable regulations. If a period is specified, we comply with it. If no legal period is specified, personal data is retained for the duration necessary to fulfill the processing purposes, taking into account the relevant regulations, general and commercial practices. At the end of the specified retention periods, personal data is destroyed in accordance with periodic destruction intervals or upon the data subject’s request, using the designated destruction methods (such as deletion, destruction, or anonymization).

Personal data will be erased, destroyed, or anonymized by the Company, either ex officio or upon the request of the data subject, during the first periodic destruction process following the date when the obligation to erase, destroy, or anonymize personal data arises pursuant to Article 11/1 of the Regulation, in the following cases:

  • If the relevant legislation provisions, which form the basis for processing, are amended or repealed;
  • Pursuant to Article 7/1 of Law 6698, if the purpose/reasons requiring its processing or retention cease to exist;
  • In cases where personal data processing is based solely on explicit consent, if the data subject withdraws their consent;
  • If the Company accepts the data subject’s request for the erasure or destruction of their personal data within the scope of their rights under Article 11 of the Law;
  • If the data subject lodges a complaint with the Board because the Company has refused their request for the erasure, destruction, or anonymization of personal data, found the response insufficient, or did not respond within the period specified in the Law, and the Board deems the request appropriate;
  • If the maximum retention periods specified in this Policy for retaining personal data have expired, and there are no conditions justifying retaining the data for a longer period.

5.    TECHNICAL AND ADMINISTRATIVE MEASURES FOR SECURE RETENTION

In accordance with Article 12 of the Law on the Protection of Personal Data (KVKK), our company takes the necessary technical and administrative measures listed below to ensure the secure retention of personal data, to prevent unlawful processing and access, and to ensure that personal data is stored and destroyed in compliance with the law. Additionally, pursuant to Article 6, paragraph 4 of the KVKK and the Board’s decision dated 31/01/2018 and numbered 2018/10, adequate additional measures specified and announced by the Board for special categories of personal data are also taken as described below.

5.1.  Technical Measures

The technical measures taken by the Company regarding the personal data it processes are as follows:

  • Network security and application security are In this context, security vulnerabilities are monitored, appropriate security patches are applied, and information systems are kept up to date. Security updates are also monitored, and test results are reported.
  • A closed network system is used for the transfer of personal data over the
  • Secure protocols are used to encrypt access to the Company’s website, and the security updates of the environments are continuously monitored.
  • Key management is
  • Security measures related to the procurement, development, and maintenance of information technology systems are taken. In this context, necessary precautions are taken to ensure the physical security of the Company’s IT equipment, software, and data. Software measures (such as firewalls, intrusion prevention systems, network access control, and anti-malware systems) are taken to protect against environmental threats.
  • The security of personal data stored in the cloud is
  • An authorization matrix is created for employees. Thus, access to IT systems and user authorization is managed through an access and authorization matrix in accordance with corporate policies.
  • The authorities of employees who have changed roles or left the Company are
  • Access logs are kept regularly. Access to personal data stored electronically is also restricted according to access principles.
  • Strong passwords are used in electronic environments where personal data is
  • Data masking measures are applied when
  • Up-to-date antivirus systems are
  • Firewalls are
  • Personal data security issues are reported
  • Monitoring of personal data security is
  • Personal data is minimized as much as
  • Personal data is backed up, and the security of the backed-up personal data is ensured. Secure backups are performed on servers, external drives, and secure cloud programs used for our office, accounting, and other systems located domestically and internationally.
  • A user account management and authorization control system is applied and
  • Log records are kept in a manner that does not allow user
  • Intrusion detection and prevention systems are
  • Cybersecurity measures are implemented, and their application is continuously
  • Encryption is
  • Penetration testing is
  • Special categories of personal data transferred via portable media (USB drives, CDs, DVDs) are encrypted.
  • Data loss prevention software is
  • Risks related to the unlawful processing of personal data are identified, and appropriate technical measures are taken to mitigate these risks. Technical controls are conducted for the measures taken.
  • Necessary measures are taken to ensure that deleted personal data is inaccessible and unrecoverable for relevant users.

5.2.  Administrative Measures

Administrative Measures Taken by the Company Regarding Personal Data Processing:

  • Disciplinary Regulations: There are disciplinary regulations containing data security provisions for Within this scope, disciplinary measures to be applied to employees who do not comply with data privacy and security policies and procedures have been defined (including Privacy Declarations and other regulations, as well as general provisions in cases where specific regulations are not included).
  • Training and Awareness: Regular training and awareness activities are conducted for employees regarding data and information security. These trainings aim to enhance employees’ capabilities in preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the protection of personal data, and compliance with laws such as the KVKK (Personal Data Protection Law) No. 6698, the Labor Law, and other relevant regulations, thereby fostering a corporate culture.
  • Corporate Policies: Policies related to access, information security, usage, storage, and destruction have been prepared and implemented.
  • Privacy Declarations: Privacy declarations are In this context, all users and employees involved in processing personal and sensitive data related to the Company’s activities are required to sign confidentiality agreements.
  • Authorization Matrix: An authorization matrix for employees has been Thus, access to personal data and user authorization are managed according to corporate policies through the access and authorization matrix, and access to personal data stored in physical environments is restricted according to these principles.
  • Role Changes: The authorizations of employees who change roles or leave the company are revoked.
  • Contractual Provisions: Contracts signed contain data security
  • Paper-Based Data Security: Extra security measures are taken for personal data transmitted via paper, and such documents are sent in confidentiality-rated formats.
  • Data Security Policies and Procedures: Personal data security policies and procedures have been established. Comprehensive policy and procedure documents covering all personal data processing activities within the Company have been created and enforced. The Company has first prepared a “Personal Data Processing Inventory.” If a new category of personal data needs to be processed, it will be added to the inventory and updated according to the 6-month periodic destruction times defined in the “Personal Data Retention and Destruction Policy.” Moreover, before starting personal data processing, the Company carefully fulfills its obligation to inform data subjects in all cases.
  • Incident Reporting: Personal data security issues are reported
  • Security Monitoring: Personal data security is
  • Physical Access Security: Necessary security measures are taken regarding access to physical environments containing personal data.
  • Access Logging: Access to storage areas containing personal data is recorded, and unauthorized access or access attempts are monitored.
  • Environmental Security: Physical environments containing personal data are secured against external risks (such as fire, flooding, etc.). Measures for ensuring the security of information systems against environmental threats include hardware solutions (such as access control systems for the server room, 24/7 operational and storage facility access monitoring systems, fire suppression systems, climate control systems, etc.).
  • Data Security: The security of environments containing personal data is
  • Data Minimization: Personal data is minimized as much as
  • Data Backup: Personal data is backed up, and the security of backed-up data is
  • Internal Audits: Periodic and/or random audits are conducted
  • Risk Identification: Existing risks and threats have been
  • Service Providers’ Awareness: Awareness of data security among data processing service providers is ensured.
  • Registry Compliance: Measures have been taken regarding the registration with the Data Controllers’ Registry as per Article 13 of the Regulation on the Data Controllers’ Registry; this includes registering within the legal time frame when necessary and notifying the Authority of any changes in the registered information within 7 days.
  • Comprehensive Policies: Besides the “Personal Data Retention and Destruction Policy,” a more comprehensive “Personal Data Protection and Processing Policy” has been developed to provide data subjects and employees with detailed information about data processing and protection activities and to increase awareness.
  • Breach Reporting System: A system and infrastructure have been created to notify relevant individuals and the Authority if personal data is unlawfully obtained by others.
  • Breach Response Plan: A “Data Breach Response Plan” has been prepared in accordance with the Authority’s decision dated 24.01.2019 and numbered 2019/10. This plan will be reviewed at least twice a year during the annual personal data destruction periods.

Summary of the Data Breach Response Plan:

  • Evaluation and Response: The Company has established necessary measures to continuously evaluate and monitor potential data breaches related to the personal data we process and transfer, and to respond immediately if such an issue arises.
  • Notification to the Authority: The Company is required to notify the Authority without delay and within a maximum of 72 hours from the date the breach is learned, in accordance with Article 12 of the Law and the Authority’s decision. If notification cannot be made within 72 hours due to valid reasons, the delay and its reasons must be explained to the Authority along with the notification.
  • Notification Form: It has been decided to use the “Personal Data Breach Notification Form” published by the Authority and obtained by us for notifications to the Authority.
  • Record Keeping: The Company has decided to record information about data breaches, their impacts, and the measures taken, and to keep this information ready for review by the
  • Notification to Affected Individuals: After identifying the affected individuals, the Company will notify them as soon as reasonably possible, directly if their contact details are available, or by publishing the information on the Company’s website if direct contact is not possible.
  • Notification by Data Processors: Measures have been taken to ensure that if the data breach occurs at the data processor level, the processor notifies the Company without any delay.
  • International Data Breaches: If a data breach occurs with a data controller located abroad and affects individuals residing in Turkey, or if individuals in Turkey benefit from the products and services provided, the data controller must also notify the Authority in Turkey under the same principles.

5.3.  Additional Measures for the Protection of Special Categories of Personal Data

Under a separate policy (protocols and procedures) established by the Company, the following additional technical and administrative measures have been implemented for the protection of special categories of personal data processed by the Company:

  • Special categories of personal data sent via email must be encrypted and transmitted using KEP (Secure Electronic Mail) or corporate email accounts. If data needs to be transferred via portable media, such as USB drives, CDs, or DVDs, it must be encrypted. Data transfers between servers in different physical locations are conducted using firewalls, or via FTP and VPN methods for data transfer and remote access. If data must be transmitted on paper, necessary precautions are taken to prevent theft, loss, or unauthorized viewing, and the documents are sent in a “confidential” format.
  • Secure encryption and cryptographic keys are used for special categories of personal data and are managed by different units.
  • Employees involved in the processing of special categories of personal data and having access to such data receive regular training on data security. Confidentiality agreements are made with these employees, and their access rights are defined. Access scopes and durations for employees with access to special categories of personal data are clearly and precisely determined in the “Retention and Access Rights” directive issued by the Data Protection Officer. Periodic checks on access rights are conducted, and any changes in roles or departures result in immediate revocation of access rights, with all related information, documents, and tools being returned.
  • Physical environments where special categories of personal data are processed, stored, or accessed are equipped with adequate security measures. Physical security is ensured through staff, continuous closed-circuit camera monitoring, and technical equipment to prevent unauthorized access. Additionally, measures are taken to protect against fire, flooding, electrical faults, and theft, based on the specific characteristics of these locations.

6.    TECHNIQUES FOR THE DESTRUCTION OF PERSONAL DATA

At the end of the retention period specified by relevant legislation or the duration necessary for the purposes for which the data was processed, personal data will be destroyed by the Company either automatically or upon the request of the data subject, in accordance with the relevant legislative provisions, using the techniques specified below.

6.1.  Deletion of Personal Data

Personal data is deleted using the methods specified in Table-3.

Table 3: Deletion of Personal Data

| Data Storage Medium | Description |
|---|---|
| Personal Data Stored on Servers | For personal data stored on servers, when the retention period expires, the system administrator will revoke access rights for the relevant users and proceed with the deletion process. |
| Personal Data in Electronic Environments | Personal data in electronic environments, for which the retention period has expired, will be rendered inaccessible and unusable for all employees except the database administrator. |
| Personal Data in Physical Environments | For personal data stored in physical environments, when the retention period expires, the data will be rendered inaccessible and unusable for all employees except the unit manager responsible for document archiving. Additionally, the data will be obscured through methods such as crossing out, painting over, or erasing to ensure it cannot be read. |
| Personal Data on Portable Media | Personal data on flash-based storage media, for which the retention period has expired, will be encrypted by the system administrator and stored in secure environments with access rights granted only to the system administrator. The encryption keys will also be managed securely. |

6.2.  Destruction of Personal Data

Personal data is destroyed by the Company using the methods specified in Table-4.

Table 4: Destruction of Personal Data

| Data Storage Medium | Description |
|---|---|
| Personal Data in Physical Environments | Personal data on paper, for which the retention period has expired, is destroyed in an irreversible manner using a paper shredder. |
| Personal Data on Optical/Magnetic Media | Personal data on optical and magnetic media, for which the retention period has expired, is physically destroyed by methods such as melting, burning, or grinding into dust. Additionally, magnetic media is processed through a special device to expose it to a high-strength magnetic field, rendering the data unreadable. |

6.3. Anonymization of Personal Data

Anonymization of Personal Data refers to the process of making personal data irreversibly unidentifiable, so that it cannot be associated with any identified or identifiable person, even when matched with other data.

For personal data to be considered anonymized, it must be made impossible to associate it with an identified or identifiable person through the use of appropriate technical methods relevant to the data environment and activity area, including any potential re-identification by the data controller or third parties, or matching with other data. These processes are conducted by our Company in accordance with the procedures and techniques specified in the “Guide on the Deletion, Destruction, or Anonymization of Personal Data” published by the Board.

7.     RETENTION AND DESTRUCTION PERIODS

Regarding the personal data processed by the Company within the scope of its activities:

  • For all personal data related to activities carried out according to processes, the retention periods for each personal data are specified in the Personal Data Processing Inventory.
  • Retention periods for data categories are recorded in VERBİS (if registration with VERBİS is required).

  • Retention periods by process are detailed in the Personal Data Retention and Destruction

Updates to these retention periods may be made as needed with the proposal of the Company’s Data Controller Contact Person and the approval of the Company’s Data Controller Representative.

For personal data whose retention periods have expired, the automatic deletion, destruction, or anonymization is carried out by the Personal Data Controller Contact Person, who is the designated employee of the Company, as shown in Table 5 below.

Table 5: Process-Based Retention and Destruction Periods Table

| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Security camera footage | 6 months from the recording (10 years from the recording if it serves as evidence under Law No. 6331, or for the statute of limitations if it is evidence of a crime) | Within 180 days following the end of the retention period |
| Call center voice recordings | 6 months from the recording (10 years if it is legal evidence, or for the statute of limitations period if evidence of a crime) | Within 180 days following the end of the retention period |
| Biometric Images and Audio Recordings Related to Remote/Video Conference Work Activities | 6 months from the recording | Within 180 days following the end of the retention period |
| Candidate and reference information (if no employment contract has been established) | 6 months from processing (10 years from termination if hired) | Within 180 days after the end of the retention period |
| Information and documents related to trainers, consultants, and service providers for in-service training and service procurement activities | 1 year from the completion of the training or service activity | Within 180 days after the end of the retention period |
| Shareholder and Employee passport information (Obtained in the context of overseas business travel activities) | 1 year from the date of leaving the partnership or employment | Within 180 days following the end of the retention period |
| Mail-Cargo Document Receipt and Delivery Transactions, Incoming-Outgoing Documents | 1 Year from the Transaction | Within 180 days following the expiration of the retention period |
| Information related to visitor logs | 1 year from the date of visit | Within 180 days following the end of the retention period |
| IP and cookie data related to website users | 1 year from the date of access | Within 180 days following the end of the retention period |
| Internet access data provided to employees within the company | 1 year from the date of access | Within 180 days following the expiration of the retention period |
| Receipt and Z-report information for transactions made by customers using bank or credit cards | 5 years from the end of the legal relationship | Within 180 days following the end of the retention period |
| Data related to employees and shareholders retained under labor law | 10 years after the termination of the employment relationship | Within 180 days following the expiration of the retention period |
| Employee and shareholder data retained under social security regulations and other relevant legislation | 10 years after the end of the employment relationship | Within 180 days following the end of the retention period |
| Employment contract and its annexes, as part of the contract process | 10 years after the termination of the employment relationship | Within 180 days following the end of the retention period |
| All documents related to employee training activities | 10 years after leaving the job | Within 180 days following the end of the retention period |
| Data collected on employees under occupational health and safety regulations | 10 years after the end of the employment relationship (for health data related to occupational health such as temporary incapacity reports, chest X-rays, pulmonary function tests, hemograms, eye and hearing tests). However, data that may be subject to work accident or occupational disease claims, indicating symptoms of illness, is retained for 15 years | Within 180 days following the end of the retention period |
| Documents related to the allocation and use of vehicles, computers, phones, and other tools and equipment provided to employees | 10 years | Within 180 days following the expiration of the retention period |
| Documents related to personnel finance processes (salaries and other payments) | 10 years following the termination of the employment relationship | Within 180 days following the expiration of the retention period |
| Personal data related to suppliers and business partners | 10 years after the termination of the legal relationship | Within 180 days following the expiration of the retention period |
| Payment transactions | 10 years after the end of the business relationship | Within 180 days following the expiration of the retention period |
| Contracts concluded with third parties | 10 years | Within 180 days following the expiration of the retention period |
| Customer data | 10 years after the termination of the legal relationship | Within 180 days following the expiration of the retention period |
| Request and complaint data | 10 years after the termination of the legal relationship | Within 180 days following the expiration of the retention period |
| KVKK (Personal Data Protection Law) clarification notice, consent declaration, and other approval documents | 10 years after the termination of the legal relationship (or on the date specified if the primary document has a shorter retention period) | Within 180 days following the expiration of the retention period |
| Personal data destruction records and revoked policy texts | 10 years from the date of the transaction | Within 180 days following the expiration of the retention period |
| Filing of all other types of documents | 10 years from the date of the transaction | Within 180 days following the expiration of the retention period |
| Data collected in accordance with other relevant legislation | For the duration specified by the relevant legislation | Within 180 days following the expiration of the retention period |
| The personal data being involved in a crime under the Turkish Penal Code or other criminal legislation | Throughout the statute of limitations for the legal action | Within 180 days following the expiration of the retention period |

8.     PERIODIC DESTRUCTION PERIOD

According to Article 11 of the Regulation, the Company has set the periodic destruction period to 6 months. Therefore, periodic destruction processes are carried out at the Company every June and December.

9.     PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two formats: printed (wet-signed) and electronic. It is made publicly available on the company’s website. The printed copy is also stored in the file of the Personal Data Protection Officer, who is the designated contact person within the Company.

10.  UPDATE PERIOD OF THE POLICY

The Policy is reviewed as needed, and the necessary sections are updated.

11.  ENTRY INTO FORCE AND WITHDRAWAL OF THE POLICY

This Policy, issued by our Company, is dated 01.06.2024. The Policy is considered to have entered into force and become accessible to personal data owners following its publication on our company’s website at www.cosmic-tickets-audios.com/tourscco. In the event of any updates to the entire Policy or specific sections, the effective date will be revised accordingly. If a decision is made to withdraw the Policy, the old signed copies will be canceled by the Company Data Protection Officer (by stamping or writing ‘canceled’) and will be signed. These copies will be kept in the file of the Personal Data Protection Officer, who is the designated contact person within the Company, for a period of 10 years.