PERSONAL DATA STORAGE AND DISPOSAL POLICY

      1. PURPOSE

      The purpose of this Personal Data Storage and Disposal Policy (“Policy”) is to set forth the principles and procedures regarding the determination of storage periods for personal data processed by Geberit Tesisat Sistemleri Ticaret Limited Şirketi (“Geberit” or “the Company”), and the criteria and methods regarding the erasure, disposal or anonymization of personal data whose processing period and/or purpose of processing has ceased.

      This Policy also includes the technical and administrative measures taken to ensure data security as set out in Article 6 of the By-Law on Erasure, Destruction or Anonymization of Personal Data (“By-Law”), which entered into force on 28 October 2017 and was amended on 28 April 2019. The provisions of the By-Law on Data Controllers Registry dated 30 December 2017 and amended on 28 April 2019, as well as the Guideline on the Erasure, Destruction and Anonymization of Personal Data, have also been taken into consideration within this framework.

      2. SCOPE

      This Policy covers the erasure, destruction or anonymization of all personal data processed by Geberit, in its capacity as a data controller, through wholly or partly automatic means, or by non-automatic means provided that they form part of a data filing system, and stored in electronic and/or physical media, whose processing conditions have ceased to exist, pursuant to Article 7 of the Personal Data Protection Law No. 6698 (“Law”).

      3. PRINCIPLES FOR THE STORAGE AND DISPOSAL OF PERSONAL DATA

      In the processes for the disposal of personal data, Geberit acts in accordance with the principles set out in Article 4 of the Law and explained in Article 6 of the Geberit Personal Data Protection and Privacy Policy. Geberit records all transactions regarding the erasure, destruction and anonymization of personal data and stores these records for at least 3 years.

      4. EXPLANATIONS ON THE DISPOSAL OF PERSONAL DATA

      The disposal of personal data refers to the erasure, destruction or anonymization of personal data. In this context,

      • Erasure of personal data means rendering personal data inaccessible and non-reusable for users concerned.
      • Destruction of personal data means rendering personal data permanently inaccessible, irretrievable and non-reusable by anyone.
      • Anonymization of personal data means rendering personal data impossible to associate with an identified or identifiable natural person, even if matched with other data.

      5. EXPLANATIONS ON THE LEGAL, TECHNICAL OR OTHER REASONS REQUIRING THE STORAGE AND DISPOSAL OF PERSONAL DATA

      To carry out the business processes conducted by various departments within its organization in line with job descriptions and the activities dependent on these processes, Geberit processes personal data of employees, employee candidates, employee relatives, business partners, suppliers, customers, customer relatives, customer employees, potential customers, visitors, online visitors and third parties. For procedures and principles on the processing of personal data, please see Geberit Personal Data Protection and Privacy Policy. It stores these personal data for the periods prescribed in the legislation or determined by the relevant department within the scope of the purpose of personal data processing. All this flow is included in the Personal Data Processing Inventory. When the relevant storage periods expire, personal data for which the purpose of processing has ceased are disposed of by the erasure, destruction or anonymization methods set out in this Policy.

      6. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURE STORAGE OF PERSONAL DATA AND TO PREVENT UNLAWFUL PROCESSING AND ACCESS

      Geberit takes all administrative and technical measures made possible by current technologies, within the framework of the cost balance of the relevant application, for the protection and security of your personal data, and within this scope keeps its security practices up to date in line with the relevant legal regulations and the decisions of the Personal Data Protection Board. For the technical and administrative measures taken by Geberit, please review the Geberit Personal Data Protection and Privacy Policy available on the Company’s official website.

      7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LAWFUL DISPOSAL OF PERSONAL DATA

      Geberit has established an internal Technical Unit to ensure the lawful disposal of the personal data it processes. The Technical Unit ensures that the erasure of personal data is carried out in such a way that personal data can be processed only by users concerned and cannot be processed by any other unrelated unit. Data masking methods are used for electronic personal data to the extent necessary. For personal data in physical media, the erasure process is carried out by redaction of the personal data to be erased.

      7.1. Erasure of Personal Data
      Erasure of personal data is the process of rendering personal data inaccessible and non-reusable for users concerned. Geberit takes all necessary technical and administrative measures to ensure that erased personal data are inaccessible and non-reusable for users concerned.

      7.1.1. Process for the Erasure of Personal Data

      The process followed in the erasure of personal data is as follows:

      • Determination of the personal data to be subject to erasure
      • Identification of users concerned for each personal data item by using an access authorization and control matrix or a similar system
      • Identification of the authorizations and methods of users concerned such as access, restore and reuse
      • Closing and eliminating the authorizations and methods of users concerned for access, restore and reuse within the scope of personal data

      7.1.2. Methods for the Erasure of Personal Data

      Cloud solutions offered as a service

      Personal data in the cloud system are erased by issuing the delete command. During the performance of this process, attention is paid to ensuring that the user concerned does not have the authority to restore erased data on the cloud system.

      Personal data in physical media

      Personal data in physical media are erased by using the redaction method. The redaction process is carried out by cutting out the personal data on the relevant document where possible, or where not possible, by making them invisible to users concerned using permanent ink in a way that cannot be reversed and cannot be read with technological solutions.

      Office files on the central server

      The file is erased by the delete command in the operating system or the access rights of the user concerned to the file or the directory in which the file is located are removed. During the performance of this process, attention is paid to ensuring that the user concerned is not also a system administrator.

      Personal data on portable media
      Personal data on flash-based storage media are stored in encrypted form and are erased by using software appropriate to these media.

      Databases
      The relevant rows containing personal data are erased by database commands (such as DELETE). During the performance of this process, attention is paid to ensuring that the user concerned is not also a database administrator.

      Personal data in physical and electronic media for which the purpose of processing has completely ceased are disposed of in accordance with the Guideline published by the Authority or anonymized by the methods stipulated in this Guideline. All erasure, destruction or anonymization processes carried out by the Technical Unit are logged electronically with a timestamp. For personal data in physical media, minutes are drawn up regarding the performance of these processes and are retained by the Technical Unit. Records regarding the erasure, destruction or anonymization of personal data in electronic and physical media are stored for three years. During storage periods, Geberit uses the “erasure” method in such a way as to ensure access to these data only by relevant departments. When storage periods end and there is no other purpose requiring the storage of personal data, the anonymization method is used.

      7.2. Destruction of Personal Data

      Destruction of personal data is the process of rendering personal data permanently inaccessible, irretrievable and non-reusable by anyone. Geberit takes all necessary technical and administrative measures regarding the destruction of personal data.

      7.2.1. Methods for the Destruction of Personal Data
      For the destruction of personal data, all copies of the data are identified and the data are destroyed one by one by using one or more of the methods set out below, depending on the types of systems in which the data are located.

      Local systems

      One or more of the methods below may be used for the destruction of personal data on these systems.

      Physical destruction: This is the physical destruction of optical media and magnetic media by melting, incinerating or pulverizing them. Rendering data inaccessible is ensured by processes such as melting, incinerating, pulverizing optical or magnetic media or passing them through a metal shredder. In the case of solid disks, if overwriting or degaussing is not successful, these media are also physically destroyed.

      Overwriting: This is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is carried out using special software.

      Peripheral systems

      The destruction methods that can be used depending on the type of medium are set out below:
      Network devices (switches, routers, etc.): The storage media inside these devices are fixed. The products mostly have a delete command but do not have a destruction feature. They are destroyed by using one or more of the appropriate methods mentioned above.
      Flash-based media: For flash-based solid-state disks with ATA (SATA, SSD, PATA, etc.) or SCSI (SCSI Express, etc.) interfaces, if supported, use the command; if not supported, use the destruction method recommended by the manufacturer or destroy them by using one or more of the appropriate methods mentioned above.
      Mobile phones (SIM card and internal memory areas): Portable smartphones have a delete command in the internal memory areas, but most do not have a destruction command. They are destroyed by using one or more of the appropriate methods mentioned above.
      Peripherals such as printers with removable storage media: It is ensured that all storage media are removed and, after verification, destroyed by using one or more of the appropriate methods mentioned above depending on their characteristics.
      Peripherals such as printers with fixed storage media: Most of these systems have a delete command but do not have a destruction command. They are destroyed by using one or more of the appropriate methods mentioned above.

      Paper media
      Since personal data in these media are permanently and physically written on the medium, the primary medium is destroyed. During this process, the medium is cut into pieces that are incomprehensible, preferably horizontally and vertically, and in a way that cannot be reassembled, with paper shredders or choppers. Personal data transferred from the original paper format to electronic media by scanning are destroyed by using one or more of the appropriate methods mentioned above according to the electronic medium in which they are located.

      Cloud environment
      During the storage and use of personal data in these systems, they are encrypted by cryptographic methods and, where possible, separate encryption keys are used for each cloud solution from which the service is obtained. When the cloud computing service relationship ends, all copies of the encryption keys required to render personal data usable are disposed of.

      In addition to the environments above, the destruction of personal data on devices that malfunction or are sent for maintenance is carried out as follows: Before devices are transferred to third parties such as the manufacturer, seller or service for maintenance and repair, the personal data contained therein are destroyed by using one or more of the appropriate methods mentioned above; where destruction is not possible or appropriate, the storage medium is removed and kept, and other faulty parts are sent to third parties such as the manufacturer, seller or service; necessary measures are taken to prevent external personnel coming for purposes such as maintenance and repair from copying personal data and taking them out of the organization.

      7.3. Anonymization of Personal Data

      Anonymization of personal data is the process of rendering personal data impossible to associate with an identified or identifiable natural person, even if matched with other data. For personal data to be anonymized, personal data cannot be associated with an identified or identifiable natural person even by Geberit or recipient groups through the use of techniques appropriate to the recording medium and the relevant activity, such as the reversal of data or matching the data with other data. The data controller is obliged to take all necessary technical and administrative measures for the anonymization of personal data. The anonymization of personal data is carried out in accordance with the principles set out in the personal data storage and disposal policy and by the methods set out below.

      8. TITLES, UNITS AND JOB DESCRIPTIONS OF THOSE INVOLVED IN PERSONAL DATA STORAGE AND DISPOSAL PROCESSES

      Within the scope of the Policy, Geberit assigns persons with the following titles, units and job descriptions regarding storage and disposal processes:
      a) “Data Owners” of all departments within Geberit that process personal data: Data owners may assign another person working in their department both to ensure that their department’s personal data processing inventory is kept up to date and to monitor personal data storage and disposal processes.
      b) Technical Unit.

      9. STORAGE AND DISPOSAL PERIODS

      Storage and disposal periods are included under Annex-1 of this Policy.

      10. PERIODIC DISPOSAL PERIOD

      Geberit anonymizes personal data within 6 months following the end of the storage period, provided that there is no other purpose requiring the storage of personal data whose storage period has expired.

      11. PERIODS FOR ERASURE AND DISPOSAL OF PERSONAL DATA UPON REQUEST OF THE DATA SUBJECT

      When the data subject applies to Geberit and requests the erasure or destruction of their personal data;

      • If all conditions for processing personal data have ceased to exist; Geberit erases, destroys or anonymizes the personal data subject to the request. Geberit finalizes the erasure or destruction requests of data subjects within “thirty days” at the latest.

      • If all conditions for processing personal data have ceased to exist and the personal data subject to the request have been transferred to third parties; Geberit notifies the third party of this situation and requests the erasure or destruction of the personal data in question.

      • If not all conditions for processing personal data have ceased to exist, this request may be rejected by Geberit with justification pursuant to Article 13(3) of the Law, and the rejection response is notified to the data subject in writing or electronically within “thirty days” at the latest.

      For detailed information regarding your requests concerning your personal data, please review the Geberit Personal Data Protection and Privacy Policy.

      12. UPDATES TO THE PERSONAL DATA STORAGE AND DISPOSAL POLICY

      After submitting the updates to this Policy for the approval of the relevant Company managers, Geberit publishes the revised provisions together with the revision and approval dates.

      13. RELATED DOCUMENTS

      The Geberit Personal Data Protection and Privacy Policy

      All amendments made to this Policy are documented in the table below.

      DOCUMENT HISTORY
      Version | Publication Date | Description of Change

      ANNEX-1 STORAGE AND DISPOSAL PERIODS

      Unless it is required to be retained for a longer period under the relevant legislation or Company practices, personal data shall be stored for the periods indicated below on average.

      Type of Data | Storage Period | Legal Basis | Disposal Period
      Personal Data of Customers | 10 years following the termination of the legal relationship | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 | During the first periodic disposal period following the expiry of the storage period
      Personal Data of Suppliers | 10 years following the termination of the legal relationship | Law No. 6102, Law No. 6098, and Law No. 213 | During the first periodic disposal period following the expiry of the storage period
      Personal Data of Potential Customers/Suppliers | 2 years | Retrospective and Prospective Analysis | During the first periodic disposal period following the expiry of the storage period
      Personal Data of Online Visitors (Log Records) | 10 years after the legal relationship ends; 3 years pursuant to Law No. 6563 and the relevant secondary legislation | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 | During the first periodic disposal period following the expiry of the storage period
      Personal Data Contained in Materials Published Electronically or in Print | Indefinite | Legitimate Interest of the Data Controller |
      Records Regarding Commercial Electronic Messages | Records related to consent for commercial electronic messages: 3 years from the date the consent becomes invalid; other related records: 3 years from the date of collection | Law No. 6563; Regulation on Commercial Communication and Commercial Electronic Messages | During the first periodic disposal period following the expiry of the storage period
      Call Center Records | 3 years | Law No. 6563 and the relevant secondary legislation | During the first periodic disposal period following the end of the storage period
      Personal Data of Visitors (Camera Recordings) | 35 days | Ensuring Security | During the first periodic disposal period following the end of the storage period
      Employee Data | 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
      Employee Health Data | 10 years following the termination of the legal relationship | Regulation on Occupational Health and Safety Services | Immediately after the end of the storage period
      Data of Employee’s Family Members or Relatives | 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
      Job Applicant Data | 2 years; in case of employment, 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
      Reference Person Data of Job Applicants | 2 years; in case of employment, 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
      Intern Data | 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
      Data of Parent or Legal Representative of the Intern | 10 years following the termination of the legal relationship | Law No. 4857, Law No. 6098, Law No. 213 | During the first periodic disposal period following the end of the storage period
