ANSA Ambalaj Sanayi ve Ticaret A.Ş. aims to provide a working environment where employees can fully utilize their talents, increase their commitment and satisfaction, and contribute to the company’s sustainability goals.

Within this framework, ANSA Ambalaj Sanayi ve Ticaret A.Ş. is committed to:

• Providing equal opportunities for all employees, preventing discrimination, and ensuring a fair working environment,
• Offering training and career development opportunities to enhance employee competencies,
• Creating an open, honest, and effective communication environment,
• Prioritizing employee health and safety by ensuring safe working conditions,
• Evaluating employee performance fairly and regularly, and providing constructive feedback,
• Developing reward and recognition systems to increase employee motivation,
• Promoting quality, occupational health and safety, and environmental awareness, and making these a sustainable value,
• Conducting all activities in compliance with applicable laws and regulations.

ANSA Ambalaj Sanayi ve Ticaret A.Ş. always places people first in its production and management systems, acting with a sense of responsibility towards its employees, society, and the environment.

The company’s approach to social compliance is based on increasing employee awareness, continuously improving working conditions, providing periodic training to ensure employees gain knowledge, skills, and understanding, enabling employee participation and consultation, and ensuring that all legal rights of employees are respected.

Within this framework, to create a socially compliant working environment, ANSA Ambalaj Sanayi ve Ticaret A.Ş. is committed to:

• Not requiring employees to work overtime or perform tasks outside their employment contracts without their consent,
• Prohibiting forced labor in any form, including bonded labor, military labor, slave labor, and all forms of human trafficking,
• Complying with child labor and young worker regulations and never employing anyone below the legal minimum age,
• Ensuring compliance with applicable laws and obligations regarding working hours, respecting the principle of voluntary overtime, and adhering to legal and customer standards for weekly and annual overtime limits, while paying overtime wages as required by law,
• Minimizing risks of accidents, injuries, and exposure to health hazards through the ISO 45001 Occupational Health and Safety Management System, thereby ensuring a safe, healthy, and productive work environment,
• Respecting employees’ legal rights to rest and holidays,
• Ensuring lawful and non-discriminatory employment practices (regardless of nationality, status, wages, gender, orientation, religion, language, or race) for all required positions,
• Preparing an Indefinite-Term Employment Contract that outlines the offered conditions and providing a signed copy to employees upon acceptance,
• Maintaining workplace discipline in line with the company’s disciplinary regulations without any wage deductions,
• Identifying and implementing all improvement and development activities aimed at eliminating or minimizing environmental impacts and using natural resources in the most efficient way.

This Retention and Destruction Policy has been prepared by ANSA AMBALAJ SANAYİ VE TİCARET A.Ş. (hereinafter referred to as the “Company”), acting in its capacity as the Data Controller, in order to set out the principles and procedures to be applied by the Company with regard to the deletion, destruction, or anonymization of personal data in compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other applicable legislation.

Within this scope, the personal data of our employees, employee candidates, customers, and all natural persons whose personal data is processed by the Company for any reason, are managed in accordance with the Policy on the Processing and Protection of Personal Data and this Personal Data Retention and Destruction Policy, in compliance with the law.

Definitions

• Explicit Consent: Consent on a specific matter, based on information and given with free will.
• Recipient Group: Categories of natural or legal persons to whom personal data are transferred by the data controller.
• Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even if matched with other data.
• Employee: Company personnel.
• Electronic Medium: Media where personal data can be created, read, modified, or written using electronic devices.
• Non-Electronic Medium: Written, printed, visual, and other types of media outside electronic environments.
• Data Subject: A natural person whose personal data is processed.
• Destruction: The deletion, destruction, or anonymization of personal data.
• Recording Medium: Any environment where personal data is processed, whether fully or partially automated or non-automated, provided it is part of a data recording system.
• Personal Data: Any information relating to an identified or identifiable natural person.
• KVKK: Law on the Protection of Personal Data.
• Board: Personal Data Protection Board.
• Periodic Destruction: Deletion, destruction, or anonymization of personal data conducted ex officio at recurring intervals, when the conditions for processing have ceased.
• Processing of Personal Data: Any operation performed on personal data, fully or partially automated, or non-automated provided it forms part of a data system (collection, recording, storage, alteration, disclosure, transfer, classification, etc.).
• Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, philosophical belief, religion, sect, appearance, association/union membership, health, sexual life, criminal records, biometric and genetic data.
• Policy on the Retention and Destruction of Personal Data: The policy serving as the basis for determining maximum retention periods and for deletion, destruction, or anonymization procedures.

Reasons for Retention of Personal Data

Personal data retained by the Company are stored in line with the purposes specified under Law No. 6698 and our Personal Data Protection Policy, accessible at ansa.tr.

Environments for Retention of Personal Data

Personal data are stored in environments suitable for their nature and our legal obligations, including but not limited to:

• Physical environments: Filing cabinets, archives, paper-based or microfilm storage.
• Local digital environments: Company servers, fixed or portable disks.
• Cloud environments: Internet-based systems with cryptographic encryption.
• Electronic environments: LOGO Payroll, File Server, SQL Server, PACS systems.

Ensuring Security of Data Environments

In order to ensure secure retention, prevent unlawful processing, and avoid unauthorized access to personal data, and to carry out destruction in line with the KVKK, Article 12, the Company implements all necessary technical and administrative measures, including but not limited to:

• Use of up-to-date and secure systems,
• Security controls and penetration testing,
• Restricted access based on authorization,
• Encryption of digital storage,
• Training of employees with data access,
• Contractual safeguards with third parties,
• Internal audits and corrective actions.

Destruction of Personal Data

Personal data shall be deleted, destroyed, or anonymized when the reasons for processing cease to exist, either upon the data subject’s request or ex officio by the Company.

• Methods include:
• Deletion: Making data inaccessible and unusable (e.g., blacking out paper records, deleting database entries).
• Destruction: Rendering data irretrievable (e.g., de-magnetization, physical destruction, overwriting).
• Anonymization: Ensuring that personal data cannot be linked to an individual under any circumstances.

Retention and Destruction Periods

⚖️ In accordance with the Regulation, the Company has set the periodic destruction interval at 6 months. Accordingly, periodic destruction is carried out in June and December every year.

Rights of Data Subjects

Data subjects may request the deletion, destruction, or anonymization of their personal data. The Company evaluates such requests within 30 days and takes appropriate action in line with Article 13 of the KVKK. If personal data has been transferred to third parties, the Company ensures that these parties also comply with the destruction request.

Updates to the Policy

The Company reserves the right to amend this policy in line with changes in the law, decisions of the Authority, or technological and sectoral developments. Updates shall take effect upon publication, and the most recent version of the policy shall be available on the Company’s website.

The protection of personal data is of utmost importance to Ansa Ambalaj Sanayi ve Ticaret A.Ş. (“Company”). Any information/data shared with the Company for any reason and required by the Company is safeguarded with diligence. All necessary administrative and technical measures are implemented within the Company to ensure the security of this information/data. With full confidence that your personal data remains secure when processing with our Company—and in line with the universal principle of transparency in personal data security—we present our Corporate Privacy Policy to all relevant parties.

Purpose

Due to the sensitive nature of our business activities, personal data collected by the Company has always been kept confidential and never shared with third parties for purposes other than those intended. Ensuring compliance with applicable laws and protecting personal data is a fundamental policy of our Company. Even prior to specific legal regulations, the Company attached great importance to data confidentiality and adopted it as a core working principle. In line with the Law No. 6698 on the Protection of Personal Data (KVKK), all necessary technical and administrative measures have been taken, and the Company regards compliance with all obligations arising from the KVKK as a principle.

Scope

This Privacy Policy aims to protect and regulate the processing of personal data obtained wholly or partially by automated means or non-automated means as part of a data recording system, relating to our customers, prospective customers, employees, the customers and employees of our solution partners, and other relevant parties. This Policy has been prepared in compliance with KVKK. Your personal data and/or special categories of personal data are obtained with your consent or under the lawful bases provided by the law. Such data are used for: ensuring Company security; implementing HR policies; fulfilling statutory obligations; providing you with complete services; conducting our commercial operations; resolving any Company-related issues swiftly; and improving our service quality. The Company reserves the right to amend the Company Policy and the Directive on Personal Data in compliance with the law and to ensure better protection of personal data.

Fundamental Principles for Processing Personal Data

• Lawfulness and fairness: The Company questions the source of data collected or received from other entities and prioritizes obtaining data lawfully and fairly.
• Accuracy and, where necessary, up-to-dateness: The Company strives to ensure that all data it holds is accurate, free of errors, and updated when notified of changes by the data subject.
• Specified, explicit, and legitimate purposes: The Company processes data only for the purposes for which consent has been obtained and services are provided. It does not process, use, or allow the use of data beyond these purposes.
• Data minimization (limited, relevant, proportionate): The Company uses data only to the extent necessary and limited to the stated purposes.
• Storage limitation: Contract-related data is retained for periods required by law (e.g., limitation periods, commercial and tax requirements). When the purpose ceases to exist, the data is deleted, destroyed, or anonymized ex officio or upon request.

Rights of the Data Subject under KVKK Article 11

Data subjects have the right to:

• Learn whether personal data is processed;
• Request information if personal data has been processed;
• Learn the purpose of processing and whether it is used in accordance with its purpose;
• Know the third parties to whom personal data is transferred domestically or abroad;
• Request correction if personal data is incomplete or inaccurate, and request notification of such correction to third parties;
• Request deletion or destruction of personal data within the framework of KVKK Article 7 when the reasons for processing cease, and request notification of such action to third parties;
• Object to outcomes to their detriment arising from analysis of data exclusively through automated systems;
• Claim compensation for damages incurred due to unlawful processing of personal data.

For these rights, the Company has prepared an Application Form within the Information Notice on the Processing and Protection of Personal Data. The form must be submitted to us in writing or by methods determined by the Authority.

Data Minimization / Principle of Maximum Savings

In line with this principle, only data necessary for the relevant purpose is processed into Company systems. The categories of data collected are determined according to the purpose. Unnecessary data is not collected. Excess data, if received, is not recorded in Company systems; it is deleted or anonymized. Such data may be used for statistical purposes.

Deletion of Personal Data

When statutory retention periods expire, judicial processes conclude, or other requirements cease to exist, personal data is deleted, destroyed, or anonymized by the Company, either ex officio or upon request of the data subject. These actions are carried out in accordance with the Policy on the Retention, Transfer, Deletion, and Anonymization of Personal Data.

Accuracy and Data Currency

As a rule, data held by the Company is processed based on the declarations of the relevant individuals. The Company is neither obliged nor expected (in line with law and our operating principles) to verify such declarations. Data declared by individuals is considered accurate. If official documents are submitted to the Company or if the data subject requests an update, personal data is updated and retained for the prescribed period. The Company takes necessary measures to ensure data security.

Confidentiality and Data Security

The Company attaches great importance to the confidentiality of your personal data and/or special categories of personal data. Accordingly, any personal data that reaches our Company by any means is confidential. Access to personal data within the Company is restricted to authorized persons and Company shareholders. All necessary technical and administrative measures are taken to protect personal data collected or otherwise obtained, to prevent unauthorized access, and to avoid any harm to the data subject. This includes ensuring software conforms to standards, carefully selecting third parties, and ensuring internal compliance with this Privacy Policy. Companies with whom we lawfully share data are also required to protect such data. Security measures are continuously updated and improved.

Processing of Employees’ Special Categories of Personal Data

Special categories of personal data include, as defined by law: race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, association/foundation/union membership, health, sexual life, criminal records, biometric and genetic data. In processing such data, the Company takes the additional measures determined by the Authority, in addition to obtaining the data subject’s consent where required. Special categories of personal data may be processed without consent only in cases permitted by law, and within the scope and limitations of such permission. Within the Company, special categories of personal data are processed in accordance with the Policy on the Protection and Processing of Special Categories of Personal Data.

Personal Data Processed via Automated Systems

Certain personal data of employees may be processed through automated systems. Such data may be used for performance evaluations, statistical reporting, promotions, and scoring within the Company. Employees have the right to object to adverse outcomes related to them. Objections must comply with internal rules and procedures and are evaluated by the Company.

Processing Personal Data for the Benefit of Employees

Personal data of employees may be processed by the Company without additional consent for transactions in the employee’s interest. The Company may also process employees’ personal data in the context of employment-related disputes.

Internal Telecommunications, Internet, and Communication

To facilitate work performance, the Company may allocate computers, tablets, phones, vehicles, applications, software, and e-mail accounts to employees. Personal data on such tools may be monitored and audited by the Company under the principle of proportionality. Employees may not use these tools for private purposes and must use them solely for business. From the start of employment, the employee accepts, declares, and undertakes not to store any unnecessary data on such devices.

Processing of Video Recordings

For the purpose of ensuring the general and commercial security of Company facilities and operations—and in line with KVKK principles—image recordings of visitors, employees, and other relevant individuals may be taken and stored securely in physical or electronic media for periods appropriate to the purposes of processing. In areas where video recording is in place, visible notices are provided to inform data subjects. Areas requiring a high degree of privacy are not monitored. All activities are conducted in compliance with KVKK and related legislation.

Updates and Compliance

In the event of any inconsistency between KVKK and other applicable legislation and this Policy, KVKK and the relevant legislation shall prevail. The Company reserves the right to amend this Policy and any related policies in line with legislative changes, decisions of the Personal Data Protection Board, and sectoral/technological developments. Any amendments will be promptly incorporated into this document, with explanations recorded at the end of the Policy.

Entry into Force

This Policy was adopted by the Company on 17.12.2019 and entered into force on that date. It is published on the Company website and communicated to third parties and Company employees.

Other Provisions

Where a contractual relationship exists with customers, potential customers, employees, or other relevant parties, personal data collected may be used without additional consent, limited to the purpose of the contract. Data is used to the extent necessary to perform the contract and provide the service, and updated when necessary by contacting the data subjects.

Personal data may also be processed without consent where explicitly permitted by law and/or where necessary for fulfilling a legal obligation. The type and scope of data processed must be necessary for the lawful processing activity and comply with the relevant legal provisions.

All necessary technical and administrative measures are taken to protect personal data collected by the Company and to prevent unauthorized access, thereby avoiding harm to our customers, potential customers, employees, and other relevant individuals. Software compliance with standards is ensured, third parties are selected with due care, and internal adherence to this Privacy Policy is maintained. Security measures are continually updated and improved.

The Company conducts necessary internal and external audits regarding the protection of personal data.

Employees’ personal data may be processed by the Company without additional consent where explicitly provided for in law or where necessary to fulfill legal obligations, limited to such purposes and to the extent required for managing the employment relationship. The Company, in all circumstances, undertakes to protect the confidentiality and security of employees’ personal data and to take all necessary measures.

Subject to conditions determined by the Authority and in compliance with other legal bases in the KVKK—and where the data subject’s consent is obtained—the Company may transfer personal data domestically and abroad.

Commercial electronic messages (advertising/marketing) may be sent only to recipients who have provided prior consent, in compliance with the Law on the Regulation of Electronic Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages. Consent may be obtained in writing or through any electronic communication tool. The consent must cover all commercial electronic messages sent to increase brand awareness or promote the Company’s goods and services.

In the event of any personal data breach, the Company immediately takes action to remedy the incident, adopts all necessary measures to minimize and compensate the damage, and promptly notifies the Personal Data Protection Authority where required. Notifications must be submitted in accordance with the procedures specified on the Company’s website.