1. INTRODUCTION
1.1 Purpose
This Personal Data Storage and Destruction Policy ("Policy") applies to the entire Serhat Saat AŞ (hereinafter the "Company") within the framework of the applicable legislation and is based on the nationally accepted basic principles regarding the destruction of personal data. It sets out the framework and principles for carrying out the destruction activities required by the relevant legislation.
The third paragraph of Article 7 of the Personal Data Protection Law ("Law") provides that "the procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by a regulation." Based on this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") was prepared by the Personal Data Protection Board ("Board") and published in the Official Gazette No. 30224 dated 28 October 2017.
Accordingly, the purpose of this Policy is to determine, in accordance with the Regulation, the procedures and principles for the deletion, destruction or anonymization of personal data processed by the Company in the course of its activities.
1.2. Scope
Personal data belonging to the Company's employees, employee candidates, visitors, third parties with which the Company cooperates and the employees of those third parties are within the scope of this Policy. This Policy applies to all recording media in which personal data owned or managed by the Company is processed and to all activities related to the processing of personal data.
1.3. Abbreviations and Definitions
| Concept | Definition |
|---|---|
| Recipient group | Category of natural or legal persons to whom personal data is transferred by the data controller |
| Explicit consent | Consent regarding a specific issue, based on information and expressed with free will |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data |
| Electronic media | Media in which personal data can be created, read, changed and written using electronic devices |
| Non-electronic media | All written, printed, visual and other media other than electronic media |
| Related person | Natural person whose personal data is processed |
| Related user | Persons who process personal data within the data controller's organization or in line with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data |
| Destruction | Deletion, destruction or anonymization of personal data |
| Law | Personal Data Protection Law No. 6698 |
| Recording media | Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system |
| Personal data | Any information relating to an identified or identifiable natural person |
| Personal data owner | Natural person whose personal data is processed |
| Processing of personal data | Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking its use |
| Personal data processing inventory | The inventory that data controllers create on the basis of their business processes, in which they associate their personal data processing activities with the purposes of processing, the data category, the recipient group to which data is transferred and the data subject group, and detail the maximum period required for the purposes of processing, the personal data envisaged to be transferred abroad and the measures taken regarding data security |
| Board | Personal Data Protection Board |
| Authority | Personal Data Protection Authority |
| Special personal data | Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
| Periodic destruction | The process of deletion, destruction or anonymization, specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals, where all of the conditions for processing personal data set out in the Law have ceased to exist |
| Policy | The policy on which data controllers base the determination of the maximum period necessary for the purpose for which personal data is processed and the process of deletion, destruction and anonymization of personal data |
| Record | The registry of data controllers kept by the Personal Data Protection Authority |
| Data processor | Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller |
| Data recording system | Recording system in which personal data is structured and processed according to certain criteria |
| Data controller | Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette No. 30224 dated 28.10.2017 |
2. RESPONSIBILITIES AND DUTIES DISTRIBUTION
All units and employees of the Company actively support the responsible units in ensuring that the technical and administrative measures taken within the scope of the Policy are properly implemented, that the training and awareness of unit employees are increased, and that monitoring and continuous supervision are carried out, with the aim of preventing the unlawful processing of personal data, preventing unlawful access to personal data and ensuring that personal data is stored in accordance with the law. They likewise support the responsible units in taking the technical and administrative measures needed to ensure data security in all environments where personal data is processed.
The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given below.
Table 1: Task distribution of storage and destruction processes
| Title | Unit | Job Description |
|---|---|---|
| Information Technology Officer | Computing | Ensuring that the processes within its scope comply with the retention periods, managing the periodic destruction process, and carrying out the audits and controls necessary to respond to the requests of data owners |
| | Accounting | Ensuring that the processes within its scope comply with the retention periods, managing the periodic destruction process, and checking whether the book and document retention obligations arising from TCC No. 6100 and the tax legislation continue or have ceased |
| Director of Human Resources | Human Resources | Ensuring that the retention periods for personnel personal data are complied with, managing the periodic destruction process, and receiving and responding to requests for information regarding the rights of personnel specified in the Law |
3. RECORDING MEDIA
Personal data is stored securely by the Company, in accordance with the law, in the media listed in Table 2.
Table 2: Personal data storage environments
| Electronic Media | Non-Electronic Media |
|---|---|
| Servers (domain, backup, e-mail, database, web, file sharing, etc.); software (office software); information security devices (firewall, log file, antivirus, etc.); mobile devices (phone, tablet, etc.); optical discs (CD, DVD, etc.); removable memories (USB, memory card, etc.); printers, scanners, photocopiers; removable media such as USB sticks and hard disks; desktop and laptop computers | Paper; manual data recording systems; written, printed and visual media; folders |
4. EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data of natural persons, including employees, employee candidates, supplier representatives, supplier employees, product or service buyers, potential product or service buyers, shareholders/partners, visitors and other third parties, is stored and destroyed by the Company in accordance with the Law (KVKK).
In this context, detailed explanations regarding storage and disposal are given below.
4.1 Information on Storage
Article 3 of the Law defines the concept of processing personal data; Article 4 provides that personal data must be processed in a manner that is related, limited and proportionate to the purpose for which it is processed, and must be kept only for the period stipulated in the relevant legislation or required for the purpose of processing; and Articles 5 and 6 set out the conditions for processing personal data.
Accordingly, within the framework of the Company's activities, personal data is stored for the period stipulated in the relevant legislation or, where none is stipulated, for the period required by our processing purposes.
4.1.1 Legal Reasons Requiring Storage
The Company retains personal data processed within the scope of its activities for the period stipulated in the relevant legislation. In this context, personal data is stored for the retention periods specified in:
- Tax Procedure Law No. 213
- Labor Law No. 4857
- Social Insurance and General Health Insurance Law No. 5510
- Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications
- Turkish Code of Obligations No. 6098
- Turkish Commercial Code No. 6102
- Occupational Health and Safety Law No. 6361
- Personal Data Protection Law No. 6698
and for the retention periods specified in the other secondary legislation in force.
4.1.2. Processing Purposes Requiring Storage
The company stores the personal data it processes within the scope of its activities for the following purposes:
- Execution of information security processes
- Fulfillment of obligations arising from employment contracts and legislation for employees
- Audit / Conducting ethical activities
- Carrying out financial and accounting affairs
- Providing physical space security
- Follow-up and execution of legal affairs
- Carrying out communication activities
- Carrying out human resources processes
- Carrying out activities to ensure business continuity
- Carrying out Logistics Activities
- Carrying out goods/service purchasing processes
- Execution of goods/service sales processes
- Execution of contract processes
- Providing information to authorized persons, institutions and organizations
4.2. Reasons Requiring Destruction
Personal data is deleted, destroyed or anonymized in the following cases:
- The relevant legislative provisions that constitute the basis for processing are amended or abolished,
- The purpose that requires processing or storage ceases to exist,
- Where the processing of personal data is based solely on explicit consent, the relevant person withdraws his/her explicit consent,
- Marina Vista accepts the application made by the relevant person regarding the deletion and destruction of personal data within the framework of the rights of the relevant person in accordance with Article 11 of the KVKK,
- Where the Company rejects an application by the relevant person requesting the deletion or destruction of personal data, the relevant person finds the answer given insufficient, or the Company does not respond within the period stipulated in the KVKK, the relevant person complains to the Board and the Board approves the request, and
- The maximum period for which personal data must be stored has passed and there are no conditions that justify storing the personal data for a longer period.
In such cases, the personal data is deleted, destroyed or anonymized by the Company, either ex officio or upon the request of the relevant person.
5. TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of the KVKK and, for special personal data, paragraph 4 of Article 6 of the KVKK and the adequate measures determined and announced by the Board, the Company takes the technical and administrative measures below for the secure storage of personal data, the prevention of unlawful processing of and access to personal data, and the lawful destruction of personal data.
5.1. Technical Measures
The technical measures taken by the Company regarding the personal data it processes are listed below:
- Network security and application security are ensured.
- A closed system network is used for personal data transfer via the network.
- Key management is implemented.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- An authority matrix has been created for employees.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data is backed up and the security of the backed up personal data is ensured.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is done.
5.2. Administrative Measures
The administrative measures taken by the Company regarding the personal data it processes are listed below:
- The authorities of employees who change their duties or leave their jobs in this area are removed.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is minimized as far as possible.
6. PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which it is processed, personal data is destroyed by the Company, ex officio or upon the application of the relevant person, using the techniques specified below and in accordance with the relevant legislation.
6.1. Deletion of Personal Data
Personal data is deleted using the methods given in Table 3.
Table 3: Deletion of personal data
| Recording Medium | Explanation |
|---|---|
| Personal data in physical media | Personal data in physical media is deleted by blacking out (redaction), or by storing the document in a secure environment so that it cannot be accessed by the relevant users in any way |
| Personal data on servers | For personal data on servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data |
| Personal data in databases | By assigning roles and permissions, the relevant user is prevented from accessing the personal data in the database |
| Personal data on central servers | The access rights of the relevant user on the directory where the file containing the personal data is located are removed |
| Personal data on portable devices (such as USB, hard disk, CD, DVD) | The relevant user is prevented from accessing the file |
6.2. Destruction of Personal Data
As a company, the methods we use to destroy personal data in accordance with the law are as follows:
Table 4: Destruction of Personal Data
| Recording Medium | Explanation |
|---|---|
| Personal data in physical media | Personal data stored on paper whose retention period has expired is irreversibly destroyed in paper shredding machines |
| Personal data in peripheral (network devices, flash-based media, optical systems, etc.) and local systems | Devices containing personal data are destroyed by physical processes such as burning, breaking into small pieces or melting. In addition, personal data on the device is rendered unreadable by degaussing (demagnetization). Alternatively, the existing data is overwritten with random data using special software, so that the old data is destroyed and cannot be recovered |
6.3. Anonymization of Personal Data
Anonymization of personal data means ensuring that personal data cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data.
For personal data to be anonymized, it must be rendered impossible, whether by the data controller or by third parties, to associate the data with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as matching the data with other data.
7. STORAGE AND DISPOSAL PERIOD
Regarding personal data processed by the Company within the scope of its activities:
- Personal data-based retention periods for all personal data within the scope of activities carried out depending on the processes are included in the Personal Data Processing Inventory;
- Retention periods based on data categories are recorded in VERBIS;
- Process-based retention periods are included in this Personal Data Storage and Destruction Policy.
The Company carries out the destruction of personal data in accordance with the retention periods determined by the relevant legislation for each relationship. Personal data whose storage period has expired is deleted, destroyed or anonymized within the periodic destruction periods determined by the Company.
Table 5: Table of Storage and Destruction Times by Process
| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Execution of human resources employee processes | 10 years from the date of termination of the employee | During the first periodic destruction (within 6 months) following the end of the storage period |
| Conducting contractual relationships | 10 years following the termination of the contract | During the first periodic destruction following the end of the storage period |
| Biometric data | 1 month following the termination of the employment relationship | During the first periodic destruction following the end of the storage period |
| Camera recordings | 15 days after recording | During the first periodic destruction following the end of the storage period |
| Execution of accounting and finance processes | 10 years following recording | During the first periodic destruction following the end of the storage period |
For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the departments listed under the heading "2. RESPONSIBILITIES AND DUTIES DISTRIBUTION".
8. PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation, the periodic destruction period has been determined by the Company as [6] months. Accordingly, the Company carries out periodic destruction in June and December every year.
9. PUBLISHING AND STORAGE OF THE POLICY
The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept on file in the Human Resources Department.
10. UPDATE PERIOD OF THE POLICY
The policy is updated as needed and when processes change.
11. ENFORCEMENT AND REPEAL OF THE POLICY
This Policy is deemed to have entered into force upon its publication on the Company's website.
If it is decided to repeal the Policy, the old signed copies of the Policy are cancelled (with a cancellation stamp or a written cancellation note) and signed with the Company stamp and the signature of the Company official, and are kept by the Human Resources Department for at least 5 years.