Personal Data Storage and Disposal Policy

1. Definitions

Explicit Consent: consent that is related to a specific issue based on information and expressed with free will.

Constitution: Republic of Turkey Constitution No. 2709 dated 7 November 1982, promulgated in Official Gazette No. 17863 dated 9 November 1982

Anonymization of Personal Data: to render data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data.

Deleting Personal Data: to delete or to render personal data in such a way that it is no longer accessible or reusable for the users

Destroying Personal Data: rendering the personal data to make it inaccessible, unrecoverable, and not useable by anyone

Employee: Natural person who is a GEM employee.

Job Candidate: Natural person who is not a GEM employee but a candidate to become one through various methods.

Personal Data: Any type of information concerning an identified or identifiable natural person.

Processing of Personal Data: Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system

Data Subject: a natural person, includes but is not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, volunteers, suppliers, employees of business partners, third parties of GEM

KVKK: Personal Data Protection Law numbered 6698 published in the Official Gazette of Turkey numbered 29677 dated April 7th, 2016.

KVK Board: Turkish Personal Data Protection Board

Sensitive Personal Data: personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions, and security measures, and the biometric and genetic data.

Partners: persons with which GEM has become partners in a contractual relationship as part of its activities.

Data Controller: the one who defines the purpose and the means of processing personal data and is responsible for the management of the data recording system

2. Purpose and Scope

GEM is aware of its responsibility to protect personal data, the security of which is a constitutional right, and to provide a constitutional guarantee of this, and places importance on using personal data securely. The purpose of this policy is to regulate the methods and principles to follow to ensure that GEM processes personal data in line with the Law on the Protection of Personal Data (KVKK) promulgated in Official Gazette No. 29677 dated 7 April 2016, Law No. 4857 dated 1 June 2003 and other relevant law for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by GEM.

This Policy applies to all activities managed by GEM regarding the processing and protection of personal data by GEM along with the relevant detailed data procedures.

3. Policy

The relevant legislative provisions shall apply first in processing and protecting personal data; if there is any contradiction between the articles of this Policy and the legislation, the legislation then in force shall prevail.

This Policy is prepared in accordance with the rules and procedures foreseen in KVKK and related law for the protection of personal data. In this context, as the Data Controller is also liable under KVKK to prevent the illegal processing of personal data and illegal access to it, and to protect the personal data, it must take all necessary technical and administrative measures.

Personal data collected legally prior to the enactment of KVKK on April 7th, 2016, shall be processed and stored in line with the terms and conditions of this Policy.

4. Principles to Be Followed While Processing Data

GEM acts in accordance with the following general principles in all of its Personal Data Processing activities:

  • Personal data must be processed lawfully, fairly and transparently,
  • Personal data can only be collected for specific, explicit and legitimate purposes,
  • Personal data must be adequate, relevant and limited to what is necessary for processing,
  • Personal data must be accurate and kept up to date with every effort to erase or rectify without delay,
  • Personal data must be kept in a form such that the data subject can be identified only if it is necessary for processing,
  • Personal data must be processed in a manner that ensures the appropriate security.

5. Personal Data Collected

Personal data collected by GEM varies according to the type of relationship with GEM and the legal obligations. Personal data collected can be listed as follows:

  1. Identification: Name, surname, mother-father name, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, Turkish identity number, etc.
  2. Contact: Address number, E-mail address, Contact address, Registered electronic mail address (KEP), Telephone number, etc.
  3. Personal: Payroll information, Discipline investigation, Recruitment document records, Asset notification information, CV information, Performance evaluation reports, etc.
  4. Professional Experience: Diploma information, Courses attended, In-service training information, Certificates, Transcript information, etc.

6. The Purposes of Processing Personal Data

GEM informs data subjects when obtaining personal data, as required by KVKK and related legislation. In this context, GEM provides notification regarding the purpose for processing the personal data, to whom and why the processed personal data might be transferred, the method for collecting personal data and the lawful reason for collection, and the rights of the Data Subjects as per Article 11 of KVKK.

The purposes of processing personal data by GEM are as follows:

  • Within the scope of Identity data category;
    • Conducting Management Activities
    • Informing Authorized Persons, Institutions and Organizations
    • Foreign Personnel Work and Residence Permit Procedures
    • Execution of Custody and Archive Activities
    • Organization and Event Management
    • Conducting Business Continuity Activities
    • Receiving and Evaluating Suggestions for the Improvement of Business Processes
    • Conducting Occupational Health / Safety Activities
    • Execution / Supervision of Business Activities
    • Planning of Human Resources Processes
    • Conducting Communication Activities
    • Execution of Finance and Accounting Affairs
    • Execution of Access Authorities
    • Conducting Audit / Ethical Activities
    • Execution of Fringe Benefits and Benefits Processes for Employees
    • Employee Contract and Fulfillment of Obligations Arising from Legislation
    • Execution of Emergency Management Processes
  • Within the scope of Communication data category;
    • Conducting Management Activities
    • Informing Authorized Persons, Institutions and Organizations
    • Foreign Personnel Work and Residence Permit Procedures
    • Execution of Custody and Archive Activities
    • Execution of Logistics Activities
    • Conducting Business Continuity Activities
    • Receiving and Evaluating Suggestions for the Improvement of Business Processes
    • Conducting Occupational Health / Safety Activities
    • Execution / Supervision of Business Activities
    • Planning of Human Resources Processes
    • Conducting Communication Activities
    • Conducting Audit / Ethical Activities
    • Execution of Information Security Processes
    • Execution of Emergency Management Processes
  • Within the scope of Personality data category;
    • Conducting Management Activities
    • Informing Authorized Persons, Institutions and Organizations
    • Foreign Personnel Work and Residence Permit Procedures
    • Execution of Custody and Archive Activities
    • Organization and Event Management
    • Execution of Logistics Activities
    • Conducting Business Continuity Activities
    • Receiving and Evaluating Suggestions for the Improvement of Business Processes
    • Conducting Occupational Health / Safety Activities
    • Execution / Supervision of Business Activities
    • Planning of Human Resources Processes
    • Conducting Communication Activities
    • Conducting Audit / Ethical Activities
    • Execution of Information Security Processes
    • Execution of Emergency Management Processes
  • Within the scope of Professional Experience data category;
    • Conducting Management Activities
    • Informing Authorized Persons, Institutions, and Organizations
    • Conducting Talent / Career Development Activities
    • Foreign Personnel Work and Residence Permit Procedures
    • Execution of Custody and Archive Activities
    • Organization and Event Management
    • Execution of Logistics Activities
    • Conducting Business Continuity Activities
    • Receiving and Evaluating Suggestions for the Improvement of Business Processes
    • Conducting Occupational Health / Safety Activities
    • Planning of Human Resources Processes
    • Conducting Communication Activities
    • Conducting Audit / Ethical Activities
    • Execution of Information Security Processes
    • Execution of Emergency Management Processes

7. Sensitive Personal Data

GEM does not collect Sensitive Personal Data without explicit consent, such as personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

8. Methods of Processing Personal Data and Its Legal Ground

Personal data can be obtained/received from parties who are data subjects and/or from third parties who have explicit consent from the data subject.

The obtained personal data can be processed by collecting, saving, editing, configuring, storing, adapting, changing, using, transferring, deleting, destroying, and anonymizing.

Personal Data may be processed by one or more of the above methods without the explicit consent of the data subject in the presence of one of the legitimate reasons listed in Article 5 of KVKK:

  • Explicitly prescribed in laws and any relevant legislation.
  • Processing is mandatory to protect the right to life of the person or of others, where the person cannot grant consent due to physical incapability or is legally unable to grant consent.
  • Processing personal data of the parties to a contract/agreement is required for the execution of that contract/agreement.
  • Processing is mandatory for the data controller to fulfill its legal liability.
  • The data has been made public directly by the Data Subject.
  • Processing is mandatory for a right to be established, exercised and/or protected.
  • Personal data is processed for legitimate purposes without contradicting the basic rights and freedoms of the Data Subject.

In the absence of other data processing conditions, GEM may process the personal data of the data subject upon the freely given consent of the data subject who is sufficiently informed about the personal data processing activity, leaving no room for doubt and limited to the particular activity in question.

9. Informing the Data Subjects and their Rights

In compliance with Article 10 of the Law, data subjects shall be notified about the processing of their personal data prior to or during the course of such processing at the very latest.

We would like to state that, as data subjects, you have the following rights as per Article 11 of the Law:

  • To learn whether your personal data are processed or not,
  • In case your personal data are processed, to request information,
  • To learn the purpose of processing your data and whether they are used for the intended purposes or not,
  • To learn the third parties at home or abroad to whom your personal data are transferred,
  • If your personal data are processed incompletely or inaccurately, to request correction, and, accordingly, to request that third parties to whom your personal data were transferred be notified of such action,
  • Even if your personal data are processed in compliance with the Law numbered 6698 and other applicable provisions, if the reasons requiring data processing are no longer valid, to request erasure or destruction of your personal data, and, accordingly, to request that the third parties to whom your personal data were transferred be notified of such action,
  • To raise objections against the analyzing of your processed data exclusively by automatic means if it leads to an unfavorable consequence for you, and
  • To request compensation for the damage arising from the unlawful processing of your personal data.

10. Exercise of the Rights of the Data Subject

Personal Data Subjects can submit their requests related to their rights above to GEM for free along with information and documentation that confirms their identity, using the methods laid out below, or may fill out and sign an application form which was prepared via other methods defined by the KVK Council at LINK or within the annexes of this policy.

Personal Data Subjects should fill out the form at the link mentioned and send a signed copy through a notary to MÜCAHİTLER Mah. 52083 Nolu Sok. No. 42 YASEM İŞ MRKZ. No. 803 ŞEHİTKAMİL GAZİANTEP, or electronically to zehra.osman@hs03.kep.tr.

For unrelated persons to apply on behalf of personal Data Subjects, a Personal Data Subject must give a power of attorney through a notary to the unrelated person permitting them to apply on behalf of the Data Subject.

If the Personal Data Subject forwards their request to GEM, GEM will finalise the said request within 30 days at most, depending on the nature of the request. If the action the Data Subject requests necessitates an extra fee, the Data Subject may need to pay the fee defined in the tariff determined by the Council. If the application arises from data personnel’s mistake, the fee is refunded to the Data Subject.

GEM may ask for information from the Data Subject to determine whether the applicant is the personal Data Subject. GEM may ask questions of the Personal Data Subject regarding their application to clarify issues in their application.

GEM may reject an application under the conditions explained below, in which case GEM is required to explain the reason:

  • the personal data is anonymized through official statistics and processed for research, planning, and statistics;
  • the personal data is processed for art, history, literature or scientific reasons or in the scope of freedom of expression, provided this does not constitute a crime, violate the national defense, national security, public safety, public order, economic security, the privacy of personal life or personal rights;
  • the personal data is processed within the scope of preventive, protective or intelligence activities performed by public bodies and institutions given the task and authority by law to ensure national defense, national security, public safety, public order or economic security;
  • the personal data is processed by judicial or executive authorities in relation to investigations, prosecutions, adjudications or enforcement;
  • the processing of personal data is required to prevent crimes or for criminal investigation;
  • the data processing is expressed publicly by the Data Subject;
  • when the personal data processing is necessary to carry out inspection or regulation, or disciplinary investigation or prosecution by official and authorized institutions and entities and occupational organizations which have the nature of public institutions, as per the authorization granted by law;
  • when processing is necessary to protect the economic and financial interests of the state concerning budget, tax, and financial issues;
  • when the Data Subject’s request might possibly obstruct another person’s rights and freedoms;
  • when the request requires disproportionate effort;
  • when the requested information is publicly available.

11. Conditions under which the Personal Data Subjects may not use their rights

As per KVKK Article 28, personal Data Subjects may not use their rights mentioned above under the following conditions since these following conditions are excluded from the KVKK:

  • the personal data is anonymized through official statistics and processed for research, planning, and statistics;
  • the personal data is processed for art, history, literature or scientific reasons or in the scope of freedom of expression, provided this does not constitute a crime, violate the national defense, national security, public safety, public order, economic security, the privacy of personal life or personal rights;
  • the personal data is processed within the scope of preventive, protective or intelligence activities performed by public bodies and institutions given the task and authority by law to ensure national defense, national security, public safety, public order or economic security;
  • the personal data is processed by judicial or executive authorities in relation to investigations, prosecutions, adjudications or enforcement.

As per Article 28/2 of KVKK, the Personal Data Subjects may not claim their rights mentioned in 9, except the right to demand compensation for damages, in the cases listed below:

  • when the processing of personal data is required to prevent crime or for criminal investigation;
  • when the data processing is expressed publicly by the Data Subject;
  • when the personal data processing is necessary to carry out inspection or regulation, or disciplinary investigation or prosecution by official and authorized institutions and entities and occupational organizations which have the nature of public institutions, as per the authorization granted by law;
  • when processing is necessary to protect the economic and financial interests of the state concerning budget, tax, and financial issues.

12. Retention and Destruction of Personal Data

  • In compliance with art. 75 of Law No. 4857 dated 1 June 2003, GEM arranges a personal file for each of its employees, containing the information about the employee’s identity and all documents and records which it has to arrange in accordance with the law mentioned above and other relevant legislation, and is committed to showing them to authorized persons and authorities when requested.
  • GEM takes into account the law and legislation that is in place during the processing of personal data. Within this scope, the retention and limitation periods are taken into account in Personal Data Protection activities. In case the processing activity is disposed of, and there is no further legal ground to store personal data, relevant data is to be deleted, destroyed, and/or anonymized. The personal data shall be subject to retention, disposal or anonymization upon the demand of the data subject and/or GEM’s periodic control in which GEM realizes the reason to process the data is no longer available, pursuant to Article 7 of KVKK and other related legislation.
  • The personal data transmitted to us by mistake in any way or in cases where it is understood that the will of the data subject is not directed to give explicit consent, is immediately destroyed by GEM by methods in accordance with the Law.
  • GEM will not keep personal data for longer than necessary, in connection with the reason for the collection of the data, so as to allow identification of the data subject.
  • GEM can only store personal data longer than advised, in order to protect the rights and freedoms of the data subject in line with applying technical and organizational precautions only to serve public welfare, scientific or historic research or statistical research

13. Transfer of Personal Data

a. Local Transfers

Within the scope of general principles and data processing conditions specified in Articles 8 and 9 as set forth in the Law, GEM may transfer personal data to the parties categorized below provided that all necessary technical and administrative measures are taken, including the execution of a nondisclosure and data sharing agreement:

  • Authorized Public Institutions and Organizations: public bodies and institutions legally authorized to receive information and documents from GEM. Sharing of personal data is limited to the purpose of meeting the information requests by relevant public bodies and institutions
  • Partners: parties with which GEM develops a working partnership to carry out its working activities. Sharing of personal data is limited to fulfilling the purposes for the establishment of the partnership in question
  • Supplier / Service Provider / Consultant: software companies, intermediary service providers, insurance companies, tourism agencies, etc., that render their services as instructed by GEM in compliance with their contracts with GEM aimed at maintaining GEM’s activities. Transferring of personal data is limited to fulfilling the purpose of receiving services such as sending commercial electronic mails, processing, storing and protecting data, software and consultancy services that are provided from abroad by the supplier
  • Legally Authorized Private Body: private bodies legally authorized to receive information and documents from GEM

Beyond the cases mentioned above, personal data is not transferred to any third party without explicit consent, unless it is legally required due to KVKK, relevant legislation and cases where it is mandatory to be shared with the external parties due to administrative/juridical cases. However, as per Article 5 and Article 6 of KVKK, in case legal grounds are present and the transfer is legally required, consent / explicit consent will not be sought for third-party transfers.

GEM fulfills its obligation to inform the Data Subject regarding this transfer.

b. Transfers Abroad

GEM may transfer personal data being processed in Turkey or being processed and stored overseas, as mentioned above, including data being processed via external resource usage, to unrelated persons in Turkey or overseas, by obtaining the explicit consent of the data subject along with taking the appropriate and necessary security measures foreseen in KVKK and related legislation. For situations in which the explicit consent of the data subject is not sought, it is considered whether the country to which the data will be transferred has “adequate country” status and provides enough protection. If the Authority considers that the transferee country does not have adequate country status, the Authority’s approval should be obtained, and a data transfer protocol should be signed to guarantee enough protection.

14. Measures Regarding the Provision of Data Security

GEM takes technical and administrative measures to prevent data breaches to ensure the security of personal data, such as:

  • Network security and application security are provided.
  • Closed system network is used for personal data transfers via network.
  • Employees who have a change of position or leave their jobs have their authority in this area removed.
  • Current anti-virus systems are used.
  • Personal data security is monitored.
  • Necessary security measures are taken for entering and exiting physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Personal data is reduced as much as possible.
  • Encryption is done.

GEM prevents personal data from being processed by third parties illegally. In the event that personal data are accessed by third parties through illegal methods, GEM shall give the notification which is due under Article 12 of KVKK in line with the effective regulations. The data subject will be notified by the data controller and the KVK Board within the shortest time.

15. Update and Compliance

GEM reserves the right to amend the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy in accordance with the decisions of the Authority or due to changes in the Law or in line with the developments in the sector or in the field of informatics.

Changes to this Personal Data Retention and Disposal Policy are recorded immediately, and any changes are disclosed at the end of the policy.

16. Annexes

The following documents are attached to this policy and have to be considered part of it.

  • The request of the data subject on Personal data right
  • PERSONAL DATA STORAGE AND DISPOSAL POLICY

Law numbered 6698 published in the Official Gazette of Turkey numbered 29677 dated April 7th, 2016, both in Turkish and official English translation.