Personal data Storage and disposal policy

1. Definitions

Direct Identifiers: By themselves, identifiers that directly reveal, disclose and distinguish the person they are in contact with,

Indirect Identifiers: Descriptors that come together with other descriptors to reveal, disclose and distinguish the person they are associated with,

Related Contact: The real person whose personal data is processed,

Disposal: Delete, destroy or anonymize personal data,

Law: Law No. 6698 on the Protection of Personal Data published in the Official News dated 07.04.2016 and numbered 29677,

Regulation: The Regulation on the Deletion, Destruction or Anonymous Making of Personal Data published in the Official News dated 28.10.2017 and numbered 30224

Board: Personal Data Protection Board,

Recording media: Any media containing personal data that is fully or partially automated or processed by non-automated means provided that it is part of any data recording system,

Processing and Protection of Personal Data Policy: The policy that determines the procedures and principles related to the management of personal data available in NAME-OF-ORGANIZATION,

Data recording system: Data recording system in which personal data is structured and processed according to certain criteria.

2. Qualification and Purpose of Disposal Policy

This Personal Data Storage and Disposal Policy has been prepared in order to determine the procedures and principles to be applied by NAME-OF-ORGANIZATION regarding the deletion, destruction or rendering of personal data in accordance with the Personal Data Protection Law no 6698.

The personal data of our employees, employee candidates, beneficiaries and all real persons who have personal data with NAME-OF-ORGANIZATION for any reason are managed in accordance with the laws in accordance with this Personal Data Storage and Disposal Policy.

3. Environments and Safety Precautions

Personal data stored in NAME-OF-ORGANIZATION shall be kept in a recording environment in accordance with the nature of the relevant data and our legal obligations.

The recording media used to store personal data are generally as follows. However, some data may be kept in a different environment than the environments shown here, either because of their particular qualifications or our legal obligations. NAME-OF-ORGANIZATION acts in any case as a data officer and processes and protects personal data in accordance with the Law and this Personal Data Retention and Disposal Policy.

1. Preprinted media: Media where data is printed and kept on paper or microfilm.
2. Local digital media: Other digital media such as servers, fixed or removable disks, optical disks, etc.
3. Cloud media: Although not included in NAME-OF-ORGANIZATION, they are the medias in which NAME-OF-ORGANIZATION are used and internet-based systems encrypted by cryptographic methods are used.

3.1 Environmental Security

NAME-OF-ORGANIZATION takes all necessary technical and administrative measures in accordance with the characteristics of the environment in which it is kept and to protect the personal data in a safe manner and to prevent unlawful processing and access.

These measures include, but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data and the environment in which they are held.

1. Technical Precautions

NAME-OF-ORGANIZATION takes the following technical measures in accordance with the relevant data of all environments where personal data is stored and the characteristics of the environment in which the data is kept:

• Personal data are only used in environments where kept up to date and secure systems, in line with technological developments.
• Security systems are used in environments where personal data is kept.
• Security tests and investigations are carried out in order to detect security weaknesses on information systems, and existing or potential risks identified as a result of the tests and researches are eliminated.
• Access to data in environments where personal data is held is restricted, and only authorized persons are allowed access to this data for the purpose of storing personal data, and all access is recorded.
• NAME-OF-ORGANIZATION has sufficient technical personnel to ensure the security of the environment in which personal data is kept.

1. Administrative Precautions

NAME-OF-ORGANIZATION takes the following administrative measures in accordance with the relevant data of all environments in which personal data is stored and the characteristics of the environment in which the data is kept:

• Efforts are being made to raise awareness and raise awareness of all NAME-OF-ORGANIZATION employees who have access to personal data on information security, personal data and privacy.
• Legal and technical consultancy services are taken to follow the developments in the area of information security, privacy and protection of personal data and to take necessary actions.
• In the event that personal data are transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.

1. Company Internal Audit

NAME-OF-ORGANIZATION conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Retention and Disposal Policy in accordance with Article 12 of the Law.

As a result of this lack of control within the company or flaws or defects in case of detection of defects relating to the implementation of these provisions is resolved immediately.

In the event that it is understood that the personal data which is under the responsibility of NAME-OF-ORGANIZATION during the audit or in any other way is obtained by the unlawful means, NAME-OF-ORGANIZATION shall inform the relevant person and the Board as soon as possible.

4. Reasons for Disposal

Personal data contained in NAME-OF-ORGANIZATION shall be erased, destroyed or anonymized in accordance with this destruction policy upon the request of the person concerned or in case of the disappearance of the reasons mentioned in articles 5 and 6 of the Law.

The reasons listed in Articles 5 and 6 of the Law consist of the following:

• Clearly foreseen in the law.
• Obligation to protect the life or body integrity of the person or someone else who is unable to disclose his or her consent due to impossibility or whose consent is not granted legal validity.
• The processing of personal data of the parties to the contract is required, provided that it is directly related to the establishment or performance of a contract.
• Obligation for the data officer to fulfill his legal obligation.
• Publication by the person concerned.
• Data processing is mandatory for the establishment, use or protection of a right.
• Providing data is compulsory for the legitimate interests of the data officer, provided that they do not harm the fundamental rights and freedoms of the person concerned.

5. Disposal Methods

NAME-OF-ORGANIZATION deletes the personal data stored in accordance with the Law and other legislation and the Processing and Protection of Personal Data Policy at the request of the person concerned or within the periods specified in this Personal Data Storage and Destruction Policy in case the reasons requiring the processing of the data disappear. anonymous.

The most common deletion, destruction and anonymization techniques used by NAME-OF-ORGANIZATION are listed below:

5.1 Deletion Methods

1. Deletion Methods for Personal Data Stored in Printed Media

Dimming: Personal data on the printed media is deleted using the dimming method. The dimming process is done by cutting personal data on the relevant documents where possible and making them invisible using stationary ink which is irreversible and impossible to read with technological solutions.

1. Deletion Methods for Personal Data Stored in the Cloud and Local Digital Environment

Secure deletion from the software: Personal data stored in the cloud or in local digital media is deleted with a digital command so that it can no longer be recovered. The deleted data cannot be accessed again.

5.2 Destruction Methods

1. Destruction Methods for Personal Data Stored in Printed Media

Physical destruction: Documents kept in printed media are destroyed in such a way that they cannot be reassembled with the document disposal machines.

1. Destruction Methods for Personal Data Stored in Local Digital Media

Physical destruction: The process of physically destroying optical and magnetic media that contain personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, powdering or passing the optical or magnetic media through a metal grinder.

De-magnetization (degauss): It is the process of exposing magnetic media to high magnetic field and unreadable data on it.

Overwriting: Magnetic data and rewritable optical media are overwritten by random data of 0 and 1 at least seven times to prevent reading and recovery of old data.

1. Destruction Methods for Personal Data Stored in the Cloud

Secure deletion from the software: Personal data held in the cloud can be unrecoverable by digital command and all copies of the encryption keys required to make personal data available when the cloud service relationship is terminated are destroyed. The deleted data cannot be accessed again.

5.3 Anonymization Methods

Anonymisation means that personal data cannot be associated with a certain or identifiable real person, even by pairing it with other data.

Subtracting variables: Subtracting one or more of the direct descriptors contained in the personal data of the person concerned and which will be used to identify the person in any way.

This method can be used to anonymize personal data, or it can be used to erase personal information if it contains information that is not intended for data processing purposes.

Regional cloaking: The process of deleting potentially discriminatory information about the exception in the data table where personal data is collectively anonymous.

Generalization: It is the process of bringing personal data belonging to many people together and removing the discriminating information into statistical data.

Upper and lower limit coding / Global coding: For a given variable, the ranges of that variable are defined and classified. If the variable does not contain a numeric value, then the close data within the variable is classified.

Micro Association: With this method, all records in the data set are first ordered in a meaningful order and then the whole set is subdivided into a certain number of subsets. Then, the value of each subset of that variable is replaced with the average value by taking the average of the value of the specified variable. In this way, the indirect identifiers in the data will be corrupted, making it difficult to relate the data to the person concerned.

Data hash and distortion: Direct or indirect identifiers in personal data are mixed or corrupted with other values to break the relationship with the person concerned and lose their descriptive qualities.

NAME-OF-ORGANIZATION uses one or more of these anonymization methods to anonymize personal data, depending on the nature of the data concerned. NAME-OF-ORGANIZATION can use a variety of statistical methods when using these anonymization methods.

6. Storage and Disposal Times

DATA OWNER	DATA CATEGORY	DATA STORAGE TIME *
Employee	Recruitment documents and Social Security Institution; personal data for service period and fee notifications	5 years
Partner / Solution Partner / Consultant	Identity, contact information, financial information, partner / solution partner / consultant employee data regarding the execution of the business relationship between Partner / Solution Partner / Consultant and NAME-OF-ORGANIZATION	5 years
Website Visitor	Navigation movements of Website Visitor	2 years
Employee Candidate	Resume and information on job application form	2 years
Intern and volunteers	Information in the internship file of the trainee	5 years
Beneficiary	Beneficiary’s name, surname, identity number, contact information, Camera footage, license plate information	5 years
Potential Beneficiary	Identity, contact information	5 years

*A longer period in accordance with the legislation; for a longer period of time, the periods in the provisions of the legislation shall be considered as the maximum retention period.

NAME-OF-ORGANIZATION deletes personal data in the first periodic destruction process following the date when the obligation to delete, destroy or anonymize the personal data that it is responsible in accordance with the Law, applicable legislation, the Processing and Protection of Personal Data Policy and this Personal Data Storage and Destruction Policy or anonymously.

When the person concerned applies to NAME-OF-ORGANIZATION in accordance with Article 13 of the Law, he requests that his personal data be deleted or destroyed;

If all the conditions for processing personal data have been removed; NAME-OF-ORGANIZATION deletes, destroys or anonymizes the personal data subject to the request by appropriate disposal method by explaining the reason within 30 (thirty) days after receiving the request. In order for NAME-OF-ORGANIZATION to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, NAME-OF-ORGANIZATION informs the relevant person about the operation.

If all conditions relating to the processing of personal data have not been abolished, this request may be rejected by NAME-OF-ORGANIZATION in accordance with the third paragraph of Article 13 of the Law and the rejection response shall be notified in writing or electronically within thirty days.

6.1 Periodic Disposal

In the event that all the conditions for processing personal data in the law are eliminated; NAME-OF-ORGANIZATION deletes, destroys or anonymises personal data whose processing conditions have been abolished by a transaction that will be carried out at regular intervals at repetitive intervals specified in this Personal Data Storage and Destruction Policy.

Periodic destruction repeats every 6 (six) months.

7. Auditing Legal Compliance Of Disposal Process

 

7.1 Technical Precautions

NAME-OF-ORGANIZATION shall provide technical means and equipment suitable for each disposal method included in this policy.

NAME-OF-ORGANIZATION ensures the safety of the place of destruction.

NAME-OF-ORGANIZATION maintains access records of the persons involved in the destruction.

NAME-OF-ORGANIZATION employs competent and experienced personnel to carry out the destruction process or receives services from competent third parties when necessary.

7.2 Administrative Precautions

NAME-OF-ORGANIZATION works to raise awareness and raise awareness of its employees on information security, personal data and privacy issues.

NAME-OF-ORGANIZATION obtains legal and technical consultancy services in order to follow the developments in the field of information security, privacy, protection of personal data and safe destruction techniques.

NAME-OF-ORGANIZATION signs protocols for the protection of personal data with the relevant third parties in cases where it is made to be destroyed by third parties due to technical or legal requirements and takes all necessary care to ensure that third parties comply with their obligations in these protocols.

NAME-OF-ORGANIZATION regularly checks whether the destruction is carried out in accordance with the law and the conditions and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.

NAME-OF-ORGANIZATION records all transactions related to the deletion, destruction and anonymization of personal data and keeps such records for at least three years, excluding other legal obligations.

7.3 PERSONAL DATA COMMITTEE

The Personal Data Committee is authorized and responsible for carrying out and supervising the processes required for the storage and processing of the data of the persons concerned in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy.

The Personal Data Committee consists of three persons: a manager, an administrative expert and a technical expert. The titles and job descriptions of NAME-OF-ORGANIZATION employees working in the Personal Data Committee are as follows:

Title	Job Description
Personal Data Comitee Manager	To direct all kinds of planning, analysis, research and risk determination activities in the projects carried out in compliance with the law; The Law is responsible for managing the processes to be carried out in accordance with the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy and deciding the requests made by the persons concerned.
KVK Specialist (Technical and Administrative)	Reviewing requests of related persons and reporting them to the Personal Data Committee Manager for evaluation; The execution of the transactions related to the requests of the person evaluated and resolved by the Personal Data Committee Manager in accordance with the decision of the Personal Data Committee Manager; auditing the storage and disposal processes and reporting these audits to the Personal Data Committee Manager; responsible for the execution of storage and disposal processes.

8. Update and Compliance

NAME-OF-ORGANIZATION reserves the right to amend the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy in accordance with the decisions of the Authority or due to changes in the Law or in line with the developments in the sector or in the field of informatics.

Changes to this Personal Data Retention and Disposal Policy are immediately transcribed and the disclosure of any changes is disclosed at the end of the policy.