1. OBJECTIVE AND SCOPE
İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş (hereinafter referred to as “Data Officer”) pays utmost attention to the observance of legal regulations as a requisite of its ethical values supporting the commercial assets and success of the corporation, and facilitates any structuring necessary for compliance with personal data protection statutes.
Personal Data Storage and Destruction Policy sets forth principles and basis for storage and destruction of personal data processed by Data Officer within the company organization.
Provisions of this Policy shall apply when the reasons for processing the personal data legally processed by Data Officer no longer exist or when a request is made by the data owner for destruction of personal data.
2. BASIS
Personal Data Destruction Policy is issued pursuant to KVK Act and Regulation on Deletion, Destruction or Anonymization of Personal Data; and prepared in compliance with Personal Data Protection and Processing Policy as well as publications and guidelines published by Personal Data Protection Agency.
3. DATA OFFICER
Data Officer identifies purpose and means of personal data processing within its corporate structure, and is responsible for personal data processing activities; and is the data officer pursuant to KVK Act.
In accordance with this Policy, Data Security Board governs destruction processes of the personal data processed within the organization of Data Officer.
4. DEFINITIONS
Important terms contained in the Data Officer Personal Data Storage and Destruction Policy and the statutes are provided along with their definitions in the following table:
Personal Data | Any information pertaining to an identified or identifiable natural person |
Personal Privacy Data | Data relating to race, ethnic origin, political view, philosophical beliefs, religion, religious cult or other beliefs, clothing, memberships in associations, foundations or unions, health, sexual orientation, criminal sentence, security measures as well as biometric and genetic data |
Data Owner | Identified or identifiable person whose personal data is processed (Concerned person) |
Destruction of Personal Data | Deletion, destruction or anonymization of personal data |
Personal Data Processing | Any action performed on personal data such as obtaining, recording, storage, maintaining, altering, re-organization, disclosure, transfer, taking over, making it obtainable, classification or preventing their use |
Data Officer | Natural or legal person who determines purpose and means of personal data processing, and responsible for establishment and management of data recording system |
Periodic Destruction | Destruction procedure carried out on periodic intervals and ex officio by Data Officer at the end of personal data processing and storage term |
KVK Act (Act/Law) | Personal Data Protection Act No. 6698, dated 24 March 2016, publicized on the Official Gazette dated 7 April 2016, No. 29677 |
Data Security Board | The Board to ensure necessary coordination within the Company organization in order to facilitate, maintain and sustain compliance with personal data protection statutes by Data Officer |
KVK Agency (Agency) | Personal Data Protection Agency |
Data Breach | Under personal data protection law, illegal access to processed personal data by third parties |
5. PERSONAL DATA STORAGE
Personal data stored by Data Officer are maintained on a recording media suitable to the nature of such data as well as to our legal obligations. Data Officer shall take necessary administrative and technical measures in place for storage of personal data securely and prevention against illegal attempts. Personal Data Protection and Processing Policy shall apply to the matters relating to measures taken for data security and data storage purposes.
Generic media for personal data storage are listed below. However, certain data can be stored on media other than those listed below due to their diverse nature or Data Officer’s legal obligations.
Physical Media | Personal data stored on paper and similar physical methods |
Electronic Media | Personal data stored on servers and external hard disks that are located within Data Officer’s organization and can only be accessed by authorized Data Officer |
Cloud Media | Personal data stored on internet based systems, protected with encryption methods |
6. DESTRUCTION OF PERSONAL DATA
Destruction of personal data means the process of deleting, destroying or anonymizing personal data for which the reason to process no longer exists, or upon request of the data owner. If the personal data is maintained due to contractual, commercial, legal or administrative actions against possible claims of right, the data are stored for the prescribed time-out period.
Personal data processed by Data Officer shall be deleted, destroyed or anonymized ex officio per this Policy upon request of the concerned person or when the reasons for processing personal data listed in articles 5 and 6 of KVK Act and the Data Officer Personal Data Protection and Processing Policy no longer exist.
Data Security Board performs periodic destruction at 6-month intervals for all personal data being processed by Data Officer.
7. DELETION OF PERSONAL DATA
Deletion of personal data is the process of making personal data inaccessible and unusable for relevant users. Users other than the data officer cannot access deleted data.
In case of a conflict between the request and company policy, an application shall be filed to Personal Data Protection Agency in writing, and action shall be taken in accordance with the principle decision to resolve the conflict.
Relevant users shall be identified for each item of personal data using an access authorization and control matrix or a similar system, and their authorizations and methods such as access, retrieval and re-use shall be determined. The access, retrieval and re-use authorizations and methods of relevant users for the personal data shall then be closed and cancelled.
7.1 DELETION METHODS
7.1.1 BLACK-OUT
It is the method of making personal data stored on paper media invisible to users by cutting it out if possible or otherwise using ink.
7.1.2 SECURE DELETION FROM DIGITAL MEDIA
Personal data stored on central servers and cloud are securely deleted using deletion command provided in the operating system.
8. DESTRUCTION OF PERSONAL DATA
Destruction of personal data is the process of making personal data inaccessible, non-retrievable and non-reusable by anyone. Destruction of personal data means, unlike deletion, making such data inaccessible by anyone, including Data Officer.
8.1 DESTRUCTION METHODS
8.1.1 DE-MAGNETIZATION
Magnetic media is passed through a device capable of de-magnetizing to corrupt the data, making it non-readable. De-magnetizing device shall be supplied by Data Officer if needed.
8.1.2 PHYSICAL DESTRUCTION
Optical media or magnetic media is physically destroyed by melting, incineration or crushing.
8.1.3 OVER-WRITING
Random data consisting of 0s and 1s is written over magnetic media and re-writable optical media to prevent recovery of the actual data. Company shall procure software for that purpose if needed.
8.1.4 SECURE DESTRUCTION FROM DIGITAL MEDIA
Personal data stored on central servers are destroyed in a non-retrievable manner via destruction command on the operating system.
9. ANONYMIZATION OF PERSONAL DATA
Anonymization of personal data is the process of making personal data non-linkable to an identified or identifiable natural person even if combined with other data. Data Officer shall take all security measures for anonymization of personal data.
9.1 ANONYMIZATION METHODS
There are methods available for anonymization of personal data such as grouping, masking, derivation, generalization and randomization. When selecting an anonymization method, Data Officer considers the nature and size of personal data, presence structure and variety of personal data on physical media, benefit intended from personal data / purpose of processing, data processing frequency, reliability of 3rd persons to whom the data will be transferred, meaningfulness of the efforts required for anonymization, magnitude and impact area of the damage that may be incurred if data anonymization is lost, distributed/centralized data ratio, user access authorization control for the relevant data and potential attacks that may disrupt anonymization.
Storage reasons and terms for the personal data processed by Data Officer are given in the following table. Each data with expired storage term shall be destroyed in the first subsequent periodic destruction process. Such term may vary depending on fulfillment of legal and contractual obligations, and the data shall be destroyed in the first subsequent periodic destruction process after expiry of such obligation.
Data Category | Storage Term | Storage Reason |
Personnel Data | Document storage period is 10 years starting from the first day of subsequent year after creation of the document per Law No. 5510 | Employment contract and fulfillment of obligations arising from statutes for the employees |
Health Information | Personnel health files are maintained for 10 years pursuant to the provisions of Occupational Health and Safety | Fulfillment of occupational health and safety obligations |
Occupational Experience | CV information of candidate employees is maintained for 3 months. | Facilitation of employee candidate application process |
Identification and Contact Information | Contact information of customers and potential customers is maintained for 10 years. | Facilitation of communication |
Legal Actions | Maintained for 10 years following the date of action. | Responding to claims submitted by authorized jurisdiction / administrative organizations and bodies |
Customer Transaction | Maintained for 10 years per provisions of Turkish Obligations Law. | Execution of good / service purchase and sales processes, and ensuring customer satisfaction |
Finance and Accounting Data | Maintained for 10 years per provisions of Turkish Trade Act, Article 82. | Execution of finance and accounting processes |
Marketing Data | Maintained for 10 years after acquisition. | Execution of marketing operations and works |
Criminal Sentence and Security Measures | Maintained for 10 years per provisions of occupational health and safety. | Supervision of Occupational Health / Safety and Legal Affairs |
Physical Premise Security | Security camera records are maintained for 3 months. | Ensuring security of physical premises |
Transaction Security | Maintained for 10 years. | Execution of information security processes |
Other | Maintained for 10 years. | Continuity of company operations |
10. DESTRUCTION REQUESTS BY DATA OWNERS
In case Data Owner submits a request for destruction to Data Officer, Data Security Board shall be notified of it within 24 hours. Data Officer Data Owner Relations Guideline shall apply in the request response process.
In case a data owner application submitted to Data Officer contains findings of a data breach, Data Officer Data Breach Procedure shall apply. Data Security Board shall be informed of the potential breach immediately, and within 24 hours at the latest.
11. VIOLATION AND SANCTIONS
In case the policies and procedures for personal data issued by Data Officer are violated by employees, the employee’s defense shall be taken pursuant to the Employment Contract and Labor Law No. 4857 and appropriate disciplinary measures shall be taken. In case the act is also considered a criminal act under Turkish Criminal Code No. 5237 or other laws, relevant judicial authorities shall be notified.
12. REVISION
This Policy shall become effective upon its approval by Data Security Board. Data Security Board shall govern any changes to be made on this Policy except for abolition of this Policy, as well as how this policy will be put in effect.
Data Officer Personal Data Storage and Destruction Policy shall be reviewed on an annual basis under any circumstances, and if changes are necessary, it shall be submitted to Data Security Board for approval and updated. In case of a contradiction between this policy and the applicable statutes, KVK Act in particular, provisions of the statutes shall prevail.
Data Officer reserves the right to make changes to Data Officer Personal Data Storage and Destruction Policy in line with the legal arrangements by KVK Agency, the administrative authority.
Any revisions to this policy and the statutes shall be included in the policy accompanied with the date and topic, and shall become integral part of the policy after necessary announcements are made.