1. Purpose
Purpose of the Workplace Personal Data Retention and Destruction Policy, Principles of deletion, destruction or anonymization of personal data belonging to third parties related to the suppliers, visitors, employees, employee candidates, customer employees, employees of other collaborating institutions, and the principles of data destruction standards. The procedures and procedures specified by the relevant legislation, in particular the Article 20 of the Constitution, the Law on the Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224 and dated 28.10.2017, and the secondary regulations of this Law. determined on the basis of principles.
2. Scope
The provisions and principles in this policy cover the principles of deletion, destruction or anonymization of all kinds of information and documents in physical and digital media that can be associated with an identified or identifiable natural person, and data destruction standards.
3. Recording Media
Personal Data in the workplace are recorded in physical documents, digital documents and database environments.
4. Destruction of Personal Data
Destruction of Personal Data can be achieved in three different ways as deletion, destruction or anonymization of data. The purpose of the destruction process is that it is not possible to reach the real person or confidential information with the remaining data. The Workplace takes all necessary technical and administrative measures regarding the Legal Deletion, Destruction and Anonymization of Personal Data.
4.1. Deletion of Personal Data
Deletion of Personal Data processed completely or partially by automatic means, taking into account information security standards; It is the process of making the said Personal Data inaccessible and unusable in any way by the relevant users.
4.2. Destruction of Personal Data
Electronic or physical data is destroyed at the end of the storage period or at the request of the person concerned, in a way that cannot be reassembled.
4.3. Anonymization of Personal Data
Anonymization is the process of making Personal Data impossible to be associated with an identified or identifiable natural person, even if it is matched with other data, in cases where the Workplace processes Personal Data completely or automatically.
The workplace may process personal data by anonymizing within the scope of this Policy.
5. HARMONY
5.1. Maximum Retention Periods and Personal Data Retention Period Table
In the Personal Data Inventory table, the workplace has related and detailed the categories of personal data it processes and how long the data categories should be kept in line with legal requirements and business purposes. The Workplace undertakes to keep this table up-to-date and to process the data in accordance with the specified personal data retention periods, in accordance with the principles in the Policy.
While determining the maximum periods required for the purpose of processing the personal data in the Personal Data Inventory table, the workplace determines the Regulation on the Data Controllers Registry and the Regulation on the Deletion, Destruction and Anonymization of Personal Data, taking into account the procedures and principles of the relevant regulations.
- How long is generally customary required in all industries in which the Merchant operates and is involved, for the purpose of processing in relation to the relevant data category,
- How long the legal relationship established with the data subject that requires the processing of personal data in the relevant data category will continue,
- Depending on the purpose of processing the relevant data category, how long the legitimate interest to be obtained by the Workplace will be valid in accordance with the law and honesty rules,
- How long will the risks, costs and responsibilities arising from the storage of the relevant data category continue legally, depending on the purpose of processing,
- Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up-to-date,
- How long the data containing personal data in the relevant data category has to be kept as required by the legal obligation of the workplace,
- How long is the statute of limitations for asserting a right related to personal data in the relevant personal data category of the workplace,
While determining and applying the maximum periods required for the purpose for which personal data are processed, the workplace monitors the compatibility of the said periods with the information in the Personal Data Processing Inventory and whether the maximum periods are exceeded. In the event that the following situations exist or upon learning by the Workplace, it is accepted that the conditions for processing personal data are eliminated regardless of the maximum periods; Personal data in question are deleted, destroyed or anonymized upon the application of the person concerned or by the Workplace:
- Changing or repealing the provisions of the relevant legislation, which is the basis for processing personal data,
- The fact that the contract between the parties has never been established, the contract is not valid, the contract is automatically terminated, the contract is terminated or the contract is withdrawn,
- The disappearance of the purpose that requires the processing of personal data,
- Processing personal data is against the law or honesty,
- In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his consent,
- The application made by the data subject regarding the processing of personal data within the framework of the rights in subparagraphs (e) and (f) of Article 11 of the Law is accepted by the data controller,
- In cases where the workplace rejects the application made by the person concerned for the deletion or destruction of his personal data, his response is found to be insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
- Although the maximum period for keeping personal data has passed, there are no conditions to justify keeping personal data for a longer period of time,
- Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law.
5.2. Information Security and Measures Taken for Safe Storage and Disposal of Personal Data
While the workplace is obliged to take technical and administrative measures for the safe storage of information security data and personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law, it is obliged to destroy it when necessary, to announce it to the relevant persons and ensure its implementation.
The administrative and technical measures taken are indicated in the Data Inventory table. The measures are also published on the VERBIS Registry inquiry address.
5.3. Periodic Destruction
In parallel with the Personal Data Processing Inventory, the Workplace undertakes to periodically check the personal data it keeps in its digital and physical environments every six (6) months and to delete, destroy or anonymize the said data ex officio at repetitive intervals when the purpose for which they are processed ends.
6. Personal Data Disposal Organization (Titles, Units and Job Descriptions)
The management of Personal Data destruction processes is under the control of the Workplace Manager.
7. Table Showing Storage and Disposal Times
The retention periods are determined in the Personal Data inventory table and recorded in VERBIS.
Click to Download Personal Data and Information Security Incident Violation Notification Form