PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. INTRODUCTION
1.1. Purpose
This Personal Data Storage and Destruction Policy (“Policy”) is implemented by Fabre within the framework of the current legislation. It applies to the entirety of Elevator International Dış Ticaret A.Ş. (hereinafter referred to as the “Company”) and is based on nationally accepted basic principles regarding personal data destruction. It sets out the framework and principles for the destruction work required under the relevant legislation.
The third paragraph of Article 7 of the Law on the Protection of Personal Data (“Law”) states that “The procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by regulation.” Based on this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) was prepared by the Personal Data Protection Board (“Board”) and published in the Official Gazette dated October 28, 2017 and numbered 30224.
Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data processed by the Company in the execution of its activities, in accordance with the Regulation.
1.2. Scope
The personal data of employees working in the Company, job candidates, visitors, third parties we cooperate with and the employees of those third parties fall within the scope of this Policy. The Policy applies to all recording environments in which personal data is processed and to all activities related to the processing of personal data owned or managed by the Company.
1.3. Abbreviations and Definitions
| Concept | Definition |
|---|---|
| Recipient group | Category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent on a specific subject that is based on being informed and is expressed freely. |
| Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data. |
| Electronic Media | Environments where personal data can be created, read, changed and written using electronic devices. |
| Non-Electronic Media | All written, printed, visual etc. media other than electronic media. |
| Relevant Person | The natural person whose personal data is processed. |
| Relevant User | Persons who process personal data within the data controller's organization or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law | Personal Data Protection Law No. 6698. |
| Recording medium | Any environment where personal data is processed by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system. |
| Personal data | Any information relating to an identified or identifiable natural person. |
| Personal data owner | The natural person whose personal data is processed. |
| Processing of personal data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or by non-automatic means provided that it is part of a data recording system. |
| Personal data processing inventory | The inventory in which data controllers record the personal data processing activities they carry out in connection with their business processes, relating them to the purposes of processing, the data category, the recipient group to which the data is transferred and the data subject group, and detailing the maximum period required for the purposes for which the personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security. |
| The Board | Personal Data Protection Board. |
| Authority | Personal Data Protection Authority. |
| Special personal data | Data regarding race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic destruction | The deletion, destruction or anonymization process, specified in the personal data storage and destruction policy, that is carried out ex officio at recurring intervals once all of the personal data processing conditions set out in the Law have ceased to apply. |
| Policy | The policy on which data controllers base the process of determining the maximum period necessary for the purpose for which personal data is processed and the process of deleting, destroying and anonymizing personal data. |
| Registry | The data controllers' registry kept by the Personal Data Protection Authority. |
| Data processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Data recording system | A recording system in which personal data is structured and processed according to certain criteria. |
| Data controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette dated 28.10.2017 and numbered 30224. |
2. RESPONSIBILITIES AND DUTY DISTRIBUTIONS
All units and employees of the Company actively support the responsible units in taking the technical and administrative measures needed to ensure data security in every environment where personal data is processed. The aims of this support are to implement the measures taken by the responsible units within the scope of the Policy properly, to train unit employees and raise their awareness, to monitor and continuously audit them, to prevent unlawful processing of and unlawful access to personal data, and to ensure that personal data is stored in accordance with the law.
The distribution of titles, units and job descriptions of those involved in the storage and destruction of personal data is given below.
Table 1: Distribution of tasks in storage and destruction processes
| Title | Unit | Job Description |
|---|---|---|
| IT Officer | Information Processing | Ensuring that the processes within its scope of duty comply with the retention period, managing the periodic destruction process, and performing the audits and controls necessary to respond to the requests of Data Owners. |
| | Accounting | Ensuring that the processes within its scope of duty comply with the retention period, managing the periodic destruction process, and checking whether the obligations to keep books and documents arising from the TCC No. 6100 and Tax Legislation continue or have been eliminated. |
| Human Resources Manager | Human Resources | Ensuring compliance with the retention period of personnel's personal data, managing the periodic destruction process, and receiving and responding to personnel requests for clarification regarding their rights specified in the Law. |
3. RECORDING ENVIRONMENTS
Personal data is stored securely by the Authority in accordance with the law in the environments listed in Table 2.
Table 2: Personal data storage media
| Electronic Media | Non-Electronic Media |
|---|---|
| | |
| | |
4. EXPLANATIONS ON STORAGE AND DESTRUCTION
The personal data of natural persons, including employees, job candidates, interns, supplier representatives, supplier employees, product or service recipients, potential product or service recipients, shareholders/partners, visitors and other third parties, are stored and destroyed by the Company in accordance with the KVKK.
In this context, detailed explanations regarding storage and destruction are given below, respectively.
4.1. Explanations Regarding Storage
Article 3 of the Law sets out the definitions, and Article 4 states that the personal data processed must be related to the purpose for which they are processed, limited and proportionate, and must be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, while Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the framework of Company activities, personal data is stored for a period of time stipulated in the relevant legislation or in accordance with our processing purposes.
4.1.1 Legal Reasons Requiring Storage
The Company stores personal data processed within the scope of its activities for the period stipulated in the relevant legislation. In this context, personal data is stored for the periods required by:
- Tax Procedure Law No. 213
- Labor Law No. 4857
- Social Insurance and General Health Insurance Law No. 5510
- Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications
- Turkish Code of Obligations No. 6098
- Turkish Commercial Code No. 6102
- Occupational Health and Safety Law No. 6361
- Personal Data Protection Law No. 6698
and for the storage periods specified in other secondary legislation in force.
4.1.2. Processing Purposes Requiring Storage
The Company stores the personal data it processes within the scope of its activities for the following purposes:
- Execution of emergency management processes
- Execution of information security processes
- Conducting the application processes of working candidates
- Fulfillment of obligations arising from employment contracts and legislation for employees
- Conducting side rights and benefits processes for employees
- Auditing / Conducting ethical activities
- Conducting Training Activities
- Carrying out activities in accordance with legislation
- Carrying out financial and accounting activities
- Ensuring physical space security
- Conducting assignment processes
- Monitoring and execution of legal affairs
- Conducting Internal Audit/Investigation/Intelligence Activities
- Carrying out communication activities
- Carrying out human resources processes
- Conduct/supervision of Business Activities
- Carrying out occupational health/safety activities
- Carrying out logistics activities
- Carrying out goods/service production and operation processes
- Carrying out goods/service purchasing processes
- Carrying out goods/service sales processes
- Organization and Event Management
- Execution of Risk Management Processes
- Conducting contract processes
- Follow-up of requests and complaints
- Ensuring the security of movable goods and resources
- Providing information to authorized persons, institutions and organizations
4.2. Reasons Requiring Destruction
Personal data is subject to destruction in the following cases:
- The relevant legislative provisions that form the basis of processing are amended or repealed,
- The purpose requiring processing or storage is eliminated,
- Where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her explicit consent,
- The application made by the relevant person for the deletion or destruction of his/her personal data within the framework of his/her rights under Article 11 of the KVKK is accepted,
- Where the Company rejects an application made by the relevant person for the deletion or destruction of his/her personal data, the relevant person finds the response insufficient, or the Company does not respond within the period stipulated in the KVKK, the relevant person files a complaint with the Board and the Board deems the request appropriate, and
- The maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing the personal data for a longer period.
In such cases, the personal data is deleted, destroyed or anonymized by the Company upon the request of the person concerned.
5. TECHNICAL AND ADMINISTRATIVE MEASURES
In order to securely store personal data, prevent unlawful processing and access, and lawfully destroy personal data, technical and administrative measures are taken by the Company within the framework of the adequate measures determined and announced by the Board for special personal data in accordance with Article 12 and Article 6, paragraph 4 of the KVKK.
5.1. Technical Measures
The measures taken by the Company regarding the personal data it processes are listed below:
- Network security and application security are provided.
- A closed system network is used for personal data transfer via network.
- Security measures are taken within the scope of information technology systems procurement, development and maintenance.
- The security of personal data stored in the cloud is ensured.
- An authority matrix has been created for employees.
- Access logs are kept regularly.
- Data masking measures are applied when necessary.
- The access authorizations of employees whose duties change or who leave the Company are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- User account management and authorization control systems are implemented and monitored.
- Log records are kept without user intervention.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is applied.
- Data loss prevention software is used.
5.2. Administrative Measures
The measures taken by the Company regarding the personal data it processes are listed below:
- Institutional policies on access, information security, use, storage and destruction have been prepared and implemented.
- There are disciplinary regulations in place for employees that include data security provisions.
- Confidentiality commitments are made.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodic and/or random audits are carried out within the institution.
- Current risks and threats have been identified.
6. PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the storage period stipulated in the relevant legislation or required for the purpose for which they are processed, personal data are destroyed by the Company, either ex officio or upon the application of the relevant person, using the techniques specified below and in accordance with the relevant legislation.
6.1. Deletion of Personal Data
Personal data is deleted using the methods given in Table 3.
Table 3: Deletion of personal data
| Recording Medium | Explanation |
|---|---|
| Personal data in physical environment | Personal data in physical media is deleted by using the blackout method or by storing the document in a secure environment where it cannot be accessed by the relevant users in any way. |
| Personal data located on servers | For personal data on servers whose storage period has expired, the system administrator deletes the data by revoking the access rights of the relevant users. |
| Personal data contained in databases | The relevant user is prevented from accessing personal data in the database by assigning roles and permissions. |
| Personal data located on central servers | The access rights of the relevant user on the directory where the file containing personal data is located are removed. |
| Personal data on portable devices (such as USB, hard disk, CD, DVD) | The relevant user's access to the file is blocked. |
6.2. Destruction of Personal Data
As a company, the methods we use to ensure that personal data is destroyed in accordance with the law are as follows:
Table 4: Destruction of Personal Data
| Recording Medium | Explanation |
|---|---|
| Personal data in physical environment | Personal data on paper whose storage period has expired are irreversibly destroyed in paper shredders. |
| Personal data located in peripheral (network devices, flash-based media, optical systems, etc.) and local systems | Devices containing personal data are destroyed by physical processes such as burning, breaking into small pieces or melting. In addition, the personal data on the device is destroyed by demagnetization, making it unreadable. Destruction is also carried out by overwriting the existing data with random data using special software, so that the old data cannot be recovered. |
6.3. Anonymization of Personal Data
Anonymization of personal data means making personal data in such a way that it cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data.
In order for personal data to be considered anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the data by the data controller or third parties and/or matching of the data with other data.
7. STORAGE AND DESTRUCTION PERIODS
Regarding the personal data processed by the Company within the scope of its activities;
- The retention periods for all personal data within the scope of activities carried out in accordance with the processes are listed in the Personal Data Processing Inventory;
- Retention periods based on data categories are determined during registration with VERBIS;
- Process-based retention periods are included in this Personal Data Storage and Destruction Policy.
The destruction process of personal data is carried out by the Company in accordance with the retention periods determined by the relevant legislation in accordance with each relationship. Personal data whose retention periods have expired are deleted, destroyed or anonymized within the periodic destruction periods determined by the Company.
Table 5: Table of Storage and Destruction Periods Based on Process
| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Execution of human resources employee processes | 15 years from the date of termination of employment | During the first 6 months of periodic destruction following the end of the storage period. |
| Conducting processes regarding employee candidates | 1 year from the date of application | During the first periodic destruction period following the end of the storage period |
| Conducting contractual relations | 10 years following termination of the contract | During the first periodic destruction period following the end of the storage period |
| Camera Records | 15 days after registration | During the first periodic destruction period following the end of the storage period |
| Accounting and Finance Processes | 10 years after registration | During the first periodic destruction period following the end of the storage period |
The ex officio deletion, destruction or anonymization of personal data whose storage periods have expired is carried out by the departments listed under the heading “2. RESPONSIBILITIES AND DUTY DISTRIBUTIONS”.
8. PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation, the periodic destruction period has been determined by the Company as 6 months. Accordingly, the Company carries out periodic destruction in June and December each year.
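To show how the process-based retention periods of Table 5 combine with the six-month periodic destruction cycle above, here is an added example in Python. It is not part of the Policy and not the Company's own tooling. It assumes that each periodic destruction window is represented by the first day of June or December (the Policy names the months but not the day), that "first periodic destruction period following the end of the storage period" means the first such window falling on or after the last day of storage, and that the record ids, category keys and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Retention rules transcribed from Table 5 of the Policy. The "trigger" field names
# the event each period runs from (termination, application, registration).
@dataclass(frozen=True)
class RetentionRule:
    process: str
    trigger: str
    years: int = 0
    days: int = 0


# Category keys are constructed for this example; the processes and periods are Table 5's.
RETENTION_RULES = {
    "hr_employee": RetentionRule("Execution of human resources employee processes",
                                 "termination of employment", years=15),
    "employee_candidate": RetentionRule("Conducting processes regarding employee candidates",
                                        "date of application", years=1),
    "contract": RetentionRule("Conducting contractual relations",
                              "termination of the contract", years=10),
    "camera": RetentionRule("Camera Records", "registration", days=15),
    "accounting": RetentionRule("Accounting and Finance Processes", "registration", years=10),
}

# Section 8: periodic destruction is carried out in June and December.
PERIODIC_DESTRUCTION_MONTHS = (6, 12)


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def storage_end(category: str, trigger_date: date) -> date:
    """Last day of the storage period for a record of the given category."""
    rule = RETENTION_RULES[category]
    if rule.years:
        return add_years(trigger_date, rule.years)
    return trigger_date + timedelta(days=rule.days)


def next_destruction_window(storage_end_date: date) -> date:
    """First periodic destruction window (June or December) on or after the end of storage.

    Assumption: a window is represented by the first day of its month.
    """
    for year in (storage_end_date.year, storage_end_date.year + 1):
        for month in PERIODIC_DESTRUCTION_MONTHS:
            window = date(year, month, 1)
            if window >= storage_end_date:
                return window
    raise RuntimeError("unreachable: December of the following year always qualifies")


def destruction_schedule(category: str, trigger_date: date) -> tuple:
    """(end of storage period, periodic destruction window) for one record."""
    end = storage_end(category, trigger_date)
    return end, next_destruction_window(end)


def due_for_destruction(records, run_date: date) -> list:
    """Ids of records whose destruction window has opened by run_date: the work list
    for an ex officio periodic destruction run performed on that date."""
    due = []
    for record_id, category, trigger_date in records:
        _, window = destruction_schedule(category, trigger_date)
        if window <= run_date:
            due.append(record_id)
    return due


# Constructed sample inventory: (record id, Table 5 category, trigger date).
SAMPLE_INVENTORY = [
    ("HR-0001", "hr_employee", date(2009, 3, 31)),          # storage ends 2024-03-31 -> June 2024 window
    ("CAND-0042", "employee_candidate", date(2024, 9, 5)),  # storage ends 2025-09-05 -> December 2025
    ("CAM-1130", "camera", date(2025, 11, 30)),             # storage ends 2025-12-15 -> June 2026
    ("CTR-0007", "contract", date(2015, 6, 1)),             # storage ends 2025-06-01 -> June 2025
    ("ACC-2014", "accounting", date(2014, 12, 31)),         # storage ends 2024-12-31 -> June 2025
]

if __name__ == "__main__":
    for rid, cat, trig in SAMPLE_INVENTORY:
        end, window = destruction_schedule(cat, trig)
        print(f"{rid:10} storage ends {end}  destroy in {window:%B %Y}  ({RETENTION_RULES[cat].process})")
    print("Due in the December 2025 run:", due_for_destruction(SAMPLE_INVENTORY, date(2025, 12, 1)))
```

The calculation makes the edge cases visible: a camera recording made on 30 November expires on 15 December, after the December window has opened, so it waits for June; a contract that ends on 1 June 2015 expires on exactly the first day of the June 2025 window and is destroyed in that run. Running the script with the Personal Data Processing Inventory in place of the constructed list gives the IT Officer the work list for each June and December run.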
9. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media: wet-signed (printed paper) and electronically, and is made public on the website. The printed copy is also kept in the Human Resources Department file.
10. POLICY UPDATE PERIOD
The policy is updated when needed and when there are changing processes.
11. ENFORCEMENT AND REPEAL OF THE POLICY
This Policy is deemed to have come into force after it is published on the Company’s website.
In case of a decision to repeal, the old signed copies of the Policy shall be cancelled (by stamping or writing cancellation) with the company stamp and signature of a company official and kept by the Human Resources Department for at least 5 years.