Personal Data Storage and Destruction Policy

1. INTRODUCTION

1.1. Objective
This Personal Data Storage and Destruction Policy (Policy) has been prepared to set out the procedures and principles governing the storage and destruction of personal data carried out by HEMMER MERMER LIMITED COMPANY (Company).
In line with the procedures and principles set out in the Personal Data Protection Law (KVKK) and the relevant legislation, and with its own mission, vision and basic principles, the Company has adopted as a priority the processing of the personal data of company employees, employee candidates, service providers, visitors, product or service recipients, potential product or service recipients, supplier employees, supplier officials and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, KVKK No. 6698 and other relevant legislation, and ensuring that the relevant persons can exercise their rights effectively.
Storage and destruction of personal data are carried out in accordance with this Policy, which the Company has prepared for that purpose.
1.2. Scope
Personal data belonging to company employees, employee candidates, service providers, visitors, product or service recipients, potential product or service recipients, supplier employees, supplier officials and other third parties are within the scope of this Policy. The Policy applies in all recording media where personal data owned or managed by the Company are processed, and to all personal data processing activities.
1.3. Abbreviations and Definitions
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee: Company personnel
Electronic Media: Media in which personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual, etc. media other than electronic media.
Service Provider: A natural or legal person who provides services under a specific contract with the Personal Data Protection Authority.
Relevant Person: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any medium in which personal data are processed, either wholly or partly by automated means, or by non-automated means provided that the processing is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing personal data, data category, transferred recipient group and data subject group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by wholly or partly automated means, or by non-automated means provided that the processing is part of a data recording system.
Board: Personal Data Protection Board
Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the Law are eliminated.
Policy: Personal Data Retention and Destruction Policy
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Recording System: The recording system in which personal data are structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data Controllers Registry Information System: The information system created and managed by the Presidency, accessible via the internet, which data controllers will use in the application to the Registry and other related transactions regarding the Registry.

VERBIS: Data Controllers Registry Information System

Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Company actively support the responsible units in taking technical and administrative measures to ensure data security in every environment where personal data is processed, so as to prevent unlawful processing of and unlawful access to personal data and to ensure that personal data is stored lawfully. They do so by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, by training and raising the awareness of unit employees, and through monitoring and continuous supervision.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction of personal data is given in Table 1.

TITLE | UNIT | TASK
Company Manager / Chairman of the Board of Directors | Company | Responsible for ensuring that employees act in accordance with the Policy.
Human Resources Manager | Human Resources | Responsible for the preparation, development, execution, publication and updating of the Policy in the relevant media, and for providing the technical solutions needed to implement the Policy.

Table 1: Task distribution for retention and destruction processes

3. RECORDING MEDIA

Personal data is securely stored by the Company in accordance with the law in the environments listed below.

Electronic Media:

a) Servers (domain, backup, e-mail, database, web, file sharing, etc.)
b) Software (office software, portal, VERBIS)
c) Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
d) Personal computers (desktop, laptop)
e) Mobile devices (phone, tablet, etc.)
f) Optical disks (CD, DVD, etc.)
g) Removable memories (USB, memory card, etc.)
h) Printer, scanner, photocopier

Non-Electronic Media:

a) Paper
b) Manual data recording systems (survey forms, visitor logbook)
c) Written, printed, visual media

4. EXPLANATIONS ON STORAGE AND DISPOSAL

Personal data belonging to company employees, employee candidates, service providers, visitors, product or service recipients, potential product or service recipients, supplier employees, supplier officials and other third parties are stored and destroyed by the Company in accordance with the Law.

In this context, detailed explanations regarding storage and destruction are given below in turn.

4.1. Explanations on Storage

Article 3 of the Law defines the concept of processing personal data; Article 4 requires that personal data be processed in a manner relevant, limited and proportionate to the purpose for which they are processed, and be kept only for the period stipulated in the relevant legislation or required for that purpose; and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the framework of the Company's activities, personal data are stored for the period stipulated in the relevant legislation or required by our processing purposes.

4.1.1. Legal Grounds Requiring Retention

Personal data processed within the framework of the Company's activities are retained for the period stipulated in the relevant legislation. In this context, personal data are retained pursuant to:

a) Law No. 6698 on the Protection of Personal Data,
b) Turkish Code of Obligations No. 6098,
c) Social Security and General Health Insurance Law No. 5510,
d) Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
e) Occupational Health and Safety Law No. 6331,
f) Labor Law No. 4857,
g) Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
h) Turkish Commercial Code No. 6102,
i) Retention periods stipulated in other secondary regulations in force pursuant to these laws.


4.1.2. Processing Purposes Requiring Retention

The Company stores personal data processed within the framework of its activities for the following purposes:

- To carry out human resources processes,
- To ensure the commercial operation of the Company,
- To ensure corporate communication,
- To ensure company security,
- To carry out statistical studies,
- To perform the works and transactions arising from signed contracts and protocols,
- To fulfil the legal obligations required or mandated by legal regulations,
- To liaise with natural and legal persons who have a business relationship with the Company,
- To meet the obligation of proof in legal disputes that may arise in the future.


4.2. Reasons Requiring Destruction

Personal data are deleted, destroyed or anonymized by the Company, ex officio or upon the request of the relevant person, in the following cases:

- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for processing,
- Disappearance of the purpose requiring processing or storage,
- Withdrawal of explicit consent by the data subject, where the processing of personal data takes place solely on the basis of explicit consent,
- Acceptance by the Personal Data Protection Board, pursuant to Article 11 of the Law, of an application made by the data subject for the deletion or destruction of his/her personal data within the framework of his/her rights, or a judicial decision to that effect,
- Where the Company rejects the data subject's application for the deletion, destruction or anonymization of his/her personal data, the data subject finds the answer insufficient, or the Company does not respond within the period stipulated in the Law, and the data subject's subsequent complaint to the Personal Data Protection Board is approved by the Board,
- Expiry of the maximum period required for the storage of personal data, where no condition justifies storing the personal data for a longer period.


5. TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with Article 12 of the Law and, for special categories of personal data, the adequate measures determined and announced by the Personal Data Protection Board pursuant to Article 6, paragraph four of the Law, the Company takes the technical and administrative measures described below for the secure storage of personal data, the prevention of unlawful processing of and access to personal data, and the lawful destruction of personal data.

5.1. Technical Measures

The technical measures taken by the Company regarding the personal data it processes are listed below:

- Through penetration tests, risks, threats and vulnerabilities, if any, in the Company's information systems are revealed and the necessary measures are taken.
- Risks and threats that would affect the continuity of information systems are continuously monitored through real-time analysis as part of information security incident management.
- Access to information systems and authorization of users are managed through an access and authorization matrix and security policies applied via the corporate Active Directory.
- Necessary measures are taken for the physical security of the Company's information systems equipment, software and data.
- To secure information systems against environmental threats, hardware measures (an access control system that admits only authorized personnel to the system room, a 24/7 monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) are taken.
- Risks of unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out on the measures taken.
- Access procedures are established within the Company, and reporting and analysis studies are carried out regarding access to personal data.
- Access to storage areas containing personal data is logged, and inappropriate access or access attempts are kept under control.
- The Company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
- In the event that personal data is unlawfully obtained by others, the Company has established a suitable system and infrastructure to notify the relevant person and the Board.
- Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
- Strong passwords are used in electronic media where personal data are processed.
- Secure logging systems are used in electronic media where personal data are processed.
- Data backup programs are used to ensure that personal data are stored securely.
- Access to personal data stored in electronic or non-electronic media is restricted according to the access principles.
- Access to the Company's website is protected by the secure HTTPS protocol, using a SHA-256 RSA certificate.
- A separate policy has been determined for the security of special categories of personal data.
- Employees involved in the processing of special categories of personal data have been trained on the security of such data, confidentiality agreements have been signed with them, and the authorizations of users permitted to access the data have been defined.
- Electronic media where sensitive personal data are processed, stored and/or accessed are protected using cryptographic methods; cryptographic keys are kept in secure environments; all transaction records are logged; security updates of the media are constantly monitored; the necessary security tests are performed regularly and the test results are recorded.
- Adequate security measures are taken for the physical environments where sensitive personal data are processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
- If sensitive personal data must be transferred via e-mail, it is transferred encrypted, using a corporate e-mail address or a KEP account. If it must be transferred via media such as portable memory, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on a different medium. If the transfer is between servers in different physical environments, the data is transferred over a VPN established between the servers or by SFTP. If it must be transferred on paper, the necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document, and the document is sent marked "confidential".


5.2. Administrative Measures

The administrative measures taken by the Company regarding the personal data it processes are listed below:

- To improve employees' competence, training is provided on the prevention of unlawful processing of personal data, the prevention of unlawful access to personal data, the protection of personal data, communication techniques, technical knowledge and skills, and other relevant legislation.
- Employees sign confidentiality agreements regarding the activities carried out by the Company.
- A disciplinary procedure has been prepared for employees who do not comply with the security policies and procedures.
- Before starting to process personal data, the Company fulfils its obligation to inform the relevant persons.
- A personal data processing inventory has been prepared.
- Internal periodic and random audits are conducted.
- Information security training is provided for employees.


6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation, or of the retention period required for the purpose for which they are processed, personal data are destroyed by the Company, ex officio or upon the application of the person concerned, in accordance with the relevant legislation and using the techniques below.

6.1. Deletion of Personal Data

Personal data are deleted by the methods given in Table 2.

DATA RECORDING MEDIUM | EXPLANATION
Personal Data on Servers | For personal data on servers whose retention period has expired, the system administrator deletes the data by removing the access authorization of the relevant users.
Personal Data in Electronic Media | Personal data in electronic media whose required retention period has expired are made inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.
Personal Data in Physical Environment | Personal data kept in a physical environment whose retention period has expired are rendered inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive. In addition, the data are redacted by scratching, painting over or erasing them so that they cannot be read.
Personal Data on Portable Media | Personal data kept on flash-based storage media whose retention period has expired are encrypted by the system administrator; access authorization is granted only to the system administrator, and the media are stored in secure environments together with the encryption keys.

Table 2: Deletion of Personal Data

6.2. Destruction of Personal Data

Personal data are destroyed by the Company by the methods given in Table 3.

DATA RECORDING MEDIUM | EXPLANATION
Personal Data in Physical Environment | Personal data stored on paper media whose required retention period has expired are irreversibly destroyed in paper shredding machines.
Personal Data on Optical / Magnetic Media | Personal data on optical and magnetic media whose retention period has expired are physically destroyed, for example by melting, incineration or pulverization. In addition, magnetic media are passed through a special device (a degausser) that renders the data unreadable by exposing the media to a strong magnetic field.

Table 3: Destruction of Personal Data


6.3. Anonymization of Personal Data

Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

For personal data to be anonymized, they must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching the data with other data.

7. RETENTION AND DESTRUCTION PERIODS

Regarding the personal data processed by the Company within the scope of its activities:

- retention periods for each item of personal data processed in the activities carried out under each process are recorded in the Personal Data Processing Inventory;
- retention periods on the basis of data categories are recorded in VERBIS;
- retention periods on a process basis are set out in this Personal Data Retention and Destruction Policy.

Ex officio deletion, destruction or anonymization of personal data whose retention periods have expired is carried out by the Human Resources Unit.

 

PROCESS | STORAGE TIME | DISPOSAL PERIOD
Preparation of Contracts | 10 years following the end of the contract | At the first periodic destruction following the end of the storage period
Execution of Company Communication Activities | 10 years after the end of the activity | At the first periodic destruction following the end of the storage period
Execution of Human Resources Processes | 10 years after the end of the activity | At the first periodic destruction following the end of the storage period
Log Recording Tracking Systems | 10 years | At the first periodic destruction following the end of the storage period
Execution of Hardware and Software Access Processes | 2 years | At the first periodic destruction following the end of the storage period
Camera Recordings | 2 years | At the first periodic destruction following the end of the storage period

Table 4: Process-based retention and disposal periods

8. PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, the periodic destruction process is carried out in June and December every year.
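As an added illustration of how the process-based storage times in Table 4 combine with the six-month periodic destruction cycle above (example code written for this page, not part of the Company's policy or its systems), the following Python computes when each record's storage time ends and schedules it for the first periodic run on or after that date, so nothing is destroyed early. It assumes the periodic runs take place on 1 June and 1 December, which the policy does not specify; the process names and the sample inventory are constructed.

```python
from datetime import date

# Months of the periodic destruction runs (section 8: June and December).
PERIODIC_RUN_MONTHS = (6, 12)
# Assumption: each run takes place on the first day of the month; the policy
# names only the months.
PERIODIC_RUN_DAY = 1

# Process-based storage times from Table 4, in years counted from the
# triggering event (end of contract, end of activity, or date of recording).
RETENTION_YEARS = {
    "preparation_of_contracts": 10,
    "company_communication": 10,
    "human_resources": 10,
    "log_tracking_systems": 10,
    "hardware_software_access": 2,
    "camera_recordings": 2,
}


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(process: str, trigger: date) -> date:
    """Date on which the Table 4 storage time for `process` expires."""
    return add_years(trigger, RETENTION_YEARS[process])


def first_periodic_destruction(after: date) -> date:
    """First periodic run on or after `after`; a run always exists within 12 months."""
    for year in (after.year, after.year + 1):
        for month in PERIODIC_RUN_MONTHS:
            run = date(year, month, PERIODIC_RUN_DAY)
            if run >= after:
                return run
    raise AssertionError("unreachable")


def scheduled_destruction(process: str, trigger: date) -> date:
    """Disposal date per Table 4: first periodic destruction after storage ends."""
    return first_periodic_destruction(retention_end(process, trigger))


def due_at_run(records, run: date):
    """Ids of records (id, process, trigger) that the run on `run` must destroy."""
    return [rid for rid, proc, trig in records
            if scheduled_destruction(proc, trig) == run]


# Constructed sample inventory: (record id, process, triggering date).
SAMPLE_RECORDS = [
    ("cam-001", "camera_recordings", date(2024, 3, 15)),          # ends 2026-03-15
    ("acc-002", "hardware_software_access", date(2024, 6, 1)),    # ends 2026-06-01
    ("hr-003", "human_resources", date(2016, 12, 20)),            # ends 2026-12-20
    ("ctr-004", "preparation_of_contracts", date(2020, 2, 29)),   # ends 2030-02-28
]

if __name__ == "__main__":
    for rid, proc, trig in SAMPLE_RECORDS:
        print(rid, retention_end(proc, trig), scheduled_destruction(proc, trig))
    print("due in June 2026:", due_at_run(SAMPLE_RECORDS, date(2026, 6, 1)))
```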

 

9. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, a wet-signed printed paper copy and an electronic copy, and is disclosed to the public on the Company's website. The printed paper copy is also kept in the KVKK file.

 

10. UPDATE PERIOD OF THE POLICY

The Policy is reviewed as needed and the necessary sections are updated.

 

11. EFFECTIVENESS AND ABROGATION OF THE POLICY

The Policy shall be deemed to have entered into force upon its publication on the Company's website. If it is decided to abolish the Policy, the old wet-signed copies of the Policy shall be canceled (by stamping or writing "cancel" on them) and signed by the Human Resources Department pursuant to a decision of the Board of Directors, and kept by the Human Resources Department for at least 5 years.