Personal Data Retention and Destruction Policy
POLICY OBJECTIVE:
This policy has been prepared based on the Regulation on the Erasure, Destruction or Anonymisation of Personal Data in order to define our company's approach to the storage and destruction of personal data it collects and processes.
DEFINITIONS:
Destruction: The deletion, destruction or anonymisation of personal data
Recording medium: Any environment containing personal data processed either fully or partially automatically, or by non-automated means provided that it forms part of a data recording system.
Periodic disposal: Where all the conditions for processing personal data set out in the law cease to exist, the deletion, destruction or anonymisation of personal data shall be carried out automatically at regular intervals as specified in the personal data storage and destruction policy.
Data recording system: It refers to a record system in which personal data is processed according to specific criteria.
REASONS FOR STORAGE AND DISPOSAL, STORAGE AND DISPOSAL PERIODS:
Our company securely stores the personal data it processes in physical and/or electronic environments for the periods specified in the Personal Data Inventory and publicly announced in VERBİS (Data Controllers Registry), in order to fulfil its legal obligations and commercial activities. The Personal Data Inventory specifies the environments in which each piece of personal data is processed and stored, as well as the methods used for its destruction. Personal data is stored in accordance with the provisions of the Personal Data Protection Law No. 6698, the Labour Law No. 4857, the Occupational Health and Safety Law No. 6331, and all other legislation relevant to our company's activities.
When determining personal data retention periods, the legal basis for processing personal data or the purpose of processing is taken into account. If personal data is collected and processed as required by law, the retention period is defined in the Personal Data Inventory as the period specified in the relevant legislation. For other data, periods that will enable the relevant activities to be carried out are determined in accordance with the purpose of processing and defined in the Personal Data Inventory. Retention periods are sometimes defined as ‘months’ or “years”, while for some personal data they may be defined as ‘until the end of...’ or ‘until...’. For this reason, a different retention period may apply to each piece of personal data, depending on the period specified in the relevant legislation or the period necessary for the purpose for which it is processed.
Personal data is stored in accordance with the ‘Data Security Measures’ publicly announced on VERBİS. In addition to administrative measures such as preparing an authorisation matrix for employees, conducting training sessions, and entering into confidentiality agreements with employees and data processors, technical data security measures are also implemented, including the use of up-to-date antivirus systems, firewalls, backups, encryption, etc.
When destroying personal data, depending on the method chosen, the deletion, destruction or anonymisation process is carried out in such a way that it is not possible to access, retrieve, use or associate the personal data with the data subject again.
Personal data whose retention period has expired shall be destroyed in accordance with the specified destruction methods, and the process shall be recorded using a Data Destruction Record. These records shall be retained for at least 3 years.
Responsibilities for the storage and destruction of personal data are assigned to designated individuals as specified in the ‘Personal Data Inventory’ and the ‘Authorisation Matrix and Authorisation Management Table for Personal Data’. Individuals involved in destruction procedures are recorded in the Data Destruction Record.
Our company reviews personal data every three months (March, June, September and December), identifies data whose retention period has expired, and deletes, destroys or anonymises personal data in the first periodic disposal process following the date on which the obligation to delete, destroy or anonymise personal data arises. This period shall not exceed six months.
DELETION OF PERSONAL DATA UPON REQUEST BY THE DATA SUBJECT
Data subjects may request information about their data using the contact methods listed in our General Information Notice on Personal Data. If this request is for the deletion of personal data:
a) If all conditions for processing personal data no longer apply, the personal data subject to the request shall be destroyed. The data subject's request shall be resolved within 30 days at the latest and they shall be informed in writing/electronically.
b) If all conditions for processing personal data have ceased to exist and the data subject to the request has been transferred to the data processors, our company shall notify the Data Processor of the situation and ensure that the destruction procedures are carried out.
c) If all the conditions for processing personal data have not been met, our company will reject the request, stating the reasons, and will notify the applicant of the rejection in writing/electronically within 30 days at the latest.