PERSONAL DATA STORAGE AND DESTRUCTION POLICY
The Personal Data Storage and Destruction Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the storage and disposal activities carried out by ITB PARTNER (“Company”).
ITB PARTNER has adopted as a priority the processing of personal data belonging to company employees, employee candidates, customers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons exercise their rights effectively.
The work and transactions regarding the storage and destruction of personal data are carried out in accordance with the “Policy” prepared by the Company in this direction.
Personal data belonging to Company employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by the Company are processed and in activities related to personal data processing.
ITB PARTNER acts within the framework of the following principles in the storage and disposal of personal data:
- In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and Article 12 of this Policy, the technical and administrative measures specified in Article 5.2, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
- All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Company and the records of these transactions are kept for at least 3 years, except for other legal obligations.
- Unless a contrary decision is taken by the Board, the appropriate method of deleting, destroying or anonymizing personal data is selected by us. However, upon the request of the Relevant Person, the appropriate method will be selected by explaining the reason.
- In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law no longer apply, the personal data are deleted, destroyed or anonymized by the Company either ex officio or upon the request of the Relevant Person. In case of an application to the Company by the Relevant Person in this matter:
  - Submitted requests are concluded within 30 (thirty) days at the latest and the Relevant Person is informed,
  - In case the data subject to the request have been transferred to third parties, this situation is notified to the third party to whom the data were transferred, and the necessary actions are taken with respect to the third parties.
3. EXPLANATIONS ON REASONS REQUIRING STORAGE AND DISPOSAL
Personal data belonging to data owners are securely collected by the Company within the limits specified in the KVKK and other relevant legislation, and are stored in the physical or electronic environments specified in Article 5.1, especially for the purposes listed below.
- Ability to maintain commercial activities.
- Planning and execution of employee rights and fringe benefits.
- Managing customer relations and providing better service to customers.
- To ensure company security.
- To contact real / legal persons who have business relations with the Institution.
- Storage of personal data because it is directly related to the establishment and execution of contracts.
- Storing personal data for the purpose of establishing, exercising or protecting a right.
- The storage of personal data being mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the persons.
- Storage of personal data in order to fulfill any legal obligations of the Company.
- The storage of personal data is clearly stipulated in the legislation.
- Obligation of proof as evidence in legal disputes that may arise in the future.
Pursuant to the Regulation, in the following cases, personal data belonging to data owners are deleted, destroyed or anonymized by the Company, either ex officio or upon request.
- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data.
- The purpose requiring the processing or storage of personal data no longer existing.
- Elimination of the conditions that require the processing of personal data in Articles 5 and 6 of the Law.
- In cases where the processing of personal data takes place only on the condition of express consent, the Relevant Person withdraws his consent.
- Where the Data Controller rejects the application made by the Relevant Person requesting the deletion, destruction or anonymization of his personal data, gives an insufficient response or does not respond within the period stipulated in the Law, a complaint being made to the Board and this request being approved by the Board.
- The acceptance of the application made by the data officer for the deletion, destruction or anonymization of the personal data within the framework of the rights in the clauses (e) and (f) of Article 11 of the Law.
- The maximum period requiring the storage of personal data having passed, with no condition that would justify storing the personal data for a longer period of time.
4. PRINCIPLES ON STORAGE AND DESTRUCTION PERIOD
The following criteria are used in determining the storage and destruction periods of your personal data obtained by the company in accordance with the provisions of KVKK and other relevant legislation:
- If a period is stipulated in the legislation regarding the storage of personal data, this period is respected. Following the expiration of the said period, action is taken regarding the data within the scope of paragraph 2 below.
- In the event that the period stipulated in the legislation regarding the storage of the personal data in question expires or there is no stipulation for the storage of the said data in the relevant legislation, respectively;
- Personal data are classified as personal data and special quality personal data, based on the definition in Article 6 of the KVKK. All personal data determined to be of special nature are destroyed. The method to be applied in the destruction of the said data is determined according to the nature of the data and the importance of its storage to the Company.
- The compliance of data storage with the principles specified in article 4 of the KVKK (for example, whether the company has a legitimate purpose in storing the data) is questioned. The data that is determined to be stored in violation of the principles in article 4 of the KVKK is deleted, destroyed or anonymized.
- It is determined which of the exceptions foreseen in Articles 5 and 6 of the KVKK the storage of the data can be considered to fall under. Reasonable periods for storing the data are determined within the framework of the exceptions identified. The data are deleted, destroyed or anonymized when the said periods expire.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and the said records are kept for at least three years, excluding other legal obligations.
5. PROCEDURES OF STORAGE AND DISPOSAL OF PERSONAL DATA BY THE COMPANY
5.1. RECORDING MEDIA
Personal data belonging to data owners are securely stored by the Company in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of KVKK, and within the framework of international data security principles:
- Electronic media
  - Software (office software)
  - Information security devices (firewall, intrusion detection and prevention, log file, antivirus etc.)
  - Personal computers (desktop, laptop)
  - Mobile devices (phone, tablet etc.)
  - Optical discs (CD, DVD etc.)
  - Removable sticks (USB, memory card etc.)
- Non-electronic media
  - Manual data recording systems
  - Written, printed and visual media
5.2. TECHNICAL AND ADMINISTRATIVE MEASURES
All administrative and technical measures taken by the Company within the framework of the principles in Article 12 of the KVKK in order to keep your personal data securely, to prevent their unlawful processing and access, and to destroy the data in accordance with the law are listed below:
5.2.1. Administrative Measures:
ITB PARTNER takes the following administrative measures.
- Limits internal access to stored personal data to the personnel required to access it as per job description. In restricting access, whether the data is of special nature and its importance are also taken into consideration.
- If processed personal data are obtained by others illegally, it notifies the relevant person and the Board as soon as possible.
- Regarding the sharing of personal data, it signs a framework contract on the protection of personal data and data security with the persons with whom personal data are shared, or ensures data security through provisions added to the existing contract.
- It employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training on personal data protection legislation and data security.
- It carries out, or has carried out, the necessary inspections to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the privacy and security vulnerabilities identified as a result of the inspections.
5.2.2. Technical Measures:
The company takes the following technical measures.
- Risks and threats that will affect the continuity of information systems are constantly monitored through real-time analysis with information security event management.
- Access to information systems and the authorization of users are carried out through an access and authorization matrix and through security policies over the corporate Active Directory.
- Necessary measures are taken for the physical security of the company’s information systems equipment, software and data.
- In order to ensure the security of information systems against environmental threats, hardware measures (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, etc.) and software measures (firewalls, attack prevention systems, network access control, malicious software blocking systems, etc.) are taken.
- Risks are identified in order to prevent the unlawful processing of personal data, technical measures appropriate to these risks are taken, and technical checks are carried out on the measures taken.
- By creating access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
- Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
- The company takes the necessary measures to ensure that the deleted personal data are inaccessible and unavailable for the relevant users.
- In case personal data are illegally obtained by others, a suitable system and infrastructure has been established by the Company to inform the Relevant Person and the Board.
- Security vulnerabilities are tracked, appropriate security patches are installed and information systems are kept up to date.
- Strong passwords are used in electronic environments where personal data are processed.
- Secure record keeping (logging) systems are used in electronic environments where personal data are processed.
- Data backup programs are used to keep personal data securely.
- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
- A separate policy has been determined for the security of special quality personal data.
- Special quality personal data security trainings have been provided for employees involved in processing processes of special quality personal data, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
- Adequate security measures are taken in physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
6. RESPONSIBILITY AND DISTRIBUTION OF DUTIES
You can find the titles, units and job descriptions of the personnel involved in the personal data storage and destruction process from the list in Annex-1 of this Policy.
7. DISPOSAL PROCEDURES OF PERSONAL DATA
Where the personal data processing purposes listed in the Law and the Regulation no longer exist, personal data obtained by the Company in accordance with the KVKK and other relevant legislation will be destroyed by the Company, either ex officio or upon the application of the Relevant Person, by the following techniques in accordance with the provisions of the Law and the relevant legislation.
7.1 Deletion of Personal Data
- Personal Data on Servers
For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data.
- Personal Data in Electronic Environment
Personal data in electronic environment whose retention period has expired are made inaccessible and unusable for other employees (relevant users), except for the database administrator.
- Personal Data in the Physical Environment
Personal data kept in a physical environment whose retention period has expired are made inaccessible and unavailable in any way to anyone except the department manager responsible for the document archive. In addition, they are blacked out by being scratched / painted over / wiped so that they are illegible.
- Personal Data on Removable Media
Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator and stored in secure environments with the encryption keys, and access authorization is given only to the system administrator.
7.2 Destruction of Personal Data
- Personal Data in Physical Environment
Personal data in the paper environment whose retention period has expired will be irreversibly destroyed by paper shredding machines or other suitable methods.
- Personal Data on Optical / Magnetic Media
Personal data in optical media and magnetic media whose retention period has expired are destroyed by irrecoverable deletion of the data in question or by making the media physically unusable, as required by the situation.
7.3 Anonymizing Personal Data
Anonymization of personal data means rendering personal data impossible to associate with an identified or identifiable natural person in any way, even if they are matched with other data. For personal data to be considered anonymized, it must be impossible to associate them with an identified or identifiable natural person even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as the reversal of the anonymization by the Data Controller or third parties and / or the matching of the data with other data.
8. STORAGE AND DESTRUCTION PERIODS
Regarding personal data being processed by ITB PARTNER within the scope of its activities;
- Retention periods on a per-data basis, for all personal data within the scope of activities carried out in connection with the processes, are included in the Personal Data Processing Inventory;
- Storage periods based on data categories are registered with VERBIS;
- Retention periods based on the process are included in the Personal Data Retention and Destruction Policy.
For personal data whose retention periods have expired, the process of ex officio deletion, destruction or anonymization is carried out by the Relevant Unit of the Company.
| PROCESS | STORAGE PERIOD | DESTRUCTION TIME |
|---|---|---|
| Planning and Execution of Corporate Communication Activities | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| General Assembly Transactions | 10 years | Within 180 days after the retention period expires |
| Documents regarding the recruitment of personnel | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Responding to court / executive information requests regarding personnel | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Documents regarding in-service training of personnel | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Tender / business opening / ministries, undersecretariats document preparation processes | 10 years | Within 180 days after the retention period expires |
| Documents that form the basis of contracts | 10 years | Within 180 days after the retention period expires |
| Preservation of contracts | 10 years | Within 180 days after the retention period expires |
| Recruiting | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Payroll | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Preparation of personnel’s private health and personal accident insurance policies | 10 years from the date the person concerned leaves the job | Within 180 days after the retention period expires |
| Vehicle allocation to personnel | 10 years from the date the person concerned leaves the job | Within 180 days after the retention period expires |
| Credit card allocation to staff | 10 years from the date the person concerned leaves the job | Within 180 days after the retention period expires |
| Occupational health and safety practices | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Log / Record / Tracking Systems | 1 year | Within 180 days after the retention period expires |
| Information about company partners and board members | 10 years after leaving membership or board | Within 180 days after the retention period expires |
| Payment transactions | 10 years after the termination of the business relationship | Within 180 days after the retention period expires |
| Work Accident Reporting | 10 years from the date the person concerned leaves the job | Within 180 days after the retention period expires |
| Emergency Preparation | 10 years | Within 180 days after the retention period expires |
| Camera Records | 1 month | Due to the capacity of the recording device, recording is possible for a maximum of 1 month. Therefore, it is automatically destroyed at the end of the storage period. |
9. PERIODIC DESTRUCTION TIME
In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out every year in March and September in the Company.
10. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media as wet signed (printed paper) and electronically, and is publicly disclosed on the website.
11. UPDATE PERIOD OF THE POLICY
The policy is reviewed as needed, and the required sections are updated.
12. ENFORCEMENT AND TERMINATION OF THE POLICY
The policy is deemed to have entered into force after it is published on the ITB PARTNER website.
13. OTHER ISSUES
In case of inconsistency between the provisions of the KVKK and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation will be applied first.
This Policy prepared by the Company entered into force on 08.10.2019. In case of any changes in the policy, the effective date of the Policy and the relevant articles will be updated accordingly.