PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Purpose and Scope
This Personal Data Retention and Destruction Policy ("Policy") has been prepared by EROMBilişim ve Telekomünikasyon Ticaret A.Ş. ("Company") as the data controller in order to fulfill our obligations in accordance with the Law on the Protection of Personal Data No. 6698 ("LPPD" or "Law") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") published and enacted in the Official Gazette dated 28 October 2017, which constitutes the secondary regulation of the Law, and to inform the data owners about the deletion, destruction and anonymization processes and the principles of determining the maximum retention period required for the purpose for which your personal data are processed.
This Policy covers the personal data of customers, prospective customers, employee candidates, employees, company shareholders, company officials, visitors, business partners, suppliers, the employees, shareholders and officials of the persons and companies cooperated with, and third parties, as real persons, where such data are processed by automated means or by non-automated means provided that they are part of any data recording system. The Policy is implemented in the activities carried out for the processing and protection of all personal data managed by our Company.
2. Definitions
Explicit Consent
Consent on a specific matter, based on information and expressed with free will.
Disclosure Obligation
The obligation of the data controller or the person authorized by it, during the acquisition of personal data, to inform the relevant persons of the identity of the data controller and its representative, if any; the purpose for which the personal data will be processed; to whom and for what purpose the processed personal data can be transferred; the method and legal reason for collecting personal data; and the other rights listed in Article 11 of the Law.
Relevant User
The persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the storage, protection and backup of the data technically.
Destruction
It is the deletion, destruction or anonymization of personal data.
Law
The Law on Protection of Personal Data No. 6698.
Recording Medium
Any medium in which personal data are processed by fully or partially automated means, or by non-automated means provided that they are part of any data recording system.
Personal Data
All kinds of information related to identified or identifiable real persons.
Processing of Personal Data
All kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, changing, revising, disclosing, transferring, taking over, classifying or preventing the use of the personal data, by wholly or partially automated means or by non-automated means provided that they are part of any data recording system.
Anonymization of Personal Data
Anonymization is to make personal data unrelated to an identified or identifiable natural person under any circumstances, even when paired with other data.
Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way.
Destruction of Personal Data
The process of making personal data inaccessible, unrecoverable and unusable by anyone, in any manner.
Board
This is the Protection of Personal Data Board.
Sensitive Personal Data
These are data relating to a person's race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or trade union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Periodic Destruction
In the event that all the processing conditions of personal data in the Law disappear, the process of deletion, destruction, or anonymization of the personal data will be carried out at regular intervals specified in the retention and destruction policy.
Data Owner/Related Person
A real person whose personal data is processed.
Data Processor
The real or legal person who processes personal data on behalf of the data controller with the authorization granted by the data controller.
Data Controller
The real or legal person who determines the purposes and means of personal data processing and is in charge of establishing and managing the data recording system.
Regulation
Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
3. Principles Regarding the Processing of Personal Data
The personal data collected by the Company are processed for specific, clear and legitimate purposes in accordance with the relevant articles of the Law, in accordance with the law and honesty rules, in an accurate and up-to-date manner when necessary, and are used in connection with the purpose for which they are processed, in a limited and measured manner, and are kept for the periods stipulated in the relevant legislation or required for the purpose for which they are processed and determined by the Company in this Policy.
Explicit consent is obtained from the Data Owner regarding the personal data processed by the Company. However, in accordance with Article 5 of the Law, it is possible to process personal data without the explicit consent of the Data Owner in the following cases:
- In the event that it is explicitly provided for by the laws,
- In the event that it is mandatory for the protection of life or physical integrity of a person herself/himself, or any other person, who is bodily incapable of giving her/his consent or whose consent is not deemed legally valid,
- In the event that it is required to process personal data of the parties to the contract, provided that the processing is directly related to the conclusion or fulfilment of that contract,
- In the event where it is mandatory for the data controller to be able to fulfill her/his legal obligations,
- In the event that the data is made available to the public by the person concerned,
- When data processing is mandatory for the establishment, exercise, or protection of any right,
- In the event that data processing is required for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not damaged.
All processes regarding the deletion, destruction and anonymization of personal data are recorded by the Company and the said records are kept for at least 3 years, excluding other legal obligations.
Unless otherwise decided by the Board, the appropriate method of deleting, destroying, or anonymizing personal data is selected by us. However, upon the request of the relevant person, the appropriate method shall be selected by explaining the reason.
In the event that all the conditions for processing personal data are eliminated, the personal data is deleted, destroyed or anonymized by the Company ex officio or upon the request of the person concerned. If the Data Owner applies to the Company for this matter, the requests submitted are finalized within 30 (thirty) days at the latest and the data owner is informed. In the event that the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data has been transferred.
4. Recording Media
Personal Data processed by the Company are stored in the following recording media.
Electronic Environments
· Servers (Domain, backup, e-mail, database, web)
· Software (Office Software, Holicon)
· Information security devices (firewall, antivirus, etc.)
· Personal computers (Desktop, laptop)
· Mobile devices (phone, tablet, etc.)
· Optical discs (CD, DVD, etc.)
· Removable storage (USB, Memory Card etc.)
Physical Medium
· Document (Written, printed, and visual media)
· Archive files
5. Personal Data Retention Purposes
Personal data processed by the Company are stored for the purposes listed below.
- Carrying out system activities, providing online therapy services, and processing personal data as necessary for the work and the situations required by the work,
- Ensuring that our legal obligations are fulfilled as required by legal regulations,
- Performing works and transactions as a result of signed contracts and protocols,
- Fulfilling corporate communication, corporate security and sales marketing activities,
- Liaising with real / legal persons in business relationship with the company, providing necessary information,
- Providing the burden of proof as evidence in legal disputes that may arise in the future,
- Performing statistical studies.
6. Reasons for Destruction of Personal Data
The Company destroys the personal data it processes in the presence of the following cases. These situations can be listed as follows.
- The amendment or abolition of the relevant legislation provisions that form the basis for processing,
- The purpose requiring the processing or retention of personal data has ceased to exist,
- In cases where the processing of personal data is only performed upon the obtaining of the explicit consent, the withdrawal of the consent by the person concerned,
- The Company accepts the application made for the deletion and destruction of personal data within the framework of the rights of the person concerned, pursuant to Article 11 of the Law,
- The relevant person makes a complaint to the Institution, and this request is approved by the Institution, in the event that the Company rejects the application made to it by the relevant person requesting the deletion, destruction or anonymization of their personal data, gives an answer the relevant person finds inadequate, or does not respond within the period stipulated in the Law,
- The maximum period for keeping the personal data has passed and there are no conditions to justify keeping the personal data for a longer period of time.
7. Technical and Administrative Precautions
The following technical and administrative measures are taken by the Company for the safe storage of personal data, the prevention of unlawful processing of and access to personal data, and the destruction of personal data in accordance with the law. These measures are taken in accordance with Article 12 of the Law and, for personal data of special nature, within the framework of the adequate measures determined and announced by the Board in accordance with the fourth paragraph of Article 6 of the Law.
a. Technical Precautions
- Necessary internal controls are made within the scope of existing systems.
- System weaknesses are checked by having penetration tests performed regularly and when needed; where risks, threats, weaknesses and vulnerabilities for information systems are revealed, the necessary measures are taken.
- As a result of real-time analyses with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
- Necessary measures are taken for the physical security of the company's information systems equipment, software and data.
- In order to ensure the security of information systems against environmental threats, hardware (ensuring the physical security of the edge switches forming the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems preventing harmful software, etc.) measures are taken.
- Risks are determined in order to prevent unlawful processing of personal data, technical measures are taken in accordance with these risks and technical controls are made for the measures taken.
- Access to storage areas where personal data is stored is recorded and inappropriate access or access attempts are kept under control.
- Necessary measures are taken to ensure that the deleted personal data are neither accessible nor reusable for the relevant users.
- Security vulnerabilities are monitored and appropriate security patches are installed, and information systems are kept up-to-date.
- Strong passwords are used in electronic environments where personal data are processed.
- Secure record-keeping (logging) systems are used in electronic environments where personal data are processed.
- Data backup programs are used that ensure the safe storage of personal data.
- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
b. Administrative Precautions
- Access to the stored personal data within the company is limited to the personnel who require access due to their job description. Necessary contracts and protocols are arranged between these personnel and the Company regarding the security of the data.
- Personnel who are knowledgeable and experienced about the processing of personal data are employed and the personnel are provided with the necessary training within the scope of personal data protection legislation and data security.
- Necessary audits are carried out or commissioned to ensure the implementation of the provisions of the law. Confidentiality and security weaknesses arising as a result of audits are eliminated.
In Article 6 of the LPPD, personal data, which has the risk of causing victimization or discrimination when illegally processed, are identified as "sensitive". These data are the personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
The Company takes the necessary measures to protect sensitive personal data, which is determined as "sensitive" by the Law and processed in accordance with the law. In the technical and administrative measures taken to protect personal data, special care is shown for sensitive personal data.
8. Deletion, Destruction and Anonymization of Personal Data
a. Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable for the users concerned, in any manner. The methods of deleting personal data according to recording media are as follows:
- Personal data in the cloud system are deleted by issuing a delete command without recovery authorization.
- Personal data in the paper environment are deleted using the blackout method. A kind of blackout process is applied by drawing/painting or deleting personal data on the paper in a way that cannot be read.
- The personal data in the office files on the central server are deleted by the deletion command in the operating system or by removing the access rights on the directory where the file is located.
- Personal data on portable media are stored encrypted and deleted using appropriate software. If personal data are found in databases, the relevant rows are deleted by database commands.
b. Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone, in any manner. The methods of destruction of personal data according to recording media are as follows:
- Personal data on local systems is destroyed by one of the methods of de-magnetization, overwriting or physical destruction.
- Storage media within network devices are fixed. Products often have the delete command, but do not have the ability to destroy. They are destroyed by using one or more of the methods of de-magnetization, physical destruction or overwriting.
- Flash-based media with an ATA (SATA, PATA, etc.) or SCSI (SCSI Express, etc.) interface are destroyed by using the command if supported, by using the destruction method recommended by the manufacturer if not supported, or by using one or more of the de-magnetization, physical destruction, or overwriting methods.
- In units such as magnetic discs, the data contained must be destroyed by exposure to very strong magnetic environments, by de-magnetization, or by physical destruction such as burning, melting.
- Fixed memory areas on portable smartphones have erase commands, but most do not have a destroy command, so one or more of the methods of de-magnetization, physical destruction, or overwriting are used to destroy them.
- Optical discs are destroyed by physical destruction methods such as incineration, dismemberment, melting.
- For peripherals whose data recording medium can be removed, such as the printer and the fingerprint door access system, the data recording media are verified to have been removed and are destroyed by using one or more of the methods of de-magnetization, physical destruction or overwriting according to their features.
- Peripherals with fixed data recording media, such as printers and the fingerprint door access system, have no destroy command. They are destroyed by using one or more of the methods of de-magnetization, physical destruction or overwriting.
- Since the personal data in the paper environment is permanently and physically written on the medium, the main medium must be destroyed. While this process is being carried out, the media is divided by shredding or shearing machines, horizontally and vertically, into pieces so small that they are unreadable and cannot be put back together.
- Personal data transferred from the original paper format to the electronic environment by scanning is destroyed by using one or more of the methods of de-magnetization, physical destruction or overwriting according to the electronic environment they are in.
- Personal data in the Cloud Environment is encrypted by cryptographic methods during the storage and use of personal data, and where possible for personal data, separate encryption keys are used, especially for each cloud solution from which service is received. When the cloud computing service relationship ends, all copies of the encryption keys necessary to make personal data available are destroyed.
c. Anonymizing Methods of Personal Data
Anonymization of personal data is the process of making personal data unlikely to be associated with any identified or identifiable real person in any way, even when such personal data is paired with other data.
In order for personal data to be anonymized, personal data must be made unlikely to be associated with any identified or identifiable real person in any way, even when the data controller or third parties use techniques appropriate to the recording medium and the related field of activity, such as restoring the personal data or pairing the data with other data.
9. Storage and Destruction Periods
The personal data processed by the company will be stored for the periods specified in the table below and will be anonymized or destroyed at the end of the period.
| Procedure | Storage Period | Destruction Period |
|---|---|---|
| Data stored under the Labor Law (e.g. performance records, etc.) | 10 years following the end of the employment relationship | Within 180 days as of the end of the retention (storage) period |
| Data collected within the scope of occupational health and safety legislation (health reports etc.) | 15 years following the end of the work relationship | Within 180 days as of the end of the retention period |
| Data kept within the scope of SSI legislation | 10 years following the end of the employment relationship | Within 180 days as of the end of the retention period |
| Documents that can be used in a request/lawsuit regarding work accident/occupational disease | 10 years following the end of the employment relationship | Within 180 days as of the end of the retention period |
| Data collected in accordance with other applicable legislation | For the period stipulated in the applicable legislation | Within 180 days as of the end of the retention period |
| In case the relevant personal data is subject to a crime within the scope of the Turkish Criminal Code or other legislation that regulates a criminal provision | During the statute of limitations | Within 180 days as of the end of the retention period |
| Customer data | 10 years following its registration | Within 180 days as of the end of the retention period |
| Data on System Users | As long as the user account is available | Within 180 days following deletion of the user account |
| Data on Personnel Candidates | 2 years following the date of registration | Within 180 days as of the end of the retention period |
Due to legislative changes, current case law provisions, innovations in judicial decisions, and other reasons, changes may be made to this Clarification Text without any notification to users. For this reason, we recommend that the said text be reviewed and checked periodically.