Бронирование

Personal Data Storage And Destruction Policy

Personal Data Storage And Destruction Policy

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

  1. Purpose

This policy has been prepared in order for AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ (COMPANY) to fulfill its obligations stipulated in the Personal Data Protection Law No. 6698 (PDPL) and Articles 5 and 6 of the Regulation on Deletion, Destruction and Anonymization of Personal Data, as well as to explain the procedures and processes for the destruction of personal data due to the high importance we attach to the fundamental human right to protect personal data.

 

  1. Scope

This policy covers all personal data of all parties connected with our COMPANY, which are processed by automatic or non-automatic means, provided that they are part of any data recording system, electronically or in printed documents.

 

3. Definitions

Company: 'Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA' AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ

Explicit Consent: It refers to the consent regarding a specific subject, based on information and expressed with free will.

Cookie: These are small files saved on users' computers or mobile devices that help store preferences and other information on the web pages they visit.

Related User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Contact Person: The real person notified by the data controller at the time of registration to the Registry for communication with the Authority regarding the obligations of legal entities resident in Turkey and non-resident legal entity data controller representative within the scope of PDPL and secondary regulations to be issued based on this Law.

(The contact person is not authorized to represent the Data Controller. As the name suggests, it is only the person assigned to ensure the communication "liaison" between the data controller and the relevant persons and the Authority).

PDPL: Personal Data Protection Law dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.

Recording Medium: Any medium in which personal data processed by fully or partially automated or non-automated means, provided that it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.

Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the Relevant Users.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Board: Personal Data Protection Board.

Institution: Personal Data Protection Authority.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in this Policy in the event that all of the conditions required for the processing of personal data disappear.

Policy: Personal Data Storage and Destruction Policy created by the Data Controller.

VERBIS: It is a registration system that natural and legal persons who process personal data must register before they start processing personal data and enter information on a categorical basis about the personal data they process.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System: Recording system where personal data is structured and processed according to certain criteria.

Data Subject/Related Person: The natural person whose personal data is processed.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.      

Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

 

4. Responsibility

All units and employees of the COMPANY are responsible for actively supporting the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, by properly implementing the technical and administrative measures taken by the responsible units within the scope of this Policy, training and raising awareness of unit employees, monitoring and continuous auditing.

 

  1. Policy Flow
    1. Data Storage Medias

Personal data is securely stored by the COMPANY in accordance with the law in the environments listed in the table below.

Electronic media;

  • MS Office Files,
  • Our Servers
  • Our computers protected with antivirus programs and firewalls,
  • Shared/unshared disk drives used for data storage on a network, file server,
  • Yandex mail,
  • Backup Cloud systems, (fixcloud),
  • Mobile phones (use of mail system),
  • Attendance systems,
  • GMS program,
  • Flash memories,
  • Netsis
  • Sedna,
  • DHCP,
  • DC,
  • CRM system (ayz system),
  • SQL and Postgresql SQL database,
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet etc)
  • Printer, scanner, copier

 

Physical environments;

  • Paper,
  • Manual data recording systems (survey forms, guest accommodation certificate etc.)
  • Written, printed, visual media,
  • Unit cabinets,
  • Unit archive,
  • Institutional archive,

 

    1. Implementation

In accordance with its vision, mission and core values, the COMPANY processes personal and sensitive data within the framework of the principle of "data minimization" by using technological resources and infrastructures in order to carry out its administrative and business processes in line with the legislation it is bound to and to provide the best experience to the people it serves. In the processing of data, the principles set out in the 4th article of the PDPL and the measures to be taken in accordance with the 12th article are taken into consideration. Record storage media are information system servers, applications, corporate computers and storage media for electronic data, and offices and archives for hardcopy documents.

 

5.2.1. Explanations on the Reasons for Storage

The data belonging to the data subject are securely stored by the COMPANY in physical or electronic media within the limits specified in the PDPL and the relevant legislation in order to maintain its activities, fulfill legal obligations, plan employee rights, and operate processes with business partners.

The legal grounds for withholding are as follows-

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Law No. 5510 on Social Security and General Health Insurance,
  • Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
  • Law No. 1774 on Identity Notification
  • Law No. 6331 on Occupational Health and Safety,
  • Law No. 4982 on Access to Information,
  • Law No. 3071 on the Exercise of the Right to Petition,
  • Labor Law No. 4857,
  • Law No. 5434 on Retirement Health,
  • Law No. 2828 on Social Services,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  • Regulation on Archive Services,

other secondary regulations in force pursuant to these laws.

Also personal data,

      • Legislation clearly stipulates the retention of personal data,
      • Personal data is directly related to the establishment and performance of contracts,
      • Storing personal data for the purpose of establishing, exercising or protecting a right,
      • It is mandatory to keep personal data for the legitimate interests of the COMPANY, provided that it does not harm the fundamental rights and freedoms of individuals,
      • Storage of personal data in order for the COMPANY to fulfill any legal obligation,

It is also kept for legal reasons.

 

      1. Processing Purposes Requiring Storage

The COMPANY stores the personal data it processes within the framework of its activities for the following purposes.

  • To carry out human resources processes.
  • To ensure corporate communication.
  • To ensure the security of the institution,
  • To be able to do statistical studies.
  • To be able to perform works and transactions as a result of signed contracts and protocols.
  • To ensure that legal obligations are fulfilled as required or mandated by legal regulations.
  • To liaise with real/legal persons who have a business relationship with the organization.
  • Making legal reports.
  • Managing call center processes.
  • The burden of proof as evidence in future legal disputes.

 

      1. Explanations on the Reasons for Destruction

Pursuant to the Regulation, personal data or sensitive personal data shall be deleted, destroyed or anonymized by the COMPANY ex officio or upon the request of the data subject in the following cases-

      • The conditions requiring the processing of personal data under Articles 5 and 6 of the PDPL no longer exist,
      • Withdrawal of consent by the person concerned, where it is based on explicit consent,
      • Amendment or elimination of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data,
      • The purpose requiring the processing or storage of personal data disappears,
      • The data subject's application for the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights is accepted by the data controller or the board decides to do the necessary.

 

5.2.4. Technical and Administrative Measures Implemented

The COMPANY takes technical and administrative measures in data storage and destruction, taking into account Articles 7 and 12 of the PDPL. The measures taken are as follows;

 

  • Network security and application security are ensured.
  • Closed system network is used for personal data transfers through the network.
  • Key management is in place.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness raising activities on data security are carried out for employees at regular intervals.
  • Authorization matrix has been created for employees.
  • Access logs are kept regularly.
  • Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
  • Data masking measures are applied when necessary.      
  • Confidentiality commitments are made.
  • Employees who are reassigned or leave their jobs are no longer authorized in this area.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • The signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood etc.).
  • Security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • Personal data is backed up and the security of backed up personal data is also ensured.
  • User account management and authorization control system are implemented and monitored.
  • Internal periodic and/or random audits are conducted and commissioned.
  • Log records are kept without user intervention.
  • Existing risks and threats have been identified.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
  • Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
  • Intrusion detection and prevention systems are used.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Encryption is performed.
  • Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
  • Data processing service providers are periodically audited on data security.
  • Awareness of data processing service providers on data security is ensured.
  • Data loss prevention software is used.

 

5.2.5. Data Deletion, Destruction and Anonymization

In the event that the conditions specified in Article 5.2.3rd of this policy disappear, personal data shall be deleted, destroyed or anonymized by the COMPANY automatically or upon the request of the person concerned. In case the relevant person applies to the COMPANY in this regard;

      • The requests are finalized within 30 (thirty) days at the latest and the relevant person is informed,
      • In the event that the data subject to the request has been transferred to third parties, this situation shall be notified to the third party to whom the data has been transferred and necessary actions shall be taken before the third parties,
      • If it is necessary to use another destruction method instead of the destruction method requested by the person concerned due to the situation, conditions and legislation, the situation is explained in the response to the person concerned and destruction is carried out with the method that should be used,
      • If all the conditions for processing personal data have not disappeared, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the PDPL and the rejection response shall be notified to the data subject in writing or electronically within 30 (thirty) days at the latest.

Unless otherwise decided by the Board, we choose the appropriate method of ex officio deletion, destruction or anonymization of personal data. However, at the request of the person concerned, the appropriate method is selected with an explanation of the rationale.

Replies to applications made by the person concerned under the rights set out in Article 11 of the PDPL shall be provided free of charge. Although the basic principle is to provide the response free of charge, if the response to be given requires an additional cost, the fees shown in Article 7 of the Communiqué on the Procedures and Principles of Application to the Data Controller may be requested by the COMPANY from the relevant person. The relevant article reads as follows-

 

Wage

ARTICLE 7 - (1) If the relevant person's application is to be answered in writing, no fee is charged for up to ten pages. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages.

(2) If the response to the application is given on a recording medium such as CD, flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.

 

        1. Personal Data Deletion

Personal Data on Servers: For the personal data on the servers, the system administrator removes the access authorization of the relevant users and deletes them.

Personal Data Stored in Electronic Media: Personal data stored in electronic media that expire after the period of time required for their storage shall be rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.

Personal Data Stored in Physical Environment: Documents that have expired from the personal data stored in the physical environment are made inaccessible and non-reusable in any way for employees other than the Physical Archive Room Supervisor. It is also blacked out by scratching/painting/erasing it so that it cannot be read.

Personal Data on Portable Media: Personal data stored on Flash-based storage media, which expire after the period of time required for storage, are encrypted by the system administrator and access authorization is given only to the system administrator and stored in secure environments with encryption keys.

 

5.2.5.2. Personal Data Destruction

Personal Data on Physical Media:   Personal data on paper media that expire after the expiration of the period for which they are required to be retained are destroyed by incineration or irreversibly shredded in paper shredding machines.

Personal Data on Optical/Magnetic Media: Personal data on optical media and magnetic media shall be physically destroyed, such as melting, incineration or pulverization, if the period required for storage of such data has expired. In addition, the magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

        1. Personal Data Anonymization

For anonymization in COMPANY, one of the methods of variable extraction, noise addition, micro-aggregation is used depending on the environment and processing type of the data.

Variable Extraction: With the method of extracting descriptive data, the existing data set is anonymized by removing the "highly descriptive" variables from the variables in the data set created after the collection of the collected data.

Adding Noise: The method of adding noise to the data, especially in a data set where numerical data is predominant, is anonymized by adding some deviations in the plus or minus direction to the existing data at a determined rate.

Micro Aggregation: In the micro-aggregation method, all data are first sorted into groups in a meaningful order (such as from largest to smallest), and anonymization is achieved by taking the average of the groups and substituting the value obtained by replacing the relevant data in the current group.

    1. Data Retention and Destruction Periods

Regarding the personal data processed by the COMPANY within the scope of its activities;

  • Retention periods on personal data basis for all personal data within the scope of activities carried out depending on the processes are in Personal Data Inventory List;
  • Recording retention periods based on data categories to VERBIS; Data Controller Information Inquiry from VERBIS (kvkk.gov.tr).
  • Process-based retention information is included in this Policy.  Such retention periods shall be updated by the COMPANY if necessary.  For personal data whose retention periods have expired, ex officio deletion, destruction or anonymization is carried out by the COMPANY.

 

    1. Periodic Destruction Period

Pursuant to Article 11 of the Regulation, the Agency has set the periodic destruction period as 6 months. Accordingly, the Agency carries out periodic destruction in June and December each year.

 

    1. Enforcement

This Policy issued by the COMPANY entered into force on 19/02/2024 and was made public. In case of any conflict between the applicable legislation, in particular the PDPL, and the regulations set forth in this Policy, the provisions of the legislation shall apply.

 

    1. Update

Last Updated on:-                                           

 

  1. Relevant Documents Personal Data Inventory List