
INTERHAS ANONİM COMPANY

PERSONAL DATA RETENTION AND DISPOSAL POLICY

 

CHAPTER I

PURPOSE, DEFINITIONS, RESPONSIBILITIES AND DUTIES, RECORDING MEDIUMS WHERE DATA IS STORED

1- Purpose

This Policy has been prepared pursuant to Articles 7 and 12 of the Law on the Protection of Personal Data No. 6698, the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” and the “Regulation on the Data Controllers Registry”. Its purpose is to determine the internal procedures and principles for the storage, security and destruction, in physical and electronic media, of the personal data obtained and processed by the employer as data controller; to determine the maximum period required for the purpose for which personal data is processed; to ensure that these periods comply with the information specified in the Personal Data Processing Inventory; and to monitor whether the maximum period has been exceeded.

2- Definitions

Explicit Consent: It refers to the consent that is based on information and freely expressed regarding a certain subject.

Anonymization: It means making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee: Refers to persons working under a contract, including trainees, as well as board members and contract workers.

Employee Candidate: It includes people who apply for a job to the Company by any method or whose resumes are obtained through recruitment platforms.

Electronic Media: It refers to the environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Media: Refers to all written, printed, visual and other media other than electronic media.

Relevant Person/Data Owner: Refers to the natural person whose personal data is processed.

Relevant User: Refers to the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: It refers to the deletion, destruction or anonymization of personal data.

Destruction Regulation: Refers to the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" published in the Official Gazette dated 28/10/2017 and numbered 30224.

Workplace Physician: Refers to the workplace doctor whose qualifications and duties are specified in the Occupational Health and Safety Law No. 6331, Art.

Recording medium: It refers to any medium in which personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.

Personal data: It refers to any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: Refers to the inventory prepared by the Company in accordance with the Regulation on Disposal and the Registry of Data Controllers, which the Company creates and details by associating the personal data processing activities it carries out, depending on its business processes, with the personal data processing purposes, data category, transferred recipient group and data subject group.

Processing of personal data: It means all kinds of operations performed on data such as recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data.

Board: Refers to the Personal Data Protection Board.

KVK Law: Refers to the Law on Protection of Personal Data No. 6698.

Customer: Represents the real persons benefiting from the services of the Company and the partners or managers of the legal entities benefiting from these services.

Partner: Refers to the real person partners of the Company and the real persons who represent the real or legal person partners in the general assembly.

Personal data of special nature: Refers to data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: It refers to the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the KVK Law are eliminated.

Policy: Refers to the Personal Data Retention and Disposal Policy.

Company: Refers to Interhas Anonim Şirketi.

Supplier/Service Provider: Refers to the natural person suppliers and the partners and managers of the legal entity suppliers with whom the Company is procuring other services/products from outside, or from which it may purchase services/products in the future, or with which it has entered into business partnerships.

TBK: Refers to the Turkish Code of Obligations No. 6098.

TTK: Refers to the Turkish Commercial Code No. 6102.

Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Registration System: It refers to the registration system in which personal data is processed and structured according to certain criteria.

Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Regulation: Refers to the "Regulation on Data Controllers Registry" published in the Official Gazette dated 30.12.2017 and numbered 30286.

VERBIS: Represents the Data Controllers Registry Information System.

Visitor: Refers to people who enter the Company's office or other physical environments, visit the Company's website or similar electronic media, or benefit from the Company's wireless internet service.

  1. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Chamber actively support the responsible units in the proper implementation of the technical and administrative measures taken within the scope of the Policy, in increasing the training and awareness of unit employees, in monitoring and continuous inspection, in preventing the unlawful processing of personal data and unlawful access to personal data, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, so that personal data is kept in accordance with the law.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 1.

Table 1: Task distribution of storage and disposal processes

 

 

Data Group | Responsible Unit/Title | Task
1. Employee, Subcontracted Employee, Former Employee Data | HR Manager | Responsible for the preparation, development and execution of the policy.
2. Employee Candidate Data | HR Units, HR Manager | Responsible for the preparation, development and execution of the policy.
3. Customer Data, Supplier Data | Accounting / Financial Affairs / Sales, Legal Advisory | Responsible for the preparation, development and execution of the policy. Responsible for providing needed technical solutions.

2. Storage Media of Data

Personal data processed by the Chamber is stored, within the framework of data security principles and in accordance with the KVK Law and relevant legislation, in electronic or non-electronic media where personal data is processed wholly or partially by automatic means, or by non-automatic means provided that it is part of a data recording system, in particular in the environments listed below.

Personal data is stored securely by the Institution in the environments listed in Table 2, in accordance with the law.

Table 2: Personal data storage environments

Electronic Media: Servers, Software, Information Firewall, Intrusion Detection and Prevention, Computers Used in the Room and Optical Disks, Removable memories (USB, Memory Card etc.), Storage areas of printer, scanner, copier.

Physical Media: Paper, Manual Data Recording Systems, Questionnaires, Event Forms, Application Forms, All Written, Printed and Visual Media.

 

 

CHAPTER II

PROCEDURES AND PRINCIPLES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA


Personal data processed within the framework of company activities are kept within the company for the period stipulated in the relevant legislation. In this context, personal data are stored for the storage periods specified in:

  • Law No. 6698 on the Protection of Personal Data,

  • Turkish Code of Obligations No. 6098,

  • Turkish Commercial Code No. 6102,

  • Tax Procedure Law No. 213,

  • Social Insurance and General Health Insurance Law No. 5510,

  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,

  • Occupational Health and Safety Law No. 6361,

  • Labor Law No. 4857,

  • Social Services Law No. 2828,

  • Identification Law No. 1776,

  • Other secondary regulations in force pursuant to these laws.

  1. PROCESSING OBJECTIVES THAT REQUIRE STORAGE

Within the framework of its activities, the Company processes your personal data, within the terms and purposes of processing specified in Articles 5 and 6 of the Law No. 6698, for the following purposes:

  • Determination and implementation of our Company's commercial business and strategies,

  • Realization of commercial activities carried out by our Company,

  • Planning and execution of human resources policies and processes,

  • After-sales support services and obligations,

  • Planning and execution of customer satisfaction, corporate communication activities, customer relations, and customer request and complaint management processes,

  • Planning or execution of business continuity activities,

  • Follow-up of contract processes or legal requests,

  • Follow-up of financial or accounting affairs,

  • Planning, auditing and execution of corporate sustainability, corporate governance, strategic planning and information security processes,

  • Execution of business and management of relations with business partners, drug stores or suppliers,

  • Planning and execution of sales, marketing and promotion processes of products and services, as well as market research and the determination and customization of taste, usage and service understanding,

  • Carrying out the work necessary for customers to benefit from the products and services offered by the Company,

  • Informing data owners of the latest developments regarding our services by sending informative and promotional e-mails in line with their explicit consent,

  • Fulfilling legal obligations under the legislation,

  • Ensuring physical space and occupational safety in all locations of the Company,

  • Fully and accurately fulfilling the responsibilities arising from the work, service, sale, proxy and other contracts and the legislation to which the Company is a party.

  1. LEGAL REASONS FOR DISPOSAL

Personal data is deleted, destroyed or anonymized by the Company, ex officio or at the request of the person concerned, in the following cases:

  • The provisions of the relevant legislation that form the basis for processing are changed or repealed,

  • The purpose that requires processing or storage disappears,

  • Where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his explicit consent,

  • The Company accepts the application made for the deletion and destruction of personal data within the framework of the rights of the person concerned, pursuant to Article 11 of the KVK Law,

  • The Company rejects the application made by the person concerned for the deletion, destruction or anonymization of his personal data, its answer is found insufficient, or it does not respond within the time stipulated in the KVK Law; a complaint is made to the Board and this request is approved by the Board,

  • The maximum period requiring the storage of personal data has passed and there is no condition to justify keeping the personal data for a longer period.

 

CHAPTER III

TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE STORAGE AND SECURITY OF DATA

1. Technical Precautions

The Company implements the following technical measures in order to ensure the security of the personal data it stores in its electronic media and to protect it against unauthorized access from outside and inside:

  • A closed system network is used in transferring personal data via network.

  • Training and awareness activities are carried out periodically for employees on data security.

  • Current anti-virus systems are used.

  • Firewalls are used.

  • Personal data security issues are reported quickly.

  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).

  • The security of environments containing personal data is ensured.

  • Personal data is reduced as much as possible.

  • In-house periodic and/or random audits are conducted.

  • Protocols and procedures for the security of personal data of special nature have been determined and implemented.

  • Access logs are kept in our CRM, Academy, GTP and File Sharing Systems without user intervention.

  • Authorization and authorization control that limit employees' access to data are carried out in our CRM, Academy, GTP and File Sharing Systems.

  • If personal data of special nature is to be sent via e-mail, it must be sent in encrypted form and using a KEP or corporate mail account.

  • Personal data of special nature transferred on portable memory, CD or DVD media is transferred in encrypted form.

2. Administrative Actions

The company implements the following administrative measures to ensure the security of personal data and to protect it from unauthorized access from outside and inside:

  • Within or in the annex of the agreements made with its employees, it receives a commitment to protect the confidentiality of the personal data they access due to their duties.

  • Necessary trainings are given to the employees in order to increase the awareness and responsibility of the employees about protecting the confidentiality of personal data and acting in accordance with the KVK Law and secondary legislation.

  • The Company can use third-party software programs and clouds in the creation of a database of personal data, share data with third parties in order to store physical documents and achieve other personal data processing purposes, or receive support from third parties acting as data processors in obtaining personal data. In such cases, the third parties are authorized to access the data only to the extent necessary, taking into account the purpose of the data transfer, and obligations to ensure the security of personal data and to protect its confidentiality are imposed on them within, or in the annex of, the contracts made with them.

  • Physical documents containing personal data are stored in locked environments and employees' access to these documents is limited to the extent permitted by the Company's administrative, operational and working order.

  • Before starting to process personal data, the Company fulfills its obligation to inform the relevant persons.

  • Personal data processing inventory has been prepared.

  • Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.

  • Confidentiality commitments are made.

  • Protocols and procedures for the security of personal data of special nature have been determined and implemented.

  • The authorizations of employees who have a change of job or quit their job in this field are removed.

 

CHAPTER IV

PROCEDURES AND PRINCIPLES ON DISPOSAL OF PERSONAL DATA

1. Personal Data Retention and Destruction Periods

Personal data is stored for the following periods.

Table 3: Data Storage and Disposal Times

Data Type | Retention time | Destruction time
Company Employee Data | Stored within the Company for the duration of the relevant contract, and for 10 years from the expiry of the contract. | In the first periodic destruction period following the end of the storage period.
Company's Former Employee Data | Health data: 15 YEARS; Other data: 10 YEARS | At the first periodic disposal period following the end of the storage period.
Candidate Data Applying to the Company | 1 YEAR | Immediate destruction.
Customer Data | 10 YEARS | At the first periodic destruction period following the end of the retention period.
Customer Data (records taken for security reasons); Employee Data (records taken for security reasons) | CCTV: 2 Months; Log records: 10 YEARS; Incident Records: 10 YEARS | At the first periodic disposal period following the end of the storage period.

 

  1. PERIODIC DISPOSAL TIME

Pursuant to Article 11 of the Disposal Regulation, the Company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out at the Company in June and December each year.

  1. PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which it is processed, personal data is destroyed by the Company ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation and with the techniques specified below.

  • Deletion of Personal Data

Personal data is deleted with the methods given in Table-4.

Table 4: Deletion of Personal Data

Data Recording Media | Description
Personal Data Located on Servers | The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers whose period has expired.
Field Personal Data | Personal data in the electronic environment whose period has expired is made inaccessible and unusable in any way for other employees (relevant users), except the database administrator.
Personal Data | Personal data kept in the physical environment whose period has expired is made inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, it is blackened by drawing/painting/erasing so that it cannot be read.
Personal Data Found | Personal data kept in flash-based storage media whose period has expired is encrypted by the system administrator, access authorization is given only to the system administrator, and it is stored in secure environments with the encryption keys.

  • Destruction of Personal Data

Personal data is destroyed by the methods given in Table-5 by the Company.

Table 5: Destruction of Personal Data

Data Recording Media | Description
Personal Data Located in the Physical Environment | Among the personal data in the paper medium, the ones that need to be kept, are destroyed in the paper clipping machines, irreversibly.
Personal Data Included In Optical / Magnetic Media | Physical destruction, such as melting, burning or pulverizing, is applied to the personal data in optical media and magnetic media.

  • Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

In order for personal data to be anonymized, it must be rendered impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the process by the data controller or third parties and/or matching of the data with other data.

4. Retention of Records Related to Destruction of Data

The Company records in writing the periodic destruction processes it has carried out and the destruction processes based on the application of the data owner. In addition, log records of electronic destruction processes are kept. Pursuant to the third paragraph of Article 7 of the Disposal Regulation, records of all destruction operations carried out by the Company are kept for at least three years, excluding other legal obligations.

     CHAPTER VI

UPDATES

Provided that the policy is kept within the company for at least 5 years, it is reviewed as needed and the necessary sections are updated.
