Personal Data Retention and Disposal Policy
March 1, 2021 2023-07-21 9:32
PERSONAL DATA RETENTION AND DISPOSAL POLICY
1. INTRODUCTION AND PURPOSE OF PREPARING THE POLICY
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Necm Kimya Akaryakıt Şirketi (“Company” or “NECM KİMYA”), as the data controller, in order to fulfill its obligations under Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the Law and came into force after being published in the Official Gazette dated October 28, 2017, and to inform the data owners about the principles of determining the maximum storage period required for the purpose for which their personal data is processed, and about the deletion, destruction and anonymization processes.
2. DEFINITIONS
Abbreviation | Definition |
Explicit Consent | Consent on a particular subject, based on information and expressed with free will. |
Relevant User | Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
Destruction | Deletion, destruction or anonymization of personal data. |
Law/KVKK | Law on Protection of Personal Data No. 6698. |
Recording Media | Any environment in which personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Processing of Personal Data | All kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. |
Anonymization of Personal Data | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Deletion of Personal Data | Making personal data inaccessible and unusable for Relevant Users in any way. |
Destruction of Personal Data | The process of making personal data inaccessible, irretrievable and unusable by anyone in any way. |
Board | Personal Data Protection Board. |
Special Qualified Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Periodic Destruction | The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all of the personal data processing conditions in the Law are eliminated. |
VERBIS | Data recording system in which personal data is processed and structured according to certain criteria. |
Data Owner/Relevant Person | The natural person whose personal data is processed. |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017. |
3. RECORDING ENVIRONMENTS
The personal data of the relevant person is securely stored by NECM KİMYA in the environments listed below, in accordance with the relevant legislation, especially the provisions of the KVKK, within the framework of international data security principles:
Electronic Media:
- Orka Accounting Program
- On unit computers
- On servers
- On websites
- In Email Boxes
- Other
Physical Environments:
- Unit cabinets
- Archive
4. PRINCIPLES
NECM KİMYA acts within the framework of the following principles in the storage and destruction of personal data:
- In the deletion, destruction and anonymization of personal data, the Law and the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
- Compliance with the law and the rules of honesty: The individual rights of data subjects must be protected during the processing of personal data. Personal data must be collected and processed lawfully and fairly.
- All transactions regarding the deletion, destruction and anonymization of personal data are recorded by NECM KİMYA and these records are kept for at least 3 (three) years, excluding other legal obligations.
- Unless a contrary decision is taken by the Board, NECM KİMYA chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason.
- In the event that all of the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, personal data is deleted, destroyed or anonymized by NECM KİMYA ex officio or upon the request of the person concerned. If the Relevant Person applies to NECM KİMYA in this regard:
- Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,
- In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken before the third parties.
5. EXPLANATIONS ON REASONS REQUIRING STORAGE AND DISPOSAL
Personal data of data owners are stored securely in physical or electronic media within the limits specified in the KVKK and other relevant legislation, especially in order to continue commercial activities, fulfill legal obligations, plan and perform employee rights and fringe benefits, and manage customer/subscriber relations.
The reasons for storage are as follows:
- Storing personal data as it is directly related to the establishment and performance of contracts,
- Storing personal data for the purpose of establishing, exercising or protecting a right,
- Storing personal data being necessary for the legitimate interests of NECM KİMYA, provided that it does not harm the fundamental rights and freedoms of individuals,
- Keeping personal data in order for NECM KİMYA to fulfill any of its legal obligations,
- Explicitly stipulating the storage of personal data in the legislation,
- Explicit consent of data owners in terms of storage activities that require the explicit consent of data owners.
In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by NECM KİMYA ex officio or upon request in the following cases:
- Changing or canceling the provisions of the relevant legislation that form the basis for the processing or storage of personal data,
- The disappearance of the purpose that requires the processing or storage of personal data,
- Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
- In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
- The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs (e) and (f) of Article 11 of the Law,
- A complaint being made to the Board, and the Board approving the request, in cases where the data controller rejects the data subject's application for the deletion, destruction or anonymization of his personal data, gives a response that is found to be insufficient, or does not respond within the time stipulated in the Law,
- The absence of any conditions justifying the retention of personal data for a longer period of time, although the maximum period for keeping personal data has passed.
6. STORAGE AND DISPOSAL TIMES
1- In determining the storage and destruction periods of your personal data obtained by NECM KİMYA in accordance with the provisions of the KVKK and other relevant legislation, the following criteria are used, respectively:
- If a period is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with.
- If no period is stipulated, the processing condition or conditions under which the storage of the personal data can be evaluated are identified, taking into account the processing conditions stipulated in Articles 5 and 6 of the KVKK (reasons for compliance with the law). Reasonable periods for data storage are determined within the framework of the identified processing conditions.
- In the event of the expiry of the said periods, the data is deleted, destroyed or anonymized ex officio by the data controller.
2- When the data subject requests the deletion or destruction of his/her personal data by applying to the data controller pursuant to Articles 11 and 13 of the KVKK:
a- If all the conditions for processing personal data have disappeared, the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller finalizes the request of the data subject within thirty days at the latest and informs the data subject.
b- If all the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party and ensures that the necessary actions are taken within the scope of this Regulation before the third party.
c- If all the conditions for processing personal data have not disappeared, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.
3- The time required for the processing of personal data should be determined in a reasonable way, taking into account the purposes of processing or the period stipulated in the relevant legislation (Article 4/2.d of the KVKK).
In this context, the storage periods, which are determined on the basis of activity and also take into account the provisions of the relevant legislation, are as follows:
SEQ ID | Name or Subject of the Activity | Storage Time | Basis |
1 | Processed Data of Personnel in Human Resources Processes | 10 Years After Employment Termination | TBK general limitation period |
2 | Personal Data Processed in Finance and Accounting Processes | 5 Years in the Unit Archive + 5 Years in the Institution Archive after the Legal Relationship Ended | VUK, TBK, TTK and Related Articles in the Income Tax Law |
3 | Realization of purchasing and sales processes | 10 Years After Contractual Relationship Ended | TBK general limitation period |
4 | Personal data used in the procurement and custody assignment of Work and Personal Protective Equipment | At least 15 years after the Contractual Relationship Ended | Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation |
5 | Identity, vehicle card and business card printing processes | Until the employee is dismissed from the institution | KVKK art.4 |
6 | Execution of request and complaint management | 5 Years in Unit Archive after Process Completion | KVKK art.4 |
7 | Making official correspondence with public institutions and litigation follow-up | 20 Years After Legal Relationship Ended | KVKK art.4 |
8 | Execution of internal disciplinary processes | 10 Years After Employment Termination | TBK general limitation period |
9 | Execution of mediation processes | 20 Years After Legal Relationship Ended | KVKK art.4 |
10 | Keeping the records of the drivers who drive or the employees to whom the vehicle is allocated | Until the contractual relationship ends | The current application is compatible with KVKK. |
11 | Realization of accommodation activities | 2 Years After the Legal Relationship Ended | KVK Institutional Storage Disposal Policy |
12 | Execution of Board of Directors Processes | 10 Years After Legal Relationship Ended | TTK |
13 | Execution of Visitor Processes | 2 Years After Visit Ended | KVK Institutional Storage Disposal Policy |
14 | Monitoring and recording of campus surroundings and interior via CCTV system | 1 month | The current application is compatible with KVKK. |
15 | Health Data on OHS | For at least 15 years from the date of dismissal (40 years for Personnel Exposed to Asbestos, Mutagenic or Carcinogenic Substances) | OHS legislation |
16 | Handling incoming and outgoing document processes | 5 Years in Unit Archive + 25 Years in Institution Archive | |
17 | Personal data processed during the execution of Communication and Business Processes | Until the Legal Relationship Ends | KVKK art.4 |
18 | Employee Candidate data | 3 Years for unsuccessful candidates | KVKK art.4 |
19 | Log Records of Employees’ Access to Media Containing Personal Data | 2 years | Pursuant to Law No. 5651 and TİB (Telecommunication Communications Presidency) Regulations |
20 | Access Authorizations of Employees Regarding the Environments Containing Personal Data, User Definitions | 10 Years After Termination of Legal Relationship with the Related Person | TBK general limitation period |
21 | Keeping delivery receipts and custody assignment records | 10 Years After Termination of Legal Relationship with the Related Person | TBK general limitation period |
Where there is a contractual relationship, the above retention periods start when the obligations arising from the contract have been fulfilled; for other activities, they start with the completion of the process.
If personal data whose storage period has expired is stored in physical and paper environments, it should be checked at intervals of no more than 6 months, in accordance with the procedures set forth in this Policy and within the framework of the destruction periods stated above; once it is determined that the retention period has expired, the department employee should complete the relevant data destruction process upon the written instruction of the department responsible. The destruction must be recorded in minutes.
Data kept in the digital environment should be deleted in accordance with Article 8 of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data”. According to this article, deletion means making the data inaccessible to the relevant users. The definitions section of the same regulation defines the relevant user as “Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data”. In this context, it can be said that legal deletion takes place when the data is moved beyond the access authority of the units. After this process, the data in question should be destroyed by being completely deleted from the systems of the data controller after a certain period of time, provided that the principle of proportionality in the law is not exceeded. After this stage, the digital media (server / hard disk) used by the institution should be cleaned at certain intervals by the technical measure of overwriting (WIPE – Secure Erase), so that the data previously saved on the server / hard disk cannot be recovered.
7. MEASURES TAKEN FOR THE STORAGE, PROCESSING, PREVENTION OF UNLAWFUL ACCESS AND DISPOSAL OF PERSONAL DATA
Personal data obtained by NECM KİMYA in accordance with the KVKK and other relevant legislation will be destroyed by NECM KİMYA ex officio or upon the application of the Relevant Person, again in accordance with the provisions of the Law and relevant legislation, with the techniques specified below, in case the personal data processing purposes listed in the Law and Regulation cease to exist.
It would be appropriate to appoint, for each department, a department responsible who follows up the retention periods determined specifically for that department and checks whether the retention periods of the data processed have expired and, if so, whether the data has been destroyed, and to appoint a contact person who checks whether all department responsibles fulfill this obligation. Upon detection that the retention period has expired, the department employee must complete the relevant data destruction process upon the written instruction of the department responsible.
Within the framework of the principles in Article 12 of the KVKK, all administrative and technical measures taken by NECM KİMYA in order to keep your personal data safe, to prevent its unlawful processing and access, and to destroy the data in accordance with the law are listed below:
7.1. Administrative Measures:
The administrative measures taken by NECM KİMYA are as follows:
- It limits the internal access to the stored personal data to the personnel required to access it as per the job description. Whether the data is of a special nature or not and the degree of importance are also taken into account in limiting the access.
- In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible. In accordance with the KVKK’s decision dated 24.01.2019 and numbered 2019/10, the shortest time has been determined as 72 hours. Therefore, the Institution is obliged to notify the Board of this situation within 72 hours of learning that the data it processes has been obtained unlawfully.
- Regarding the transfer of personal data, it ensures data security by signing a contract on the protection of personal data and data security with the third-party natural/legal persons to whom personal data is transferred, or by adding provisions to the current contract.
- It employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
- The company’s senior management/board of directors convenes every 6 months and evaluates both the current situation and risks related to KVK and whether the destruction processes are carried out within the specified periods. In this context, a meeting is held every 6 months by the Institution’s management in order to monitor whether the departments have fulfilled the periodic disposal procedures. Administrative, technical and legal measures to be taken in order to comply with the KVK legislation are decided at the meetings to be held and the meeting decisions are filed with the wet signatures of the managers.
- When a violation of the policy is detected, the issue is immediately reported to a senior manager by the manager of the relevant employee. Necessary administrative action is taken about the employee who violates the policy, after the evaluation by Human Resources.
7.2. Technical Measures:
The technical measures taken by NECM KİMYA are as follows:
- It performs necessary internal controls within the scope of established systems.
- It carries out information technology risk assessment processes within the scope of established systems.
- It ensures the provision of the technical infrastructure to prevent or monitor the leakage of data outside the institution and the creation of relevant authority matrices.
- It provides control of system vulnerabilities by receiving penetration test service regularly or when needed.
- It ensures that the access to personal data of the employees in the information technology units is kept under control.
- Personal data is destroyed in a way that is irreversible and leaves no audit trail.
- Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by the most appropriate technical methods in order to meet information security requirements.
8. EMPLOYEE
The titles, units and job descriptions of the personnel involved in the personal data storage and destruction process are given in the list in Annex-1 of this Policy.
9. PERSONAL DATA DISPOSAL PROCEDURES
NECM KİMYA retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, it is first determined whether a period is foreseen for the storage of personal data in the relevant legislation; if a period is determined, this period is complied with. Personal data is deleted, destroyed or anonymized in accordance with NECM KİMYA’s policy in the event that the period expires or the reasons requiring it to be processed disappear, unless there is a legal reason allowing it to be processed for a longer period of time. Unless a contrary decision is taken by the Board, NECM KİMYA chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio. If requested by the relevant person, it chooses the appropriate method by explaining the reason. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.
a. Deletion and Destruction of Personal Data:
Deletion of personal data is the process of making personal data inaccessible and unusable in any way. Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Once the purpose and storage period required for a business unit within its organization to process personal data have expired, NECM KİMYA takes technical and administrative measures to prevent that business unit from processing the relevant personal data. In addition, NECM KİMYA considers the “Guidelines for the Deletion, Destruction or Anonymization of Personal Data” published by the Institution in the techniques of deletion and destruction of personal data and chooses the appropriate one from the examples published in this guide.
b. Anonymization of Personal Data:
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. For personal data to be anonymized by NECM KİMYA, it must be rendered incapable of being associated with an identified or identifiable natural person, even if the data controller, recipients or recipient groups use techniques appropriate to the recording medium and the relevant field of activity, such as reversing the process or matching the data with other data. NECM KİMYA is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data. While applying these techniques, NECM KİMYA takes into account the “Guidelines for the Deletion, Destruction or Anonymization of Personal Data” published by the Institution and chooses the appropriate one from the examples published in this guide.
10. UPDATE AND COMPLIANCE
In case of incompatibility between KVKK and other relevant legislation provisions and this Policy, KVKK and other relevant legislation provisions will be applied first. This Policy, prepared by NECM KİMYA, entered into force on 26/02/2020. NECM KİMYA reserves the right to make changes in this Personal Data Retention and Disposal Policy in line with the changes made in the Law, in accordance with the Board decisions or in line with the developments in the sector. The policy is reviewed as needed and the necessary sections are updated. Changes made in this Personal Data Retention and Disposal Policy are immediately incorporated into the text and explanations regarding the changes are announced at the end of the policy.
APPENDIX-1
The list of personnel, duties and responsibilities determined below is advisory and may change according to the internal functioning and structure of your Institution. In this case, it is recommended to make necessary updates and revisions. As we stated in the Legal Situation Analysis Report, it would be appropriate to authorize the unit that will be tasked with monitoring the retention periods/destruction processes/data security reporting/inventory updates/application to the data officer/complaint processes to the Board, previously suggested by us to update the personal data inventory periodically.
STAFF TITLE, UNIT AND TASK LIST
EMPLOYEE | DUTY | RESPONSIBILITY |
Archive Manager | Human Resources | Destruction of personal data. |
Lawyer | Contract Lawyer | Receiving the requests of the relevant persons, checking their compliance with the procedure and answering the request. |
Accounting staff | Sales and Accounting | Ensuring the compliance of the processes within the scope of its duty with the storage period, management of the periodical destruction process, performing the necessary inspections and controls in order to respond to the requests of the relevant persons. |
Finance | Finance expert | Managing the personal data destruction process in accordance with the periodical destruction period, ensuring the compliance of the processes within its scope with the retention period. |
Human Resources Staff | Human Resources | Managing the personal data destruction process in accordance with the periodical destruction period, ensuring the compliance of the processes within its scope with the retention period. |