Personal Data Retention And Destruction Policy

[vc_row row_type=”parallax” parallax_content_width=”in_grid” text_align=”left” background_image=”15736″ full_screen_section_height=”yes” vertically_align_content_in_middle=”yes”][vc_column css=”.vc_custom_1495455799238{padding: 40px !important;background-color: rgba(255,255,255,0.82) !important;*background-color: rgb(255,255,255) !important;}”][vc_column_text]

CONTENTS

SECTION ONE

NATURE AND PURPOSE OF THE PERSONAL DATA RETENTION AND DESTRUCTION POLICY

1.1. INTRODUCTION

1.2. DEFINITIONS

SECTION TWO

MEDIA AND SECURITY MEASURES

2.1. MEDIA WHERE PERSONAL DATA ARE STORED

2.2. ENSURING SECURITY OF THE MEDIA

2.2.1. Technical Measures

2.2.2. Administrative Measures

2.2.3. Internal Audit

SECTION THREE

DESTRUCTION OF PERSONAL DATA

3.1. REASONS REQUIRING RETENTION AND DESTRUCTION

3.1.1. Reasons Requiring Retention

3.1.2. Reasons Requiring Destruction

3.2. DESTRUCTION METHODS

3.2.1. Erasure of Personal Data

3.2.2. Destruction of Personal Data

3.2.3. Anonymization of Personal Data

3.3. RETENTION AND DESTRUCTION PERIODS

3.3.1. Retention Periods

3.3.2. Destruction Periods

3.4. PERIODIC DESTRUCTION

3.5. INSPECTION OF COMPLIANCE OF DATA DESTRUCTIONS WITH LAW

3.5.1. Technical Measures

3.5.2. Administrative Measures

SECTION FOUR

4.1. PERSONAL DATA COMMITTEE

SECTION FIVE

REVISION AND COMPLIANCE

5.1. REVISION NOTES

 

SECTION ONE

NATURE AND PURPOSE OF THE PERSONAL DATA RETENTION AND DESTRUCTION POLICY

 

1.1. INTRODUCTION

This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by BEYAZ KÂĞIT VE HİJYENİK ÜRÜNLER TEMİZLİK İNŞAAT SANAYİ TİCARET A.Ş. in our capacity as data controller in accordance with the Law No. 6698 on the Protection of Personal Data (“PDPL” or the “Law”) and the By-Law on Erasure, Destruction or Anonymization of Personal Data (“By-Law”), which entered into force after being published in the Official Gazette dated 28 October 2017 and which constitutes the secondary legislation pertaining to the Law, in order to lay down the principles and procedures to be applied by our Company regarding the erasure, destruction or anonymization of the personal data collected as per the PDPL and other legislation, as well as the principles of determining the maximum retention period necessary for the purpose of processing personal data of data subjects, and in order to fulfill our obligations in accordance with the PDPL and other legislation.

Within this context, the personal data of our employees, employee candidates, our customers, and any real person whose personal data are kept within the body of our Company for any purpose are lawfully managed in accordance with the Policy on Protection and Processing of Personal Data and this Personal Data Retention and Destruction Policy.

 

1.2. DEFINITIONS

Explicit Consent

Consent in relation to a specific matter, which is given upon being informed and of one’s own free will.

Relevant User

The persons, other than the person or department responsible for technical storage, preservation, and backup of data, who process personal data within the data controller’s organization or as authorized and instructed by the data controller.

Personal Data

Any information relating to an identified or identifiable real person.

Special Categories of Personal Data

Data in relation to race, ethnic origin, political opinion, philosophic belief, religion, sect or other beliefs, appearance, membership in associations, foundations or unions, health, sexual orientation, criminal convictions and security measures and biometric and genetic data.

 

 

 

 

 

Processing of Personal Data

Any operation which is performed on Personal Data, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or blocking their use, by wholly or partly automatic means, or by non-automatic means which form part of a data-recording system.

Direct Identifiers

The personally identifiable information which can alone directly reveal, disclose, and distinguish the identity of the person they are related with.

Indirect Identifiers

The personally identifiable information which can, when combined with other identifiers, reveal, disclose, and distinguish the identity of the person they are related with.

Data Subject/Relevant Person

Real persons whose personal data are processed by our Company, including internal and external stakeholders of the Company, Company officials, Company business partners, suppliers, our consultants, our employees and employee candidates, visitors, customers, potential customers and third parties, official institutions, banks, independent auditing firms, etc.

Data Controller

Any legal person who determines the purposes and methods of the processing of personal data, and who is responsible for establishment and management of the data recording system.

Data Processor

Real and legal persons who process personal data on behalf of the data controller based on the authorization given by the data controller.

Law

The Law No. 6698 on the Protection of Personal Data.

By-Law

The By-Law on Erasure, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017.

PDP Board

The Personal Data Protection Board.

Recording Media

Any environment containing personal data which are processed by fully or partly automated means, or by non-automated means provided that they are part of a data recording system.

Policy on Processing, Protection and Privacy of Personal Data

The policy that sets the principles and procedures regarding the management of personal data kept by the Company, which is available at www.beyazkagit.com.tr.

Data Recording System

Any recording system in which Personal Data are processed by being configured according to specific criteria.

Destruction

Deletion, destruction, or anonymization of personal data.

Anonymization

Rendering it impossible for personal data, which has been already associated with a person, to be associated in any manner with the identity of a real person who is identified or identifiable, even if they are matched with other data.

Erasure of Personal Data

The process of rendering personal data inaccessible to and non-reusable by Relevant Users in any manner.

Destruction of Personal Data

The process of rendering personal data inaccessible to, non-restorable and non-reusable by anybody in any manner.

Periodic Destruction

The erasure, destruction, or anonymization of personal data, as specified in the Personal Data Retention and Destruction Policy, which shall be carried out ex officio at recurrent intervals, in the case that all conditions for processing of personal data specified under the Law cease to exist.

 

SECTION TWO

MEDIA AND SECURITY MEASURES

 

2.1. MEDIA WHERE PERSONAL DATA ARE STORED

The personal data retained by our Company are kept in a suitable recording media depending on the nature of the data and our legal obligations. The recording media used for keeping personal data are listed below in general. However, certain data may be kept in a media other than those listed herein, due to their special nature or our legal obligations. Our Company acts in its capacity as data controller in any case and processes and protects the personal data in accordance with the Law, the Policy on Processing, Protection and Privacy of Personal Data and this Personal Data Retention and Destruction Policy.

  a) Printed media: Media where data are kept printed out on paper or microfilm, such as unit cabinets, archives, etc.
  b) Local digital media: Other digital media owned by our Company, such as servers, hard disks, or portable disks, etc.
  d) Cloud media: Media not owned but used by our Company where Internet-based systems encrypted with cryptographic methods are used.
  e) Electronic media

 

2.2. ENSURING SECURITY OF THE MEDIA

As per the principles in Article 12 of the PDPL, our Company takes all necessary technical and administrative measures for the safe storage of your personal data and prevention of unlawful processing of and access to your personal data, and lawful destruction of the same, depending on the features of the relevant personal data and the media where the relevant personal data are kept.

These measures include, but are not limited to, the following administrative and technical measures, to the extent that they are suitable depending on the nature of the related personal data and the features of the media where they are kept.

All administrative and technical measures taken by our Company are listed below:

 

2.2.1.  Technical Measures

Our Company mainly takes the following technical measures for all the media where the personal data are stored, depending on the nature of the related personal data and the features of the media where they are kept:

  • Only up-to-date and secure systems suitable for technological developments are used in the media where personal data is kept.
  • Necessary internal checks are carried out within the established systems.
  • Security systems are used for the media where personal data is kept.
  • Security tests and research are carried out to detect security vulnerabilities on information systems, and the existing or potential risky issues identified as a result of the tests and research are eliminated.
  • Access to the media where personal data is kept is restricted, and only authorized persons are allowed to access these data limited to the purpose of storing personal data, and all accesses are recorded.
  • It is ensured that the technical infrastructure is provided to prevent or monitor the leakage of data outside the entity and the relevant matrices are created. System vulnerabilities are checked by receiving penetration test services regularly and when needed.
  • Our Company has sufficient technical personnel to ensure the security of the media where personal data are kept.
  • It is ensured that the authorizations of employees working in information technology units to access personal data are kept under control.
  • Destruction of personal data is ensured in a way that cannot be reversed and leaves no audit trail.
  • Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encrypted or cryptographic methods to meet information security requirements.

 


2.2.2.  Administrative Measures

Our Company mainly takes the following administrative measures for all the media where the personal data are stored, depending on the nature of the related personal data and the features of the media where they are kept:

  • Activities are carried out in order to raise awareness of all Company employees, who have access to personal data, on information security, personal data and privacy, and necessary trainings are provided to them within the context of personal data protection legislation and data security.
  • Internal access to stored personal data is limited to the personnel who require it as per their job descriptions. Whether the data fall within the special categories of personal data, and their degree of importance, are also considered in limiting access.
  • Legal and technical consultancy services are procured in order to follow the developments in the field of information security, right of privacy and protection of personal data, and to take the necessary actions.
  • If the processed personal data are obtained unlawfully by others, the data subject and the Board are notified of this situation as soon as possible.
  • In the event that personal data are transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, or data security is ensured with the provisions added to the existing agreement, and all necessary care is taken to ensure that the relevant third parties comply with their obligations under these protocols.
  • Our Company performs and procures the performance of necessary audits within its own organization in order to ensure implementation of the provisions of the Law. Privacy and security vulnerabilities revealed as a result of audits are eliminated.

 

2.2.3.  Internal Audit

Our Company carries out internal audits regarding the implementation of the provisions of the Law and this Personal Data Retention and Destruction Policy, and the Policy on Protection and Processing of Personal Data, pursuant to Article 12 of the Law.

If any deficiency or failure is identified regarding the implementation of these provisions as a result of the internal audits, such deficiencies or failures are remedied immediately.

If it is understood during the audit or otherwise that the personal data under the responsibility of our Company have been obtained unlawfully by others, our Company notifies the data subject and the Board of this situation as soon as possible.

 

 


 

SECTION THREE

DESTRUCTION OF PERSONAL DATA

 

3.1. REASONS REQUIRING RETENTION AND DESTRUCTION

 

3.1.1.  Reasons Requiring Retention

The personal data retained by our Company are stored for the purposes and grounds stipulated hereunder, pursuant to the Law and our Personal Data Policy (available at www.beyazkagit.com.tr).

 

3.1.2.  Reasons Requiring Destruction

The personal data retained by our Company are erased, destroyed, or anonymized pursuant to this destruction policy at the request of the data subject, or ex officio if all the conditions under Articles 5 and 6 of the Law cease to exist.

The conditions stipulated under Articles 5 and 6 of the Law are as follows:

  1. Where expressly prescribed by the laws;
  2. Where mandatory for the protection of life or bodily integrity of a person (or of another person) who is incapable of giving his/her consent due to physical impossibility or whose consent is legally invalid;
  3. Where processing of personal data belonging to parties to a contract is necessary, provided that it is directly related to entering into or performing the contract;
  4. Where mandatory for the data controller to fulfill its legal obligation;
  5. Where data are made public by the relevant person himself/herself;
  6. Where data processing is mandatory for the establishment, exercise, or protection of a right;
  7. Where it is obligatory to process data for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not infringed.

 

3.2. DESTRUCTION METHODS

Our Company erases, destroys or anonymizes the personal data stored pursuant to the Law and other legislation, either at the request of the data subject or ex officio within the periods stipulated under this Personal Data Retention and Destruction Policy, if all the conditions requiring the processing of personal data cease to exist.

 

3.2.1. Erasure of Personal Data

Personal data can be erased by our Company through the methods specified below.

| Data Recording Media | Description |
| --- | --- |
| Personal Data Stored on Servers | Amongst the personal data available on the servers, the system manager erases the ones, the necessary retention periods of which have expired, and terminates access authorizations of the relevant users. |
| Personal Data Stored Electronically | Amongst the personal data stored electronically, the ones, the necessary retention periods of which have expired, are rendered inaccessible and non-reusable for the other personnel (relevant users) except the database manager. |
| Personal Data Stored in Physical Media | Amongst the personal data stored electronically, the ones, the necessary retention periods of which have expired, are rendered inaccessible and non-reusable for the other personnel (relevant users), except for the unit director responsible for document archive. In addition, the data are concealed by crossing out/painting/erasing in the way to render them indecipherable. |
| Personal Data Stored in Portable Media | Amongst the personal data kept in Flash-based storage media, the ones, the necessary retention periods of which have expired, are encrypted by the system manager and access authorization is granted only to the system manager with encryption keys stored in secure media. |

 

3.2.2. Destruction of Personal Data

Personal data can be destroyed by our Company through the methods specified below.

| Data Recording Media | Description |
| --- | --- |
| Personal Data Stored in Physical Media | Amongst the personal data contained in the printed media, the ones, the necessary retention periods of which have expired, are irreversibly destroyed by using shredders. |
| Personal Data Stored in Optical Magnetic Media | Personal data stored in optical and magnetic media, the retention periods of which have expired, are destroyed by implementing physical destruction methods such as melting, burning, or pulverizing. Furthermore, the magnetic media are exposed to a high-intensity magnetic field by being placed in a special device in order to render the data contained therein illegible. |

3.2.3. Anonymization of Personal Data

Anonymization of personal data is the process of rendering it impossible for personal data to be associated with any identified or identifiable real person in any way, even if the personal data are matched with other data. In order for personal data to be considered anonymized, it should become impossible for the data controller or third parties to associate such personal data with an identified or identifiable real person, even by using techniques appropriate in terms of the recording media and the relevant field of activity, such as data recovery and/or matching the data with other data.

 

3.3. RETENTION AND DESTRUCTION PERIODS

 

3.3.1.  Retention Periods

| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- |
| Management of Human Resources Processes | 5 Years Following the Completion of the Activity | In the first periodic destruction process following the expiry of the retention period |
| Management of Purchasing and Marketing Processes | 5 Years Following the Completion of the Activity | In the first periodic destruction process following the expiry of the retention period |
| Preparation of Contracts | 5 Years following the Expiry/Termination of the Contract | In the first periodic destruction process following the expiry of the retention period |
| Performance of Communication Activities | 10 Years Following the Completion of the Activity | In the first periodic destruction process following the expiry of the retention period |
| Log Record Monitoring Systems | 10 years | In the first periodic destruction process following the expiry of the retention period |
| Hardware and Software Performance of Access Processes | 5 years | In the first periodic destruction process following the expiry of the retention period |
| Visitor | 5 years | In the first periodic destruction process following the expiry of the retention period |
| Camera Recordings | 45 days | In the first periodic destruction process following the expiry of the retention period |

  • If a longer period is required under the legislation or the legislation stipulates a longer period of prescription, time-bar, or storage etc., the periods under the legislative provisions are considered as maximum retention periods.
  • In addition, due to the nature of the documents, it is possible to keep the relevant documents up to a maximum of 20 years, without being subject to the above periods if the need for longer storage arises for commercial or legal reasons.

 

3.3.2.  Destruction Periods

Our Company erases, destroys or anonymizes the personal data for which it is responsible, pursuant to the Law, applicable legislation, the Policy on Processing and Protection of Personal Data and this Personal Data Retention and Destruction Policy, in the first periodic destruction process following the date on which its obligation to erase, destroy or anonymize such personal data has emerged.

When a data subject files an application with the Company and requests erasure or destruction of his/her personal data pursuant to Article 13 of the Law:

  1. If all the conditions for processing of personal data cease to exist, our Company erases, destroys or anonymizes the personal data indicated in the related request, with the suitable destruction method within 30 (thirty) days following the date of its receipt of the request, by explaining its reason. In order for our Company to be deemed to have received the request, the data subject must make the request in accordance with the Policy on Processing, Protection and Privacy of Personal Data. Our Company informs the data subject for each transaction performed in any case.
  2. If all the conditions for processing of personal data have not ceased to exist, our Company may reject this request by explaining its reason pursuant to paragraph three of Article 13 of the Law, and the rejection is notified to the data subject in writing or in electronic media within thirty days at the latest.

 


 

3.4. PERIODIC DESTRUCTION

If all the conditions for processing of personal data under the Law cease to exist, our Company erases, destroys or anonymizes the personal data for which the processing conditions no longer exist, ex officio at recurring intervals as stated under this Personal Data Retention and Destruction Policy. The periodic destruction processes start on 1.1.2020 for the first time and are repeated every 6 (six) months.

 

3.5. INSPECTION OF COMPLIANCE OF DATA DESTRUCTIONS WITH LAW

Our Company performs data destruction either upon request, or ex officio as part of the periodic data destruction processes, in accordance with the Law, other legislation, the Policy on Processing and Protection of Personal Data and this Personal Data Retention and Destruction Policy.

Our Company takes certain administrative and technical measures in order to ensure that the data destruction is performed in accordance with these regulations.

 

3.5.1.  Technical Measures

  • Our Company keeps technical tools and equipment suitable for each data destruction method in this Policy.
  • Our Company ensures the safety of the place where data destructions are performed.
  • Our Company keeps the access records for the persons performing the data destruction.
  • Our Company employs competent and experienced personnel to perform the data destruction, or engages competent third parties, if necessary.

 

3.5.2.  Administrative Measures

  • Our Company carries out activities to increase and raise the awareness of its employees who will perform the data destruction, regarding information security, personal data and right of privacy.
  • Our Company procures legal and technical consultancy services in order to follow the developments in the field of information security, right of privacy, protection of personal data, and safe destruction techniques and to take the necessary actions.
  • Our Company enters into protocols with the third parties that are engaged for the data destruction processes due to technical or legal requirements, in order to protect the personal data, and shows due care to ensure that these third parties comply with the obligations under these protocols.
  • Our Company regularly performs audits to determine whether or not data destructions are performed in accordance with the terms and obligations under the Law and this Personal Data Retention and Destruction Policy and takes the necessary actions.
  • Our Company records all the transactions carried out in relation to erasure, destruction or anonymization of personal data and keeps them for a period of at least three years, except for other legal obligations.

 


 

SECTION FOUR

4.1. PERSONAL DATA COMMITTEE

The Company establishes an internal Personal Data Committee. The Personal Data Committee is authorized and in charge of taking the necessary actions/having the necessary actions taken and supervising the processes for the storage and processing of the data of the relevant persons in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Personal Data Retention and Destruction Policy.

The Personal Data Committee is composed of five persons, three managers and two technical specialists. The titles and job descriptions of the Company employees assigned to the Personal Data Committee are as follows:

| TITLE | JOB DESCRIPTION |
| --- | --- |
| Personal Data Committee Manager | Responsible for steering and guiding any planning, analysis, research, risk identification studies for the projects carried out in the process of compliance with the Law; managing processes that must be carried out in accordance with the Law, the Policy on Processing and Protection of Personal Data and the Personal Data Retention and Destruction Policy and deciding on the requests received from the data subjects. |
| PDP Specialist (Technical, Administrative) | Responsible for reviewing the requests of data subjects and reporting the same to the Personal Data Committee Manager for evaluation (Legal, Technical and Administrative); fulfilling the processes regarding the data subjects’ requests evaluated and decided by the Personal Data Committee Manager, in accordance with the decision of the Personal Data Committee Manager; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; and for execution of storage and destruction processes. |

 


SECTION FIVE

REVISION AND COMPLIANCE

Our Company reserves the right to revise the Policy on Processing and Protection of Personal Data or this Personal Data Retention and Destruction Policy in line with the amendments to the Law, the resolutions passed by the Authority, or the developments in the sector or in the field of information technologies.

The revisions made in this Personal Data Retention and Destruction Policy are immediately reflected on the text, and revision notes are provided at the end of the Policy.

In case of any conflict between this Policy and the provisions of the PDPL and other relevant legislation, the provisions of the PDPL and other relevant legislation shall prevail.

 

5.1. REVISION NOTES

….2019: Personal Data Retention and Destruction Policy was published.

*No previous revision found.*


[/vc_column_text][/vc_column][/vc_row]