Policy of Storage - Deletion and Destruction of Personal Data
1. Preparationpurpose of policy of storage – deletion and destruction of personal data
Purpose of this policy is to make regulations in connection with updating, transferring, anonymizing, deleting and destroying personal data inALTINYAĞ KombinalarıA. Ş. (hereinafter shall be referred to ALTINYAĞ or company). Policygoes in effect upon resolution of executive board. application of policy instead will be monitored by personal data protection committee to be assigned by executive board or one responsible to be elected by committee.
2. Preparation of policy of preservation and destruction of personal data and modifications
Policygoes in effect upon resolution of executive board. Application of policy instead will be monitored by personal data protection committee/responsible to be assigned by executive board. executive board either directly or upon proposal of committee/responsible, may renew policy, go for modifications in policy.
3. Definitions
Inapplication of this personal data storage and destruction policy:
| ABBREVIATION | DEFINITION | ||
| Law | Personal Data Protection Act Nr. 6698 | ||
| Personal Data Protection Committee/Responsible | Personal data protection committee or a member elected by it, responsible of in-house operation in connection with protection and process of personal data created upon resolution of executive board within the body of Altınyağ Madencilik ve Enerji Yatırımları San. ve Tic. A.Ş., | ||
| Clear Consent | Clear consent released upon free will in connection with informing on a certain subject | ||
| Receiving Group | Natural or legal person category to whom personal data is transferred by data responsible | ||
| Relevant Person | Natural person whose personal data is processed | ||
| Personal Data | Information of any kind related to natural person whose identity is known or identifiable. | ||
| Anonymization Of Personal Data | Converting personal data to a form that cannot be relatable in any manner to a natural person whose identity is known or specifiable despite of being matched with other data. | ||
| Destruction Of Personal Data | Deletion, destruction or anonymization of personal data | ||
| Deletion Of Personal Data | Process of converting personal data to a form that could never be accessible and reusable by relevant users in any manner whatsoever. | ||
| Destruction Of Personal Data | Process of converting personal data to a form that could never be accessible, restorable and reusable by any person in manner whatsoever. | ||
| Policy |
Personal data storage, deletion and destruction policy of Altınyağ Madencilik ve Enerji Yatırımları San. ve Tic. A.Ş. |
||
| Company | Altınyağ Madencilik ve Enerji Yatırımları San. ve Tic. A.Ş (In Short - Altınyağ) | ||
| Executive Board | Executive board of Altınyağ Madencilik ve Enerji Yatırımları San . ve Tic. A.Ş. | ||
| Regulation | Regulation on deletion, destruction or anonymization of personal data published on official gazette dated 28 October 2017 and gone in effect. | ||
4. Media, on which personal data are recorded
Company has been preserving personal data it has obtained in scope of data processing activities in compliance to law limited to the extent required for processing purpose. in this context, personal data obtained are stored in physical and electronic media by company.
5. Legal, technical and other reasons that require storage and destruction of personal data
Personal data obtained directly or indirectly in compliance to the data processing conditions contained in law, are preserved by company for the period foreseen by legislation or required by the processing purpose and in compliance to law and faith rules. Company has been preserving information and documents containing personal data in connection with commercial activities in scope of fulfilling legal responsibilities arising from Turkish trade code nr.6102 and labor act nr.4857 as well as other relevant legislation and establishment, utilization and protection of its rights being one of data processing conditions contained in law, for their periods of limitation. company keeps job applications submitted in the systems of company for a period of 1- year maximum. In case of any demand for deletion instead, they are immediately destroyed without awaiting for 1-year period. Need for personnel is covered among the applications recorded in system time to time. Furthermore, company may preserve such obtained personal data for a period it shall determine as of the expiry of preservation periods foreseen in relevant legislation provided that process conditions contained in articles 5 and 6 of law shall be met and justification would be provided. Personal data should be deleted in case that the reasons requiring preservation in compliance to article 4 of law would have been abolished. Furthermore, storage activities governed on the basis of clear consent of data owner should also be terminated if such consent would have been revoked by owner and such data should be deleted. In cases where data owner submits to company demand of deletion of data in scope of the rights contained in article 11 of law, such demand is assessed by personnel within company and such data is deleted if data processing conditions specified in law would have been abolished.
6. Technical and administrative measures taken for storage of personal data in a safely manner and prevention of illegally processing of and accessing to personal data
Company has been taking technical and administrative measures of any kind in order to ensure legally processing of and providing safety of personal data; has been rendering trainings to company’s personnel and has been running audits with periodical intervals to ensure compliance to such measures. Company has been analyzing personal data processing realized by each department within its body, and has been taking measures necessary for ensuring compliance to law during present and additional processing. All stages related to data collection in company are reviewed one by one;studies are performed in order to obtain data in compliance to law. In receiving job applications, approval texts related thereto are also taken,and for those being received at e-mail address of company [info@altinyag.com.tr] response is submitted by e-mail and approval process of applications is completed. Company’s employees are informed of that they should not reveal personal data they obtained in recourse of their work to any third person and/or entity. Confidentiality record is added to service agreements among employee and company in line with aforesaid; undertaking is obtained from employees regarding to that such liability of confidentiality shall continue after they abandon their work. Furthermore, provisions regarding to that receiving group should take measures of any kind in order to ensure safety of personal data are added to agreements executed by company with third persons and/or entities with whom data transfer has been realized in compliance to articles 8 and 9 of law. Company has been taking technical measures of any kind in frame of technological opportunities and costs in order to ensure safety of personal data contained in information systems. For instance use of firewall, real-time penetration tests, installation of security software into all instruments, access procedures on unit and work process basis. In order to prevent illegal access to personal data and disclosure of personal data, access of employees to data is limited to their scope of work. On the other hand, company has put in effect this policy and various policies in scope of ensuring compliance to law. this policy and other policies are being updated according to changing legislation and emerging needs. furthermore;
- Cleaning personal data available in common files of computer environment: obsolete files and pictures have been deleted,files and pictures thought to be useful and specified have been added to folders accessible of it only.
- Updating access authorizations: access authorizations in common files have been restricted thus employees are furnished with access to files concerning their job only. New access authorization has been regulated as to be given after approval of manager and written request.
- Updating all HR forms: All forms we have received on the job or when working have been evaluated and unnecessary personal data have been removed.
- Updating common HR folder: HR folders of us in computer environment have been screened and all personal data either unnecessary or beyond actuality have been cleared.
- Updating reports of us: All reports of us have been screened and those reports containing personal data have been evaluated and personal data in use unnecessarily have been cleared.
- KVK Committee: A committee has been established.
- Render Training: All personnel have been rendered training on KVK law and their responsibilities have been explained. Furthermore, it has been resolved to include such training into compulsory trainings and to be repeated once a year.
- Undertaking: Approval signatures of all personnel have been received and clarification text has been published. it has been added among the forms to be undersigned in recruiting.
- KVK Procedure&Information Safety Procedure: Procedureof KVK law has been prepared. We have been working on information safety procedure.
- E-Mail warning and site enhancement: E-Mail warnings to be automatically added to mails have been prepared and a text related to KVK was added to our site.
7. Technical and administrative measures taken for destruction of personal data in compliance to law
Unless otherwise resolved by board, company is authorized to select the proper one among the methods directly deleting, destroying or anonymizing personal data in accordance with regulation. In case of request by data owner, it selects proper one upon describing the reason. Company has been taking technical and administrative measure of any kind in order to delete, destroy or anonymize personal data in compliance to law. Upon considering technological opportunities and applications costs company holds, most proper method is being used. Destruction process is inspected by committee/responsible created in company to ensure compliance of personal data processing courses to law. Periodical destruction process has been realized by minimum two persons in the body of this unit, and written undertaking of these persons is taken regarding to that any copy of personal data destroyed has not been taken. Those persons in charge shall also be determined by committee/responsible. Should the instruments available in company, which contain personal data have become unserviceable anymore and they would be sold or left outside, personal data within such instruments are destroyed, if this is not possible, instrument itself is destroyed.
8. Titles, units and job descriptions of persons taking part in storage and destruction processes of personal data
Processes related to storage and destruction of personal data shall be realized by committee/responsible established within the body of company, who are in charge to ensure processing personal data in compliance to law. Criterions such as magnitude of processing activities, organization structure especially situation and intensity of processing personal data with special quality are considered and a “personal data protection committee” in which more than one person in charge would take place, or in case of being found sufficient a “responsible” is employed in recourses of job. Again an “assistant to responsible of data protection” may be appointed in virtue of need. duties of personal data protection committee / responsible are as following:
- To ensure compliance of personal data processing operations to law, regulation, other secondary legislation, confidentiality policies of company,
- To evaluate and to finalize requests to be received from data owners,
- To actually participate in destruction process of personal data,
- To determine measures needed by company in safety of personal data and to ensure the same to be taken,
- To make/cause to make periodical inspections in connection with compatibleness situation of company,
- To prepare and to suggest training plan regarding to increasing awareness of employees on the matter of developments and changes in legal field and in practice.
9. Periodical destruction times
Company deletes, destroys or anonymizes personal data during the initial periodical destruction process following the date on which responsibility of deleting, destroying and anonymizing personal data would occur. Time interval for realization of periodical destruction is 6 months. Digital and physical environments are screened by KVK committee on behalf of data responsible in the months of January and July of each year, and data of which storage period would expire are deleted and destroyed.
10. Storage and destruction periods
Storage and destruction periods in respect to personal data being processed by company are indicated in the chart below. Legislation provisions related to legal basis of storage periods are contained in attachment to this policy.
|
DATA CATEGORY |
STORAGE AND DESTRUCTION PERIOD | LEGAL BASIS |
| Data related to visitors | They’re stored generally for a period of 1 year and deleted at the end of such period. | Turkish Trade Code Nr. 6102, Land Roads Traffic Law, Turkish Crime Code Nr.5237, Turkish Obligations Code Nr.6098 and other legislation through which lapse of time periods are regulated. |
| Personal data related to employees of company | They are stored along with the duration of job. | Turkish Obligations Code Nr.6098, Labor Code Nr.4857 and other legislation through which lapse of time periods are regulated. |
| Personal data related to suppliers from which company purchases goods and/or service and representatives of suppliers | They are stored as long as commercial relation survives. They are stored for legal lapse of time period + 1 year in cases where commercial relation will be thought to not exist; Commercial relation could not be established for years long. they are deleted at the end of such period. | Turkish Trade Code Nr. 6102, Turkish Obligations Code Nr.6098 and other legislation through which lapse of time periods are regulated. |
| Camera shootings obtained through closed circuit monitoring systems | They are deleted at the end of two month-period in cases any judicial event would not be experienced and they would not be requested by official authorities. | They are kept for reasonable period of 15 days in scope of legal benefits of data responsible company in compliance to personal data protection act nr. 6698. |
| Effects being forgotten within company, which contain personal data | They are kept for a period of 6 months if owner could not have been reached, and destroyed under a protocol at the end of such period. | They are kept for reasonable period of 6 months in scope of legal benefits of data responsible company in compliance to personal data protection act nr. 6698. |
| Job Applications – CV’s | Applications are kept in system until deletion request of application’s owner and immediately destroyed upon demand of approval’s owner. | They are kept for a period of 10 years for legal benefit and in scope of application of application’s owner. |
| Data related to former employees abandoned job | They are kept for a period of 15 years due to possible labor lawsuits especially such lawsuits based on occupational diseases. | Health data are kept for 15 years under labor act, labor health and safety act nr.6331. |
| Data in instant messaging applications such as whatsappetc. | They are kept in application along with the financial year during which business relation is ongoing | They are deleted off the application at the end of financial year due to business practices and due to employer’s legal benefit. |
|
Personal data in corporate e-mail used for commercial purpose and personal e-mails |
They are kept in e-mail instrument and servers for a period of 10 years due to business practices and due to legal benefit of employer | They are deleted off servers and instruments due to business practices and due to legal benefit of employer. |
ANNEX: Limitation Periods
LIMITATION PERIODS
Limitation periods to be considered in frame of Turkish trade code nr.6102, Turkish crime code nr.5237, Turkish obligations code nr.6098 should be assessed as following:
1.Visitorsinformation
It will be destroyed during the initial destruction process after termination of visitors’ book since any special regulation does not exist in respect to any judicial event or investigation. Visitors’ data kept in digital form are preserved for a period of 1 year.
2. Data related to employees of company
Personal files should be maintained along with continuance of business relation. Upon termination of business relation instead such periods will be subject to periods of former employee status.
3. Data related to former employees
Data related to former employees are preserved for 15 years upon considering lawsuits of occupational disease and are destroyed at the end of such period. If there is a lawsuit, files are preserved until absolution of lawsuit.
4. Camera records
These are automatically deleted every two months. In the event of any situation is experienced as to be subject matter of lawsuit, these are set aside and preserved, and remainders are deleted.
5. Supplier information
Information of natural person suppliers will be destroyed 10 years after if agreement relations have terminated and shall not continue.
6. Files of which lawsuit process is ongoing
If Lawsuit process related to one of limitation term and destruction process above is ongoing –even though destruction process is reached- in such a case data are preserved until termination of lawsuit process and absolution of court order. destruction is realized 1 year after destruction absolution date or continuance of process with transactions such as sanction etc.
7. Data in instant messaging and applications such as corporate e-mail, whatsapp etc.
Data in instant communication applications are deleted at the end of relevant financial year, those in corporate e-mails instead are deleted at the end of 10th year from instruments and servers, upon considering dynamics of commercial activity due to business practices and legal benefit of employer.
8.Data processed in scope of production and buying-selling activities
Companymay redetermine such periods related to transactions among preserving, deleting and destroying periods that may be subject to licenses.