PERSONAL DATA STORAGE AND DESTRUCTION POLICY

13.01.2021 13:27

1. Purpose and Scope


This Personal Data Storage and Destruction Policy (the "Policy") has been prepared by BMK Software and Digital Solutions Consultancy Ltd. Şti. (the "Company") in order to fulfil our obligations under the Personal Data Protection Law No. 6698 ("KVKK" or the "Law") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the "Regulation"), published in the Official Gazette on 28 October 2017, which constitutes the secondary regulation of the Law, and to inform data owners about the principles for determining the maximum storage period required for processing their personal data and about the deletion, destruction and anonymization processes.


Within the scope of this Policy are customers, prospective customers, employee candidates, employees, company shareholders, company officials, visitors, business partners, suppliers and collaborators, as natural persons whose personal data are processed by automatic means or by non-automatic means provided that they are part of a data recording system, together with the employees, shareholders, officials and third parties of such companies. The Policy applies to all activities managed by our Company for the processing and protection of all personal data.




2. Definitions


Explicit Consent: It is the consent that is based on the information and expressed with free will regarding a specific subject.


Obligation of Disclosure: The obligation of the data controller, or of the person authorized by it, to inform the person concerned, while personal data are being obtained, of the identity of the data controller and, if any, its representative; the purpose for which the personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal reason for collecting the personal data; and the other rights enumerated in Article 11 of the Law.


Relevant User: The persons who process personal data within the organization of the data controller, or under the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.


Destruction: Deletion, destruction or anonymization of personal data.


Law: It is the Personal Data Protection Law No. 6698.


Recording Media: Any medium that contains personal data that is fully or partially automated or processed non-automatically provided that it is a part of any data recording system.


Personal Data: All kinds of information related to an identified or identifiable natural person.


Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, by fully or partially automatic means or, provided that it is part of a data recording system, by non-automatic means.


Making Personal Data Anonymous: It is the rendering of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.


Deletion of Personal Data: Making personal data inaccessible and unavailable in any way for Relevant Users.


Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone.


Board: It is the Personal Data Protection Board.


Special Quality Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership of associations, foundations or unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.


Periodic Destruction: It is the process of deletion, destruction or anonymization, which is specified in the personal data storage and disposal policy and will be carried out ex officio at repetitive intervals if all the conditions for processing personal data in the Law are eliminated.


Data Owner / Relevant Person: The natural person whose personal data are processed.


Data Processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.


Data Supervisor: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.


Regulation: It is the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.




3. Principles Regarding the Processing of Personal Data


The personal data collected by the Company are processed, in accordance with the relevant articles of the Law, lawfully and in accordance with the rules of honesty; accurately and, where necessary, kept up to date; for specific, explicit and legitimate purposes; in a manner connected with, limited to and proportionate to the purpose for which they are processed; and they are kept for the periods stipulated in the relevant legislation or required for the purpose for which they are processed, and for the periods specified in this Policy by the Company.


Explicit consent is obtained from the Data Owner regarding the personal data processed by the Company. However, within the scope of Article 5 of the Law, it is possible to process personal data without the explicit consent of the Data Owner in the cases listed below. These cases are listed as follows:


- It is clearly stipulated in the laws,


- It is obligatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid,


- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,


- It is mandatory for the data controller to fulfil its legal obligation,


- It is made public by the person concerned,


- Data processing is mandatory for the establishment, use or protection of a right,


- Where data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.


The company records all transactions related to the deletion, destruction and anonymization of personal data, and the said records are kept for at least 3 years, excluding other legal obligations.


Unless a contrary decision is taken by the Board, the appropriate method of deleting, destroying or anonymizing personal data is selected by us. However, upon the request of the Related Person, the appropriate method will be selected by explaining its justification.


If all the conditions for the processing of personal data are eliminated, the personal data are deleted, destroyed or anonymized by the Company, either directly or at the request of the relevant person. In case the Data Owner applies to the Company regarding this matter, the requests submitted are concluded within 30 (thirty) days at the latest and the data owner is informed. In case the data subject to the request is transferred to third parties, this situation is notified to the third party to whom the data was transferred.




4. Recording Media


Personal Data processed by the Company are stored in the following recording media.


Electronic Media

- Servers (domain, backup, email, database, web)
- Software (office software, Holicon)
- Information security devices (firewall, antivirus, etc.)
- Personal computers (desktop, laptop)
- Mobile devices (phone, tablet, etc.)
- Optical discs (CD, DVD, etc.)
- Removable media (USB stick, memory card, etc.)


Physical Environments

- Paper (written, printed, visual media)
- Archive files




5. Purposes of Keeping Personal Data


Personal data processed by the company are stored for the purposes listed below.


- Conducting Company activities, where the job and the work performed require personal data to be processed,


- Fulfilling legal obligations as required by legal regulations,


- Executing the work and transactions arising from signed contracts and protocols,


- Carrying out corporate communication, corporate security and sales and marketing activities,


- Maintaining contact with the real/legal persons who have business relations with the Company and providing the necessary information,


- Preserving evidence to meet the burden of proof in legal disputes that may arise in the future,


- Enabling statistical studies to be conducted.




6. Reasons for Destroying Personal Data


The Company destroys the personal data it processes when any of the following situations arise:


- The amendment or abolition of the provisions of the relevant legislation that form the basis for processing,


- The disappearance of the purpose requiring processing or storage,


- In cases where the processing of personal data takes place solely on the basis of explicit consent, the withdrawal of that explicit consent by the person concerned,


- An application made to the Company by the person concerned, within the framework of the rights under Article 11 of the Law, for the deletion and destruction of personal data,


- If the Company rejects an application made by the person concerned requesting the deletion, destruction or anonymization of personal data, gives an answer the person finds insufficient, or does not respond within the period stipulated in the Law, the person concerned files a complaint with the Authority and the Authority approves that request,


- The maximum period requiring the storage of personal data has passed and there is no longer any condition justifying the storage of the personal data.




7. Technical and Administrative Measures


Within the framework of the adequate measures determined and announced by the Board for special quality personal data under Article 12 of the Law and the fourth paragraph of Article 6 of the Law, the Company takes the following technical and administrative measures in order to store personal data securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law.




a. Technical Measures


- Necessary internal controls are made within the scope of existing systems.


- Penetration tests are carried out regularly and whenever the need arises so that system vulnerabilities are checked; where any are found, the risks, threats and vulnerabilities in information systems are identified and the necessary measures are taken.


- Risks and threats that would affect the continuity of information systems are continuously monitored through real-time analysis with information security event management.


- Necessary measures are taken for the physical security of the Company's information systems equipment, software and data.


- To ensure the security of information systems against environmental threats, hardware measures (ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) are taken.


- Risks that could lead to unlawful processing of personal data are identified, technical measures are taken against these risks, and the measures taken are subjected to technical controls.


- Access to storage areas containing personal data is recorded, and inappropriate access or access attempts are kept under control.


- Necessary measures are taken to ensure that deleted personal data cannot be accessed or reused by the relevant users.


- Following security vulnerabilities, appropriate security patches are installed and information systems are kept up-to-date.


- Strong passwords are used in electronic environments where personal data are processed.


- Secure record keeping (logging) systems are used in electronic environments where personal data are processed.


- Data backup programs are used to ensure the safe storage of personal data.


- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.




b. Administrative Measures


- Internal access to stored personal data is limited to the personnel who require it according to their job descriptions. The necessary contracts and protocols regarding data security are drawn up between these personnel and the Company.


- Personnel who are knowledgeable and experienced in the processing of personal data are employed, and personnel are given the necessary training within the scope of the legislation on the protection of personal data and on data security.


- Necessary inspections are carried out or commissioned to ensure the implementation of the provisions of the Law. Confidentiality and security weaknesses identified as a result of these inspections are eliminated.




Article 6 of the Law designates personal data whose unlawful processing carries the risk of causing victimization or discrimination as "Special Quality" personal data. These are: data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data.


The Company takes the necessary precautions for the protection of personal data that the Law designates as "special quality" and that are processed in accordance with the law. In the technical and administrative measures taken to protect personal data, particular care is shown for special quality personal data.




8. Deletion, Destruction and Anonymization of Personal Data


a. Deletion of Personal Data


Deletion of personal data is the process of making personal data inaccessible and unavailable in any way for the relevant users. The methods for deleting personal data according to their recording medium are as follows:


- Personal data in the cloud system are deleted by issuing a delete command, without retaining any authorization to retrieve them.


- Personal data on paper media are deleted using the blackout method: the personal data on the paper are struck through, painted over or otherwise rendered illegible.


- Personal data in office files on the central server are deleted with the delete command of the operating system, or by removing the access rights on the directory in which the file is located.


- Personal data on removable media are stored encrypted and are deleted using software suited to that medium. Personal data held in databases are deleted by removing the relevant rows with database commands.




b. Destruction of Personal Data


The destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable in any way. The methods of destroying personal data according to the recording media are as follows:


- Personal data located on local systems are destroyed by de-magnetizing, overwriting or physical destruction.


- Network devices have fixed internal storage media; such products often have an erase command but no destruction capability. They are destroyed using one or more of the methods of de-magnetizing, physical destruction or overwriting.


- Flash-based ATA (SATA, PATA, etc.) and SCSI (SCSI Express, etc.) drives are destroyed using one or more of the same methods.


- In units such as magnetic disks, the data contained must be destroyed by exposure to a very strong magnetic field (de-magnetizing) or by physical destruction methods such as burning and melting.


- Portable smartphones have a wipe command for their fixed memory areas, but since most of them do not have a destroy command, they are destroyed using one or more of the de-magnetizing, physical destruction or overwriting methods.


- Optical discs are destroyed by physical destruction methods such as burning, breaking into small pieces, melting.


- Peripherals such as a printer with removable data recording media, fingerprint door access system are verified that all data recording media have been removed and destroyed by using one or more of the methods of de-magnetizing, physical destruction or overwriting according to their characteristics.


- There is no command to destroy peripherals such as printer, fingerprint door access system with the fixed data recording medium. It is destroyed by using one or more of the methods of de-magnetizing, physical destruction or overwriting.


- Since personal data in paper media is permanently and physically written on the media, the main media must be destroyed. While this process is being carried out, the media is divided into small pieces that are incomprehensible by paper shredding or shearing machines, horizontally and vertically, if possible, so that they cannot be put back together.


- Personal data transferred from the original paper format to electronic media by scanning is destroyed by using one or more of the methods of de-magnetizing, physical destruction or overwriting, depending on the electronic medium in which they are located.


- Personal data in the Cloud Environment is encrypted with cryptographic methods during the storage and use of personal data, and where possible, separate encryption keys are used for each cloud solution, especially for personal data. When the cloud service relationship expires, all copies of the encryption keys required to make personal data available are destroyed.




c. Anonymization of Personal Data


The anonymization of personal data is to render personal data in no way associated with an identified or identifiable natural person, even if they are matched with other data.


For personal data to be anonymized, the personal data must be rendered unrelated to an identified or identifiable natural person, even with the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching of the data with other data.




9. Storage and Destruction Periods


The personal data processed by the Company are stored for the periods specified in the table below and are anonymized or destroyed at the end of those periods.


Process: Data stored under the Labor Law (e.g. performance records)
Retention Period: 5 years following the termination of the business relationship
Destruction Period: Within 180 days after the expiry of the storage period


Process: Data collected within the scope of occupational health and safety legislation (health reports, etc.)
Retention Period: 15 years following the termination of the business relationship
Destruction Period: Within 180 days after the end of the storage period


Process: Data kept within the scope of SGK legislation
Retention Period: 10 years following the termination of the business relationship
Destruction Period: Within 180 days after the end of the storage period


Process: Documents that can be used in a claim or lawsuit regarding a work accident or occupational disease
Retention Period: 10 years following the termination of the business relationship
Destruction Period: Within 180 days after the end of the storage period


Process: Data collected in accordance with other relevant legislation
Retention Period: The period stipulated in the relevant legislation
Destruction Period: Within 180 days after the end of the storage period


Process: Personal data that is the subject of a crime within the scope of the Turkish Penal Code or other criminal legislation
Retention Period: For the duration of the statute of limitations
Destruction Period: Within 180 days after the expiry of the storage period


Process: Customer data
Retention Period: 10 years following registration
Destruction Period: Within 180 days after the end of the storage period


Process: Data on system users
Retention Period: For as long as the user account exists
Destruction Period: Within 180 days after the user account is deleted


Process: Data on personnel candidates
Retention Period: 2 years following registration
Destruction Period: Within 180 days after the expiry of the storage period
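The schedule above reduces to two kinds of rule: a fixed number of years from a trigger event (end of the business relationship, or registration), or an external event that ends the storage period, in both cases followed by a 180-day destruction window. The following Python script is an added example, not part of the policy: it encodes those rules and flags the records due for the next periodic destruction run. The category names, record ids and dates are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DESTRUCTION_WINDOW_DAYS = 180  # section 9: destroy within 180 days after storage ends
# Fixed-term categories from the section 9 table (category names are assumed); years
# run from the trigger event: end of the business relationship, or registration.
RETENTION_YEARS = {
    "labor_law": 5,
    "ohs": 15,
    "sgk": 10,
    "work_accident": 10,
    "customer": 10,
    "candidate": 2,
}
# Categories whose storage period ends with an external event supplied explicitly:
# account deletion, end of the statute of limitations, or other legislation's period.
EVENT_DRIVEN = {"system_user", "criminal_limitation", "other_legislation"}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger: date                      # date the retention clock started
    period_end: Optional[date] = None  # EVENT_DRIVEN categories only


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start lands on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def storage_end(rec: Record) -> Optional[date]:
    """Last day the record may be stored, or None if not yet determinable."""
    if rec.category in RETENTION_YEARS:
        return add_years(rec.trigger, RETENTION_YEARS[rec.category])
    if rec.category in EVENT_DRIVEN:
        return rec.period_end  # stays None until the ending event has occurred
    raise ValueError(f"unknown retention category: {rec.category}")


def destruction_deadline(rec: Record) -> Optional[date]:
    """Latest lawful destruction date: storage end plus the 180-day window."""
    end = storage_end(rec)
    return None if end is None else end + timedelta(days=DESTRUCTION_WINDOW_DAYS)


def due_for_periodic_destruction(records, run_date: date):
    """(record_id, overdue) for records whose storage period ended before run_date."""
    due = []
    for rec in records:
        end = storage_end(rec)
        if end is not None and run_date > end:
            due.append((rec.record_id, run_date > destruction_deadline(rec)))
    return due
```

A record in an event-driven category yields no deadline until its ending event is recorded, so the periodic run skips it rather than guessing.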




Changes may be made to this Personal Data Storage and Destruction Policy without any notification to users due to legislative changes, current case law and developments in judicial decisions, and other reasons. For this reason, we recommend that this text be reviewed and checked periodically.