PERSONAL DATA STORAGE AND DISPOSAL POLICY1. Tetramar Natural Stone Marble Industry and Trade Ltd. Sti. (“Company”), has prepared this Personal Data Retention and Destruction Policy (“Policy”), in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) as the “Data Controller” in order to determine the procedures and principles and to inform the “Data Owners” about the principles of determining the maximum storage period required for the purpose for which personal data is processed, and the processes of deletion, destruction and anonymization.
2. This policy applies to all the real persons processed automatically or non-automatically, provided that it is the system of any data system, customer candidates, employee candidates, partners, companies, company candidates, business partners, employees of subcontractors and vendors, shareholders and third parties.
The policy is implemented in the activities carried out for the processing and protection of all personal data managed by our Company.
3. This policy is published on our company’s website (www.tetramar.com) and is made available to the relevant persons upon the request of personal data owners.
4. The category in the implementation of this Policy,
- Relevant Person: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data,
- Destruction: Deletion, destruction or anonymization of personal data,
- Law: Personal Data Protection Law No. 6698,
- Recording medium: Any medium containing personal data that is fully or partially automated or processed non-automatically provided that it is a part of any data recording system,
- Personal data: Any information relating to an identified or identifiable natural person,
- Personal data owner: The real person whose personal data is processed,
- Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system All kinds of operations performed on data such as transferring, taking over, making it available, classifying or preventing its use,
- Personal data processing inventory: Data controllers create personal data processing activities based on business processes by associating personal data processing purposes, data category, transferred recipient group and data subject group, and personal data is processed. The inventory they detail by explaining the maximum time required for the purposes, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security,
- Board: Personal Data Protection Board,
- Authority: Personal Data Protection Authority,
- Special quality personal data: People’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life
- Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,
- Data Retention and Disposal Policy: This Policy, on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization,
- Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority,
- Data processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
- Data registration system: The registration system in which personal data is structured and processed according to certain criteria,
- Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
For definitions not included in this Policy, the definitions in the Law are valid.
5. All unit managers of the company actively support the proper implementation of technical and administrative measures regarding the processing, storage and destruction of personal data in their units. For this purpose, unit managers; It provides training and awareness raising of the unit employees, monitors and supervises the processes, helps to prevent the illegal processing of personal data and illegal access to the processed data, and to take and implement technical and administrative measures for data security.
It provides active support to the fulfillment of the processing, storage and destruction of personal data in accordance with the legislation by increasing the knowledge and awareness of the relevant users on the protection of personal data.The titles, units and job descriptions of those involved in the storage and destruction of personal data are as follows:
- General Manager : In the capacity of the representative of data controller, he is responsible for the implementation of all procedures regarding the protection and destruction of personal data and the implementation of the policy.
- Human Resources Manager : Responsible for preparing, developing, executing, publishing and updating the policy, ensuring compliance of processes within his/her duty with the retention period, and managing the personal data destruction process in accordance with the periodic destruction period, training and informing .
- Accounting Manager : Responsible for the preparation, development, execution, publication and updating of the policy, ensuring the compliance of the processes within its duty with the retention period, and the management of the personal data destruction process in accordance with the periodic destruction period.
- Information Systems Manager : Responsible for technical storage, protection and backup of data, determination and implementation of technical solutions needed for policy implementation.
- Other Unit Managers : They are responsible for implementing the policy in their own units, monitoring and supervising the implementation, ensuring the compliance of the processes within their duty with the retention period, and managing the personal data destruction process in accordance with the periodic destruction period.
- Relevant User and Data Processors : Responsible for compliance with procedures and laws regarding data processing and storage.
- Special Authorized Relevant User : Responsible for the protection, storage and inaccessibility of personal data deleted by the procedure or the relevant person’s request until they are destroyed, until they are destroyed.
- Electronic Media; Other digital media such as servers, portable disks, software, information security devices, employee computers, optical discs, removable memories, printers, scanners and copiers.
- Physical Media; Other media such as paper, manual data recording systems, written, printed and visual media where data is kept by printing on paper or microfilms.
- Cloud Environments; They are environments where encrypted internet-based systems are used by the company, although they are not owned by the company.
Technical MeasuresThe following technical measures are taken in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:
- Only up-to-date and secure systems suitable for technological developments are used in environments where personal data is kept.
- Security systems are used for environments where personal data is kept.
- Security tests and research are carried out to detect security vulnerabilities on information systems, and the existing or potential risky issues identified as a result of the tests and researches are eliminated.
- Access to data is restricted to the environments where personal data is kept, and only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded. In limiting access, whether the data is of special quality and its importance are also taken into account.
- The Company has sufficient technical personnel to ensure the security of the environments where personal data is kept. It ensures that the access to personal data of employees in information technology units is kept under control
- Personal data destruction is ensured in a way that is non-recyclable and leaves no audit trail.
- According to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encrypted methods to meet information security requirements.
Administrative MeasuresIt takes the following administrative measures in accordance with the characteristics of all environments where personal data is stored and the environment in which the data is kept:
- Works are carried out to raise awareness and raise awareness of all company employees who have access to personal data on information security, personal data and privacy issues.
- Legal and technical consultancy services are received in order to follow the developments in the field of information security, privacy and protection of personal data and to take the necessary actions.
- In the event that personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations under these protocols.
- In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible.
- Makes and has the necessary inspections made in order to ensure the implementation of the provisions of the Law before the Company. It fixes privacy and security vulnerabilities that arise as a result of audits.
- Explicitly stipulated by law.
- The person who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity is compulsory for the protection of himself or someone else’s life or bodily integrity.
- Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- The person concerned has been made public by himself.
- Compulsory data processing for the establishment, exercise or protection of a right.
- Compulsory data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
9. The procedures and principles regarding the deletion and destruction of personal data by the Company are listed below.
DELETION OF PERSONAL DATA
Blackening of Personal Data on Paper:It is the method of removing the personal data on the relevant document from the document by physically cutting it or rendering it invisible using fixed ink, which is irreversible and cannot be read with technological solutions.
- Secure Deletion from Software: It is a method of deleting personal data kept in the cloud or local digital environments and making them inaccessible again.
DESTRUCTION OF PERSONAL DATA
- Physical Destruction: There is a system of physical destruction of personal data so that it cannot be used later. Documents in paper media are destroyed in such a way that they cannot be reassembled with document shredders. Optical and magnetic media containing personal data are physically destroyed by melting, burning or pulverizing.
- De-magnetization: It is the method of corrupting the data on it in an unreadable way by passing the magnetic media through special devices where it will be exposed to high magnetic fields.
- Overwrite: It is a method of destruction that eliminates the ability to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.
ANONIMIZATION OF PERSONAL DATA
- Removing the variables: It is the method of removing the highly descriptive variables from the variables in the data set created after the collected data of the relevant person is brought together and anonymized.
- Partial hiding: Since a single data creates a barely visible combination, if there is a determinative feature, hiding the relevant data provides anonymization. It is the process of deleting the information that may be distinctive about the exceptional data.
- Generalization: It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information.
- Lower and Upper Bound Coding: It is a method of anonymizing the values in a data group containing predefined categories by combining them by determining a certain criterion.
- Micro-joining: All data is first separated into groups by arranging them in a meaningful order, and the value obtained by taking the average of the groups is written in place of the relevant data in the current group, thus providing anonymity.
- Data mixing and corruption: Direct or indirect identifiers in personal data are mixed with other values or corrupted, thus breaking their relationship with the data subject and causing them to lose their descriptive qualities.
10. Retention and Disposal Periods
|PROCESS||STORAGE PERIOD||DISPOSAL PERIOD|
|Recruitment documents to the Social Security Institution; Personnel data based on notifications regarding service period and wage||It is kept for 10 years from the beginning of the calendar year following the service contract and the end of it.||Within 180 days after the expiry of the retention period|
|Recruitment documents to the Social Security Institution; Personnel data excluding personnel data that is the basis for notifications regarding length of service and wages||It is kept for 10 years after the service contract and from the beginning of the calendar year following its conclusion||Within 180 days after the expiry of the retention period|
|Data in the Workplace Personal Health File||It is kept for 10 years after the end of the service contract||Within 180 days after the expiry of the retention period|
|Occupational health and safety practices||It is kept for 10 years following the termination of the business relationship.||Within 180 days after the expiry of the retention period|
|Answering court/enforcement information requests regarding personnel||It is kept for 10 years following the termination of the relationship.||Within 180 days after the expiry of the retention period|
|Personnel Financing Processes||It is kept for 10 years following the termination of the business relationship.||Within 180 days after the expiry of the retention period|
|Identity information, contact information, financial information, Business Partner/Solution Partner/Consultant employee data regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and the company||Within 180 days after the expiry of the retention period|
|Visitor’s name, surname, license plate and camera records taken at the entrance to the physical spaces,||Saved for 2 years.||Within 180 days after the expiry of the retention period|
|Information in the CV and job application form of the Employee Candidate||Within 180 days after the expiry of the retention period|
|Information in the internship file of the intern||Within 180 days after the expiry of the retention period|
|Customer’s name, surname, T.C.K.N., contact information, payment information and methods, product/service preferences, transaction history,||Within 180 days after the expiry of the retention period|
|Identity information, contact information, financial information obtained during the contract negotiations between the potential customer and the company on the establishment of a commercial relationship,||Saved for 2 years.||Within 180 days after the expiry of the retention period|
|Identity information, contact information, financial information regarding the conduct of the commercial relationship between the cooperated institutions, companies, customers and the company, data of the institution, company, customer employee with which the company is in cooperation||Within 180 days after the expiry of the retention period|
|Planning and Execution of Corporate Communication Activities||It is kept for 10 years following the termination of the business relationship.||Within 180 days after the expiry of the retention period|
|Other Data Required to be Processed or Processed for the Establishment or Performance of a Contract||Within 180 days after the expiry of the retention period|
|Information about company partners and board members||Saved for 10 years.||Within 180 days after the expiry of the retention period|
|Accident Reporting||Saved for 10 years.||Within 180 days after the expiry of the retention period|
|Document preparation||Saved for 10 years.||Within 180 days after the expiry of the retention period|
|Filing of training records||Saved for 10 years.||Within 180 days after the expiry of the retention period|
11. Although no period has been determined for the storage of personal data under the law, it is essential to keep personal data for as long as required by the relevant legislation or for the purpose for which they are processed, in accordance with general principles. The Data Controller Company makes an evaluation based on the legislation in force regarding each data processing process and the purpose of the process, in order to determine the retention periods in accordance with the said principle. If it is arranged for a longer period in accordance with the legislation, or in accordance with the legislation, the statute of limitations, foreclosure period, retention periods, etc. If a longer period is foreseen for the storage period, the periods in the provisions of the legislation are considered as the maximum storage period. In this respect, personal data is kept at least until the period required by legal obligations and the statute of limitations subject to the relevant Law expires.
Personal data may be stored in order to make the necessary defenses within the scope of the dispute in case of any dispute that may arise between you and the Data Controller. Personal data is anonymized, deleted or destroyed in accordance with the Law, with the disappearance of the purpose of processing the relevant personal data within the scope of any process, including the expiration of the aforementioned periods.
12. Personal data whose storage period has expired or whose purpose for storage has ceased to exist is deleted, destroyed or anonymized by being destroyed every six months, by means of an action to be carried out ex officio at repetitive intervals as specified in this Personal Data Retention and Disposal Policy. is brought. Periodic destruction is also carried out in January and July of each year.
13. Our company makes the necessary assignments within the Company in order to fulfill the obligations in the KVK Law and to implement the issues specified in this Policy, and establish the procedures accordingly.
14. Company activities and possible changes in the personal data groups processed, changes to be made in the legal legislation and the policy decisions of the Personal Data Protection Board are followed. This policy is reviewed and the necessary sections are updated, changed or re-created according to the emerging need.