E-Catalog

Personal Data Storage and Destruction Policy

Personal Data Storage and Destruction Policy

Personal Data Storage and Destruction Policy

RYS Rota Construction Metal Building Systems Industry and Trade Limited Company

Personal Data Storage and Destruction Policy

ADDRESS:  Saray Neighborhood, Lumberjacks Industrial Site, 15th Street No:25, Kazan / ANKARA

TELEPHONE:  0 (312) 815 22 41

WEB : www.rysrota.com

MAİL : info@rysrota.com

1.INTRODUCTION

1.1 Purpose

Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and transactions related to the storage and destruction activities carried out by RYS Rota İnşaat Metal Yapı Sistemleri Sanayi ve Ticaret Limited Şirketi (Company).

The Company has determined its primary objective to ensure that the personal data of our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, deputies, visitors, registered individuals, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we have a relationship are processed in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and that the relevant individuals can effectively exercise their rights.

The work and procedures regarding the storage and destruction of personal data are carried out in accordance with this Policy prepared by the Company in this regard.

1.2 Scope

Our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, deputies, visitors, registered parties, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we have a relationship are covered by this Policy, and this Policy applies to all recording environments and personal data processing activities owned or managed by the Company where personal data is processed.

1.3 Abbreviations and Definitions

Recipient Group:  Category of natural or legal persons to whom personal data are transferred by the data controller.

Explicit Consent:  Consent related to a specific subject, based on information and expressed with free will.

Anonymization:  Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.

Employee:  Personal Data Protection Authority staff.

Electronic Environment:  Environments where personal data can be created, read, changed and written using electronic devices.

Non-Electronic Media:  All written, printed, visual, etc. media other than electronic media.

Service Provider:  A natural or legal person who provides services within the framework of a specific contract with the Company.

Relevant Person:  The natural person whose personal data is processed.

Relevant User:  Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction:  Deletion, destruction or anonymization of personal data.

Law:  Personal Data Protection Law No. 6698.

Recording Medium:  Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.

Personal Data:  Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: The inventory in which  data controllers detail the personal data processing activities they carry out in connection with their business processes, by relating them to the purposes and legal reason for processing personal data, data category, recipient group to which the data is transferred and the data subject group, and by explaining the maximum retention period required for the purposes for which personal data is processed, personal data intended to be transferred to foreign countries, and the measures taken regarding data security.

Processing of Personal Data:  Any operation performed on data, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

Board:  Personal Data Protection Board

Special Personal Data:  Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction:  The process of deletion, destruction or anonymization, which will be carried out ex officio at recurring intervals and as specified in the personal data storage and destruction policy, in the event that all processing conditions for personal data specified in the law are eliminated.

Policy:  Personal Data Storage and Destruction Policy

Data Processor:  Natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System:  A recording system in which personal data is structured and processed according to certain criteria.

Data Controller:  The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data Controllers Registry Information System:  The information system created and managed by the Presidency, accessible via the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry.

VERBIS:  Data Controllers Registry Information System

Regulation:  Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

Deletion of Personal Data:  It is the process of making personal data inaccessible and non-reusable for the relevant users in any way.

Destruction of Personal Data:  It is the process of making personal data inaccessible, irretrievable and reusable by anyone.

Masking:  The method of anonymizing Personal Data by removing the basic identifying information from the Personal Data.

Obscuration:  Operations such as crossing out, painting or blurring personal data in such a way that it cannot be associated with an identified or identifiable natural person.

2. RESPONSIBILITIES AND DUTY DISTRIBUTIONS

All units and employees of the company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to properly implement the technical and administrative measures taken by the responsible units within the scope of the Policy, to train and raise awareness of the unit employees, to monitor and continuously audit them, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the lawful storage of personal data.

The distribution of titles, units and job descriptions of those involved in the storage and destruction of personal data is given in Table 1.

Table 1: Distribution of tasks in storage and destruction processes

ADDRESS UNIT JOB DESCRIPTION
GENERAL MANAGER MANAGEMENT Ensuring compliance with the retention period for processes within the scope of its duties and managing the personal data destruction process in accordance with the periodic destruction period. Responsible for updating and publishing the policy in line with evolving and changing business processes.

 

The General Manager is responsible for forwarding applications sent by other units to the units authorized to respond.
ACCOUNTING MANAGER

 

FINANCE MANAGER

 ACCOUNTING AND FINANCE Ensuring compliance with the retention period for processes within its scope of responsibility and managing the personal data destruction process in accordance with the periodic destruction period. Managing personal data retention processes within the scope of the Labor Law, the Turkish Code of Obligations, the Turkish Commercial Code (TTK), the Tax Procedure Law, and other laws. Responsible for fulfilling the obligation to inform data subjects and receiving and responding to requests.
HUMAN RESOURCES HUMAN RESOURCES Ensuring compliance with the retention period for employees, job candidates, and other HR contacts related to the application and placement processes, and managing the personal data destruction process in accordance with the periodic destruction period. Managing personal data retention processes within the scope of the Labor Code, TCC, TCC, Tax Procedure Law, and other laws. Responsible for fulfilling the obligation to inform data subjects, receiving and responding to requests, and ensuring employee compliance with personal data policies.
PURCHASING MANAGER SATIN ALMA Ensuring compliance with the retention periods for personal data of suppliers and individuals receiving or receiving services, and managing the relevant periodic destruction process. Responsible for fulfilling the obligation to inform data subjects and receiving and responding to requests.
BID AND TECHNICAL MANAGER OFFER AND TECHNICAL Ensuring compliance with the retention period for processes within its scope of responsibility and managing the personal data destruction process in accordance with the periodic destruction period. Managing personal data retention processes within the scope of the Public Procurement Law and its related secondary legislation, the TCC, the Tax Procedure Law, and other laws. Responsible for fulfilling the obligation to inform data subjects and receiving and responding to requests.
IT SERVICE PROVIDER THIRD PARTY RECEIVING SERVICES Ensuring that processes within its scope of responsibility comply with the retention period and managing the personal data destruction process in accordance with the periodic destruction period. Responsible for fulfilling the obligation to inform IT systems addressees and relevant individuals, receiving and responding to requests, and providing the technical solutions needed for policy implementation.

All units and employees are responsible for the implementation of the Policy in accordance with their duties.

All unit managers are responsible for submitting the destruction reports to the Management.

3. RECORDING ENVIRONMENTS

Personal data is stored securely by the Company in accordance with the law in the environments listed in Table 2.

Electronic Media Non-Electronic Media
-Servers (Domain, backup, email, database, web, file sharing, etc.)

 

-Software (office software, portal)

-Personal computers (Desktop, laptop)

-Mobile devices (phone, tablet, etc.)

-Removable memories (USB, memory card, etc.)

-Printer, scanner, photocopier

-E-invoice, E-ledger system

-Camera Recording Server

 -Paper

 

-Non-automatic data recording systems

(Job application form, etc.)

-Written, printed, visual media

-Cabinets

4. INSTRUCTIONS ON STORAGE AND DESTRUCTION

Personal data processed by the Company belonging to our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, deputies, visitors, registered persons, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we have a relationship are stored and destroyed in accordance with the Law.

In this context, detailed explanations regarding storage and destruction are given below, respectively.

4.1 Explanations Regarding Storage

The concept of processing personal data is defined in Article 3 of the Law, and Article 4 states that the personal data processed must be linked, limited and proportionate to the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the framework of our Company’s activities, personal data is stored for a period stipulated in relevant legislation or consistent with our processing purposes. When determining these periods, our priority is to implement the periods stipulated by legislation.

4.1.1 Legal Reasons Requiring Storage

Personal data processed within the scope of our company’s activities is retained for the period stipulated in the relevant legislation. In this context, personal data;

-Personal Data Protection Law No. 6698

-Labor Law No. 4857

-Social Insurance and General Health Insurance Law No. 5510

-Tax Procedure Law No. 213

-Income Tax General Communiqué No. 265

-Occupational Health and Safety Law No. 6331

-Military Service Law No. 1111

-Annual Paid Leave Regulation

-Law No. 6356 on Trade Unions and Collective Bargaining Agreements

-Occupational Health and Safety Services Regulation

-Regulation on Overtime and Working with Extra Hours Regarding the Labor Law

-Turkish Code of Obligations No. 6098

-Vocational Education Law No. 3308

-Turkish Commercial Code No. 6102

-Enforcement and Bankruptcy Law

-Law on Regulation of Electronic Commerce

-Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications

-TOBB and Chambers and Commodity Exchanges Law

-Public Procurement Law

– Regulation on the Execution of Vehicle Sales, Transfer and Registration Services

– Corporate Tax Law

-Other secondary regulations in force pursuant to these laws

In the event of retention periods specified within the framework and explicit consent, data is stored for a period of time appropriate to the purpose of processing.

4.1.2 Processing Purposes Requiring Storage

The Company stores the personal data it processes within the scope of its activities for the following purposes.

Main Objectives Sub-Objectives
Execution of the Company’s Human Resources Policies  

 

 

– Carrying out processes regarding the essential and side rights of employees arising from employment contracts and legislation,

– Fulfillment of obligations arising from contractual relations and legislation,

– Carrying out the selection and placement processes of candidate employees, trainees and apprentices and providing internship support,

– Execution of Human Resources Processes and Policies,

– Carrying out procedures for evaluating job applications and job suitability,

– Granting Power of Attorney within the Scope of Assignment and Conducting Authorization Processes and Performance Evaluation Processes.
Carrying out and executing the necessary studies, research and planning for the realization and security of commercial activities carried out by the company.  

 

– Designing, developing and implementing corporate governance and communication activities,

– Planning and Execution of the Company’s Commercial and Business Activities and/or Business Processes,

– Carrying out supply relations and supply chain management processes related to the purchasing activities of goods or services,

– Providing material prices and technical information, requesting materials and tracking orders,

– Conducting Marketing and Supply Analysis Studies and Communication Activities,

– Carrying out management activities,

– Preparation of cost and offer within the scope of customer and project research, and offer presentation and follow-up,

– Execution of Contract Processes,

– Taking Application Measurements, Preparing Projects, Obtaining Project Approval and Preparing Orders,

– Determining, Executing and Developing the Company’s Business Strategies and Investment Processes and Carrying Out Business Continuity Activities,

– Planning and Execution of Production, Supply and/or Operation Processes,

– Monitoring the current status of orders related to the construction site and the current manufacturing status, and informing about the changing manufacturing or adding new manufacturing,

– A New Request or Revision of an Existing Request Regarding the Construction Site,

– Conducting Tender Processes,

– Execution of Goods and Services Sales Processes,

– Determination of potential companies to supply materials.
Ensuring the Legal, Technical and Occupational Safety of the Company, its Employees and Persons in Business Relations with the Company – Providing information to authorized persons, institutions and organizations,

 

– Monitoring and Execution of Legal Processes,

– Protection of the Company Against Legal and Criminal Liability,

– Conducting Occupational Health / Safety Activities,

– Ensuring the safety of movable goods, resources and personnel within and around the building,

– Carrying out activities in accordance with legislation,

– Ensuring the Security of Information, Transactions, Data and Devices and Preventing Malicious Use,

– Planning and Execution of Information Technology Processes and Data Security Activities,

– Carrying out activities/developments and analyses regarding access to systems and physical environments and monitoring entry-exit information at controlled access points,

– Tracking the location of the company’s vehicles for security and performance reasons,

– Our company takes legal and commercial security measures and fulfills its obligations,

– Ensuring that safety precautions are taken in the workplace and preventing deterioration of the working environment in the workplace.
Execution of the Company’s Audit Activities and Protection of the Confidence It Inspires in Consumers – Collecting the Information Required for Conducting Disciplinary, Complaint, Internal Investigation and Audit Activities,

 

– Measuring and Increasing Customer Satisfaction and Tracking Requests and Complaints within the Scope of Carrying Out Customer Relations Management Activities,

– Quality Control and Evaluation of Service/Contract Performance within the Scope of Carrying Out Activities Aimed at Customer Satisfaction,

– Obtaining Anonymous User Experience-Based Analyses for Corporate Promotional Purposes.
 

 

Planning and Execution of Payment Processes to be Made to the Company’s Employees and Persons with Whom the Company Has a Business Relationship

 

 – Execution of processes and policies regarding finance, accounting and wage payments,

 

– Carrying out storage and archive activities.
Ensuring the Safety of Company Employees in Emergencies – Execution of Emergency Management Processes.
Carrying out the necessary work to recommend the products and services offered by our company to personal data owners by customizing them according to their tastes, usage habits and needs. – Planning the activities required to present, recommend and promote our services to the relevant people,

 

– Improving the Quality of Online Experience,

– Providing and facilitating the online user experience on our website and improving its functionality and performance.

4.2 Reasons Requiring Destruction

Personal data;

  • Amendment or repeal of the relevant legislative provisions that form the basis of processing,
  • The purpose requiring processing or storage is eliminated,
  • In cases where personal data processing is carried out only on the basis of explicit consent, the person concerned must withdraw his/her explicit consent,
  • Pursuant to Article 11 of the Law, the personal data of the relevant person within the framework of his/her rights
  • In cases where the Authority accepts the application made by the relevant person for the deletion, destruction or anonymization of his/her personal data, or if the Authority rejects the application made by the relevant person for the deletion, destruction or anonymization of his/her personal data, finds the response insufficient or does not respond within the period stipulated in the Law, he/she may file a complaint with the Board and this request is approved by the Board,
  • The maximum period for which personal data must be stored has passed and there are no conditions that would justify storing personal data for a longer period,

In such cases, it is deleted, destroyed or made anonymous by the Company upon the request of the person concerned.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

In order to ensure the safe storage of personal data, to prevent unlawful processing and access, and to destroy personal data in accordance with the law, technical and administrative measures are taken by the Company within the framework of the adequate measures determined and announced by the Board for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law.

5.1 Technical Measures

The technical measures taken by the Company regarding personal data processed are listed below:

  • Up-to-date anti-virus systems are used.
  • Personal data is backed up and the backed up personal data
  • security is also provided.
  • User account management and authorization control systems are implemented and monitored.
  • If sensitive personal data is to be sent via e-mail, it must be encrypted and sent using a corporate e-mail account.
  • Intrusion detection and prevention systems are used.
  • Cyber ​​security measures have been taken and their implementation is constantly monitored.
  • Encryption is being done.
  • Penetration testing is performed
  • A firewall is used.
  • Security measures are taken within the scope of information technology systems procurement, development and maintenance.
  • Network security and application security are provided.
  • Firewall and gateway measures are taken.
  • Hardware and software are subject to secure installation and configuration processes.
  • Unused software and services are deleted.
  • The adequacy of security measures taken for systems is checked regularly.
  • Access to systems containing personal data is restricted.
  • Passwords and passcodes are changed at regular intervals.
  • Account deletion is provided without delay for employees whose relationships are terminated.
  • To protect against malware, products such as anti-virus and anti-spam are used that regularly scan the information system network and detect threats.
  • If personal data is to be obtained from different websites/mobile application channels, the connections are made via SSL or a more secure method.
  • It is checked which software and services are running on IT networks.
  • It can be determined whether there is a leak or a movement that should not have occurred in information networks.
  • Security issues are reported as quickly as possible.
  • Entry and exit to electronic and printed media containing personal data are under control.
  • The environments in question have been protected against external risks such as fire, flood, etc. with appropriate methods.
  • Access between network components for personal data in electronic environment is restricted or separated.
  • If data is to be transferred via e-mail, necessary security measures are taken.
  • Printed documents, servers, backup devices and devices such as USB containing personal data are kept in a separate section where additional security measures will be taken and entry and exit to these areas are controlled.
  • Internationally accepted encryption programs are used to help fully protect personal data.

5.2 Administrative Measures

The administrative measures taken by the Company regarding the personal data it processes are listed below:

  • The notification on the procedures and principles to be applied in fulfilling the obligation to inform and the information texts within the scope of Articles 10 and 11 of the Personal Data Protection Law have been prepared and used.
  • The Personal Data Protection and Processing Policy has been prepared and is being used.
  • Personal Data Processing Inventory has been prepared and policies, texts etc. have been created in light of this inventory.
  • An application form has been created and made available to the relevant parties pursuant to Article 11 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles for Applications to the Data Controller. In this context, the aim is to fulfill the request within the legally required period, including application response texts. Otherwise, the reason for such request will be communicated to the relevant party within the legally required period.
  • In case of a personal data breach, a Breach Notification Policy has been created with a notification infrastructure for the relevant person and institution to ensure that the process is overcome as quickly and with the least damage.
  • The decisions of the Personal Data Protection Authority have been incorporated into data security processes within the scope of awareness and compliance training, and new decisions are being monitored.
  • Disciplinary regulations that include data security provisions are in place for employees. Employee training and awareness campaigns on data security are conducted periodically. Employees are required to sign confidentiality agreements regarding company activities.
  • During the personal data processing inventory preparation process, the Access and Authorization Control Matrix was created and auditing was aimed.
  • A “policy for the use of communication tools” and a “password policy” have been prepared to raise employee awareness and ensure the security of business processes.
  • Employment contracts of employees have been revised in terms of the protection of personal data.
  • Institutional policies regarding access and authorization policy, information security, usage, storage and destruction have been prepared and implemented.
  • The authority of employees who change their duties or leave their jobs is revoked in this area.
  • Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a confidential document format.
  • Necessary Procedures for processes requiring the processing of personal data have been prepared and are being used.
  • Personal data is reduced as much as possible.
  • Explicit consent texts have been prepared and are being used for data processing, excluding the exceptions in Articles 5 and 6 of the Personal Data Protection Law, and are now being used within the scope of provisional article 1/3. A consent withdrawal form has been created for those who wish to withdraw their consent, aiming to ensure the process continues with the same speed and efficiency as consent granting.
  • A separate policy and procedures for the security of special personal data have been determined and implemented.
  • Explicit consent texts have been prepared and are being used for data processing, excluding the exceptions in Articles 5 and 6 of the Personal Data Protection Law, and are now being used within the scope of provisional article 1/3. A consent withdrawal form has been created for those who wish to withdraw their consent, aiming to ensure the process continues with the same speed and efficiency as consent granting.
  • A “transfer policy” has been prepared to set out the general framework for personal data transfer.
  • To ensure the effective destruction of data transferred to third parties, either ex officio or upon request, a third-party data destruction notice has been issued. Furthermore, given that the data subject may request correction, a correction notice has been issued for data transferred to third parties.
  • A “transfer policy” has been prepared to set out the general framework for personal data transfer.
  • “Privacy and Cookie” policies have been prepared for situations where data is provided automatically through the website or non-automatically through the application form on the website.

6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the relevant person, using the techniques specified below, in accordance with the relevant legislation.

6.1 Deletion of Personal Data

Personal data is deleted using the methods given in Table 3.

Table 3: Deletion of Personal Data

Data recording medium Explanation
Personal Data Located on Servers For personal data on the servers whose storage period has expired, the system administrator will delete it by removing the access authorization of the relevant users.
Personal Data in Electronic Media Personal data in electronic media, whose storage period has expired, are rendered inaccessible and non-reusable by any means for employees or third parties (relevant users), except for the database administrator.
Personal Data in the Physical Environment For personal data held in a physical environment whose retention period has expired, it is rendered inaccessible and non-reusable by all employees except the unit manager responsible for document archives. Furthermore, it is obscured by drawing, painting, or erasing it to make it illegible.
Personal Data on Portable Media Personal data kept on flash-based storage media is deleted after the retention period has expired.

6.2 Destruction of Personal Data

Personal data is destroyed by the Institution using the methods given in Table-4.

Table 4: Destruction of Personal Data

Data Recording Environment Explanation
Personal Data in the Physical Environment Personal data on paper, whose storage period has expired, is destroyed irreversibly in shredders or by burning.
Personal Data Contained in Optical/Magnetic Media Personal data on optical and magnetic media that have expired are physically destroyed, such as melting or burning.

6.3 Anonymization of Personal Data

Anonymization of personal data means making personal data in no way identifiable with an identified or identifiable natural person, even if matched with other data.

In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and relevant field of activity, such as the return of personal data by the data controller or third parties and/or matching of data with other data.

Company,

The nature of the data,

The size of the data,

The structure of the physical environment where the data is located,

The diversity of data,

The frequency of data processing,

Proportionality of the effort to be expended to destroy the data,

The magnitude of the damage that could occur if the destruction is ineffective,

The possibility that the destruction will be ineffective,

The centrality rate of the data,

It manages the destruction process by selecting the appropriate destruction method, taking into account the users’ access authorization controls to the relevant data, and either ex officio or upon the application of the relevant person.

Data that is deleted, destroyed, or anonymized is recorded. These records are kept for 3 years.

7. STORAGE AND DESTRUCTION PERIODS

Regarding the personal data processed by the Company within the scope of its activities;

The retention periods for all personal data within the scope of activities carried out in connection with the processes are listed in the Personal Data Processing Inventory;

Retention periods based on data categories are determined during registration with VERBIS;

Process-based retention periods are included in the Personal Data Retention and Destruction Policy.

The General Manager will update these retention periods, if necessary. These updates will be added to the Policy, along with the date, and then the updated version will be published.

For personal data whose storage period has expired, the ex officio deletion, destruction or anonymization process is carried out by the relevant department manager for data in physical media, and by the IT consultant for data in electronic media.

7.1 Process-Based Storage and Destruction Periods

Table 5: Table of storage and destruction periods based on processes

PERIOD STORAGE PERIOD DESTRUCTION TIME
Fulfilling the legislative obligations of the process related to the activities for the establishment and execution of employment contracts 10 years from the termination of the employment contract Within 180 days following the end of the Storage Period
Ensuring occupational health and safety and creating personal health files of employees 15 years from the termination of the employment contract Within 180 days following the end of the Storage Period
Activities related to the execution of legal processes 10 years from the date of finalization

 

10 years from the date of preparation of the last report

10 Years from the date of the accident (During the Statute of Limitations in case of a criminal act occurring)

 Within 180 days following the end of the Storage Period
Allocation or authorization processes for the execution and control of business activities During his employment Within 180 days following the end of the Storage Period
Apprentice and trainee selection and placement activities 5 Years from the end of the legal relationship Within 180 days following the end of the Storage Period
Work and transactions related to the execution of commercial activities 10 years from the end of the legal relationship Within 180 days following the end of the Storage Period
Special records regarding the evaluation of job applications After confirmation

 

Until the first periodic destruction period

 Within 180 days following the end of the Storage Period
Data kept for the purpose of carrying out commercial activities and business processes but not regulated by legislation 10 Years as per general practice Within 180 days following the end of the Storage Period
Work and transactions related to the execution of contract processes 10 years from the end of the contractual relationship Within 180 days following the end of the Storage Period
Communication activities offered through the WEBSITE Until it is read (in case of establishing a legal relationship, for the period included) Within 180 days following the end of the Storage Period
Camera recordings 15 Days The recording system has a 15-day field and works by overwriting the 1st day on the 16th day.
The processes of preparing and preserving the documents that form the basis of commercial books The calendar year in which it was issued

 

10 years from the end

10 Years from the end of the calendar year in which it occurred

10 Years from the last registration date

 Within 180 days following the end of the Storage Period
Log/Record/Tracking systems 2 Years Within 180 days following the end of the Storage Period
Marketing processes and activities 3 Years Within 180 days following the end of the Storage Period
Location information processed for the purpose of monitoring performance processes Until the vehicle is sold or the lease period ends It is kept instantly and is not included in the additional recording system.

If the Company’s purpose for using the relevant personal data has not yet expired, if the retention period for the relevant personal data required by relevant legislation exceeds the periods listed in the table, or if the statute of limitations for the relevant matter requires the personal data to be stored for longer than the periods listed in the table, the periods listed in the table above may not apply. In this case, the period specified in the purpose of use, the specific legislation, or the statute of limitations for the relevant matter, whichever expires later, will apply.

7.2 Destruction Periods on Demand

Upon request, and if all conditions for processing personal data are no longer met, the Company will delete, destroy, or anonymize the personal data subject to the request. This request will be fulfilled within 30 days and notified to the relevant person.

In case of transfer of personal data to a third party, the Company ensures that the request is forwarded by transferring the relevant request to the third party.

This request may be rejected if all the conditions for processing personal data are not met. The relevant person will be notified of this, along with the reason, within 30 days. Notification may be made in writing or electronically. For ease of communication, notification will preferably be made through the same method used by the relevant person for the request.

8. PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation, the Company has set a periodic destruction period of six months. Accordingly, the Company conducts periodic destruction operations in June and December each year.

9. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two formats: ink-signed (printed) and electronically, and is made publicly available on the website. The printed copy is also kept in the “Personal Data Protection Procedures and Principles” file held by the General Manager.

10. POLICY UPDATE PERIOD

The Policy is reviewed as needed, and necessary sections are updated. Updates are added to the Policy, along with a date record, and then the updated version is published.

11. ENFORCEMENT AND REPEAL OF THE POLICY

The Policy is deemed to have entered into force upon its publication on the Company’s website. If a decision is made to revoke it, the old, wet-signed copies of the Policy will be cancelled (either by stamping the cancellation stamp or by writing the cancellation) by the General Manager and will be kept by the General Manager for a minimum of five years.