AR GROUP MACHINERY INDUSTRY AND TRADE JOINT STOCK COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
- INTRODUCTION AND PURPOSE OF PREPARING THE POLICY
İşbu Kişisel Veri Saklama ve İmha Politikası (“Politika”), 6698 Sayılı Kişisel Verilerin Korunması Kanunu (“KVKK” ya da “Kanun”) ve Kanun'un ikincil düzenlemesi teşkil eden 28 Ekim 2017 tarihli Resmi Gazete’de yayımlanarak yürürlüğe giren Kişisel Verilerin Silinmesi, Yok Edilmesi veya Anonim Hale Getirilmesi Hakkında Yönetmelik (“Yönetmelik”) uyarınca yükümlülüklerimizi yerine getirmek ve veri sahiplerinin kişisel verilerinin işlendikleri amaç için gerekli olan azami saklama süresinin belirlenmesi esasları ile silme, yok etme ve anonim hale getirme süreçleri hakkında bilgilendirmek amacıyla veri sorumlusu sıfatıyla Ar Grup Makine Sanayi ve Ticaret Anonim Şirketi (“Ar Makine” veya “Şirket”) tarafından hazırlanmıştır.
Ar Makine’nin tüm birimleri, çalışanları, yetkilileri ve temsilcileri işbu Politika’ya uymakla yükümlüdür ve Politika’ya uyum sağlamak için gerekli adımları atar.
This Personal Data Storage and Destruction Policy ("Policy") has been prepared by Ar Grup Makine Sanayi ve Ticaret Anonim Şirketi ("Ar Makine" or the "Company"), acting as the data controller, to fulfill our obligations pursuant to Law No. 6698 on the Protection of Personal Data ("KVKK" or the "Law") and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data ("Regulation"), which entered into force upon publication in the Official Gazette dated October 28, 2017, and constitutes a secondary amendment thereto. It also aims to inform data subjects about the principles for determining the maximum retention period necessary for the purpose for which their personal data is processed, as well as the deletion, destruction, and anonymization processes.
All units, employees, officers, and representatives of Ar Makine are obligated to comply with this Policy and will take the necessary steps to ensure compliance.
All personal data shared with and obtained by Ar Makine is the subject of this Policy. This Policy only pertains to personal data belonging to individuals; data belonging to legal entities is not covered by the Policy.
In the event of any inconsistency between this Policy and the KVKK, the Regulation, and relevant legislation, the relevant legislation will apply. Ar Makina undertakes to comply with this Policy and the tools, programs, and processes implemented pursuant to it when deleting, destroying, or anonymizing processed personal data in its possession
- DEFINITIONS
|
Abbreviation
|
Definition
|
|
Buyer Group
|
The category of natural or legal persons to whom personal data is transferred by the Data Controller
|
|
Explicit Consent
|
Consent based on informed consent and expressed freely on a specific subject
|
|
Anonymization
|
Personal data should be made incapable of being linked to an identified or identifiable natural person, even when matched with other data.
|
|
Electronic Media
|
Environments where personal data can be created, read, changed and written using electronic devices
|
|
Non-Electronic Media
|
All written, printed, visual, etc. media other than electronic media
|
|
Service Provider
|
A natural or legal person who provides services within the framework of a specific contract with Ar Makina.
|
|
Contact Person
|
The natural person whose personal data is processed
|
|
Related User
|
Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data
|
|
Destruction
|
Deletion, destruction or anonymization of personal data
|
|
Law/KVKK
|
Personal Data Protection Law No. 6698
|
|
Recording Environment
|
Any environment where personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
|
|
Personal Data Processing Inventory
|
The inventory that Data Controllers create and detail by relating the personal data processing activities they carry out in connection with their business processes to the personal data processing purposes, data category, the recipient group to which they are transferred and the data subject group.
|
|
Deletion
|
Making personal data inaccessible and non-reusable for the relevant users in any way.
|
|
Disposal
|
Making personal data inaccessible, irretrievable and non-reusable by anyone.
|
|
Personal Data
|
Any information relating to an identified or identifiable natural person
|
|
Processing of Personal Data
|
Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, whether fully or partially automatic or non-automatic, provided that it is part of any data recording system.
|
|
Board
|
Personal Data Protection Board
|
|
Personal Data Protection and Processing Policy
|
Personal data protection and processing policy dated [•], which determines the procedures and principles regarding all kinds of transactions related to the processing of personal data such as obtaining, recording, protecting and transferring personal data by Ar Makina [Please fill in the relevant date.]
|
|
Special Personal Data
|
Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
|
|
Policy
|
This personal data storage and destruction policy
|
|
Company
|
Ar Group Machinery Industry and Trade Joint Stock Company
|
|
Periodic Destruction
|
In case all the processing conditions of personal data specified in the Law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals.
|
|
Data Processor
|
A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
|
|
Data Recording System
|
A registration system in which personal data is structured and processed according to certain criteria.
|
|
Data Controller
|
The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
|
|
VERBİS
|
Data Controllers Registry Information System
|
|
Regulations
|
Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017
|
- PRINCIPLES TO BE FOLLOWED IN THE STORAGE AND DESTRUCTION OF PERSONAL DATA
Ar Makina adheres to the following principles for the storage and destruction of personal data:
In the deletion, destruction, and anonymization of personal data, the principles listed in Article 4 of the Law and the technical and administrative measures required to be taken within the scope of Article 12 and specified in Article 6.2 of this Policy are fully compliant with relevant legislation, Board decisions, and this Policy.
Unless otherwise decided by the Board, Ar Makina selects the appropriate method for deleting, destroying, or anonymizing personal data ex officio. However, upon the request of the Data Subject, the appropriate method will be selected, with a justification provided. If all the conditions for processing personal data stipulated in Articles 5 and 6 of the Law cease to exist, personal data will be deleted, destroyed, or anonymized by Ar Makina ex officio or upon the request of the Data Subject. If the Data Subject contacts Ar Makina regarding this matter:
Requests are finalized within 30 (thirty) days at the latest, and the Data Subject is informed. If the data subject to the request has been transferred to third parties, this is notified to the third party to whom the data has been transferred, and the necessary actions are taken with the third party.
If it is determined that not all of the conditions for processing personal data have been met, Ar Makine may reject the request, explaining the reason. In this case, the relevant person will be informed in writing or electronically within 30 days from the date the request is received/notified to Ar Makine.
EXPLANATIONS ON REASONS REQUIRING STORAGE AND DESTRUCTION
Article 3 of the Law defines the concept of processing personal data. Article 4 states that personal data processed must be relevant, limited, and proportionate to the purpose for which it is processed, and must be retained for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed. Articles 5 and 6 list the conditions for processing personal data.
Accordingly, Ar Makine retains personal data within the scope of its activities for the period stipulated in the relevant legislation or compatible with the processing purposes.
Processing Purposes Requiring Storage
Personal data held by Ar Makina belonging to data owners is stored for the following purposes in accordance with the KVKK and other relevant legislation, as well as the Personal Data Protection and Processing Policy.
Maintaining commercial and daily operations,
Fulfilling contractual obligations such as recruitment, creation of personnel files, management and monitoring of leave and absence records, induction processes, and salary payments,
Conducting employee termination procedures,
Conducting and monitoring employee training activities,
Conducting periodic inspections,
Conducting financial activities within the scope of accounting, invoicing, and payments,
Sharing information with banks,
Fulfilling Ar Makina's obligations arising from legislation or other legal obligations, including providing information to public institutions and organizations,
Conducting Ar Makina's legal and commercial relationships with its past, present, and future employees, officials, suppliers, business partners, visitors, service providers, and their employees, and processing personal data regarding relevant parties for the purpose of entering into and performing contracts,
Conducting corporate communication and administrative activities,
Planning and executing customer relations and customer request and complaint management processes,
Domestic and international sales Conducting domestic and international procurement processes,
Executing processes related to corporate law,
Following up on lawsuits, enforcement proceedings, administrative and criminal investigations, prosecutions, and similar processes related to Ar Makine, and fulfilling the burden of proof in legal disputes,
Ensuring data security within Ar Makine.
Legal Reasons Requiring Storage
Storing personal data because it is directly related to the establishment and execution of contracts,
Storing personal data for the purpose of establishing, exercising, or protecting a right,
Storing personal data is mandatory for Ar Makine's legitimate interests, provided that it does not harm the fundamental rights and freedoms of individuals,
Storing personal data for the purpose of fulfilling any legal obligation of Ar Makine,
Storing personal data is expressly provided for in the legislation,
Storing of personal data requires the explicit consent of the data subjects for storage activities that require the explicit consent of the data subjects. Reasons Requiring Destruction
Pursuant to the Regulation, personal data belonging to data subjects will be deleted, destroyed, or anonymized by Ar Makine, either ex officio or upon request, in the following cases:
The relevant legislative provisions that form the basis for the processing or storage of personal data are not met.
Processing or abolition,
The purpose requiring the processing or storage of personal data is eliminated,
The conditions requiring the processing of personal data in Articles 5 and 6 of the Law are eliminated,
In cases where personal data processing is carried out solely based on explicit consent, the data subject withdraws their consent,
The data controller accepts the data subject's application for the deletion, destruction, or anonymization of their personal data, in accordance with their rights under Article 11, paragraphs (e) and (f) of the Law,
In cases where the data controller rejects the application submitted by the data subject requesting the deletion, destruction, or anonymization of their personal data, or if the response is deemed inadequate or if they fail to respond within the time period stipulated in the Law, a complaint must be filed with the Board, and the Board approves this request, and Although the maximum period requiring the storage of personal data has elapsed, there are no circumstances that would justify storing personal data for a longer period.
PERSONAL DATA CATEGORIES TO BE STORED
Personal data to be stored by Ar Makina is divided into the following categories for the purposes of this Policy:
Potential product or service recipient data
Product or service recipient data
Employee data
Employee candidate data
Former employee data where the contractual relationship has ended
Intern
Family relative data
Supplier representative/employee data
Business partner representative/employee data
Visitor
STORAGE AND DESTRUCTION PERIODS
Regarding your Personal Data processed by Ar Makina in accordance with the provisions of the Personal Data Protection Law (KVKK):
If a specific period is stipulated in the legislation, this period will be adhered to.
If no specific period is stipulated in the relevant legislation for the retention of such data, reasonable periods for which the data must be stored will be determined within the framework of the exceptions identified under the KVKK.
Upon expiration of these periods, the Personal Data will be deleted, destroyed, or anonymized.
You can access the storage, destruction, and periodic destruction periods determined by Ar Makina in the "Storage and Destruction Periods Table" in the annex [Annex-1] to this Policy. Process-based retention periods for Personal Data are included in the "Personal Data Processing Inventory," while retention periods for data categories are recorded in VERBIS.
PERIODIC DESTRUCTION
Even if the retention period for personal data expires or if there is no request from the Data Subject, if it is determined that the reasons requiring processing of personal data have ceased, the relevant personal data will be deleted, destroyed, or anonymized in the first periodic destruction process following the elimination of the reasons.
Periodic destruction of personal data is carried out every 6 (six) months. However, if the Board determines a shorter period for the periodic destruction of personal data in the event of irreparable or impossible damage or a clear unlawful act, this period will be adhered to.
The first periodic destruction will be carried out on [●].
All actions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are retained for at least three years, excluding any other legal obligations.
MEASURES TAKEN TO SECURE PERSONAL DATA AND PREVENT UNLAWFUL PROCESSING AND ACCESS TO PERSONAL DATA
Ar Makina takes all administrative and technical measures to ensure the secure storage of your personal data, to prevent unlawful processing and access, and to ensure the lawful destruction of personal data, in accordance with the principles set forth in Article 12 of the Personal Data Protection Law and the adequate measures determined and announced by the Board for special categories of personal data pursuant to Article 6, Paragraph 4 of the Personal Data Protection Law.
Administrative Measures:
Within the scope of administrative measures, Ar Makina:
Ar Makine's employees, officers, and representatives are trained and informed on the lawful processing, storage, and destruction of personal data.
Access to stored Personal Data within Ar Makine is restricted only to personnel who are required or authorized to access it as per their job description.
If services are obtained from third parties or collaborations are made with third parties for the storage or other processing of Personal Data, the contracts with these parties shall include provisions regarding the lawful storage, security, and destruction of personal data.
If the processed Personal Data is obtained by others through unlawful means, the relevant party and the Board shall be notified as soon as possible.
Ar Makine fulfills its obligation to inform the relevant parties before processing Personal Data.
A Personal Data Processing Inventory has been prepared.
The provisions of the Law apply to its own legal entity.
|
Title of the Staff
|
Unit
|
Job Description
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-
PERSONAL DATA DESTRUCTION PROCEDURES
Personal data obtained by Ar Makina in accordance with the KVKK and other relevant legislation will be destroyed by Ar Makina, either ex officio or upon the request of the Data Subject, using the techniques specified below, if the purposes of processing personal data listed in the Law and Regulation cease to exist.
Deletion and Destruction of Personal Data;
The procedures and principles regarding the deletion and destruction techniques by Ar Makina are listed below:
Deletion of Personal Data:
Secure Deletion from Software: When deleting data processed entirely or partially by automated means and stored in digital media, methods are used to delete the data from the relevant software, rendering it inaccessible and reusable for the Relevant Users.
This may include revoking the relevant user's access rights to the file or directory containing the file on the central server; deleting relevant lines in databases using database commands; or deleting data on removable media, i.e., flash media, using appropriate software.
However, if deleting personal data would result in the inability to access and use other data within the system, personal data will also be deemed deleted if the personal data is archived and rendered unattributable to the relevant person, provided the following conditions are met:
It is not accessible to any other institution, organization, or person.
All necessary technical and administrative measures are taken to ensure that personal data is only accessible by authorized individuals.
Obliteration of Personal Data on Paper: This method involves physically cutting and removing personal data from the document, or obscuring it using permanent ink, rendering it irreversible and unreadable by technological means, to prevent the misuse of personal data or to delete data requested for deletion.
Demagnetization of Personal Data:
Demagnetization: This method involves passing magnetic media through special devices subject to high magnetic fields, rendering the data on it unreadable. It is important to note that if this method fails to destroy the data, the destruction process can only be completed by physically destroying the media.
Physical Destruction: Personal data can be processed by non-automated means, provided it is part of any data recording system. When destroying such data, the system is implemented to physically destroy the personal data so that it cannot be used later. Data on paper and microfiche must also be destroyed in this manner, as they cannot be destroyed any other way.
During the aforementioned situations, Ar Makina fully complies with the provisions of the KVKK, the Regulation, and other relevant legislation to ensure data security and takes all necessary administrative and technical measures.
Anonymizing Personal Data:
Anonymizing personal data means rendering personal data incapable of being associated with an identified or identifiable natural person, even if matched with other data.
For personal data to be anonymized, personal data must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques for the recording medium and relevant field of activity, such as the data controller's return and/or matching of data with other data.
POLICY UPDATE AND ENFORCEMENT
This Policy is stored within Ar Makina as a signed (printed) document and is made available to personal data subjects upon request. This Policy will be updated as and when necessary.
This Policy, prepared by Ar Makina, entered into force on [•]. [Please fill in the relevant date.]
ANNEX-1 STORAGE AND DESTRUCTION PERIOD TABLE
The storage and destruction periods for data processed by Ar Makina are determined on a process-by-process basis in the Personal Data Processing Inventory.
|
Period
|
Storage Period
|
Destruction Time
|
|
Fulfilling contractual obligations such as recruitment, identification, obtaining residence and work permits, health insurance procedures, creation of personnel files, management and follow-up of leave and absence records, start-up processes, and salary payments.
|
10 years from the termination of the Employment Contract
|
During the first periodic destruction period following the end of the storage period
|
|
Carrying out human resources processes, including carrying out and monitoring employee training activities, organizing business trips and making allowance payments, and processing information and applications to relevant authorities,
|
10 years from the termination of the Employment Contract
|
During the first periodic destruction period following the end of the storage period
|
|
Carrying out financial activities within the scope of accounting, invoicing and payment,
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
|
Sharing information with banks,
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
|
Carrying out the employee's termination procedures,
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
|
Processes in which employees' health data is processed
|
15 years from the termination of the Employment Contract for health data
|
During the first periodic destruction period following the end of the storage period
|
|
Carrying out domestic and international sales processes
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
|
Carrying out domestic and international purchasing processes
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
|
Planning and execution of customer relations and customer requests and complaints management processes
|
10 years from the end of the legal relationship
|
During the first periodic destruction period following the end of the storage period
|
For Personal Data Storage and Destruction Policy Click...