AR GRUP MAKİNE SANAYİ VE TİCARET ANONİM ŞİRKETİ

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

 

  1. INTRODUCTION AND PURPOSE OF THE POLICY

This Personal Data Retention and Destruction Policy (the "Policy") has been prepared by Ar Grup Makine Sanayi ve Ticaret Anonim Şirketi ("Ar Makine" or the "Company"), acting as the Data Controller, in order to fulfill our obligations under the Personal Data Protection Law No. 6698 (the "Law" or "KVKK") and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (the "Regulation"), published in the Official Gazette dated October 28, 2017, which constitutes the secondary legislation of the Law, and to inform data subjects regarding the principles for determining the maximum retention period required for the purposes for which their personal data is processed, as well as the procedures for deletion, destruction, and anonymization.

All units, employees, officers, and representatives of Ar Makine are obliged to comply with this Policy and shall take the necessary steps to ensure compliance with the Policy.

All kinds of personal data shared with and obtained by Ar Makine constitute the subject of this Policy. This Policy applies solely to personal data of natural persons and does not cover data belonging to legal entities.

In the event of any inconsistency between this Policy and the KVKK, the Regulation, and the relevant legislation, the provisions of the legislation shall prevail. Ar Makine undertakes to ensure compliance with this Policy and the tools, programs, and procedures to be applied pursuant to this Policy during the deletion, destruction, or anonymization of the processed personal data held within its organization.

 

  1. DEFINITIONS

 

Abbreviation Definition
Recipient Group The category of natural or legal persons to whom personal data is transferred by the Data Controller
Explicit Consent Consent that is based on being informed and expressed freely and specifically on a particular matter
Anonymization Rendering personal data incapable of being associated with an identified or identifiable natural person, even through matching with other data
Electronic Environment Environments where personal data can be created, read, altered, and written using electronic devices
Non-Electronic Environment All written, printed, visual, and other media other than electronic environments
Service Provider A natural or legal person who provides services to Ar Makine within the framework of a specific contract
Data Subject The natural person whose personal data is processed
Relevant User Persons who process personal data within the data controller's organization, except for the person or unit responsible for the technical storage, protection, and backup of the data, or in accordance with the authorization and instruction received from the data controller
Destruction The deletion, destruction, or anonymization of personal data
Law/KVKK Personal Data Protection Law No. 6698
Recording Medium Any medium in which personal data is processed by wholly or partially automatic means or by non-automatic means provided that it is part of any data recording system
Personal Data Processing Inventory The inventory created and detailed by Data Controllers by associating their personal data processing activities, purposes of processing, data categories, recipient groups, and data subject groups based on their business processes
Deletion Rendering personal data inaccessible and unusable for the relevant users in any way
Destruction Rendering personal data inaccessible, irretrievable, and unusable by anyone in any way
Personal Data Any information relating to an identified or identifiable natural person
Processing of Personal Data Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing its use, by wholly or partially automatic means or by non-automatic means provided that it is part of any data recording system
Board The Personal Data Protection Board
Personal Data Protection and Processing Policy The policy dated [•] regarding the protection and processing of personal data, which sets forth the procedures and principles for all operations concerning the processing of personal data, such as obtaining, recording, protecting, and transferring personal data by Ar Makine [Please fill in the relevant date.]
Special Categories of Personal Data Data relating to individuals' race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data
Policy This personal data retention and destruction policy
Company Ar Grup Makine Sanayi ve Ticaret Anonim Şirketi
Periodic Destruction The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in case all of the personal data processing conditions stipulated in the Law cease to exist
Data Processor A natural or legal person who processes personal data on behalf of the data controller, based on the authorization granted by the data controller
Data Recording System The recording system in which personal data is processed by being structured according to specific criteria
Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
VERBİS Data Controllers' Registry Information System
Regulation The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017

 

  1. PRINCIPLES TO BE OBSERVED IN THE RETENTION AND DESTRUCTION OF PERSONAL DATA

Ar Makine acts within the framework of the following principles in the retention and destruction of personal data:

  • In the deletion, destruction, and anonymization of personal data, full compliance is maintained with the principles set forth in Article 4 of the Law, the technical and administrative measures specified in Article 12 of the Law and in Section 6.2 of this Policy, the relevant legislative provisions, Board decisions, and this Policy.
  • Unless the Board decides otherwise, the appropriate method for ex officio deletion, destruction, or anonymization of personal data is selected by Ar Makine. However, upon the request of the Data Subject, the appropriate method will be selected by explaining the justification. In case all of the personal data processing conditions set forth in Articles 5 and 6 of the Law cease to exist, the personal data is deleted, destroyed, or anonymized by Ar Makine ex officio or upon the request of the data subject. In this regard, if the Data Subject applies to Ar Makine:
  • The requests submitted are concluded within 30 (thirty) days at the latest, and the Data Subject is informed accordingly.
  • If the data subject to the request has been transferred to third parties, this situation is notified to the third parties to whom the data has been transferred, and it is ensured that necessary actions are taken by such third parties.
  • If it is understood that all of the personal data processing conditions have not ceased to exist, Ar Makine may reject this request by explaining the justification. In this case, the Data Subject is informed in writing or electronically within 30 days at the latest from the date the request reaches/is served on Ar Makine.
  1. EXPLANATIONS REGARDING THE REASONS REQUIRING RETENTION AND DESTRUCTION

Article 3 of the Law defines the concept of processing personal data. Article 4 stipulates that the processed personal data must be connected, limited, and proportionate to the purposes for which they are processed and must be retained for the period prescribed by the relevant legislation or required for the purposes for which they are processed. Articles 5 and 6 enumerate the conditions for processing personal data.

Accordingly, Ar Makine retains Personal Data within the scope of its activities for the period prescribed by the relevant legislation or required for the purposes of processing.

  • Processing Purposes Requiring Retention

Personal Data belonging to data subjects held within Ar Makine are retained for the following purposes, in accordance with the KVKK and other relevant legislation and the Personal Data Protection and Processing Policy:

  • Continuation of commercial and daily activities,
  • Fulfillment of contractual obligations such as recruitment, creation of personnel files, management and monitoring of leave and absenteeism records, onboarding processes, salary payments,
  • Execution of employee termination procedures,
  • Implementation and monitoring of employee training activities,
  • Execution of periodic inspections,
  • Execution of financial activities within the scope of accounting, invoicing, and payments,
  • Sharing information with banks,
  • Fulfillment of Ar Makine's legal obligations arising from legislation or other legal obligations, including providing information to public institutions and organizations,
  • Conducting legal and commercial relations of Ar Makine with its past, current, and prospective employees, officers, suppliers, business partners, visitors, service providers, and their employees, concluding contracts in this context, and processing Personal Data of the relevant parties for the performance of concluded contracts,
  • Execution of corporate communication and management activities,
  • Planning and execution of customer relationship management and customer request and complaint management processes,
  • Execution of domestic and international sales processes,
  • Execution of domestic and international purchasing processes,
  • Execution of company law-related processes,
  • Monitoring of litigation, enforcement proceedings, administrative and criminal investigations, prosecutions, and similar processes concerning Ar Makine, and fulfillment of the burden of proof as evidence in legal disputes,
  • Ensuring data security within Ar Makine.
    • Legal Reasons Requiring Retention
  1. Retention of personal data because it is directly related to the establishment and performance of contracts,
  2. Retention of personal data for the purpose of establishing, exercising, or protecting a right,
  3. The necessity of retaining personal data for Ar Makine's legitimate interests, provided that it does not harm the fundamental rights and freedoms of individuals,
  4. Retention of personal data for the purpose of fulfilling any legal obligation of Ar Makine,
  5. Retention of personal data being explicitly stipulated by legislation,
  6. Having the explicit consent of data subjects with respect to retention activities requiring the obtaining of explicit consent.
    • Reasons Requiring Destruction

In accordance with the Regulation, personal data belonging to data subjects shall be deleted, destroyed, or anonymized by Ar Makine ex officio or upon request in the following cases:

  1. Amendment or repeal of the relevant legislative provisions that constitute the basis for the processing or retention of personal data,
  2. The purpose requiring the processing or retention of personal data ceases to exist,
  3. The conditions for processing personal data set forth in Articles 5 and 6 of the Law cease to exist,
  4. In cases where personal data is processed solely on the basis of explicit consent, the data subject withdraws their consent,
  5. The application made by the data subject, within the scope of their rights under subparagraphs (e) and (f) of Article 11 of the Law, regarding the deletion, destruction, or anonymization of their personal data is accepted by the data controller,
  6. In cases where the data controller rejects the application made by the data subject for the deletion, destruction, or anonymization of their personal data, the response given is found to be insufficient, or no response is given within the period prescribed by the Law; a complaint is lodged with the Board, and this request is found appropriate by the Board,
  7. Although the maximum period required for retaining personal data has expired, there is no condition that would justify retaining the personal data for a longer period.
  1. CATEGORIES OF PERSONAL DATA TO BE RETAINED

Personal data to be retained by Ar Makine is categorized as follows for the purposes of this Policy:

  • Data of potential product or service recipients
  • Data of product or service recipients
  • Employee data
  • Employee candidate data
  • Data of former employees whose contractual relationship has ended
  • Intern data
  • Family member data
  • Supplier representative/employee data
  • Business partner representative/employee data
  • Visitor data

 

  1. RETENTION AND DESTRUCTION PERIODS

With respect to your Personal Data processed by Ar Makine in accordance with the KVKK and other relevant legislative provisions:

  • If a period is prescribed by legislation, this period is complied with,
  • If no period is prescribed by the relevant legislation for the retention of the said data, reasonable periods required for retention are determined within the framework of the exceptions established in accordance with the KVKK.

Upon the expiration of the said periods, Personal Data is deleted, destroyed, or anonymized.

The retention, destruction, and periodic destruction periods determined by Ar Makine can be found in the "Retention and Destruction Periods Table" provided in the annex to this Policy [Annex-1]. Process-based retention periods for Personal Data are included in the "Personal Data Processing Inventory," and category-based retention periods are included in the registration to VERBİS.

 

  1. PERIODIC DESTRUCTION

Even if the retention period of personal data has expired or there is no request from the Data Subject, if it is understood that the reasons requiring the processing of personal data have ceased to exist, the relevant personal data shall be deleted, destroyed, or anonymized during the first periodic destruction process following the cessation of such reasons.

Periodic destruction of personal data is carried out every 6 (six) months. However, if a shorter period is determined by the Board for the periodic destruction of personal data in cases where irreparable or impossible damages may occur and there is a clear violation of law, this shorter period shall be complied with.

The first periodic destruction will be carried out on [●]. [Please fill in the relevant date.]

All operations regarding the deletion, destruction, and anonymization of personal data are recorded, and such records are retained for at least three years, except for other legal obligations.

 

  1. MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA AND TO PREVENT THEIR UNLAWFUL PROCESSING AND ACCESS

For the purposes of securely storing your personal data, preventing their unlawful processing and access, and ensuring their lawful destruction, Ar Makine takes all administrative and technical measures within the framework of the principles set forth in Article 12 of the KVKK and the adequate measures determined and announced by the Board for special categories of personal data, as required by Article 6, paragraph 4 of the KVKK.

            Administrative Measures:

Within the scope of administrative measures, Ar Makine:

  1. Ensures that its employees, officers, and representatives are trained and informed regarding the lawful processing, retention, and destruction of personal data.
  2. Limits access to retained Personal Data within Ar Makine only to personnel who are required or authorized to access such data by virtue of their job descriptions.
  3. In cases where services are procured from third parties or cooperation is established with third parties for the retention or other processing of Personal Data, includes provisions in the contracts with such parties regarding the lawful retention, security, and destruction of personal data.
  4. In case Personal Data is obtained by others through unlawful means, notifies the relevant person and the Board as soon as possible.
  5. Fulfills its obligation to inform relevant persons before commencing the processing of Personal Data.
  6. Has prepared a personal data processing inventory.
  7. Conducts or has conducted the necessary audits to ensure the implementation of the Law's provisions within its own legal entity. Removes confidentiality and security vulnerabilities identified as a result of the audits.

 

            Technical Measures:

Within the scope of technical measures, Ar Makine:

  1. Establishes or has established the necessary technical infrastructure for recording, transferring to third parties, deleting, destroying, anonymizing, and otherwise processing personal data. Performs the necessary internal controls within the established systems.
  2. Takes the necessary technical measures to ensure the security of recorded personal data. These measures are updated in accordance with technological developments and standards determined by the Board or under newly enacted legislation.
  3. Restricts external access to its internal systems and, in this context, takes technical measures such as firewalls. Inappropriate access attempts are instantly communicated to the relevant units, and necessary interventions are carried out by such units.
  4. Regularly audits and reports the established technical infrastructure.
  5. Takes the necessary measures for the physical security of Ar Makine's IT equipment, software, and data.
  6. Uses data backup programs that ensure the secure storage of Personal Data.
  7. The person(s) responsible for data processing and destruction identify the Personal Data that will be subject to the deletion process and determine the relevant users for each personal data. The access, retrieval, and reuse authorizations and methods of the relevant users are terminated and removed.
  8. Data located on the central server is deleted by issuing a deletion command. The relevant rows of data in databases are deleted using database commands (Delete). In all these operations, if the relevant user has the authority to retrieve deleted data, such authority is removed.
  9. For data located in other recording media, one of the methods of deletion (e.g., blackening), destruction (physical destruction, demagnetization, overwriting), or anonymization is preferred. For the selection of the destruction method, all relevant media are identified, and the type of system in which the data is located is taken into consideration.

 

  1. PROCEDURES FOR RETENTION AND DESTRUCTION OF PERSONAL DATA BY AR MAKINE
    • RECORDING MEDIA

Personal data belonging to data subjects are securely stored by Ar Makine in a variety of media depending on the type and characteristics of the personal data, including paper and Ar Makine cabinets, in compliance with the relevant legislation, particularly the provisions of the KVKK, and within the framework of international data security principles.

  • PERSONNEL

The titles, departments, and job descriptions of the personnel involved in the personal data retention and destruction process are as follows:

 

Personnel Title Department Job Description
     
     
     
     

 

  • METHODS OF DESTRUCTION OF PERSONAL DATA

Personal data obtained by Ar Makine in accordance with the KVKK and other relevant legislation shall be destroyed by Ar Makine ex officio or upon the Data Subject's application using the techniques specified below, in compliance with the Law and relevant legislative provisions, when the purposes of processing personal data specified in the Law and the Regulation cease to exist:

  1. Deletion and Destruction of Personal Data;

The procedures and principles concerning the techniques for deletion and destruction of personal data by Ar Makine are set forth below:

Deletion of Personal Data:

Secure Deletion from Software: When deleting data processed by wholly or partially automatic means and stored in digital environments, methods are used to ensure that the data is rendered inaccessible and unusable for Relevant Users in any way.

Removing the relevant user's access rights to the file or directory containing the file on the central server; deleting the relevant rows in databases using database commands; or deleting data on portable media, i.e., flash media, using appropriate software, may be considered within this scope.

However, if the deletion of personal data will result in the inaccessibility and unusability of other data within the system, personal data shall also be deemed deleted if it is archived by rendering it unassociable with the relevant person, provided that the following conditions are met:

  • The data is closed to access by any other institution, organization, or person,
  • All necessary technical and administrative measures are taken to ensure that personal data is accessible only by authorized persons.

Blackening of Personal Data in Paper Medium: This method involves physically cutting out and removing the relevant personal data from the document to prevent non-purposeful use of personal data or to delete data requested to be deleted, or rendering it invisible by using permanent ink in a way that cannot be reversed and cannot be read with technological solutions.

Destruction of Personal Data:

Demagnetization: This method involves passing magnetic media through special devices that will expose them to high magnetic fields, thereby corrupting the data on them in an unreadable manner. It should be noted that if destruction by this method is not successful, the destruction process can only be completed by physical destruction of the media.

Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When destroying such data, a system of physical destruction is applied so that the personal data cannot be used afterwards. The destruction of data on paper and microfiche media must also be carried out in this way, as it is not possible to destroy them by other means.

During the occurrence of the cases listed above, Ar Makine ensures full compliance with the KVKK, the Regulation, and other relevant legislative provisions to ensure data security and takes all necessary administrative and technical measures.

  1. Anonymization of Personal Data;

Anonymization of Personal Data means rendering Personal Data incapable of being associated with an identified or identifiable natural person, even through matching with other data.

For Personal Data to be considered anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person by the data controller or third parties, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as reversing and/or matching the data with other data.

  1. UPDATE AND ENTRY INTO FORCE OF THE POLICY

This Policy is stored within Ar Makine in wet-signed (printed paper) form and is made available to personal data subjects upon request. This Policy is updated when deemed necessary and required.

This Policy, prepared by Ar Makine, entered into force on [•]. [Please fill in the relevant date.]

ANNEX-1: RETENTION AND DESTRUCTION PERIODS TABLE

The retention and destruction periods for data processed by Ar Makine are determined on a process basis in the Personal Data Processing Inventory.

Process Retention Period Destruction Period
Recruitment, identity notification, obtaining residence and work permits, health insurance transactions, creation of personnel files, management and monitoring of leave and absenteeism records, onboarding processes, salary payments, and fulfillment of other contractual obligations 10 years from the termination of the Employment Contract During the first periodic destruction following the end of the retention period
Implementation and monitoring of employee training activities, organization of business travel and travel allowance payments, including notifications and applications to relevant authorities, and execution of human resources processes 10 years from the termination of the Employment Contract During the first periodic destruction following the end of the retention period
Execution of financial activities within the scope of accounting, invoicing, and payments 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period
Sharing information with banks 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period
Execution of employee termination procedures 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period
Processes involving the processing of employee health data 15 years from the termination of the Employment Contract for health data During the first periodic destruction following the end of the retention period
Execution of domestic and international sales processes 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period
Execution of domestic and international purchasing processes 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period
Planning and execution of customer relationship management and customer request and complaint management processes 10 years from the termination of the legal relationship During the first periodic destruction following the end of the retention period

For the Personal Data Retention and Destruction Policy, please Click Here...

Test

Form Gönderimi

Tamam