PERSONAL DATA STORAGE AND DISPOSAL POLICY
- QUALIFICATION AND PURPOSE OF DISPOSAL POLICY
This Personal Data Storage and Disposal Policy has been prepared to determine the procedures and principles to be applied by EXTRATIK regarding the deletion, destruction or anonymization of personal data in accordance with the Personal Data Protection Law no 6698.
The personal data of our employees, employee candidates, customers and all real persons whose personal data is held by EXTRATIK for any reason are managed lawfully, in accordance with this Personal Data Storage and Disposal Policy.
Direct Identifiers: Identifiers that, by themselves, directly reveal, disclose and distinguish the person they are associated with,
Indirect Identifiers: Descriptors that come together with other descriptors to reveal, disclose and distinguish the person they are associated with,
Related Contact: The real person whose personal data is processed,
Disposal: Deletion, destruction or anonymization of personal data,
Law: Law No. 6698 on the Protection of Personal Data published in the Official News dated 07.04.2016 and numbered 29677,
Regulation: The Regulation on the Deletion, Destruction or Anonymous Making of Personal Data published in the Official News dated 28.10.2017 and numbered 30224.
Board: Personal Data Protection Board,
Recording media: Any medium containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system,
Processing and Protection of Personal Data Policy: The policy that determines the procedures and principles related to the management of personal data available in EXTRATIK,
Data recording system: A recording system in which personal data is structured and processed according to certain criteria.
- ENVIRONMENTS AND SAFETY PRECAUTIONS
- PERSONAL DATA STORAGE ENVIRONMENTS
Personal data stored in EXTRATIK shall be kept in a recording environment in accordance with the nature of the relevant data and our legal obligations.
The recording media used to store personal data are generally as follows. However, some data may be kept in an environment other than those shown here, either because of its particular characteristics or because of our legal obligations. In every case, EXTRATIK acts as a data officer and processes and protects personal data in accordance with the Law and this Personal Data Retention and Disposal Policy.
- Preprinted media: Media where data is printed and kept on paper or microfilm.
- Local digital media: Other digital media such as servers, fixed or removable disks, optical disks, etc.
- Cloud media: Media that are not located within EXTRATIK but are used by EXTRATIK, consisting of internet-based systems encrypted by cryptographic methods.
- ENVIRONMENTAL SECURITY
EXTRATIK takes all necessary technical and administrative measures, in accordance with the characteristics of the environment in which personal data is kept, to protect the personal data in a safe manner and to prevent unlawful processing and access.
These measures include, but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data and the environment in which they are held.
- Technical Precautions
EXTRATIK takes the following technical measures in all environments where personal data is stored, in accordance with the nature of the relevant data and the characteristics of the environment in which the data is kept:
- Only up-to-date and secure systems, in line with technological developments, are used in environments where personal data is kept.
- Security systems are used in environments where personal data is kept.
- Security tests and investigations are carried out in order to detect security weaknesses in information systems, and existing or potential risks identified as a result of these tests and investigations are eliminated.
- Access to data in environments where personal data is held is restricted, and only authorized persons are allowed access to this data for the purpose of storing personal data, and all access is recorded.
- EXTRATIK has sufficient technical personnel to ensure the security of the environment in which personal data is kept.
- Administrative Precautions
EXTRATIK takes the following administrative measures in all environments in which personal data is stored, in accordance with the nature of the relevant data and the characteristics of the environment in which the data is kept:
- Efforts are made to raise the awareness of all EXTRATIK employees who have access to personal data regarding information security, personal data and privacy.
- Legal and technical consultancy services are obtained in order to follow developments in the area of information security, privacy and protection of personal data and to take the necessary actions.
- In the event that personal data are transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
- Company Internal Audit
EXTRATIK conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Retention and Disposal Policy in accordance with Article 12 of the Law.
If these internal audits detect deficiencies or defects in the implementation of these provisions, they are resolved immediately.
If it is understood, during the audit or in any other way, that personal data under the responsibility of EXTRATIK has been obtained by unlawful means, EXTRATIK shall inform the relevant person and the Board as soon as possible.
- DISPOSAL OF PERSONAL DATA
- REASONS FOR STORAGE AND DISPOSAL
- Reasons for Storage
Personal data held by EXTRATIK are stored for the purposes and reasons specified herein.
- Reasons for Disposal
Personal data held by EXTRATIK shall be erased, destroyed or anonymized in accordance with this disposal policy upon the request of the person concerned or when the reasons listed in Articles 5 and 6 of the Law cease to exist.
The reasons listed in Articles 5 and 6 of the Law consist of the following:
- Processing is clearly provided for by law.
- Processing is necessary to protect the life or physical integrity of a person who is unable to give consent due to impossibility, or whose consent is not legally valid, or of someone else.
- The processing of personal data of the parties to a contract is required, provided that it is directly related to the establishment or performance of the contract.
- Processing is mandatory for the data officer to fulfill its legal obligation.
- The data has been made public by the person concerned.
- Data processing is mandatory for the establishment, use or protection of a right.
- Data processing is mandatory for the legitimate interests of the data officer, provided that it does not harm the fundamental rights and freedoms of the person concerned.
- DISPOSAL METHODS
EXTRATIK deletes, destroys or anonymizes the personal data stored in accordance with the Law, other legislation and the Processing and Protection of Personal Data Policy, at the request of the person concerned or within the periods specified in this Personal Data Storage and Destruction Policy, in case the reasons requiring the processing of the data disappear.
The most common deletion, destruction and anonymization techniques used by EXTRATIK are listed below:
- Deletion Methods
Deletion Methods for Personal Data Stored in Printed Media
Dimming (blacking out): Personal data on printed media is deleted using the dimming method. Dimming is done by cutting the personal data out of the relevant documents where possible, and by making it invisible with permanent ink in a way that is irreversible and cannot be read with technological solutions.
Deletion Methods for Personal Data Stored in the Cloud and Local Digital Environment
Secure deletion from the software: Personal data stored in the cloud or in local digital media is deleted with a digital command so that it can no longer be recovered. The deleted data cannot be accessed again.
- Destruction Methods
Destruction Methods for Personal Data Stored in Printed Media
Physical destruction: Documents kept in printed media are destroyed with document disposal machines in such a way that they cannot be reassembled.
Destruction Methods for Personal Data Stored in Local Digital Media
Physical destruction: The process of physically destroying optical and magnetic media that contain personal data. Data is rendered inaccessible by processes such as melting, incinerating or pulverizing the optical or magnetic media, or passing it through a metal grinder.
De-magnetization (degaussing): The process of exposing magnetic media to a high magnetic field so that the data on it becomes unreadable.
Overwriting: Magnetic media and rewritable optical media are overwritten with random data consisting of 0s and 1s at least seven times to prevent reading and recovery of old data.
Destruction Methods for Personal Data Stored in the Cloud
Secure deletion from the software: Personal data held in the cloud is deleted by digital command so that it cannot be recovered, and when the cloud service relationship is terminated, all copies of the encryption keys required to make the personal data usable are destroyed. The deleted data cannot be accessed again.
- Anonymization Methods
Anonymization means rendering personal data so that it cannot be associated with an identified or identifiable real person, even by matching it with other data.
Subtracting variables: Removing one or more of the direct identifiers contained in the personal data of the person concerned that could be used to identify the person in any way.
This method can be used to anonymize personal data, or it can be used to erase personal information if it contains information that is not intended for data processing purposes.
Regional cloaking: The process of deleting information that may be distinguishing about data that is an exception within a data table in which personal data is held collectively in anonymous form.
Generalization: The process of bringing together personal data belonging to many people and turning it into statistical data by removing the distinguishing information.
Upper and lower limit coding / Global coding: For a given variable, the ranges of that variable are defined and classified. If the variable does not contain a numeric value, values within the variable that are close to each other are classified together.
Micro Association: With this method, all records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, for each subset, the average of the specified variable is calculated and the value of that variable in the subset is replaced with this average. In this way, the indirect identifiers in the data are distorted, making it difficult to relate the data to the person concerned.
Data hash and distortion: Direct or indirect identifiers in personal data are mixed with other values or distorted, so that the relationship with the person concerned is broken and they lose their identifying qualities.
EXTRATIK uses one or more of these anonymization methods to anonymize personal data, depending on the nature of the data concerned. EXTRATIK can use a variety of statistical methods when using these anonymization methods.
- STORAGE AND DISPOSAL TIMES
- Storage Times
| DATA OWNER | DATA CATEGORY | DATA STORAGE TIME * |
|---|---|---|
| Employee | Recruitment documents and Social Security Institution; personal data for service period and fee notifications | 10 years |
| Employee | Recruitment documents and Social Security Institution; personnel data other than personal data based on service period and fee notifications | 10 years |
| Employee | Data in Workplace Personal Health File | 10 years |
| Partner / Solution Partner / Consultant | Identity, contact information, financial information, voice recordings received on telephone calls, partner / solution partner / consultant employee data regarding the execution of the commercial relationship between Partner / Solution Partner / Consultant and EXTRATİK | 10 years |
| Visitor | Visitor's name, surname, identity number, vehicle license plate and camera records taken at the entrance to EXTRATİK's physical premises; voice recordings received on phone calls | 2 years |
| Website Visitor | Name, surname, e-mail address, navigation movements of Website Visitor | 2 years |
| Employee Candidate | Resume and information on job application form | 2 years |
| Intern | Information in the internship file of the trainee | 10 years |
| Customer | Customer's name, surname, identity number, contact information, payment information and methods, navigation movements information, voice recordings received on phone calls, product / service preferences, transaction history, special day information | 2 years |
| Customer | Camera footage, license plate information | 2 years |
| Potential Customer | Identity, contact information, financial information and voice recordings received on phone calls, obtained during the contract negotiations for establishing a commercial relationship between the potential customer and EXTRATİK | 2 years |
| Parties in cooperation with EXTRATIK | Identity, contact information, financial information, voice recordings received on phone calls, data about EXTRATIK's collaboration | 10 years |

*If the legislation provides for a longer period, the periods in the provisions of the legislation shall be considered as the maximum retention period.
- Disposal Times
EXTRATIK deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible arises under the Law, applicable legislation, the Processing and Protection of Personal Data Policy and this Personal Data Storage and Destruction Policy.
When the person concerned applies to EXTRATIK in accordance with Article 13 of the Law and requests that his or her personal data be deleted or destroyed:
- If all the conditions for processing personal data have ceased to exist, EXTRATIK deletes, destroys or anonymizes the personal data subject to the request by an appropriate disposal method, explaining the reason, within 30 (thirty) days after receiving the request. In order for EXTRATIK to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, EXTRATIK informs the relevant person about the operation.
- If all conditions relating to the processing of personal data have not ceased to exist, this request may be rejected by EXTRATIK in accordance with the third paragraph of Article 13 of the Law, and the rejection response shall be notified in writing or electronically within thirty days.
- PERIODIC DISPOSAL
In the event that all the conditions for processing personal data set out in the Law cease to exist, EXTRATIK deletes, destroys or anonymizes the personal data whose processing conditions have ceased to exist, by an operation carried out at the recurring intervals specified in this Personal Data Storage and Destruction Policy.
Periodic destruction repeats every 6 (six) months.
- AUDITING LEGAL COMPLIANCE OF DISPOSAL PROCESS
- Technical Precautions
EXTRATIK shall provide technical means and equipment suitable for each disposal method included in this policy.
EXTRATIK ensures the safety of the place of destruction.
EXTRATIK maintains access records of the persons involved in the destruction.
EXTRATIK employs competent and experienced personnel to carry out the destruction process or receives services from competent third parties when necessary.
- Administrative Precautions
EXTRATIK works to raise the awareness of its employees on information security, personal data and privacy issues.
EXTRATIK obtains legal and technical consultancy services in order to follow the developments in the field of information security, privacy, protection of personal data and safe destruction techniques.
EXTRATIK signs protocols for the protection of personal data with the relevant third parties in cases where personal data is destroyed by third parties due to technical or legal requirements, and takes all necessary care to ensure that the third parties comply with their obligations in these protocols.
EXTRATIK regularly checks whether the destruction is carried out in accordance with the law and the conditions and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.
EXTRATIK records all transactions related to the deletion, destruction and anonymization of personal data and keeps such records for at least three years, excluding other legal obligations.
- PERSONAL DATA COMMITTEE
A Personal Data Committee is established within EXTRATIK. The Personal Data Committee is authorized and responsible for carrying out and supervising the processes required for the storage and processing of the data of the persons concerned in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy.
The Personal Data Committee consists of three persons: a manager, an administrative expert and a technical expert. The titles and job descriptions of EXTRATİK employees working in the Personal Data Committee are as follows:
| Personal Data Committee Manager | Directing all kinds of planning, analysis, research and risk determination activities in the projects carried out in compliance with the law; managing the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Retention and Disposal Policy; and deciding on the requests made by the persons concerned. |
| (Technical and Administrative) | Reviewing the requests of the persons concerned and reporting them to the Personal Data Committee Manager for evaluation; executing the transactions related to the requests evaluated and resolved by the Personal Data Committee Manager, in accordance with the decision of the Personal Data Committee Manager; auditing the storage and disposal processes and reporting these audits to the Personal Data Committee Manager; executing the storage and disposal processes. |
- UPDATE AND COMPLIANCE
EXTRATIK reserves the right to amend the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy in accordance with the decisions of the Authority or due to changes in the Law or in line with the developments in the sector or in the field of informatics.
Changes to this Personal Data Retention and Disposal Policy are immediately incorporated into the text, and an explanation of the changes is given at the end of the policy.