Personal Data Retention and Disposal Policy

TURAN MACHINE PLASTIC PIPE SYSTEMS INC.

Personal Data Storage and Destruction Policy

Contents

  1. SCOPE
  2. DEFINITIONS
  3. PURPOSE AND SCOPE
  4. RECORDING MEDIA
  5. SITUATIONS REQUIRING DESTRUCTION OF PERSONAL DATA
  6. DESTRUCTION OF PERSONAL DATA
  7. PERSONAL DATA DESTRUCTION METHODS AND PROCESS
  8. STORAGE AND DESTRUCTION PERIODS
  9. CHANGES TO BE MADE IN THE POLICY
  10. EFFECTIVE DATE OF THE POLICY

A. SCOPE

  1. This Personal Data Storage and Destruction Policy (“Policy”) covers all subsidiaries, directorates, units and employees and third parties operating in Türkiye that are involved in the processes in which TURAN MAKİNA PLASTİK BORU SİSTEMLERİ A.Ş. (“Company”) processes personal data.
  2. This Policy covers all storage and destruction activities that the Company will implement on personal data.
  3. This Policy will only apply to the destruction and storage of personal data.
  4. In case the Law, Regulation or other legislation is partially or completely changed, amended, updated or repealed, the Company will change the Policy by updating it to be compatible with the new Law, Regulation or legislation.

B. DEFINITIONS

The concepts used in the implementation of this Policy have the following meanings:

Recipient group: The group of natural or legal persons to whom personal data is transferred by the data controller.

Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Personal Data Protection Law No. 6698.

Recording medium: Any environment in which personal data is processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.

Personal data processing inventory: An inventory in which the Company sets out the personal data processing activities it carries out in connection with its business processes, relating them to the purposes of processing personal data, the data category, the recipient group to which the data is transferred and the data subject group, and in which it details the maximum period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security.

The Board: Personal Data Protection Board.

Periodic destruction: The process of deletion, destruction or anonymization to be carried out by the Company ex officio within certain time intervals specified in this Policy in case all the processing conditions of personal data specified in the Law are eliminated.

Registry: The Data Controllers Registry to be kept by the Board in accordance with the Draft Regulation on the Data Controllers Registry, which is not currently in force.

Data recording system: A recording system in which personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data.

C. PURPOSE AND SCOPE

  1. This Policy applies to natural or legal persons who are responsible for the destruction of personal data under the Regulation issued in accordance with Article 7 of the Law, and determines the principles to be followed by the Company and by third parties for whom the Company is contractually responsible.
  2. Pursuant to the Regulation, the Company, as a Data Controller with an obligation to register in the Registry, is obliged to prepare and act in accordance with this Policy in order to store the personal data in its possession in accordance with the personal data inventory and to destroy it when necessary.
  3. The following principles will apply in the storage and destruction of personal data:
    1. The general principles in Article 4 of the Law will be complied with.
    2. The Company accepts that the preparation of this Policy alone does not mean that personal data has been destroyed in accordance with the Regulation, Law and relevant legislation.
    3. The Company accepts, declares and undertakes that it will act in accordance with the security measures in Article 12 of the Law, the provisions in the relevant legislation, the decisions to be taken by the Board and this Policy when storing, deleting, destroying or anonymizing personal data.
    4. The Company undertakes to comply with this Policy, and with the tools, programs and processes to be implemented in accordance with the Policy, during the destruction of personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system.
    5. The Company takes all necessary technical and administrative measures to ensure the safe storage of personal data and to prevent unlawful processing and access. The technical and administrative measures in question are described in the technical guides created for the methods to be used for the storage and destruction of personal data.
    6. If Company employees take part in the personal data storage and destruction processes, the Company determines their titles, units and job descriptions.

D. RECORDING MEDIA

With this Policy, the Company agrees that personal data held on the media listed below, and on other media that may arise in addition to these, falls within the scope of the Policy.

  1. Computers / servers used on behalf of the company
  2. Network devices,
  3. Shared / non-shared disk drives used for storing data on the network,
  4. Mobile phones and all storage areas inside them,
  5. Paper,
  6. Microfiche,
  7. Peripherals such as printer, fingerprint reader,
  8. Magnetic tapes,
  9. Optical discs,
  10. Flash memories.

E. SITUATIONS REQUIRING DESTRUCTION OF PERSONAL DATA

If any of the breaches described below occurs, it will be treated as a Potential Security Breach. The Company will run the relevant security breach processes, and the related reports and notifications will be shared with Company management, the Board and the relevant personal data owners when deemed necessary. The Company’s breach management processes will be used to make these reports and notifications.

  1. Violation of the Law

The Company undertakes that it will not process personal data in a manner contrary to the manner specified in the Law.

Unless an exception under the conditions for processing personal data in Articles 5 and 6 of the Law applies, the Company:

  1. Will not store personal data of persons whose explicit consent has not been obtained, except for the exceptions specified in the Law.
  2. Will not store, and will destroy, personal data processed under an exception or explicit consent once the purpose of processing is eliminated and/or the legal retention periods expire.
  2. Elimination of Personal Data Processing Conditions

The Company is responsible for keeping data processing conditions up to date and shares this responsibility with all relevant employees who process personal data.

Employees will not continue to process data in cases where the conditions for data processing are no longer applicable. The determination of such situations is made by the Internal Control, Compliance and Legal departments upon the recommendation of the relevant business unit and the destruction is carried out in accordance with this Policy.

The Company accepts that the data processing conditions are eliminated in the relevant cases listed below and also specified in the Regulation:

  1. Amendment or repeal of the provisions of the relevant legislation that constitute the basis for processing personal data,
  2. The contract between the parties has never been established, the contract is invalid, the contract ends automatically, the contract is terminated or the contract is withdrawn,
  3. The purpose requiring the processing of personal data disappears,
  4. Processing personal data is against the law or the rule of honesty,
  5. In cases where personal data is processed only based on explicit consent, the person concerned withdraws his/her consent,
  6. The Company accepts the application made by the relevant person, in accordance with the procedure, regarding the processing of personal data within the framework of the rights in subparagraphs (e) and (f) of Article 11 of the Law,
  7. The Company rejects the application made by the relevant person requesting the destruction of his/her personal data, gives a response that is found insufficient, or does not respond within the period stipulated in the Law, and a complaint is then made to the Board and the Board finds the request appropriate,
  8. The maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing the personal data for a longer period.

F. DESTRUCTION OF PERSONAL DATA

Destruction of personal data can be done in three different ways: deletion, destruction or anonymization of data, which are explained in detail below.

The relevant business units within the Company, the owners of the information systems and applications where the personal data in question is located, the Internal Control, Compliance and Legal departments, and other persons or departments that may be relevant to the subject shall make a written decision on the method to be applied for the destruction of personal data, depending on the reason for the destruction. In accordance with this written decision, one of the destruction methods in Section G of this Policy shall be applied in accordance with the Personal Data Deletion, Destruction and Anonymization Guide published by the Board.

The Company also creates technical guidelines regarding the methods to be used for the storage and destruction of personal data and ensures their implementation.

Monitoring the destruction of personal data is the responsibility of the relevant data owner business unit within the Company. The data owner business unit may receive support from other units of the Company for the destruction of data, provided that it supervises the destruction itself.

  1. Deletion of Personal Data

Deletion of personal data processed completely or partially by automatic means is the process of making the personal data in question inaccessible and non-reusable by the relevant users in any way.

In the process of deleting personal data that constitutes a part of any data recording system and is processed by non-automatic means, the personal data to be subject to deletion are determined by taking into account the legal retention periods. The Company updates the role and authority matrices it currently maintains for information systems and applications with respect to access to and authorization for personal data, and identifies the relevant users. The authorities and methods of the relevant users, such as access, retrieval and reuse, are determined within this scope.

In cases where the Company deletes personal data, it renders the data inaccessible and non-reusable in any way. In doing so, the Company guarantees that the data cannot be accessed or reused by any user.

  2. Destruction of Personal Data

Destroying personal data is the process of making personal data inaccessible, irretrievable and non-reusable by anyone.

The destruction process will be carried out in cases where the Company processes data on physical recording media, and the Company is obliged to make this data irretrievable.

When performing this process for paper and microfiche media, the media will be destroyed with shredding machines into small pieces that cannot be reassembled. In addition, the Company may receive destruction services from Third Parties in this context.

  3. Anonymization of Personal Data

Anonymization is the process of rendering personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data, when the Company processes personal data wholly or partially by automated means.

The Company removes or modifies all direct and/or indirect identifiers in the relevant dataset, preventing the identification of the relevant person and ensuring that the person loses the ability to be distinguished in a group or crowd in a way that cannot be associated with a natural person.

When anonymizing data, the Company may use methods such as one-way functions and encryption.

G. PERSONAL DATA DESTRUCTION METHODS AND PROCESS

For the destruction of personal data, the Company defines all methods that can be used during destruction in this Policy and its annexes. The data owner business unit is obliged to determine and apply the method in this Policy that is appropriate to the situation.

During the destruction of personal data, the Company carries out the destruction by choosing the appropriate method from the following methods, in accordance with the written decision it will make:

  1. Overwrite

It is the process of making old data unreadable by writing random data consisting of 0s and 1s at least 7 times on magnetic media and rewritable optical media with software.

  2. Magnetizing

It is the process of making the data on magnetic media unreadable by exposing the media to a very strong magnetic field that physically alters it.

  3. Physical Destruction

It is the process of physically destroying optical media or magnetic media by melting, pulverizing, grinding, etc. It can be applied in cases where magnetizing or overwriting methods fail.

  4. Destruction of Personal Data in Peripheral Systems

For systems such as printers, fingerprint units and door entrance turnstiles, destruction must be carried out by overwriting, magnetizing or physically destroying the internal unit that contains personal data, if there is one, or the entire device if there is not. Such destruction must be applied before the devices are subject to backup, maintenance and similar processes.

H. STORAGE AND DESTRUCTION PERIODS

  1. Periodic Destruction and Legal Retention Periods

Physical and electronic data that have completed their legal retention and destruction periods are destroyed periodically. The Company destroys personal data in the first periodic destruction process following the date on which the destruction obligation arises.

Periodic destruction is carried out at 6-month intervals for all personal data. The legal retention periods to be used as a basis during periodic destruction are specified in the Company’s Personal Data Inventory (ANNEX). The destruction process is carried out during the first periodic destruction following the occurrence of the destruction obligation.

All transactions regarding destroyed personal data are recorded and these records are kept for 3 years.

  2. Destruction Process in Case of Request by Data Owners

In cases where data owners apply to the Company and request the destruction of their personal data, the Company checks the current status of the personal data processing conditions. As a result of this check:

If it is understood that all the conditions for processing personal data have been eliminated, the personal data subject to the request will be destroyed within thirty days at the latest in accordance with the decisions and methods specified in this Policy and the relevant person will be informed.

If it is understood that the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, the Company notifies the relevant third party of this situation and ensures that the necessary actions are taken within the scope of the Regulation with the third party.

If all the conditions for processing personal data have not been eliminated, the Company may reject the request by explaining the reason to the relevant data owner and notify the relevant person of the rejection in writing or electronically within thirty days at the latest.

In order to meet and respond to requests from data owners, a Process for the Management of Requests and Complaints from Personal Data Owners is established within the Company.

I. AUTHORIZATION IN STORAGE AND DESTRUCTION PROCESSES

The people responsible for the storage and destruction of personal data and their job descriptions are as follows:

  1. KVKK Working Group: Works with the relevant business units of the Company on the storage and destruction of personal data and decides on policies and methods, ensures that the Policy and its annexes are kept up to date, and when necessary, works closely with the relevant units of the Company to ensure that the Policy is implemented correctly and in accordance with the Law and Regulation.
  2. Internal Control, Compliance and Legal: Provides consultancy on legal issues related to the storage and destruction of personal data, and provides the necessary information to the relevant business units in case of changes in the Law, Regulation and relevant legislation. Ensures that the Policy is implemented in accordance with the Law and Regulation.
  3. Information Technologies: Ensures that the relevant destruction and storage processes are carried out in accordance with the Law and Regulation in the light of the decisions and methods specified in the Policy.
  4. The relevant business units of the Company: Express their opinions and justifications for determining the policies and methods regarding the storage and destruction of personal data and monitor the actions taken in accordance with this Policy.

J. CHANGES TO BE MADE IN THE POLICY

  1. In case the Law, Regulation or other legislation is partially or completely changed, amended, updated or repealed, the Company will change the Policy by updating it to be compatible with the new Law, Regulation or legislation.
  2. The Company will share the updated Policy with its employees via e-mail and make it accessible to its employees via the corporate intranet, so that any changes made to the Policy can be reviewed.

K. EFFECTIVE DATE OF THE POLICY

This Policy entered into force on 26.03.2020.

ANNEX: Inventory showing personal data retention periods