Zeynep Bilgiç Danışmanlık Anonim Şirketi (“Company”), this Personal Data Retention and Destruction Policy (“Policy”), Law on Protection of Personal Data No. 6698 (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which constitutes the secondary regulation of the KVKK, (“Regulation”) to fulfill our obligations and to protect the data owners personally It is regulated to determine the principles of determining the maximum storage period necessary for the purpose for which the data is processed, and to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data that is fully or partially automated or processed by non-automatic means provided that it is a part of any data recording system.
Within the scope of this Policy, as natural persons, employee candidates, employees, company shareholders, company officials, visitors, employees of the institutions/members in cooperation with, shareholders and real persons processed automatically or non-automatically, provided that they are part of any data recording system officials and third parties.
With this Policy, the Company agrees to include the personal data in the environments listed below that contain personal data, and in addition to the personal data in other media that may arise, within the scope of the Policy.
Personal data belonging to the data owners are stored by the Company within the limits specified in the Law and other relevant legislation, especially for (i) the continuation of commercial activities, (ii) fulfillment of legal obligations, (iii) the planning and performance of employee rights and fringe benefits.
The reasons for keeping it are as follows:
In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by the Company ex officio or upon request in the following cases:
The Company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures envisaged in article 12/1 of the KVKK are as follows:
The measures taken by the Company in this context are listed below:
The Company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, first of all, it is determined whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, this period is acted upon. Personal data is deleted, destroyed or anonymized by the Company in the event that the period expires or the reasons requiring its processing disappear unless there is a legal reason allowing them to be processed for a longer period of time. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.
Deletion of personal data is the process of making personal data inaccessible and unusable in any way. The Company takes technical and administrative measures to prevent the relevant business unit (the relevant user) from processing the relevant personal data after the purpose and storage period required for the processing of personal data of the relevant business unit within its own organization has expired. The relevant personal data is not deleted, destroyed or anonymized before the end of the processing purposes and storage periods required for the same personal data of other business units within the company organization.
If the deletion of personal data will result in the inability to access and use other data that do not need to be deleted, within the system
Archiving personal data by making it anonymous
Personal data will be deemed to be deleted, provided that it is not accessible to any other institution, organization or person and all necessary technical and administrative measures are taken to ensure that only authorized persons can access personal data.
Destroying personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The company is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for the personal data to be anonymized by the company; by the data controller, the recipient or groups of recipients; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning the data and matching the data with other data. The company is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data.
For the destruction of personal data, the Company defines all methods that can be used during destruction in this Policy. The data owner business unit is obliged to determine and implement the appropriate method in this Policy according to the appropriate situation.
During the destruction of personal data, Company employees perform the destruction by choosing the appropriate method among the following:
Deletion from the Database and File System
Personal data is deleted together with all associated data, making it impossible to read or access again.
It is the process of physically destroying optical media or magnetic media by melting, pulverizing, grinding and similar processes. It can be applied where magnetizing or overwriting methods fail. In addition, it is the fulfillment of paper clipping processes to destroy personal data in media such as paper and microfiche.
STORAGE AND DISPOSALRELERI
Physical and digital data that have completed the legal storage and destruction periods are destroyed periodically. The company deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out at 6-month intervals for all personal data. Transactions regarding deleted, destroyed and anonymized data are kept for at least 3 years, free from other legal obligations.
In cases where data owners request the deletion or destruction of their personal data by applying to the Company, it checks the current status of the personal data processing conditions and takes relevant actions accordingly. If all the conditions for processing personal data have been removed, it deletes, destroys or anonymizes the personal data subject to the request. The company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.
If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party; It ensures that the necessary actions are taken within the scope of the Regulation before the third party.
If the conditions for processing personal data have not disappeared, the Company may reject the request by explaining the reason to the relevant data owner, and notify the relevant person in writing or electronically within thirty days at the latest.
The effective date of this Policy is 01.02.2021. The Company reserves the right to make changes in the Policy in line with the legal regulations. You can find the current version of the Policy on our website.