Personal Data Retention and Destruction Policy

  1. PURPOSE OF THE POLICY

    As Zeynep Bilgiç Danışmanlık Anonim Şirketi (“Company”), we have prepared this Personal Data Retention and Destruction Policy (“Policy”) to fulfill our obligations under the Law on Protection of Personal Data No. 6698 (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the KVKK, to protect data owners, to determine the principles for setting the maximum storage period necessary for the purpose for which personal data is processed, and to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is part of a data recording system.

  2. SCOPE OF THE POLICY

    This Policy covers the personal data of the following natural persons, processed by fully or partially automated means, or by non-automatic means provided that it is part of a data recording system: employee candidates, employees, company shareholders, company officials, visitors, the employees, shareholders and officials of the institutions/members we cooperate with, and third parties.

  3. DEFINITIONS AND ABBREVIATIONS
    1. Explicit Consent: Consent that relates to a certain subject, is based on information and is freely expressed.
    2. Anonymization: It means making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
    3. Relevant Person/Data Owner: Represents the natural person whose personal data is processed.
    4. Law: Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677 (“KVKK”)
    5. Personal Data: Refers to any information relating to an identified or identifiable natural person.
    6. Special Qualified Data: Data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
    7. Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automated means, or by non-automatic means provided that it is part of a data recording system.
    8. Data Controller: It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
    9. Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
    10. Data Registration System: It is the registration system in which personal data is processed and structured according to certain criteria.
    11. Data Controller: It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
    12. Application Form: It is the form containing the application to be made by the data owner in order to use his rights within the framework of the relevant legislation.
    13. Policy: Personal Data Protection and Privacy Policy (“Policy”)
    14. Destruction: It is the deletion, destruction or anonymization of personal data.
    15. Periodic Destruction: It is the process of deletion, destruction or anonymization that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated.
    16. Recording Medium: Any medium containing personal data that is fully or partially automated or processed non-automatically, provided that it is a part of any data recording system.
    17. Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017 (“Regulation”).
    18. Deletion of Personal Data: Making personal data inaccessible and non-reusable for Relevant Users.
    19. Destruction of Personal Data: It is the process of making personal data inaccessible, irretrievable and non-reusable by anyone.
  4. RECORDING ENVIRONMENTS

    With this Policy, the Company accepts that personal data held in the media listed below, as well as personal data in any other media that may arise, fall within the scope of the Policy.

    1. Computers/servers used on behalf of the company,
    2. Network devices,
    3. Shared/non-shared disk drives used for data storage on the network,
    4. Cloud systems,
    5. Mobile phones and all their storage areas,
    6. Paper,
    7. Microfiche,
    8. Peripherals such as printer, fingerprint reader,
    9. Magnetic tapes,
    10. Optical discs,
    11. Flash memories.
  5. CONDITIONS REQUIRING THE STORAGE AND DISPOSAL OF PERSONAL DATA

    Personal data belonging to the data owners are stored by the Company within the limits specified in the Law and other relevant legislation, especially for (i) the continuation of commercial activities, (ii) fulfillment of legal obligations, (iii) the planning and performance of employee rights and fringe benefits.

    The reasons for storing personal data are as follows:

    1. Storing personal data as it is directly related to the establishment and performance of contracts,
    2. Storing personal data for the purpose of establishing, exercising or protecting a right,
    3. Storing personal data being necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
    4. Storing personal data for the Company to fulfill any of its legal obligations,
    5. The legislation clearly stipulates the storage of personal data,
    6. Explicit consent of data owners for storage activities that require explicit consent of data owners.

    In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by the Company ex officio or upon request in the following cases:

    1. In cases where it is necessary due to the amendment or repeal of the provisions of the relevant legislation, which are the basis for the processing or storage of personal data,
    2. The disappearance of the purpose that requires the processing or storage of personal data,
    3. The elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
    4. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
    5. The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in Article 11 of the Law,
    6. Where the data controller rejects the data subject's application for the deletion, destruction or anonymization of his personal data, gives a response that is found to be insufficient, or does not respond within the time stipulated in the Law, a complaint is made to the Board and the Board approves the request,
    7. The maximum period for keeping personal data has passed and there are no conditions that justify keeping the personal data for a longer period of time.
  6. TECHNICAL AND ADMINISTRATIVE MEASURES REGARDING DATA SECURITY

    The Company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures envisaged in article 12/1 of the KVKK are as follows:

    • To prevent the unlawful processing of personal data,
    • To prevent unlawful access to personal data,
    • To ensure the protection of personal data.

    The measures taken by the Company in this context are listed below:

    1. Administrative Measures:
      1. The Company carries out, or has carried out, the necessary inspections in its own institution or organization in order to ensure the implementation of the provisions of the law.
      2. In case the processed personal data is obtained by others illegally, our institution notifies the relevant person and the Board as soon as possible.
      3. Concerning the sharing of personal data, the Company signs a framework agreement with the persons with whom the personal data is shared, or ensures data security through provisions it adds to the agreements.
      4. The Company provides its personnel with the necessary training on the Protection of Personal Data.
    2. Technical Measures:
      1. The institution ensures the provision of the technical infrastructure to prevent and/or monitor the leakage of personal data.
      2. Access to personal data is kept under control.
      3. There are security measures such as encryption and access management in order to protect information systems containing personal data against unauthorized access, cyber attacks and illegal data processing.
  7. PERSONAL DATA DISPOSAL TECHNIQUES

    The Company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, it is first determined whether the relevant legislation foresees a period for the storage of personal data; if a period is foreseen, that period is followed. Personal data is deleted, destroyed or anonymized by the Company when the period expires or the reasons requiring its processing disappear, unless there is a legal reason allowing it to be processed for a longer period of time. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

    1. Deletion of Personal Data

      Deletion of personal data is the process of making personal data inaccessible and unusable in any way. Once the processing purpose and storage period that apply to a business unit within the Company's organization have expired, the Company takes technical and administrative measures to prevent that business unit (the relevant user) from processing the relevant personal data. The relevant personal data is not deleted, destroyed or anonymized before the processing purposes and storage periods that apply to the same personal data for other business units within the Company's organization have ended.

      If deleting personal data would make other data within the system that does not need to be deleted inaccessible or unusable, the personal data will be deemed to be deleted under the following conditions:

      1. The personal data is archived by making it anonymous,

      2. The personal data is not accessible to any other institution, organization or person, and all necessary technical and administrative measures are taken to ensure that only authorized persons can access it.

    2. Destruction of Personal Data

      Destroying personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The company is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

    3. Anonymization of Personal Data

      Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. For personal data to be anonymized by the Company, it must be rendered impossible to associate with an identified or identifiable natural person, even when the data controller, the recipient or groups of recipients use techniques appropriate to the recording medium and the relevant field of activity, such as reversing the process or matching the data with other data. The Company is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data.

  8. METHODS AND PROCESS OF DISPOSAL OF PERSONAL DATA

    The Company defines in this Policy all methods that can be used for the destruction of personal data. The business unit that owns the data is obliged to determine and apply the appropriate method from this Policy according to the situation.

    During the destruction of personal data, Company employees perform the destruction by choosing the appropriate method among the following:

    1. Deletion from the Database and File System

      1. Personal data is deleted together with all associated data, making it impossible to read or access again.

    2. Physical Destruction

      1. It is the process of physically destroying optical media or magnetic media by melting, pulverizing, grinding and similar processes. It can be applied where demagnetizing or overwriting methods fail. It also covers shredding, which is used to destroy personal data held on media such as paper and microfiche.

  9. STORAGE AND DISPOSAL PERIODS

    1. Periodic Disposal and Legal Storage Periods

      Physical and digital data that have completed the legal storage and destruction periods are destroyed periodically. The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. Periodic destruction is carried out at 6-month intervals for all personal data. Records of transactions regarding deleted, destroyed and anonymized data are kept for at least 3 years, excluding other legal obligations.

    2. Deletion and Destruction Process at the Request of Data Owners

      In cases where data owners request the deletion or destruction of their personal data by applying to the Company, the Company checks the current status of the personal data processing conditions and takes the relevant actions accordingly. If all the conditions for processing personal data have been removed, it deletes, destroys or anonymizes the personal data subject to the request. The Company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.

      If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party and ensures that the third party takes the necessary actions within the scope of the Regulation.

      If the conditions for processing personal data have not disappeared, the Company may reject the request by explaining the reason to the relevant data owner, and notifies the relevant person in writing or electronically within thirty days at the latest.

  10. ENFORCEMENT

    The effective date of this Policy is 01.02.2021. The Company reserves the right to make changes in the Policy in line with the legal regulations. You can find the current version of the Policy on our website.
