
Personal Data Storage and Destruction Policy

AĞIRMAN MAKİNA OTOMOTİV YAN SANAYİ VE TİCARET ANONİM ŞİRKETİ 

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

 

CONTENTS

  1. Introduction and Purpose of Policy Preparation

  2. Definitions

  3. Scope of the Policy

  4. Data Storage Media

  5. Principles

  6. Explanation of legal, technical, or other reasons for the storage and destruction of personal data

  7. Technical and administrative measures taken to ensure the secure storage of personal data and prevent unlawful processing and access

  8. Technical and administrative measures taken for the lawful destruction of personal data

  9. Titles, departments, and job descriptions of those involved in personal data storage and destruction processes

  10. Retention periods of personal data and Periodic Destruction Periods

  11. Final Provisions

 

1 – INTRODUCTION AND PURPOSE OF POLICY PREPARATION

The purpose of this policy is to fulfill the obligations imposed on Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi under the 7th article of the Personal Data Protection Law No. 6698 and the Regulation created in accordance with it. It aims to establish a personal data storage and destruction policy that aligns with relevant legislation and ensures personal data processing activities are conducted in compliance with the law.

2 – DEFINITIONS

2.1 – Law: The Personal Data Protection Law No. 6698.
2.2 – Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
2.3 – Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
2.4 – Personal Data Processing Inventory: The inventory created by Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, based on its business processes, detailing personal data processing activities, the purposes of processing personal data, data categories, recipient groups to which the data is transferred, and data subject groups. It further explains the maximum duration for processing personal data for the specified purposes, personal data to be transferred to foreign countries, and measures taken regarding data security.
2.5 – Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users in any way. (Example: Visitor information stored digitally is deleted from the system in such a way that the HR department can no longer access it after the designated period. For paper documents, personal data on a petition is obscured, redacted, or erased when submitted to a department manager.)
2.6 – Destruction of Personal Data: The process of making personal data completely inaccessible, irrecoverable, and unusable in any way. (Example: Data on systems is destroyed by demagnetizing, overwriting, or other appropriate methods, while paper data is destroyed in paper shredding machines.)
2.7 – Anonymization: The process of altering personal data using techniques like masking, aggregation, data distortion, etc., so that it loses its personal data characteristics and this change cannot be reversed. (Example: In a satisfaction survey report, if there is only one manager in a specific age group or gender category, the record of this person is removed, making the personal data unidentifiable with any individual.)
2.8 – Data Recording System: The system in which personal data is processed according to specific criteria.

3 – SCOPE OF THE POLICY

This policy applies to all departments, employees, and third parties involved in any process where Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi processes personal data.
This policy covers all destruction activities that will be carried out by Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi regarding personal data, and it will be applied whenever there is a need for destruction.
In the case of changes in the relevant legislation, Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi will update this policy in accordance with the new regulations.
If there is a legal obstacle to the implementation of this policy by Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, the company may determine the necessary steps again after consulting its Legal Advisor and the Board of Directors, if necessary.
In accordance with the Regulation, Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, as a Data Controller with a registry obligation, has established the principles under this policy for storing personal data in accordance with the personal data inventory and for deleting or anonymizing the data when necessary.

4 – DATA STORAGE MEDIA

In the implementation of this Policy, the term "data storage media" refers to any environment where personal data is processed either fully or partially automatically, or through non-automatic means as part of a data recording system.

The data storage media used in our company include:

a) Computers/Servers
b) Network devices
c) Disk drives
d) Cloud systems
e) Mobile phones and their storage areas
f) Paper
g) Peripheral devices such as printers, fingerprint scanners, and facial recognition devices
h) Magnetic tapes
i) Optical discs
j) Flash drives
k) Electronic environments
l) Physical environments (Unit cabinets, file-based paper records stored in archive environments)
m) Security camera footage storage systems

5 – PRINCIPLES

Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi follows the principles outlined below for the storage and destruction of personal data.

5.1 The deletion, destruction, and anonymization of personal data are carried out in full compliance with the principles set forth in Article 4 of the Law, the measures that must be taken under Article 12, the technical and administrative measures defined in this policy, the relevant legislative provisions, the decisions of the Personal Data Protection Board, and this policy.

5.2 Unless otherwise decided by the Personal Data Protection Board, the most appropriate method for deleting, destroying, or anonymizing personal data is selected by us. However, if requested by the data subject, the reason for choosing the method will be explained.

5.3 When the conditions for processing personal data, as outlined in Articles 5 and 6 of the Law, no longer exist, the personal data will be deleted, destroyed, or anonymized by Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, either ex officio or upon the request of the data subject. In the case of such requests made to Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, the requests will be concluded within 30 days at the latest, and the data subject will be informed. If the data subject’s personal data has been transferred to third parties, this will be communicated to the third party, and the necessary actions will be taken with respect to the third parties involved.

6 – EXPLANATION OF LEGAL, TECHNICAL, OR OTHER REASONS FOR THE STORAGE AND DESTRUCTION OF PERSONAL DATA

Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi stores and destroys personal data for the following purposes:

a) To manage Human Resources processes,
b) To carry out its commercial activities for the purpose of fulfilling various projects and establishing business partnerships,
c) In the management of corporate law, event management, and corporate communication processes,
d) In the design and auditing of strategies related to the company’s commercial activities,
e) To ensure security,
f) To fulfill obligations to legally authorized public institutions and organizations,
g) For the establishment, use, or protection of a legal right,
h) To fulfill any legal obligation of Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi.

The personal data is stored and destroyed in accordance with the relevant legislation and policies.

7 – TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURE STORAGE OF PERSONAL DATA AND PREVENT UNLAWFUL PROCESSING AND ACCESS

In order to store personal data securely and in compliance with the law, prevent unlawful processing and access, and ensure lawful destruction of data, Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi adopts technical and administrative measures based on the principles outlined in Article 12 of the Law, taking into account technological possibilities and the cost of implementation.

7.1 – Technical Measures Taken to Ensure the Lawful Storage, Processing, and Prevention of Access to Personal Data:

Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi:

  • Performs necessary internal controls within the systems established.

  • Manages processes for information technology risk assessments and business impact analysis within the systems established.

  • Provides technical infrastructure to prevent or monitor the leakage of data outside the organization and ensures the creation of relevant matrices.

  • Ensures that employees' access to personal data is controlled, limits access rights, and regularly reviews these rights.

  • Employs personnel knowledgeable in technical matters.

  • Utilizes software and hardware, including antivirus systems and firewalls.

  • Uses backup programs in a lawful manner to ensure secure storage of personal data.

  • Logs access to the data storage areas containing personal data, and any inappropriate access or access attempts are communicated to relevant individuals.

  • In accordance with Article 12 of the Law, protects all digital environments where personal data is stored using encryption or cryptographic methods to meet information security requirements.

7.2 – Administrative Measures Taken to Ensure the Lawful Storage, Processing, and Prevention of Access to Personal Data

Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi:

  • Limits internal access to stored personal data to personnel who are required to access it as part of their job description. The nature of the data (whether it is sensitive or not) and its level of importance are also considered in restricting access.

  • If personal data is unlawfully obtained by others, the company informs the relevant individual and the Personal Data Protection Board as soon as possible.

  • In relation to the sharing of personal data, the company signs framework agreements with recipients of the data, addressing the protection of personal data and data security.

  • Provides necessary training on data security.

  • Carries out and ensures audits to implement the provisions of the Law within its own legal entity. It addresses confidentiality and security vulnerabilities discovered during audits.

  • Informs and trains employees on personal data protection law and the lawful storage and processing of personal data.

  • Analyzes all activities of its departments and identifies personal data processing activities related to specific commercial activities carried out by the relevant business units based on this analysis.

  • Informs employees that they cannot disclose personal data they have learned to others in violation of the provisions of the Personal Data Protection Law, nor can they use it for purposes other than processing, and that this obligation continues even after their departure from the company.

8 – TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LAWFUL DESTRUCTION OF PERSONAL DATA

Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi takes technical and administrative measures, considering technological possibilities and implementation costs, to ensure the lawful destruction of personal data, and applies the appropriate methods from various available options.

8.1 – Technical Measures Taken to Ensure the Lawful Destruction of Personal Data:

  • Personal data storage and destruction activities carried out within Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi are audited.

  • The technical precautions taken are reported to the relevant parties.

  • Personnel knowledgeable in technical matters are employed.

8.2 – Administrative Measures Taken to Ensure the Lawful Destruction of Personal Data:

  • Employees are informed and trained on personal data protection law and the lawful destruction of personal data.

  • Personnel responsible for the destruction of personal data registered in the Personal Data Processing Inventory have been designated.

8.3 – Methods Used for the Lawful Destruction of Personal Data:

8.3.1 – Methods for Deleting Personal Data:

i. Personal Data in Paper Format: It is deleted using the redaction method.
ii. Office Files on Central Servers: It is deleted using the delete command in the operating system.
iii. Personal Data on Portable Media: It is deleted using appropriate software.
iv. Databases: The relevant rows containing personal data are deleted using database commands.

8.3.2 – Methods for Destroying Personal Data:

i. Personal Data on Local Systems: It is destroyed using appropriate methods such as de-magnetization, physical destruction, or overwriting.
ii. Personal Data on Environmental Systems:

  1. Network Devices (e.g., switches, routers, etc.): It is destroyed using the appropriate methods outlined in (i.) above.

  2. Flash-Based Media: It is destroyed using the methods recommended by the relevant manufacturer or the methods outlined in (i.) above.

  3. Magnetic Tapes: It is destroyed using de-magnetization or physical methods such as burning or melting.

  4. SIM Cards and Fixed Memory Cards: It is destroyed using the appropriate methods outlined in (i.) above.

  5. Optical Disks: It is destroyed using physical methods such as burning, breaking into small pieces, or melting.

  6. Fixed External Devices for Data Storage: It is destroyed using the appropriate methods outlined in (i.) above.

iii. Paper shredders are used for destruction. Personal data that is scanned from the original paper format into an electronic medium is destroyed using appropriate methods depending on the medium where the data is located.


8.3.3 – Methods for Anonymizing Personal Data:

In the process of anonymizing personal data, the methods outlined in the "Guide for the Deletion, Destruction, or Anonymization of Personal Data" published by the Personal Data Protection Authority are used. (Variable Removal, Record Removal, Regional Masking, Lower and Upper Bound Coding, Generalization, Global Coding, Noise Addition, Microaggregation, Data Swapping etc.)

9 – TITLES, DEPARTMENTS, AND JOB DESCRIPTIONS OF THOSE INVOLVED IN THE PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES

In the personal data storage processes of Ağırman Makina Otomotiv Yan Sanayi ve Ticaret Anonim Şirketi, the following departments are involved:

  • Accounting & Finance

  • Human Resources

  • Information Technology

  • Sales and Purchasing

  • Quality Management

In the personal data destruction processes, the departments involved are:

  • Information Technology

  • Human Resources

The responsibility for managing the storage and destruction processes lies at the department level, and the relevant job descriptions are included in the company’s "Internal Regulation" document.

10 – PERSONAL DATA RETENTION AND DESTRUCTION PERIODS AND PERIODIC DESTRUCTION TIMELINES

The Personal Data Processing Inventory, which includes retention and destruction periods as well as periodic destruction timelines, is an integral part of this Policy.

11 – FINAL PROVISIONS

11.1 - In matters not covered by this Policy, changes made later will be subject to the provisions of the Law and relevant legislation.
11.2 - This Policy comes into effect on 01.01.2020.

 
