1. Purpose of the Policy
The purpose of our personal data retention and destruction policy is to determine the maximum period required for the purpose of processing personal data as a data controller, to set forth the philosophy, purpose and action plan we will follow in our deletion, destruction and anonymization processes.
In this context, our aim is to inform our employees, our administrative staff, our visitors and the companies we cooperate with, and all third parties who are in contact with TREK DATA HİZMETLERİ ANONİM ŞİRKETİ about the processing of their data and their rights; .
2. Basis of Policy
Our policy is based on the Law on the Protection of Personal Data No. 6698 dated 7.4.2016 (KVKK No. 6698) and the “Regulation on the Deletion, Destruction or Anonymization of Personal Data”, which was published in the Official Gazette dated 28.10.2017 and numbered 30224. It was created as a requirement of Articles 5 and 6 of the Regulation).
3. Scope of the Policy
Our policy includes our employees, administrative personnel, visitors and institutions we cooperate with, and all real and legal persons in legal relationship with TREK DATA HİZMETLERİ ANONİM ŞİRKETİ and their KVKK numbered 6698. It covers all personal data of special nature and non-personal data defined by The Policy also covers personal data in systems where data is processed by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, as specified in KVKK No. 6698. Unless otherwise stated in the policy, personal data and sensitive personal data will be referred to as “Personal Data” together.
4. Definitions
Relevant person: The real person whose personal data is processed,
Personal data: Any information relating to an identified or identifiable natural person,
Personal data of special nature: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. And genetic data,
Explicit consent: Consent on a specific subject, based on information and expressed freely, Data controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
Destruction: Deletion, destruction or anonymization of personal data,
Personal data retention and destruction table: The table showing the periods during which personal data will be kept at TREK DATA HİZMETLERİ ANONİM ŞİRKETİ,
Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
Deletion of personal data: The process of making personal data inaccessible and unusable for the relevant users,
Destruction of personal data: The process of making personal data inaccessible, unrecoverable and unusable by anyone,
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data,
Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,
Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
Board: Refers to the Personal Data Protection Board.
5. General Principles Based on the Policy
Data controller TREK DATA HİZMETLERİ ANONİM ŞİRKETİ acts within the framework of the following principles in the processing of data.
5.1. Personal data can only be processed in accordance with the procedures and principles stipulated in the KVKK No. 6698 and other laws.
5.2. It is obligatory to comply with the following principles in the processing of personal data:
a) Compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and restrained with the purpose for which they are processed.
d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
6. Recording Media Regulated by the Policy
Any media containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system, is within the scope of recording media.
7. Duties and Powers of the Personal Data Protection Committee
7.1. The Personal Data Protection Committee is responsible for the announcement of this Policy to the relevant business units and the follow-up of the fulfillment of its requirements by TREK DATA HİZMETLERİ ANONİM ŞİRKETİ units.
7.2. The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business units to follow up on the legislation changes regarding the protection of personal data, regulatory actions and decisions of the Personal Data Protection Board (Board), court decisions or changes in the processes, practices and systems, and update their business processes if necessary. .
7.3. Personal Data Protection Committee KVKK No. 6698. and secondary regulations as well as the decisions and regulations of the Board, court decisions, and the processes for the examination, evaluation, follow-up and conclusion of the decisions and/or requests of other competent authorities and announces them to the relevant units.
8. What To Do In Case The Conditions for Processing Personal Data Are No longer applicable
8.1. The disappearance of the purpose factor for the processing of personal data, the withdrawal of express consent or the disappearance of all the conditions for processing personal data in Articles 5 and 6 of the KVKK No. 6698, or there is a situation where none of the exceptions in the mentioned articles are applicable In the event that the processing conditions are no longer valid, the personal data is deleted, destroyed or anonymized by the relevant business unit, taking into account the business needs, within the scope of Articles 7 to 10 of the Regulation, by explaining the reason for the method applied. However, in case of a finalized court decision, it is obligatory to apply the method of destruction determined by the court decision.
8.2. All users who process or store personal data and units of TREK DATA HİZMETLERİ ANONİM ŞİRKETİ will review the data recording media they use, within six-month periods at the latest, whether the conditions related to processing have been eliminated. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review in the data recording media they use, regardless of the period of periodic inspection.
8.3. As a result of periodic reviews or at any time, when it is determined that the data processing conditions have been removed, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium in his/her own responsibility in accordance with this policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit. When it is necessary to take a decision on the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken and the data owner will be responsible for the storage or deletion, destruction or anonymization of the personal data in accordance with this policy. will be decided by the unit.
8.4. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least one year, excluding other legal obligations.
8.5. Pursuant to Articles 4 and 7 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be explained in the Data Destruction Procedure to be published after the entry into force of this Policy.
8.6. In the deletion, destruction or anonymization of personal data, it is obligatory to act in accordance with the general principles in Article 4 of the KVKK No. 6698 and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, the Board decisions and the personal data retention and destruction policy. .
8.7. When the real person who owns a personal data requests the deletion, destruction or anonymization of his personal data by applying to TREK DATA HİZMETLERİ ANONİM ŞİRKETİ pursuant to Article 13 of the KVKK No. 6698, the relevant data owner business unit does not process the personal data. examines whether all the conditions have disappeared. If all the processing conditions have disappeared; deletes, destroys or anonymizes the personal data subject to the request. In this case, as the details will be determined in the Data Disposal Procedure; The request is finalized within thirty days at the latest from the date of application and the applicant is informed through the relevant board. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer is made and ensures that the necessary actions are taken within the scope of the Regulation before the third party.
8.8. In cases where the conditions for processing personal data are not completely eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by TREK DATA HİZMETLERİ ANONİM ŞİRKETİ by explaining the reason in accordance with the 3rd paragraph of Article 13 of the KVKK No. 6698. The rejection response is notified to the relevant person in writing or electronically within 30 days at the latest.
8.9. Requests for the deletion or destruction of personal data will only be considered if the identity of the person concerned has been identified. In requests to be made outside of the said channels, the relevant persons will be directed to the channels where identification or verification can be made.
9. Policy Enforcement, Violations and Sanctions
9.1. This Policy will enter into force by being announced to all employees and will be binding on all business units, consultants, external service providers and anyone processing personal data before TREK DATA HİZMETLERİ ANONİM ŞİRKETİ.
9.2. It will be the responsibility of the supervisors of the relevant employees to monitor whether TREK DATA HİZMETLERİ ANONİM ŞİRKETİ employees fulfill the requirements of the Policy. When a violation of the policy is detected, the issue will be immediately reported to a higher supervisor by the supervisor of the relevant employee. If the violation is significant, the Personal Data Protection Committee will be informed without delay by the superior.
9.3. Necessary administrative action will be taken against the employee who violates the policy, after the evaluation to be made by the Human Resources unit.
9.4. In order to fulfill the policy requirements, by TREK DATA HİZMETLERİ ANONİM ŞİRKETİ; All necessary security measures are taken, including the ISO standard and the measures prescribed by all relevant ministries.
10. Persons and Their Responsibilities in the Processes of Storage and Disposal of Personal Data
All employees, consultants, external service providers and anyone who stores and processes personal data in TREK DATA HİZMETLERİ ANONİM ŞİRKETİ within TREK DATA HİZMETLERİ ANONİM ŞİRKETİ fulfills the requirements regarding the destruction of data specified in the KVKK No. 6698 Regulation and this Policy. responsible for bringing Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the data produced is only available in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for information systems. Periodic destructions that will affect business processes and cause data integrity, data loss and results contrary to legal regulations will be made by the relevant information systems departments, taking into account the type of personal data, the systems in which it is included, and the data owner business unit.
11. Periods of Retention and Disposal of Personal Data
Personal Data Retention and Disposal Periods are listed below. The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. In case of hesitation, it will be updated by the business units that own the processes to be included in the Table Showing the Periods of Retention and Disposal of Personal Data, taking into account the evaluation of the Personal Data Protection Committee.
TCO No. 6098 article 146: 10 Years
Relevant Legislation: Until the stipulated time
12. Periodic Disposal Times
The Periodic Destruction Period of Personal Data is determined by the relevant business units that own the data. This period cannot exceed 6 (six) months in any case.
13. Enforcement
13.1. The policy will enter into force as of the date of publication.
13.2. It is the responsibility of the Personal Data Protection Committee to announce the policy throughout TREK DATA HİZMETLERİ ANONİM ŞİRKETİ and make the necessary updates.