Pursuant to Article 20 of the Constitution of the Republic of Türkiye, everyone has the right to respect for their private and family life and to request the protection of their personal data. This right also includes being informed about personal data concerning oneself, accessing such data, requesting their correction or deletion, and learning whether they are used in accordance with their intended purposes.
Law No. 6698 on the Protection of Personal Data (“KVKK”), which aims to protect fundamental rights and freedoms of individuals—primarily the right to privacy—and to regulate the obligations and procedures to be followed by natural and legal persons processing personal data, was published in the Official Gazette dated 07 April 2016 and numbered 29677, and entered into force accordingly.
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Datateam Bilgi Teknolojileri A.Ş. (the “Company” or “Datateam”) in accordance with Article 7 of the Law on the Protection of Personal Data (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”). The purpose of the Destruction Policy is, in cases where the reasons requiring the processing of personal data cease to exist,
● to determine retention periods for the storage and deletion of personal data in accordance with the Law and the Regulation,
● to provide clarity on the duration and conditions under which personal data obtained from all categories of individuals associated with Datateam (including customers, potential customers, employees, candidates, suppliers, subcontractors, visitors, etc.) will be retained,
● to explain the legal basis and procedures for the maximum data retention period and for deletion, destruction, and anonymization activities,
● to identify the recording media and ensure secure and effective access to the stored personal data.
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person; |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system; |
| Data Subject | The natural person whose personal data are processed; |
| Data Processor | Natural or legal persons who process personal data within the data controller’s organization or in line with the authority and instructions received from the data controller, excluding persons or units responsible solely for the technical storage, protection, and backup of data; |
| Explicit Consent | Consent given freely, based on adequate information, and relating to a specific matter; |
| Recipient Group | The category of natural or legal persons to whom personal data are transferred by the data controller; |
| KVK Board | Personal Data Protection Board; |
| KVK Authority | Personal Data Protection Authority; |
| Law | Law No. 6698 on the Protection of Personal Data dated 24/03/2016; |
| VERBIS | Data Controllers Registry Information System; |
| Data Recording System | The recording system in which personal data are processed by being structured according to specific criteria; |
| Processing of Personal Data | Any operation performed on personal data, whether fully or partially by automatic means or by non-automatic means provided that it forms part of a data recording system, such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or preventing use; |
| Personal Data Processing Inventory | An inventory created by associating the Company’s personal data processing activities carried out in connection with its business processes with the purposes of processing, data categories, recipient groups, and data subject groups, and explaining the maximum retention period required for the purposes for which personal data are processed, personal data intended to be transferred abroad, and the measures taken regarding data security; |
| Destruction | The deletion, destruction, or anonymization of personal data; |
| Data Retention and Destruction Policy | The policy serving as the basis for determining the maximum period required for processing personal data and for the deletion, destruction, and anonymization processes; |
| Periodic Destruction | The deletion, destruction, or anonymization of personal data to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in cases where the conditions for processing personal data stipulated in the Law completely cease to exist; |
| Recording Medium | Any environment in which personal data are processed, whether fully or partially by automatic means or by non-automatic means provided that it forms part of a data recording system; |
| Redaction (Blackout) | The process of rendering personal data inaccessible by deleting, crossing out, or painting over all personal data in such a way that they cannot be associated with an identified or identifiable natural person; |
| Masking | The process of deleting, crossing out, painting over, or starring certain fields of personal data so that they cannot be associated with an identified or identifiable natural person; |
| Anonymization | The process of rendering personal data incapable of being associated with an identified or identifiable natural person in any manner whatsoever, even when matched with other data; |
| Customer / Potential Customer | Natural persons who visit the Company for shopping or visitation purposes, who benefit or are expected to benefit from its services, and who use the Company’s website; |
| Visitor | Natural persons who visit the Company for business or visitation purposes; |
| Employee | The Company’s employees, interns, apprentices, and/or members of the board of directors and/or representatives; |
| Job Applicant | Natural persons who have applied for a job with the Company by any means or who have made their resumes and related information available for the Company’s review; |
| Shareholder | The Company’s natural and legal person shareholders; |
| Supplier | Manufacturers providing products or services to the Company; |
| Subcontractor | Persons who undertake a portion or extensions of a specific job from the Company and who employ workers on their own behalf as employers; |
| Third Party | Persons who are not directly related to the Company’s activities but who benefit from them and/or relatives of employees, visitors, and similar persons. |
All departments and employees of the Company actively support the responsible units in ensuring the proper implementation of the technical and administrative measures adopted within the scope of the Policy; providing training and increasing the awareness of departmental employees; monitoring and continuous auditing; preventing the unlawful processing of personal data; preventing unlawful access to personal data; and taking technical and administrative measures to ensure data security across all environments in which personal data are processed, with the aim of ensuring the lawful retention of personal data.
The distribution of the titles, departments, and duty descriptions of those involved in personal data retention and destruction processes is provided in the table below.
| Title | Department | Duty Description |
|---|---|---|
| Content and Marketing Director | Marketing | Committee Chair – responsible for management and communication |
| ? | ? | Responsible for Information Technologies and data security |
| ? | ? | Responsible for KVKK Risk Management, Policies, and Procedures |
| ? | ? | Responsible for business process planning and reporting |
| ? | ? | Responsible for KVKK compliance and auditing |
● Servers (domain, backup, e-mail, database, web, file sharing, etc.),
● Software (office applications, camera recording and monitoring systems, VERBIS, etc.),
● Information security devices (firewalls, intrusion detection and prevention systems, log files, antivirus software, etc.),
● Personal computers (desktop, laptop),
● Mobile devices (phones, tablets, etc.),
● Optical media (CDs, DVDs, hard disks, etc.),
● Removable storage media (USB drives, memory cards, etc.),
● Printers, scanners, photocopiers.
● Paper,
● Manual data recording systems (survey forms, customer satisfaction forms, visitor logbooks, etc.),
● Written/printed and visual media,
● Departmental cabinets,
● Files and folders,
● Archives.
All personal data obtained by the Company from individuals contacted during its activities—including, but not limited to, customers, visitors, employees, job applicants, suppliers, subcontractors, business partners, and shareholders—are retained and disposed of in accordance with the Law.
Article 3 of the Law defines the concept of processing personal data; Article 4 stipulates that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and retained for the period prescribed by the relevant legislation or required for the purpose of processing; and Articles 5 and 6 set forth the conditions for processing personal data. Accordingly, within the scope of its activities, the Company retains personal data for the period prescribed by applicable legislation or for a duration appropriate to its processing purposes.
The Company retains the personal data it obtains within the scope of the grounds and retention periods prescribed by the legislation listed below:
● Law No. 6698 on the Protection of Personal Data
● Turkish Code of Obligations No. 6098
● Turkish Commercial Code No. 6102
● Consumer Protection Law No. 6502
● Public Procurement Law No. 4734
● Social Insurance and General Health Insurance Law No. 5510
● Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications
● Public Financial Management and Control Law No. 5018
● Occupational Health and Safety Law No. 6331
● Right to Information Act No. 4982
● Law No. 3071 on the Exercise of the Right to Petition
● Labor Law No. 4857
● Social Services Law No. 2828
● Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Annexes
● Law No. 5746 on the Support of Research and Development Activities
● Technology Development Zones Law No. 4691
● Law No. 6111 on the Restructuring of Certain Receivables and Amendments to the Social Insurance and General Health Insurance Law
Personal data are retained for the retention periods stipulated under these laws and other applicable secondary legislation in force.
Within the scope of its activities, the Company retains the personal data it processes for the purposes set out below:
● Planning and/or conducting employees’ onboarding and personnel record processes
● Managing job application processes of job applicants
● Managing placement processes for job applicants / interns / apprentices
● Managing fringe benefits and benefits processes for employees
● Fulfilling obligations arising from employment contracts and applicable legislation for employees
● Managing activities in compliance with legislation
● Managing assignment processes
● Planning and/or executing personnel appointment and promotion processes
● Planning and/or executing talent and career development activities
● Planning and/or executing activities required within the scope of occupational health and/or safety
● Planning and/or executing internal/external training activities
● Monitoring and/or auditing employees’ work activities
● Planning and/or executing fringe benefits and/or benefits provided to employees
● Planning and/or executing domestic / international travel (events, organizations, fairs, etc.) of employees
● Planning and/or monitoring employees’ paid/unpaid leave
● Planning and/or executing payroll and wage payments
● Planning and/or executing employee exit processes
● Planning and/or executing operational activities related to disciplinary and ethical processes
● Conducting audit and ethics activities
● Managing assignment processes, product delivery, or service relationships involving employees
● Making internal Company announcements in cases of recruitment, appointment, promotion, special occasions, and/or employee exit
● Fulfilling obligations arising from employment contracts and/or legislation for employees
● Managing work permit and residence permit processes for foreign personnel
● Conducting business continuity activities
● Planning and/or executing employee satisfaction and/or engagement processes
● Conducting performance evaluation processes
● Planning and/or executing payroll processes
● Identifying and calculating incentives that the Company may benefit from under applicable legislation
For the purpose of ensuring that the Company’s activities are carried out in compliance with Company procedures and/or applicable legislation, and of maintaining operational and information security, the following activities are planned and/or implemented:
● Planning and/or execution of operational activities required to ensure that Company activities are conducted in accordance with procedures and legislation
● Planning and/or execution of internal/external audit, inspection, investigation, and/or control activities of the Company
● Monitoring legal affairs, contract processes, and/or legal claims; retaining transaction history after the termination of legal relationships to be used as evidence in case of disputes
● Planning and/or execution of activities for providing and recording information or documents requested by public institutions and/or organizations
● Planning and/or execution of emergency and/or incident management processes
● Ensuring the security of the Company’s fixed assets and/or resources
● Establishment and/or management of information technology infrastructure
● Management of access authorizations
● Defining and/or monitoring information access rights of individuals outside the Company
● Ensuring data accuracy and/or currency
● Ensuring physical premises security
● Planning and/or execution of activities related to corporate and partnership law transactions
● Ensuring the security of Company operations
● Ensuring the security of movable assets and resources
● Conducting supply chain management processes
● Planning, auditing, and/or execution of information security processes
● Providing information to authorized persons, institutions, and organizations
● Conducting activities in compliance with legislation
● Monitoring contract processes and/or legal claims
● Planning and/or execution of activities related to the creation, auditing, and/or monitoring of records of subcontractor employees
● Conducting activities aimed at customer satisfaction
● Managing customer relationship management (CRM) processes
● Evaluating customer requests and/or complaints collected through digital and/or other channels
● Designing and/or executing advertising, promotion, and/or marketing activities through digital and/or other media
● Publishing/sharing Company news and advertisements across all written and visual media and platforms where such content appears, including the Company website, social media, and materials such as posters, catalogs, and brochures
● Managing corporate communications and organizing related events, fairs, campaigns, and invitations, as well as providing information regarding such activities
● Conducting market research activities
● Performing sales and marketing analysis and managing marketing processes for products/services
● Creating and monitoring visitor records
● Carrying out strategic planning activities
● Conducting marketing analysis activities
● Managing pricing policies
● Managing loyalty processes related to companies/products/services
● Monitoring and managing requests and/or complaints
● Planning and execution of goods/services procurement processes
● Execution of assembly and installation services
● Management of goods/services production and operational processes
● Execution of goods/services sales processes and post-sales support services
● Monitoring and management of finance and/or accounting activities
● Planning and/or execution of activities to perform efficiency and/or effectiveness analyses of business operations
● Planning and/or execution of corporate governance activities
● Planning and/or execution of inventory management and/or shipment processes for the Company’s products
● Execution of logistics activities
● Planning and execution of corporate communication activities
● Planning and/or implementation of operational and/or efficiency processes
● Planning and/or execution of internal/external reporting activities, together with the related sub-purposes
● Conducting internal audit/investigation/intelligence activities
● Planning and/or execution of the Company’s financial risk management processes
● Conducting retention and archiving activities
● Management of investment processes
● Execution of management activities
● Management of relationships with business partners, suppliers, and subcontractors
● Execution and supervision of business operations
● Organization and management of activities arising from organic relationships with shareholders
● Planning and/or execution of activities related to corporate and partnership law transactions
● Organization and management of activities arising from organic relationships with shareholders, subsidiaries, and affiliates
● Collection and evaluation of suggestions aimed at improving business processes
● Execution of business continuity activities
In accordance with Article 12 of the Law on the Protection of Personal Data (“KVK Law”), the Company takes the necessary technical and administrative measures to ensure an adequate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to such data, and to ensure the preservation of personal data. Within this scope, the Company carries out and commissions the necessary audits. In the event that processed personal data is obtained by third parties through unlawful means despite all technical and administrative measures having been taken, the Company shall notify the relevant authorities and units of this situation as soon as possible.
● The Company employs personnel who are knowledgeable and experienced in the processing of personal data and provides its employees with the necessary training within the scope of personal data protection legislation and data security.
● The Company has prepared and implements corporate policies regarding access, information security usage, storage, and destruction of personal data.
● In compliance with legal requirements related to personal data processing on a departmental basis, the Company designs and implements internal access and authorization processes for personal data.
● The Company has added provisions to all documents regulating its relationship with employees and containing personal data, stipulating that personal data must be processed in accordance with the obligations set forth under the KVK Law, that personal data must not be disclosed, must not be used unlawfully, and that the obligation of confidentiality regarding personal data shall continue even after the termination of the employment relationship. Failure by employees to comply with these obligations may result in sanctions up to and including termination of employment.
● The Company may process personal data related to employees’ work activities for other lawful purposes, in compliance with the principles set out in Article 4 of the KVK Law and the conditions specified in Article 5. Employees are duly informed by the Company, through appropriate methods, about the purposes for which such data may be processed.
● Before initiating any complaint procedure or disciplinary process against an employee based on data obtained through the processing of personal data related to work activities, the Company grants the employee the right to access such data, to provide explanations regarding the data, and to exercise the right of defense.
● Employees are informed that they shall not disclose personal data they become aware of to third parties in violation of the provisions of the KVK Law, shall not use such data outside the purpose of processing, and that this obligation shall continue even after they leave their position. Necessary undertakings are obtained from employees in this regard.
● Contracts executed with parties to whom personal data is lawfully transferred by the Company include provisions requiring such parties to take the necessary security measures to protect personal data and to ensure compliance with these measures within their own organizations.
● The Company appoints responsible personnel for personal data processing activities carried out within the Company. The number of employees authorized to access personal data obtained as a result of such processing is kept to a minimum. In this context, if there are employees who do not require access to such data, their access rights are removed or restricted. The Company also takes the necessary physical security measures to ensure that personal data is accessed only by authorized persons.
● In the event that processed personal data is obtained by others through unlawful means, the Company notifies the relevant data subjects and the Board as soon as possible.
● The Company carries out and commissions the necessary audits to ensure the implementation of the provisions of the KVK Law within its legal entity and eliminates any confidentiality and security vulnerabilities identified as a result of such audits.
● The Company ensures that data processor service providers are aware of data security requirements and conducts periodic audits at regular intervals.
● Pursuant to Article 12 of the KVK Law, the Company remains responsible for ensuring that third parties to whom personal data is transferred also fulfill their obligations to process, store, and access personal data lawfully in accordance with this Policy and the provisions of the KVK Law. Accordingly, the Company obtains undertakings through contracts and other arrangements to ensure these requirements are met and that it is granted the right to conduct audits. In addition, all Company personnel are specifically informed about their responsibilities arising from processes involving the transfer of personal data to third parties.
● Employees are trained on the technical measures to be taken in order to prevent unlawful access to personal data.
● Technical measures appropriate to technological developments are implemented, and the measures taken are periodically updated and renewed.
● All reasonable measures necessary to ensure the security of employee data are taken. These measures are designed to prevent unauthorized access risks, accidental data loss, intentional deletion of data, or damage to data.
● Measures such as audit trails are implemented within information systems to identify who has accessed employees’ personal data. Within this scope, access logs are regularly monitored, and investigation mechanisms are established to address unauthorized access.
● Security measures are implemented within the scope of procurement, development, and maintenance of information technology systems.
● In cases where employees’ personal data is removed from the workplace through devices such as laptops, necessary security measures are taken, and the relevant employees are informed about these measures.
● Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a departmental basis.
● Access rights are restricted and reviewed on a regular basis.
● An authorization matrix has been established for employees.
● The Company applies data masking measures where necessary.
● Access logs are regularly maintained. Corporate policies regarding access, information security, usage, storage, and destruction have been prepared and implemented.
● The technical measures taken are periodically reviewed, and matters posing risks are re-evaluated to produce the necessary technological solutions.
● Software and hardware including antivirus systems and firewalls are installed.
● Applications through which personal data is collected are regularly subjected to security scans to identify vulnerabilities, and detected vulnerabilities are remediated.
● Personal data is backed up, and the security of personal data is ensured.
● Log records are maintained without user intervention.
● Cybersecurity measures have been implemented, and their application is continuously monitored.
● Special category personal data transferred via removable media such as portable storage devices, CDs, or DVDs is encrypted during transfer.
● Protocols and procedures for the security of special category personal data have been established and are implemented.
● Intrusion detection and prevention systems are used.
● Encryption is applied for data protection purposes.
● The destruction of personal data is carried out in a manner that prevents recovery and leaves no audit trail.
Within the scope of the KVK Law, the Company holds the status of data controller and shall be registered with the VERBİS system. Article 11, paragraph 1 of the Regulation states that “The obligations of legal entities established in Türkiye that act as data controllers under the Law shall be fulfilled by the authorized body or bodies, or the person or persons authorized to represent and bind the legal entity in accordance with the relevant legislation. The authorized body representing the legal entity may appoint one or more persons to carry out the obligations required for the implementation of the Law.”
In order to manage this Policy and other policies related and connected thereto, as well as the processing and destruction processes specified herein, and to ensure the fulfillment of compliance actions determined by senior management, the Company appoints a “Personal Data Protection Committee” or one or more persons responsible in this regard.
Within this scope, the duties to be carried out by the relevant person(s) or committee include:
● Preparation and monitoring of documents related to the design of personal data protection and processing processes, and submission of such documents for approval by the relevant parties,
● Ensuring the implementation of documents related to the protection and processing of personal data and carrying out the necessary audits,
● Monitoring relations and correspondence with the Personal Data Protection Authority (KVK Institution) and the Personal Data Protection Board (KVK Board).
The primary authorized person responsible for the monitoring and coordination of all activities within the scope of the KVK Law and the regulations of the Personal Data Protection Board is the Finance and Administrative Affairs Manager. In addition, the Administrative Affairs Unit Responsible, the Finance Unit Responsible, and the Financial Control Manager are authorized. Committee members are responsible for auditing whether the Relevant Users in departments act in compliance with this Policy and the Data Retention and Destruction Policy prepared within the framework of the Law and the Regulation. Senior managers of all departments shall report the actions they carry out in accordance with the Destruction Policy within the specified periodic destruction periods to the Committee Director. The Committee Director shall present the audit and action reports of senior managers of all departments to the Management during meetings. In cases requiring a decision, following the receipt of the opinion of the Committee Director, the decision of the Board of Directors shall be taken and subsequently implemented.
The Company destroys the personal data it has obtained in the following cases:
● Amendment or repeal of the relevant legislation that constitutes the legal basis for the processing of personal data,
● The elimination of the purpose requiring the processing or retention of personal data,
● In cases where the processing of personal data is based solely on explicit consent, the withdrawal of such explicit consent by the data subject,
● Acceptance by the Authority of the data subject’s application submitted within the scope of their rights under Article 11 of the Law requesting the deletion or destruction of their personal data,
● In cases where the Authority rejects the data subject’s application for the deletion, destruction, or anonymization of personal data, finds the response insufficient, or fails to respond within the period stipulated under the Law, and the data subject files a complaint with the Board and such request is deemed appropriate by the Board,
● Expiry of the maximum retention period required for the storage of personal data and the absence of any condition justifying the retention of personal data for a longer period,
In these cases, the personal data shall be deleted, destroyed, or anonymized by the Company, either upon the request of the data subject or ex officio.
Even if personal data has been processed in compliance with the relevant legal provisions, the Company may delete or destroy personal data, either ex officio or upon the request of the data subject, in cases where the reasons requiring the processing no longer exist. Following the deletion of personal data, the relevant persons shall under no circumstances be able to access or use the deleted data again.
An effective data tracking process shall be managed by the Company for the definition and monitoring of personal data destruction processes. The process shall consist of, respectively, identifying the data to be deleted, identifying the relevant persons, determining the access methods of such persons, and immediately thereafter deleting the data.
Depending on the storage medium in which the personal data is recorded, the Company may use one or more of the methods specified below in order to delete, destroy, or anonymize personal data.
In cloud systems, data is deleted by issuing a deletion command. During this process, the relevant user does not have the authority to restore the deleted data within the cloud system.
Personal data contained in paper-based media is deleted and/or destroyed by using the blackening (redaction) method or by means of a Paper Shredding Machine.
In the application of the Paper Shredding Machine, if there is any other information/data in the document that is not essential and/or not required for use apart from the personal data contained therein, the relevant document is shredded into pieces via the machine for the purpose of destroying the personal data. If the document contains other information/data that is essential and/or required for use, the blackening (redaction) method is applied.
The blackening process is carried out by cutting out the personal data on the relevant document where possible, or, where cutting is not possible, by rendering the data invisible to the relevant users through the use of permanent ink in a manner that is irreversible and cannot be read by technological means.
Files are deleted using the delete command of the operating system and/or the access rights of the relevant user to the file or the directory in which the file is located are revoked. During this process, it is ensured that the relevant user does not simultaneously have system administrator privileges.
Personal data stored on flash-based storage media is kept in encrypted form and deleted using appropriate software compatible with these media.
The relevant rows containing personal data are deleted using database commands (such as DELETE, etc.). During this process, it is ensured that the relevant user does not simultaneously have database administrator privileges.
Personal Data Stored in Physical Media: Personal data contained in paper-based records whose legally required retention period has expired are irreversibly destroyed using paper shredders in a manner that prevents reconstruction or reuse.
Personal Data Stored in Optical/Magnetic Media: Personal data stored on optical and magnetic media whose retention period has expired are physically destroyed through methods such as melting, incineration, and/or pulverization. In addition, magnetic media are rendered unreadable by being exposed to high-intensity magnetic fields using specialized devices, ensuring that the data cannot be recovered.
Methods for the destruction of personal data are applied for the following environments and systems:
● Network Devices (switches, routers, etc.)
● Flash-Based Storage Media
● Mobile Phones
● Optical Discs
● Peripheral Devices with Fixed Data Storage Media, such as Printers and Card-Based Access Control Systems
● Paper and Microfilm Media
● Cloud Environments
With regard to the personal data processed within the scope of its activities, the Company determines retention periods as follows:
● Retention periods on a personal data basis for all personal data processed within the scope of process-related activities are specified in the Personal Data Processing Inventory;
● Retention periods on a data category basis are recorded in VERBİS;
● Retention periods on a process basis are set out in the Personal Data Retention and Destruction Policy.
Where necessary, updates to these retention periods are made by the Personal Data Contact Person.
Personal data whose retention period has expired are destroyed ex officio. Where a retention period is stipulated by applicable legislation for certain personal data, such period shall be strictly complied with. In cases where no statutory retention period is prescribed, personal data shall be retained for the maximum periods specified in the table below. These periods are determined by taking into account the Company’s data categories and data subject groups, ensuring compliance with statutory obligations, and observing the maximum statute of limitations period stipulated under the Turkish Code of Obligations (10 years).
| Record Type | Details | Retention Period | Destruction Period |
|---|---|---|---|
| Identity Information | It refers to data containing information relating to an individual’s identity (such as name and surname, Turkish ID number, nationality, mother’s and father’s name, place and date of birth, marital status, gender, and similar information included in documents such as driver’s licenses, national identity cards, and passports, as well as tax identification numbers, etc.). | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Contact Information | It refers to contact information such as telephone number, address, email, and similar communication details. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Financial Information | It refers to personal data processed in relation to information, documents, and records that indicate all kinds of financial outcomes arising from the legal relationship established between our Company and the data subject, as well as data such as bank account number, IBAN, income information, and asset information. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Location Information | Employees’ Location Data | 2 Years | During the first periodic destruction period following the end of the retention period. |
| Employee Personnel Files | It constitutes all records maintained throughout employees’ employment with the Company and includes, but is not limited to: Employment Contracts, Termination-Related Documents, Leave Records, Promotion Documents, Employee Summary Information, Training Records, Recruitment Applications, and Fringe Benefits. | For the duration of the employment contract + 10 years | During the first periodic destruction period following the end of the retention period. |
| Personal Data of Job Applicants Not Hired | Includes all records collected during the recruitment process, including résumés. | 6 Months | During the first periodic destruction period following the end of the retention period. |
| Contracts | Includes contracts and related correspondence. | Throughout the term of the contract + 10 Years | During the first periodic destruction period following the end of the retention period. |
| Subcontractor / Contractor / Supplier Employee Information | Includes records evidencing that the wages and Social Security (SSI) notifications/payments of subcontractor, contractor, and supplier employees are duly and regularly made. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Physical Premises Security Information-1 | Personal data relating to records obtained during entry into and presence within physical premises, such as CCTV footage. | Security Camera Recordings – 30 days (1 year in cases of suspicion and notification); 10 years following the termination of the employment contract. | During the first periodic destruction period following the end of the retention period. |
| Visual / Audio Data | Personal data that do not fall within the scope of physical premises security information and consist of photographs, audio, and video recordings, excluding photo and camera recordings classified as Physical Premises Security Information. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Employee height, weight, and shoe size information collected for employer-provided equipment and workwear | Data collected to have workwear produced by vendors for employees and to manufacture protective clothing for occupational health and safety purposes. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Business Partner Relationships and Commitments | This covers business partners, shareholders, organizations in which the Company participates, newsletters, and corporate communication activities. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Risk Assessments | This covers insurance participation records, applications, and renewals. | 10 Years | Following the first periodic disposal period after the end of the retention period |
| Transaction Security Information | Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities (such as log records, IP address information, internet access logs, and password credentials). | 2 Years | During the first periodic destruction period following the end of the retention period. |
| Legal Proceedings and Compliance Information | Personal data processed within the scope of determining, pursuing, and enforcing our legal receivables and rights, fulfilling our obligations, correspondence with judicial authorities, information contained in litigation files, employees’ enforcement (execution) file information, and ensuring compliance with our statutory obligations and the Company’s policies. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Request / Complaint Management Information | Personal data relating to the receipt, handling, and evaluation of all requests and/or complaints submitted to our Company. | 10 Years | During the first periodic destruction period following the end of the retention period. |
| Special Categories of Personal Data | Personal data relating to individuals’ race, religion, membership of associations, foundations or trade unions, health, criminal convictions and security measures, as well as biometric data. | 10 Years (Health data: 15 years) | During the first periodic destruction period following the end of the retention period. |
| Vehicle Information | Refers to information relating to vehicles associated with the data subject. | 2 years from the date the license plate is recorded. | During the first periodic destruction period following the end of the retention period. |
| Customer Transaction Data | Refers to data such as records regarding the use of products and services purchased by customers, as well as instructions and requests required for customers to use such products and services. | 10 Years | During the first periodic destruction period following the end of the retention period. |
Applications by data subjects regarding their rights arising from the Personal Data Protection Law must be submitted to us in writing or by other methods to be determined by the Personal Data Protection Board (“Board”), in accordance with Article 13 of the Personal Data Protection Law.
| Application Method | Application Address | Information to Be Included in the Application |
|---|---|---|
| In-person application with wet signature or via Notary | Üniversiteler Mahallesi, Şehit Mustafa Tayyarcan Caddesi, Tepe Binası No:5 İç Kapı No: B01 Çankaya/ANKARA | The envelope/notification must state: “Information Request within the Scope of the Personal Data Protection Law”. |
| Application via Registered Electronic Mail (KEP) | Via Registered Electronic Mail (KEP) address: infinia@hs01.kep.tr | The subject line of the email must state: “Personal Data Protection Law Information Request”. |
| Application via Email Address Registered in Our System | By using the email address registered in our company’s system: info@infinia.com.tr | The subject line of the email must state: “Personal Data Protection Law Information Request”. |
● The requests included in your application will be concluded free of charge as soon as possible and no later than within 30 (thirty) days, depending on the nature of the request, and the result will be notified to you in writing or electronically. However, if the process requires an additional cost, the fee specified in the tariff determined by the Personal Data Protection Board may be charged to you.
● If the application and request are deemed justified by the Company, the necessary actions will be taken without delay. In the event that the application and request are rejected, the reason for rejection will be notified to the relevant data subject in writing or electronically, in the manner specified in the application and request petition.
● In cases where the application and request are rejected by the Company, the response is found to be insufficient, or no response is provided within the statutory period, the relevant data subject has the right to lodge a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of learning the response to the application and request, and in any event within 60 (sixty) days from the date of application.
In the event that the reasons requiring the processing of personal data cease to exist or the retention period expires, personal data shall be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the relevant data subject.
The Company’s periodic disposal period is 6 months. Personal data whose retention period has expired shall be disposed of at 6-month intervals, in accordance with the disposal periods and procedures set out in this Policy. In this process, data shall be permanently and irreversibly deleted from the media on which they are recorded, including documents, files, CDs, diskettes, hard disks, and similar storage tools, in a manner that prevents recovery.
All actions taken regarding the deletion, destruction, and anonymization of personal data are recorded, and such records are retained for a minimum period of three (3) years, excluding other legal obligations.
With regard to monitoring the periodic disposal process, the Company is obliged to register with the Data Controllers’ Registry (VERBİS) before commencing personal data processing activities and to take all necessary administrative and technical measures throughout the process.
The Policy is published in two formats: with a wet signature (printed hard copy) and in electronic form, and is made publicly available on the Company’s website. The printed hard copy is also retained by the relevant administrative unit.
The Policy is reviewed as needed and the necessary sections are updated accordingly. This document was last updated on 03/12/2024.
The Policy shall be deemed to have entered into force upon its publication on the Company’s website. In the event that this Policy is revised or repealed, the revised version of the Policy or the new policy text shall be announced in the relevant sections and on our website at https://datateam.com.tr/.