This Personal Data Retention and Disposal Policy (“Policy”) has been prepared by FERSAN TEKSTİL TİC.VE SAN.LTD.ŞTİ. (the “Company”) in order to determine the procedures and principles governing the work and transactions related to storage and destruction activities.
In line with its basic principles, the Company has prioritized processing the personal data of company employees, employee candidates, service providers, visitors, customers, suppliers and other third parties in accordance with the Constitution, international conventions, Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons exercise their rights effectively. The related work and transactions are carried out in accordance with the Policy prepared accordingly.
Personal data belonging to FERSAN TEKSTİL TİC.VE SAN.LTD.ŞTİ.’s employees, employee candidates, service providers, visitors, customers, suppliers and other third parties are within the scope of this Policy. This Policy is applied to all recording media where personal data owned or managed by the Company are processed and to activities for the processing of personal data.
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Employee: Company employee.
Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual and other environments other than electronic media.
Service Provider: A natural or legal person who provides services within the framework of a certain contract with the Company.
Relevant Person: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law on Protection of Personal Data No. 6698.
Recording Media: Any environment where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal reason for processing, the data category, the recipient group to which data is transferred and the data subject group, and in which they explain the maximum storage period required for the purposes for which the personal data is processed, the personal data intended to be transferred to foreign countries, if any, and the measures taken regarding data security.
Processing of Personal Data: Any kind of operation performed on personal data, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
Special Quality Personal Data: In accordance with Article 6 of the Law, data that, if learned, may cause discrimination or victimization. According to the Law, these are data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.
Policy: Personal Data Retention and Disposal Policy.
Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority.
Data Processor: The person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Registration System: A registration system in which personal data is processed and structured according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
⦁ RECORDING ENVIRONMENTS
Personal data is stored securely by the Company in the environments listed in Table 1, in accordance with the law.
Table 1: Personal Data Storage Environments
Electronic Media
⦁ Servers (Domain, backup, email, database, web, file sharing etc.)
⦁ Software (office software, portal)
⦁ Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
⦁ Personal computers (Desktop, laptop)
⦁ Mobile devices (phone, tablet, etc.)
⦁ Optical discs (CD, DVD, etc.)
⦁ Removable memories (USB, Memory Card etc.)
Non-Electronic Media
⦁ Paper
⦁ Manual data recording systems (survey forms, visitor logbook)
⦁ Written, printed, visual media
⦁ RESPONSIBILITY
All units and employees of the Company are responsible for the implementation of the technical and administrative measures taken within the scope of the Policy, the training and awareness of unit employees, the prevention of unlawful processing of personal data through monitoring and continuous inspection, the prevention of unlawful access to personal data and the protection of personal data. They actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to ensure that personal data is stored in accordance with the law.
The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 2.
Table 2: Task Distributions
TITLE | UNIT | TASK
Company Chairman of the Board | FERSAN TEKSTİL TİC.VE SAN.LTD.ŞTİ. | Responsible for the employees to act in accordance with the Policy.
Human Resources Manager | Human Resources Department | Responsible for the preparation, development, execution, publication and updating of the Policy in the relevant media.
IT Manager | IT Department | Responsible for providing the technical solutions needed in the implementation of the Policy.
Accounting, Finance, Marketing-Sales, Foreign Trade Managers and Other Units | | Responsible for the execution of the Policy in accordance with their duties.
⦁ LEGAL LIABILITY
⦁ Obligation to Inform
The data controller is obliged to provide the following information to the person concerned, either personally or through the person he/she has authorized, during the acquisition of personal data within the framework of Article 10 of the Law:
• Identity of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose personal data can be transferred,
• Method and legal reason for collecting personal data,
• The other rights listed in Article 11 of the Law.
⦁ Obligation to Ensure Data Security
According to Article 12 of the Law on data security, the data controller is responsible for:
• Preventing the unlawful processing of personal data,
• Preventing unlawful access to personal data,
• Ensuring the protection of personal data.
⦁ PROCESSING OF PERSONAL DATA
We process Personal Data in accordance with the principles below:
⦁ Being in compliance with the law and honesty rules, being accurate and up-to-date when necessary, being processed for specific, clear and legitimate purposes, being limited and proportional to the purpose for which they are processed, being stored for the period required by the relevant legislation or for the purpose for which they are processed.
⦁ Processing of personal data and special categories of personal data:
⦁ Personal data is processed within the framework of the provisions of the 5th and 6th articles of the Law.
⦁ Processing of personal data of special nature: As mentioned in section 3 of this Policy, “Definitions and Abbreviations”, personal data that carries the risk of causing victimization or discrimination when processed unlawfully are designated as “special quality”. These data are processed by the Company in cases where the explicit consent of the relevant person is obtained within the framework of the rules stipulated by the Law or in cases stipulated by the relevant laws.
⦁ EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data belonging to third parties involved as employees, employee candidates, visitors, customers, suppliers and service providers are stored and destroyed by the Company in accordance with the Law.
In this context, detailed explanations regarding storage and disposal are given below, respectively.
⦁ Remarks on Storage
In Article 3 of the Law, the concept of processing personal data is defined; in Article 4 it is stated that the processed personal data should be related to the purpose for which they are processed, limited and measured, and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation; and the conditions for processing are listed. Accordingly, within the framework of our Company’s activities, personal data is stored for the period stipulated in the relevant legislation or for a period suitable for our processing purposes.
⦁ Legal Reasons Requiring Storage:
Personal data processed within the framework of the Company’s activities are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for as long as the storage periods stipulated within the framework of:
• Law No. 6698 on the Protection of Personal Data,
• Turkish Code of Obligations No. 6098,
• Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
• Law No. 6563 on the Regulation of Electronic Commerce,
• Turkish Commercial Code No. 6102,
• Vocational Education Law No. 3308,
• Social Insurance and General Health Insurance Law No. 5510,
• Occupational Health and Safety Law No. 6331,
• Labor Law No. 4857,
• Social Services Law No. 2828,
• Tax Procedure Law No. 213,
• Law No. 6502 on the Protection of Consumers,
• Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
• Other secondary regulations in force in accordance with these laws.
In cases where no time is stipulated in the laws, data is kept until the first periodic destruction following the elimination of the need for the data.
⦁ Processing Purposes Requiring Storage:
The Company stores the personal data it processes within the framework of its activities for the following purposes:
• To carry out human resources processes,
• To ensure internal and external communication,
• To ensure company security,
• To be able to perform statistical studies,
• To be able to perform work and transactions as a result of signed contracts and protocols,
• To ensure the fulfillment of legal obligations as required by legal regulations,
• To liaise with real / legal persons who have a business relationship with the Company,
• To make legal reports,
• To fulfill the obligation of proof as evidence in legal disputes that may arise in the future.
⦁ Reasons for Destruction:
Personal data is deleted or destroyed by the Company upon the request of the person concerned, or is deleted, destroyed or anonymized ex officio, in the following cases:
• Amendment or repeal of the provisions of the relevant legislation which are the basis for processing,
• The disappearance of the purpose that requires processing or storage,
• In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdrawing his explicit consent,
• The application made to the Company for the deletion and destruction of personal data within the framework of the rights of the person concerned, pursuant to Article 11 of the Law,
• In cases where the Company rejects the application made by the person concerned for the deletion, destruction or anonymization of his personal data, its answer is found insufficient, or it does not respond within the time stipulated in the Law, a complaint being made to the Board and this request being approved by the Board,
• The maximum period requiring the storage of personal data having passed, with no condition to justify keeping the personal data for a longer period.
⦁ TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, the Company takes technical and administrative measures, within the framework of the adequate measures determined and announced by the Board for personal data, in order to store personal data securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law.
⦁ Technical Measures
The technical measures taken by the company regarding the personal data it processes are listed below:
⦁ Network security and application security are provided.
⦁ Key management is implemented.
⦁ Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
⦁ The authorizations of employees who have a change of job or quit their job in this field are removed.
⦁ Current anti-virus systems are used.
⦁ Firewalls are used.
⦁ Personal data is backed up and the security of the backed up personal data is also ensured.
⦁ Existing risks and threats have been identified.
⦁ Encryption is done.
⦁ Awareness of data processing service providers on data security is ensured.
⦁ Administrative Measures
The administrative measures taken by the Company regarding the personal data it processes are listed below:
⦁ There are disciplinary regulations that include data security provisions for employees.
⦁ Training and awareness activities are carried out periodically for employees on data security.
⦁ Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
⦁ Confidentiality commitments are made.
⦁ Signed contracts contain data security provisions.
⦁ Personal data security policies and procedures have been determined.
⦁ Personal data security issues are reported quickly.
⦁ Personal data security is monitored.
⦁ Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
⦁ The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
⦁ The security of environments containing personal data is ensured.
⦁ Personal data is reduced as much as possible.
⦁ In-house periodic and/or random audits are conducted.
⦁ Protocols and procedures for special quality personal data security have been determined and implemented.
⦁ Personal data processing inventory has been prepared.
⦁ Before starting to process personal data, the company fulfills its obligation to inform the relevant persons.
⦁ PERSONAL DATA DISPOSAL METHODS
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data is destroyed by the Company, ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation, using the techniques specified below.
⦁ Deletion of Personal Data
Personal data is deleted with the methods given in Table-3.
Table 3: Deletion Methods of Personal Data
Data Recording Media | Description
Personal Data on the Servers | For the personal data on the servers that need to be stored, the system administrator removes the access authorization of the relevant users and performs the deletion.
Personal Data in the Electronic Media | The personal data in the electronic media, which require their storage, are rendered inaccessible and non-reusable for other employees (relevant users) except the database administrator.
Personal Data in the Physical Environment | Personal data kept in the physical environment whose time period has expired is rendered inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, blackening is applied by drawing over, painting over or erasing so that the data cannot be read.
Personal Data in Portable Media | The personal data kept in flash-based storage media, which require storage, are encrypted by the system administrator, access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys.
⦁ Destruction of Personal Data
Personal data is destroyed by the methods specified in Table-4 by the Company.
Table 4: Methods of Destruction of Personal Data
Data Recording Media | Description
Personal Data in the Physical Media | Among the personal data in paper media, those that have expired are irreversibly destroyed in paper shredders.
Personal Data in Optical/Magnetic Media | For expired personal data in optical and magnetic media, physical destruction such as melting, burning or pulverizing is applied. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic field.
⦁ Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
Anonymization renders personal data incapable of being associated with an identified or identifiable natural person, even when the data controller or third parties use techniques appropriate to the recording medium and the relevant field of activity, such as reversing the data and/or matching it with other data. Anonymization is carried out by the Company as stated above.
⦁ STORAGE AND DISPOSAL TIMES
Regarding the personal data processed by the Company within the scope of its activities:
• Storage periods for each item of personal data, for all personal data within the scope of activities carried out in connection with processes, are in the Personal Data Processing Inventory;
• Storage periods on the basis of data categories are recorded in VERBIS;
• Process-based retention periods are included in the Personal Data Retention and Disposal Policy.
If necessary, the Company updates the said retention periods.
For personal data whose storage period has expired, the deletion, destruction or anonymization process is carried out by the Data Controller.
Table 5: Process-based storage and disposal times table
PROCESS | STORAGE TIME | DISPOSAL TIME
Creation of Job Applications of Employee Candidates | 1 Year from the Application Date | In the first periodic destruction period following the end of the storage period
Execution of Human Resources Processes | 10 Years from the End of the Employment Contract | In the first periodic destruction period following the end of the storage period
Execution of Marketing Activities | 10 Years from the Expiry of the Agreement | In the first periodic destruction period following the end of the storage period
Execution of Financial Transactions | 10 Years from the Expiry of the Agreement | In the first periodic destruction period following the end of the storage period
Execution of Purchasing Activities | 10 Years from the Expiry of the Contract | In the first periodic destruction period following the end of the storage period
Execution of Accounting Transactions | 10 Years from the Expiry of the Agreement | In the first periodic destruction period following the end of the storage period
Log Record Tracking Systems | 10 Years | In the first periodic destruction period following the end of the storage period
Execution of Information Processing Activities | 1 Year | In the first periodic destruction period following the end of the storage period
Camera Recordings | 1 Year | In the first periodic destruction period following the end of the storage period
⦁ PERIODIC DISPOSAL TIMES
Pursuant to Article 11 of the Regulation, the Company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in the company in June and December every year.
⦁ PUBLISHING AND STORING THE POLICY
The Policy is published in two different media, wet-signed (printed paper) and electronic, and is also published on the website.
⦁ UPDATING THE POLICY
The policy is updated and republished as needed.
FERSAN TEKSTİL TİC. SAN. LTD. ŞTİ.