GDPR
PERSONAL DATA STORAGE AND DISPOSAL POLICY
1. INTRODUCTION
1.1.Purpose
Personal Data Retention and Destruction Policy (Policy), ÜNALSAN METAL VE MAKİNA SANAYİ TİCARET A.Ş (hereinafter referred to as ÜNALSAN A.Ş.) as the data controller of the personal data we hold in accordance with the Law on Protection of Personal Data No. 6698 and other legislation. It has been prepared in order to determine the procedures and principles regarding the works and transactions related to storage and destruction activities.
UNALSAN A.S.; in line with its mission, vision and basic principles; ÜNALSAN A.Ş employees, employee candidates, service providers, visitors and other third parties personal data belonging to T.R. Its Constitution has prioritized it to be processed in accordance with international conventions, the Law on the Protection of Personal Data No. 6698 and other relevant legislation, and to ensure that the relevant persons use their rights effectively.
Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by ÜNALSAN A.Ş.
1.2.Scope
Personal data belonging to ÜNALSAN A.Ş employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy, and all recording media owned by ÜNALSAN A.Ş. or managed by ÜNALSAN A.Ş. This Policy is applied in activities related to
1.3. Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Relevant Person: The natural person whose personal data are processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Law: Law on Protection of Personal Data No. 6698
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data
Board: Personal Data Protection Board.
Special Qualified Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data. and genetic data.
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, by explaining the maximum storage period required for the purposes for which personal data is processed, personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Recording Environment: Any environment in which personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Destruction: Deletion, destruction or anonymization of personal data.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable for the relevant users in any way.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.
Policy: ÜNALSAN A.Ş’s Personal Data Retention and Destruction
2. RECORDING ENVIRONMENTS
The personal data of the data owners are safely stored by ÜNALSAN A.Ş in the following environments in accordance with the relevant legislation, especially the provisions of the Personal Data Protection Law, and within the framework of international data security principles.
The recording media used for the storage of personal data are generally listed below. However, some data may be kept in a different environment than the ones shown here, due to their special qualities or our legal obligations. In any case, ÜNALSAN A.Ş acts as a data controller and processes and protects personal data in accordance with the Law and this Personal Data Retention and Disposal Policy.
physical environments;
Paper, written, printed, visual media,
unit cabinets,
Archive
Electronic media;
Digital media such as servers, fixed or portable disks, optical disks within the body of ÜNALSAN A.Ş.
Servers (domain, backup, email database, web, file sharing, etc.)
Software (office software, portal, EBYS, VERBIS)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
personal computers,
Mobile devices (phone, tablet, etc.),
Printer, scanner, copier,
3. EXPLANATIONS ON STORAGE AND DISPOSAL
3.1. Remarks on Storage
In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the processed personal data should be related to the purpose for which they are processed, limited and measured, and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. conditions are counted.
Personal data belonging to the persons concerned are stored by ÜNALSAN A.Ş in a secure manner, in physical or electronic environments, in order to maintain commercial activities, fulfill legal obligations, plan and perform employee rights and fringe benefits, and manage customer relations. It is stored within the limits specified in the legislation and for a period of time stipulated in the relevant legislation or suitable for our processing purposes.
3.1.1. Reasons for Containment
Storing personal data as it is directly related to the establishment and performance of contracts,
Storing personal data for the purpose of establishing, exercising or protecting a right,
It is obligatory to keep personal data for the legitimate interests of ÜNALSAN A.Ş, provided that it does not harm the fundamental rights and freedoms of individuals,
Storing personal data in order for ÜNALSAN A.Ş to fulfill any of its legal obligations,
Explicitly stipulating the storage of personal data in the legislation,
Explicit consent of data owners in terms of storage activities that require the explicit consent of data owners.
3.1.2. Processing Purposes Requiring Storage
Carrying out human resources processes,
Creating a current card,
To provide corporate communication,
Ensuring company security,
To be able to perform statistical studies,
To be able to perform work and transactions as a result of signed contracts and protocols,
Within the scope of VERBIS, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, arranging the services provided accordingly and updating them if necessary,
Ensuring the fulfillment of legal obligations as required or mandated by legal regulations,
To contact real / legal persons who have a business relationship with the company,
Making legal reports,
Managing call center processes,
Obligation of proof as evidence in legal disputes that may arise in the future.
3.2. Explanations on Disposal and Reasons for Disposal
In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by ÜNALSAN A.Ş ex officio or upon request in the cases listed below.
Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
The disappearance of the purpose that requires the processing or storage of personal data,
In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
The data controller accepts the application of the person concerned for the deletion, destruction or anonymization of his personal data within the framework of his rights in Article 11 of the Law,
In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his personal data, his response is found insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
Although the maximum period for keeping personal data has passed, there are no conditions to justify keeping personal data for a longer period of time,
4. STORAGE AND DISPOSAL TIMES
The following criteria are used to determine the retention and destruction periods of your personal data obtained by ÜNALSAN A.Ş in accordance with the Law and other relevant legislation;
If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with. After the expiry of the aforementioned period, the data is processed within the scope of the following article.
In the event that the period stipulated in the legislation regarding the storage of the said personal data expires or if no period is stipulated in the relevant legislation regarding the storage of the said data, respectively;
a) Personal data is classified as personal data and special quality personal data, based on the definition in Article 6 of the Law. All personal data determined to be of a private nature will be destroyed. The method to be applied in the destruction of the said data is determined according to the nature of the data and the degree of importance of its storage to ÜNALSAN A.Ş.
b) Compliance of data storage with the principles specified in Article 4 of the Law, for example; It is questioned whether ÜNALSAN A.Ş. has a legitimate purpose in storing the data. Data that are detected to be kept in violation of the principles set forth in Article 4 of the Law are deleted, destroyed or anonymized.
c) It is determined which of the exceptions stipulated in Articles 5 and 6 of the Law that data storage can be evaluated within the scope of. Within the framework of the detected exceptions, reasonable periods for data storage are determined. In the event of the expiration of such periods, the data is deleted, destroyed or anonymized.
Personal data, whose storage period has expired, is anonymized or destroyed in 6 (six) monthly periods in accordance with the procedures set forth in this Policy, within the framework of destruction periods. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.
Regarding the personal data being processed by ÜNALSAN A.Ş within the scope of its activities;
The retention periods on the basis of personal data regarding all personal data within the scope of the activities carried out in connection with the processes are in the Personal Data Processing Inventory;
Storage periods on the basis of data categories are recorded in VERBIS;
Process-based retention periods are included in the Personal Data Retention and Disposal Policy.
Updates are made on the said retention periods, if necessary.
Process-based storage and disposal times table
PERIOD | STORAGE PERIOD | DISPOSAL TIME |
Evaluation of job applications | 1 year | At the first periodic disposal period following the end of the storage period |
Managing Human Resources processes | 10 years after the expiration of the contract | At the first periodic disposal period following the end of the storage period |
Transactions for customer employees | 10 years | At the first periodic disposal period following the end of the storage period |
Sales, marketing and purchasing activities | 10 years | At the first periodic disposal period following the end of the storage period |
accounting transactions | 10 years | At the first periodic disposal period following the end of the storage period |
Preparation of contracts | 10 years after the expiration of the contract | At the first periodic disposal period following the end of the storage period |
Camera footage, audio recordings from phone calls | 1 month | At the first periodic disposal period following the end of the storage period |
5. PERIODIC DISPOSAL TIME
In accordance with Article 11 of the regulation, ÜNALSAN A.Ş has determined the period of periodic destruction as 6 months. Periodic destruction processes first start in December 2020 and repeat every 6 (six) months.
6. TECHNICAL AND ADMINISTRATIVE MEASURES
Article 12 of the Law and 6/4 of the Law for the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law. Technical and administrative measures are taken by ÜNALSAN A.Ş within the framework of adequate measures determined and announced by the Board for sensitive personal data pursuant to the article.
6.1. Technical Measures
The technical measures taken by ÜNALSAN A.Ş regarding the personal data it processes are listed below:
With the penetration tests, the risks, threats, vulnerabilities and vulnerabilities, if any, regarding the information systems of ÜNALSAN A.Ş are revealed and necessary precautions are taken.
As a result of real-time analyzes with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
Access to information systems and authorization of users are made through security policies through the access and authorization matrix and the corporate active directory.
Necessary measures are taken for the physical security of information systems equipment, software and data of ÜNALSAN A.Ş.
In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software. Measures are taken (firewalls, attack prevention systems, network access control, systems preventing malware, etc.).
Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.
Access procedures are established within ÜNALSAN A.Ş, and reporting and analysis studies are carried out regarding access to personal data.
Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored.
ÜNALSAN A.Ş takes the necessary measures to ensure that the deleted personal data is inaccessible and reusable for the relevant users.
In the event that personal data is obtained by others unlawfully, a system and infrastructure has been established by ÜNALSAN A.Ş. to notify the relevant person and the Board.
Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
Strong passwords are used in electronic environments where personal data is processed.
Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
Data backup programs are used to keep personal data safe.
Access to personal data stored in electronic or non-electronic media is limited according to access principles.
Accessing the ÜNALSAN A.Ş internet page is encrypted with the SHA 256 Bit RSA algorithm using a secure protocol (HTTPS).
A separate policy has been determined for the security of sensitive personal data.
Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
Electronic environments in which sensitive personal data are processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of environments are constantly monitored, necessary security tests are regularly performed/have the test results recorded, to be taken under,
Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.
If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the sFTP method. If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “confidential” format.
6.2. Administrative Measures
The administrative measures taken by ÜNALSAN A.Ş regarding the personal data it processes are listed below:
Trainings are provided on prevention of illegal processing of personal data, prevention of illegal access to personal data, protection of personal data, communication techniques, technical knowledge, skills and relevant legislation in order to improve the quality of employees.
Confidentiality agreements are signed by the employees regarding the activities carried out by ÜNALSAN A.Ş.
A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
Before starting to process personal data, ÜNALSAN A.Ş fulfills its obligation to inform the relevant persons.
Personal data processing inventory has been prepared.
Periodic and random audits are carried out within the company.
Information security trainings are provided for employees.
7. PERSONAL DATA DISPOSAL TECHNIQUES
At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by ÜNALSAN A.Ş., ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the following techniques.
7.1. Deletion of Personal Data
Personal data on servers; The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired.
Personal data in electronic environment; Among the personal data in the electronic environment, the ones whose period has expired are rendered inaccessible and non-usable for the relevant users, except for the database administrator.
However, if the deletion of personal data will result in inability to access and use other data within the system, provided that the following conditions are met, personal data will be deemed deleted if the personal data is archived in a way that it cannot be associated with the person concerned.
a) It is closed to the access of any other institution, organization or person,
b) Taking all necessary technical and administrative measures to ensure that only authorized persons can access personal data.
Personal data in the physical environment; Among the personal data kept in the physical environment, it is made inaccessible and unusable in any way for the relevant users, except for the unit manager responsible for the document archive, for those whose period has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.
Personal data contained in portable media; Of the personal data kept in flash-based storage media, the expired personal data is encrypted by the system administrator and the access authorization is given only to the system administrator, and are stored in secure environments with encryption keys.
Personal data in the physical environment; Of the personal data in the paper media, the ones that have expired, are irreversibly destroyed in the paper clipping machines.
Personal data contained in optical and magnetic media; The physical destruction of the personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic field.
7.3. Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
Variable subtraction; It is the removal of one or more of the direct identifiers included in the personal data of the data subject and which will help to identify the person concerned in any way.
This method can be used to anonymize personal data, or it can also be used for deletion of personal data if there is information that is not suitable for the purpose of data processing.
Generalization; It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information.
8. UPDATING THE POLICY
ÜNALSAN A.Ş reserves the right to make changes in the Personal Data Processing and Protection Policy or this Personal Data Retention and Disposal Policy due to the changes made in the Law or in line with the developments in the sector or in the field of informatics.
Changes made in this Personal Data Retention and Disposal Policy are immediately processed in the text and explanations regarding the changes are announced at the end of the policy.
9. ENFORCEMENT AND IMPLEMENTATION
This Policy prepared by ÜNALSAN A.Ş is deemed to have entered into force after its publication on the website. In case of incompatibility between KVKK and other relevant legislation provisions and this Policy, KVKK and other relevant legislation provisions will be applied first.