MESAY AUTOMOTIVE INDUSTRY AND TRADE INC.

PERSONAL DATA STORAGE AND DISPOSAL POLICY

MESAY AUTOMOTIVE INDUSTRY AND TRADE INC. (“MESAY OTOMOTİV” or the “Company”) has prepared this Personal Data Retention and Destruction Policy (“Policy”) as a data controller, in order to fulfill our obligations pursuant to Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the Law and entered into force after being published in the Official Gazette dated 28 October 2017, and to inform data owners about the principles of determining the maximum storage period required for the purpose for which their personal data is processed and about the processes of deletion, destruction and anonymization.

In the deletion, destruction and anonymization of personal data by MESAY OTOMOTİV, the principles listed in Article 4 of the Law, the technical and administrative measures that must be taken within the scope of Article 12 and are specified in this Policy, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with. Unless a contrary decision is taken by the Board, we choose the appropriate method of deleting, destroying or anonymizing personal data ex officio. However, upon the request of the Relevant Person, the appropriate method will be chosen and the reason for the choice explained. In the event that the processing conditions for personal data in Articles 5 and 6 of the Law cease to exist, personal data is deleted, destroyed or anonymized by MESAY OTOMOTİV ex officio or upon the request of the person concerned.

1. INTRODUCTION

1.1 Purpose

This Personal Data Retention and Disposal Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the work and transactions related to the storage and destruction activities carried out by Mesay Otomotiv Sanayi Ve Ticaret A.Ş. (“Company” or “MESAY OTOMOTİV”). In line with the mission, vision and basic principles determined in the Strategic Plan, the Company prioritizes processing personal data belonging to company employees, employee candidates, service providers, visitors and other third parties in accordance with the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons use their rights effectively. Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.

1.2 Scope

Personal data belonging to company employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by the Company are processed, and in activities for personal data processing.

1.3 Abbreviations and Definitions

Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Employee: MESAY AUTOMOTIVE personnel.

Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Media: All written, printed, visual and other media other than electronic media.

Relevant Person: The natural person whose personal data is processed.

Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Law on Protection of Personal Data No. 6698.

Recording Environment: Any environment containing personal data that is processed by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory: The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes, created by associating these activities with the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, and by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data: Any kind of operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.

Special Qualified Personal Data: Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Registration System: A registration system in which personal data is processed and structured according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and in other related transactions.

VERBIS: Data Controllers Registry Information System.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

 

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Company are responsible for the implementation of the technical and administrative measures taken within the scope of the Policy, the training and awareness of unit employees, the prevention of unlawful processing of personal data, the prevention of unlawful access to personal data, and the monitoring and continuous supervision of personal data. They actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to ensure that personal data is stored in accordance with the law.

 

3. RECORDING ENVIRONMENTS

Electronic Media:

· Servers (domain, backup, e-mail, database, web, file sharing, etc.)

· Software (office software, portal)

· Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)

· Personal computers (desktop, laptop)

· Mobile devices (phone, tablet, etc.)

· Optical discs (CD, DVD, etc.)

· Removable memories (USB, memory card, etc.)

· Printer, scanner, copier

Non-Electronic Media:

· Paper

· Manual data recording systems (survey forms, visitor logbook)

· Written, printed and visual media

 

4. EXPLANATIONS ON STORAGE AND DISPOSAL

Personal data belonging to employees, employee candidates, visitors, and the employees of third parties, institutions or organizations that the Company is in contact with as service providers are stored and destroyed by the Company in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively.

4.1 Remarks on Retention

Article 3 of the Law defines the concept of processing personal data. Article 4 states that processed personal data must be relevant, limited and proportionate to the purpose for which they are processed, and must be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. Accordingly, within the framework of our Company's activities, personal data is stored for the period stipulated in the relevant legislation or for a period suitable for our processing purposes.

4.1.1 Legal Reasons for Retention

Personal data processed in the Company within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for the storage periods stipulated within the framework of the following laws and the other secondary regulations in force in accordance with these laws:

· Law on Protection of Personal Data No. 6698,

· Turkish Code of Obligations No. 6098,

· Turkish Commercial Code No. 6102,

· Social Insurance and General Health Insurance Law No. 5510,

· Arrangement of Broadcasts on the Internet No. 5651 and These Broadcasts

· Occupational Health and Safety Law No. 6331,

· Law on Access to Information No. 4982,

· Law No. 3071 on the Use of the Right to Petition,

· Labor Law No. 4857,

· Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,

· Regulation on Archive Services.

4.1.2 Processing Purposes Requiring Storage

The company stores the personal data it processes within the framework of its activities for the following purposes.

· Carrying out human resources processes.

· Ensuring corporate communication.

· Ensuring company security.

· To be able to perform statistical studies.

· To be able to perform work and transactions as a result of signed contracts and protocols.

· To determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors within the scope of VERBIS, to organize the services provided accordingly and to update them if necessary.

· Ensuring the fulfillment of legal obligations as required or mandated by legal regulations.

· Liaising with real / legal persons who have a business relationship with the company.

· Making legal reports.

· Fulfilling the obligation to provide proof, as evidence, in legal disputes that may arise in the future.

 

4.2 Reasons for Disposal

Personal data is deleted, destroyed or anonymized by the Company, either at the request of the person concerned or ex officio, in the following cases:

· The provisions of the relevant legislation that form the basis for processing are changed or repealed,

· The purpose that requires processing or storage ceases to exist,

· In cases where the processing of personal data takes place only on the basis of explicit consent, the person concerned withdraws their explicit consent,

· The Company accepts the application made by the person concerned, within the framework of their rights pursuant to Article 11 of the Law, regarding the deletion and destruction of their personal data,

· In cases where the Company rejects the application made by the person concerned for the deletion, destruction or anonymization of their personal data, its answer is found insufficient, or it does not respond within the time stipulated in the Law, a complaint is made to the Board and this request is approved by the Board,

· The maximum period requiring the storage of personal data has passed and there are no conditions to justify keeping personal data for a longer period of time.

 

 

5. ADMINISTRATIVE AND TECHNICAL MEASURES

In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, and within the framework of the adequate measures determined and announced by the Board, the Company takes technical and administrative measures for personal data to be stored securely, to prevent its illegal processing and access, and to destroy personal data in accordance with the law.

 

5.1 Administrative Measures

The administrative measures taken by the company regarding the personal data it processes are listed below:

· Trainings are provided on Law No. 6698 and other relevant legislation in order to improve the quality of employees, to prevent the illegal processing of personal data, to prevent illegal access to personal data, and to ensure the protection of personal data.

· Employees are informed about confidentiality regarding the activities carried out by the Company, and the Company fulfills the obligation to inform the relevant persons before processing personal data.

· Personal data processing inventory has been prepared.

· Periodic and random audits are carried out within the company.

· In case the processed personal data is obtained by others unlawfully, the Company notifies the person concerned and the Board as soon as possible.

 

5.2 Technical Measures

The technical measures taken by the Company regarding the personal data it processes are listed below:

· Necessary measures are taken for the physical security of the company's information systems equipment, software and data.

· Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.

· Accesses to the storage areas where personal data are stored are recorded and inappropriate accesses or access attempts are kept under control.

· The Company takes the necessary measures to make deleted personal data inaccessible and non-reusable for the relevant users.

· Security vulnerabilities are monitored and appropriate security patches are installed and information systems are kept up-to-date.

· Data backup programs are used to keep personal data safe.

· Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security.

· Access to personal data stored in electronic or non-electronic media is limited according to access principles.

 

6. PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which they are processed, personal data is destroyed by the Company, ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation and using the following techniques.

 

6.1 Deletion of Personal Data

Personal data is deleted by the following methods.

 

Personal Data on Servers: For personal data on servers whose required storage period has expired, the system administrator removes the access authorization of the relevant users and deletes the data.

 

Personal Data in the Electronic Media: Personal data in electronic media whose required storage period has expired are rendered inaccessible and non-reusable in any way for other employees (relevant users), except the database administrator.

 

Personal Data in Physical Environment: For personal data kept in the physical environment whose required storage period has expired, the documents are made inaccessible and non-reusable for other employees, except the relevant manager. In addition, blackening is applied by drawing over, painting over or erasing the data in a way that it cannot be read.

 

Personal Data in Portable Media: Personal data kept in flash-based storage media whose required storage period has expired are encrypted by the system administrator, with access authorization given only to the system administrator, and are stored in secure environments with encryption keys.

 

6.2 Destruction of Personal Data

Personal data is destroyed by the Company by the methods given below.

Personal Data in the Physical Media: Personal data in paper media whose required storage period has expired are irreversibly destroyed in paper shredders.

 

Personal Data in Optical / Magnetic Media: Personal data in optical media and magnetic media are physically destroyed by methods such as melting, burning or pulverizing.

 

6.3 Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the process by the data controller or third parties and/or matching the data with other data.

 

7. STORAGE AND DISPOSAL TIMES

For the personal data processed by the Company within the scope of its activities, retention periods are determined per data category for all personal data within the scope of the activities carried out depending on processes. For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Data Liaison Officer or the relevant unit manager determined by the Data Controller. The table of storage and destruction periods on the basis of processes is as follows.

 

| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Company Transaction | 10 years | At the first periodic disposal period following the end of the storage period |
| Preparation of contracts | 10 years after the expiration of the contract | At the first periodic disposal period following the end of the storage period |
| Execution of Company Communication Activities | 10 years after the end of the activity | At the first periodic disposal period following the end of the storage period |
| Execution of Human Resources Processes | 10 years after the end of the activity | At the first periodic disposal period following the end of the storage period |
| Execution of Hardware and Software Access Processes | 2 years | At the first periodic disposal period following the end of the storage period |
| Registration of visitors and meeting attendees | 2 years after the end of the event | At the first periodic disposal period following the end of the storage period |
| Camera Recordings | 2 years | At the first periodic disposal period following the end of the storage period |

 

 

8. PERIODIC DISPOSAL TIME

Pursuant to Article 11 of the Regulation, the Company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in the Company in June and December each year.

 

9. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also stored in the relevant folder of the Data Controller.

 

10. POLICY UPDATE PERIOD

The policy is reviewed as needed and the necessary sections are updated.

 

11. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The Policy is deemed to have entered into force after its publication on the Company's website. If it is decided to revoke the Policy, old copies of the Policy with wet signatures are canceled and signed by the Data Controller (with the cancellation stamp or written cancellation) and stored in the relevant folder of the Data Controller for at least 5 years.

 

 

Mesay Automotive Industry and Trade Inc.
