KVKK Personal Data Storage and Destruction Policy

PART 1: QUALITY AND PURPOSE OF THE STORAGE AND DESTRUCTION POLICY

ENTRY

This policy of disposal of ÇOPUROĞLU SANAYİ MALZEMELERİ İMALAT VE TİCARET ANONİM ŞİRKETİ (“ÇOPUROĞLU A.Ş.”) is related to the deletion, destruction or anonymization of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation. A.S. It has been prepared in order to determine the procedures and principles to be applied by In this context, our employees, employee candidates, customers and for any reason ÇOPUROĞLU A.Ş. Personal data of all real persons with personal data at their disposal are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.

DEFINITIONS

Buyer Group: The category of natural or legal persons to whom personal data is transferred by the data controller
Open Consent: Consent regarding a specific subject, based on information and expressed with free will. Anonymization: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Working: Personal Data Protection Authority staff.
EDMS: Electronic Document Management System

Electronic Environment: Media where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual and so on, other than electronic media. other environments.
Service Provider: A natural or legal person providing services within the framework of a specific contract with the Personal Data Protection Authority.
Related Person: The natural person whose personal data is processed.
Related User: Except for the person or unit responsible for the technical storage, protection and backup of the data, persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Personal Data Protection Law No. 6698.
Recording Media: Any medium containing personal data that is fully or partially automated or processed in non-automatic ways, provided that it is a part of any data recording system.
Personal Data: Any information pertaining to an identified or identifiable natural person.
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on the business processes; The inventory that they have created by associating with the data category, the recipient group and the data subject group of personal data processing purposes and the legal reason, explaining the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data: Prevention of obtaining, recording, storing, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automated or non-automatic means provided that they are part of any data recording system Any operations performed on such data.
Board: Personal Data Protection Board
Special Quality Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures and biometric and their genetic data.
Periodic Destruction: The process of deletion, destruction or anonymization specified in the personal data storage and destruction policy and to be carried out ex officio at repetitive intervals, in the event that all of the personal data processing conditions included in the Law are eliminated.
Policy: Personal Data Retention and Destruction Policy
Data Processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: A recording system in which personal data are structured and processed according to certain criteria.
Data Controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: The information system to be used by data controllers in application to the Registry and in other related transactions, accessible on the internet, created and managed by the Directorate.
VERBİS: Data Controllers Registry Information System
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
CHAPTER 2 ENVIRONMENTS AND SAFETY PRECAUTIONS
ENVIRONMENTS WHERE PERSONAL DATA IS STORED
ÇOPUROĞLU A.Ş. The personal data stored within the body are kept in a recording environment in accordance with the nature of the relevant data and our legal obligations.
The recording media used for the storage of personal data are generally listed below. However, some data may be kept in a different environment than the ones shown here due to their special characteristics or our legal obligations. ÇOPUROĞLU A.Ş. in any case, it acts as a data controller and processes and protects personal data in accordance with the Law, Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
ELECTRONIC ENVIRONMENTS
• Servers (Domain, backup, e-mail, database, web)
• Software (ERP Programs, Office Software)
• Personal Computers (Desktop, Laptop)
• Mobile Devices (Phone, Tablet)
• Removable Drives (USB, Memory Card etc.)
NON-ELECTRONIC ENVIRONMENTS
• Paper
• Manual data recording systems
• Written and Printed Invoice
• ENSURING THE SECURITY OF THE ENVIRONMENTS
ÇOPUROĞLU A.Ş. takes all necessary technical and administrative measures in accordance with the characteristics of the environment in which it is kept with the relevant personal data in order to prevent the safe storage of personal data and illegal processing and access.
These measures include, but are not limited to, the following administrative and technical measures to the extent that they are in line with the nature of the relevant personal data and the environment in which it is stored.
Technical Measures
• As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
• Access to information systems and authorization of users are done through access and authorization matrix and security policies over the corporate active directory.
• Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
• In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, physical security of edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems that prevent malicious software, etc.) are taken.
• Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.
• The Authority takes the necessary measures to ensure that the deleted personal data are inaccessible and unavailable for the relevant users.
• Security vulnerabilities are followed, appropriate security patches are installed and information systems are kept up-to-date.
• Strong passwords are used in electronic environments where personal data are processed.
• Data backup programs are used to ensure that personal data are kept securely.
• It is encrypted with SHA 256 Bit RSA algorithm by using secure protocol (HTTPS) to access the corporate website.
Administrative Measures
• In order to improve the quality of employees, information is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge skills, Law No. 657 and other relevant legislation.
• Confidentiality agreements are made to the employees regarding the activities carried out by the institution.
• Personal data processing inventory has been prepared.
SECTION 3: DISPOSAL OF PERSONAL DATA STORAGE AND REASONS OF DESTRUCTION
STORAGE REASONS
ÇOPUROĞLU A.Ş. The data of the employees kept within the company are kept in order to fulfill the financial and personal rights of the employees. Data belonging to customers are contracts made with customers, processing of invoice information, issuing checks, bills and other commercial documents, ÇOPUROĞLU A.Ş. are kept within the scope of the ERP program used by
REASONS OF DESTRUCTION
ÇOPUROĞLU A.Ş. Personal data within the body is deleted, destroyed or anonymized ex officio in accordance with this disposal policy, upon the request of the person concerned or in case the reasons listed in Articles 5 and 6 of the Law disappear. The reasons listed in articles 5 and 6 of the Law consist of the following:
• It is clearly stipulated in laws.
• It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• It is mandatory for the data controller to fulfill his legal obligation.
• It has been made public by the person concerned.
• When data processing is mandatory for the establishment, use or protection of a right.
• If data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
DISPOSAL METHODS
ÇOPUROĞLU A.Ş., in accordance with the Law and other legislation and the Personal Data Processing and Protection Policy, deletes the personal data, in case the reasons requiring the processing of the data disappear, upon the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy. , destroys or anonymizes. ÇOPUROĞLU A.Ş. The most commonly used deletion, destruction and anonymization techniques are listed below:
PERSONAL DATA IN THE PHYSICAL ENVIRONMENT
Those who have expired from the personal data in the paper environment, are irreversibly destroyed in the paper trimming machines.
PERSONAL DATA IN THE ELECTRONIC ENVIRONMENT
Those who have expired from the personal data in electronic environment are made inaccessible and unavailable in any way for other employees (relevant users), except for the database manager.
STORAGE AND DESTRUCTION PERIODS
STORAGE PERIODS
DATA OWNER
DATA CATORY
DATA RETENTION PERIOD
Working
 Recruitment documents and the Social Security Institution; Personal data based on notifications regarding service time and price It is kept for a period of 50 (fifty) years from the continuation and expiry of the service contract.
Working
 Recruitment documents and the Social Security Institution; Personal data excluding personal data based on notifications regarding service time and wages In the continuation of the service contract and the calendar year following its expiry, it is kept for 10 (ten) years from the beginning of the year.
Working
 Data in the Workplace Personal Health File It is kept for 30 (thirty) years following the continuation and expiry of the service contract.
Partner / Solution Partner / Consultant
 Business Partner / Solution Partner / Consultant and ÇOPUROĞLU A.Ş. Identity information, contact information, financial information, voice recordings taken from phone calls, Business Partner / Solution Partner / Consultant employee data Business Partner / Solution Partner / Consultant, ÇOPUROĞLU A.Ş. and for 10 years following the termination of the business / commercial relationship with the Turkish Code of Obligations and Article 82 of the Turkish Code of Obligations.
Visitor The Visitor’s name, surname, T.C.K.N. It is stored for 2 years.
Website Visitor Name, surname, e-mail address, navigation movements information of the Website Visitor It is stored for 2 years.
Customer Customer’s name, surname, T.R.K.N., contact information, payment information and methods, navigation information, product / service preferences, transaction history, special day information Each product / service purchased by the customer is kept for 10 years in accordance with the Turkish Code of Obligations Art.146 and Turkish Commercial Code Art.82.
Customer Camera images It is stored for a period of 1 month.
Potential Customer ÇOPUROĞLU A.Ş. Identity information, contact information, financial information obtained during the contract negotiations regarding the establishment of a commercial relationship between, It is stored for 2 years.
ÇOPUROĞ LU A.Ş. Institutions / Companies with which Cooperates (Supplier, Contract Manufacturer, Dealer / Franchise ÇOPUROĞLU A.Ş. Cooperating with the Institution / Firms ÇOPUROĞLU A.Ş. Identity information regarding the execution of the commercial relationship between, contact information, financial information, voice recordings taken from phone calls, data of the Institution / Company employee with which ÇOPUROĞLU A.Ş. ÇOPUROĞLU A.Ş. Cooperating with the Institutions / Companies, ÇOPUROĞLU A.Ş. and for 10 years following the termination of the business / commercial relationship with the Turkish Code of Obligations and Article 82 of the Turkish Code of Obligations.

The fact that a longer period is regulated in accordance with the legislation or the statute of limitations, limitation periods, retention periods, etc. in accordance with the legislation. In case a longer period is stipulated for the purpose, the periods in the provisions of the legislation are accepted as the maximum storage period.

DESTRUCTION TIMES

ÇOPUROĞLU A.Ş., in the first periodic destruction process following the date when the obligation to delete, destroy or anonymize personal data for which it is responsible in accordance with the Law, relevant legislation, Processing and Protection of Personal Data Policy and this Personal Data Storage and Destruction Policy, deletes, destroys or anonymizes data.

When the person concerned requests the deletion or destruction of his personal data by applying to ÇOPUROĞLU A.Ş. pursuant to Article 13 of the Law;

If all the conditions for processing personal data have disappeared; ÇOPUROĞLU A.Ş. It deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days from the day the request is received, by explaining its justification, with the appropriate disposal method. ÇOPUROĞLU A.Ş. In order for to be deemed to have received the request, the person concerned must have made his request in accordance with the Personal Data Processing and Protection Policy. ÇOPUROĞLU A.Ş., in any case, informs the person concerned about the transaction.

If all the conditions for processing personal data are not eliminated, this request is made by ÇOPUROĞLU A.Ş. In accordance with the third paragraph of Article 13 of the Law, the reason is explained and the rejection is notified to the relevant person in writing or electronically within thirty days at the latest.

PERIODIC DESTRUCTION

In the event that all the conditions for the processing of personal data included in the law are eliminated; ÇOPUROĞLU A.Ş. It deletes, destroys or anonymizes the personal data whose processing conditions have ceased to be carried out ex officio at repetitive intervals specified in this Personal Data Storage and Destruction Policy.

Periodic destruction processes start on 30.06.2018 for the first time and repeat every 6 (six) months.

SECTION 4 PERSONAL DATA COMMITTEE
ÇOPUROĞLU A.Ş. establishes a Personal Data Committee within its body. The Personal Data Committee is authorized and responsible for carrying out the necessary procedures and supervising the processes for the storage and processing of the data of the relevant persons in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy. The Personal Data Committee consists of three persons, one manager, one administrative expert and one technical expert. Working in the Personal Data Committee, ÇOPUROĞLU A.Ş. The titles and job descriptions of the employees are as follows:
Degree Job Description
Personal Data Committee Manager To direct all kinds of planning, analysis, research, risk determination studies in the projects carried out during the law compliance process The Law is obliged to manage the processes to be carried out in accordance with the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and to decide on the requests from the relevant persons.
KVK Specialist (Technical and Administrative) From the requests of the relevant persons to be examined and reported to the Personal Data Committee Manager for evaluation; Fulfillment of the processes regarding the requests of the relevant persons evaluated and decided by the Personal Data Committee Manager in accordance with the decision of the Personal Data Committee Manager; auditing the storage and disposal processes and reporting these audits to the Personal Data Committee Manager; It is responsible for the execution of the storage and disposal processes.

SECTION 5 UPDATE AND COMPLIANCE

ÇOPUROĞLU A.Ş. reserves the right to make changes in the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics.

Changes made to this Personal Data Storage and Destruction Policy are immediately entered into the text and explanations regarding the changes are announced at the end of the policy.

6. ENTRY INTO FORCE AND TERMINATION OF THE POLICY

The policy is deemed to have entered into force after its publication on the institution’s website. In case of a decision to annul it, old copies of the Policy with wet signature are annulled by the Board Decision (by stamping or canceled) and kept by the Committee for at least 5 years.

 

KVKK Clarification Text

ÇOPUROĞLU A.Ş. KVKK DISCLOSURE TEXT

Within the scope of the 10th article of the Law on the Protection of Personal Data No. 6698 and the Communiqué on the Procedures and Principles for Fulfilling the Disclosure Obligation, Çopuroğlu A.Ş. Your personal data that you have shared with our institution;

  1. It is processed by our company in order to fulfill our commercial obligations within the scope of our commercial activities and to fill in the commercial documents and documents required by the law, to provide better and more accurate service to our customers, to ensure the legal and commercial security of the people in business relations, and to determine commercial and business strategies.
  2. Our company, to fulfill its legal obligations, with your company and / or you, both before the establishment of the contractual relationship, after the establishment of the contractual relationship and throughout the continuation, through all kinds of information, documents and documents obtained in physical or electronic environment and for reasons stipulated in the laws. collects via physical or electronic media.
  3. Your personal data, In order to fulfill legal obligations in accordance with Income Tax Law, Tax Procedure Law, Social Insurance and General Health Insurance Law, Corporate Tax Law and Stamp Tax and applicable legislation, laws, regulations and communiqués, in particular; It can be transferred to authorized public institutions and organizations for tax return notifications.
  4. These personal data are collected on the condition that they do not harm the fundamental rights and freedoms of the person concerned, stated in Articles 5 and 6 of the Law.
    • It is mandatory for the legitimate interest of the data controller,
    • It is directly related to the establishment or performance of a contract and it is necessary to process personal data belonging to the parties of the contract “,
    • In order to fulfill the legal obligations in accordance with the Income Tax Law, Tax Procedure Law, Corporate Tax Law and Stamp Tax Law and applicable legislation, laws, regulations and communiqués, in particular;
      • Submission of declarations,
      • Carrying out shipping processes,
      • Conducting the approval processes of purchase offers and requests,
      • Within the scope of the controls affecting the purchasing process;
        1. Tracking and storing supplier information,
        2. Identifying the system,
        3. Registration and follow-up of checks in the system,
        4. Execution of daily cash transactions,
        5. Processing of credit memo,
        6. Carrying out financial and accounting transactions,
        7. Reconciliation,
        8. Payment transactions,
    • Regarding the execution of all commercial activities, it is processed and maintained for the reasonable period specified in the relevant legislation or until the purpose of processing is eliminated, and in any case, the legal time-out periods.
  5. Your requests within the scope of Article 11 of the Law “regulating the rights of the data subject” are sent to Çopuroğlu A.Ş. You can forward it to.
  6. Çopuroğlu A.Ş. Our Personal Data Storage and Destruction Policy has been published at www.copuroglu.com.tr.