PART 1: QUALITY AND PURPOSE OF THE STORAGE AND DESTRUCTION POLICY
This storage and destruction policy has been prepared in order to determine the procedures and principles to be applied by ÇOPUROĞLU SANAYİ MALZEMELERİ İMALAT VE TİCARET ANONİM ŞİRKETİ (“ÇOPUROĞLU A.Ş.”) regarding the deletion, destruction or anonymization of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation. In this context, the personal data of our employees, employee candidates, customers and all real persons whose personal data ÇOPUROĞLU A.Ş. holds for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
Buyer Group: The category of natural or legal persons to whom personal data is transferred by the data controller
Open Consent: Consent regarding a specific subject, based on information and expressed with free will.
Anonymization: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Working: Personal Data Protection Authority staff.
EDMS: Electronic Document Management System
Policy: Personal Data Retention and Destruction Policy
Data Processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: A recording system in which personal data are structured and processed according to certain criteria.
Data Controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: The information system to be used by data controllers in application to the Registry and in other related transactions, accessible on the internet, created and managed by the Directorate.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
ENVIRONMENTS WHERE PERSONAL DATA IS STORED
The recording media used for the storage of personal data are generally listed below. However, some data may be kept in a different environment than the ones shown here due to their special characteristics or our legal obligations. In any case, ÇOPUROĞLU A.Ş. acts as a data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
• Software (ERP Programs, Office Software)
• Personal Computers (Desktop, Laptop)
• Mobile Devices (Phone, Tablet)
• Removable Drives (USB, Memory Card etc.)
• Manual data recording systems
• Written and Printed Invoice
ENSURING THE SECURITY OF THE ENVIRONMENTS
These measures include, but are not limited to, the following administrative and technical measures to the extent that they are in line with the nature of the relevant personal data and the environment in which it is stored.
• Access to information systems and authorization of users are done through access and authorization matrix and security policies over the corporate active directory.
• Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
• In order to ensure the security of information systems against environmental threats, hardware measures (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, physical security of edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, attack prevention systems, network access control, systems that prevent malicious software, etc.) are taken.
• Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.
• The Authority takes the necessary measures to ensure that the deleted personal data are inaccessible and unavailable for the relevant users.
• Security vulnerabilities are followed, appropriate security patches are installed and information systems are kept up-to-date.
• Strong passwords are used in electronic environments where personal data are processed.
• Data backup programs are used to ensure that personal data are kept securely.
• Access to the corporate website is encrypted with the SHA 256 Bit RSA algorithm by using a secure protocol (HTTPS).
• Confidentiality agreements are made with the employees regarding the activities carried out by the institution.
• Personal data processing inventory has been prepared.
• It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• It is mandatory for the data controller to fulfill his legal obligation.
• It has been made public by the person concerned.
• When data processing is mandatory for the establishment, use or protection of a right.
• If data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Personal data in the paper environment whose retention period has expired are irreversibly destroyed in paper trimming machines.
Personal data in the electronic environment whose retention period has expired are made inaccessible and unavailable in any way for other employees (relevant users), except for the database manager.
DATA RETENTION PERIOD
|Personal data on which recruitment documents and notifications to the Social Security Institution regarding service time and wages are based||It is kept during the service contract and for a period of 50 (fifty) years from its expiry.|
|Personal data other than those on which recruitment documents and notifications to the Social Security Institution regarding service time and wages are based||It is kept during the service contract and for 10 (ten) years from the beginning of the calendar year following its expiry.|
|Data in the Workplace Personal Health File||It is kept during the service contract and for 30 (thirty) years following its expiry.|
|Partner / Solution Partner / Consultant||Business Partner / Solution Partner / Consultant and ÇOPUROĞLU A.Ş. Identity information, contact information, financial information, voice recordings taken from phone calls, Business Partner / Solution Partner / Consultant employee data||It is stored during the business / commercial relationship of the Business Partner / Solution Partner / Consultant with ÇOPUROĞLU A.Ş. and for 10 years following its termination, in accordance with the Turkish Code of Obligations and Article 82 of the Turkish Code of Obligations.|
|Visitor||The Visitor’s name, surname, T.C.K.N.||It is stored for 2 years.|
|Website Visitor||Name, surname, e-mail address, navigation movements information of the Website Visitor||It is stored for 2 years.|
|Customer||Customer’s name, surname, T.R.K.N., contact information, payment information and methods, navigation information, product / service preferences, transaction history, special day information||The data are kept for 10 years for each product / service purchased by the customer, in accordance with the Turkish Code of Obligations Art.146 and Turkish Commercial Code Art.82.|
|Customer||Camera images||It is stored for a period of 1 month.|
|Potential Customer||Identity information, contact information and financial information obtained during the contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and ÇOPUROĞLU A.Ş.||It is stored for 2 years.|
|Institutions / Companies with which ÇOPUROĞLU A.Ş. Cooperates (Supplier, Contract Manufacturer, Dealer / Franchise)||Identity information, contact information, financial information and voice recordings taken from phone calls regarding the execution of the commercial relationship between ÇOPUROĞLU A.Ş. and the Institutions / Companies with which it cooperates; data of the employees of the Institution / Company with which ÇOPUROĞLU A.Ş. cooperates||It is stored during the business / commercial relationship between ÇOPUROĞLU A.Ş. and the Institutions / Companies with which it cooperates and for 10 years following its termination, in accordance with the Turkish Code of Obligations and Article 82 of the Turkish Code of Obligations.|
If a longer period is regulated in accordance with the legislation, or a longer period is stipulated in the legislation for statutes of limitations, limitation periods, retention periods, etc., the periods in the provisions of the legislation are accepted as the maximum storage period.
ÇOPUROĞLU A.Ş. deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible arises in accordance with the Law, relevant legislation, the Processing and Protection of Personal Data Policy and this Personal Data Storage and Destruction Policy.
When the person concerned requests the deletion or destruction of his personal data by applying to ÇOPUROĞLU A.Ş. pursuant to Article 13 of the Law;
If all the conditions for processing personal data have disappeared, ÇOPUROĞLU A.Ş. deletes, destroys or anonymizes the personal data subject to the request with the appropriate disposal method within 30 (thirty) days from the day the request is received, explaining its justification. For ÇOPUROĞLU A.Ş. to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. ÇOPUROĞLU A.Ş., in any case, informs the person concerned about the transaction.
If not all the conditions for processing personal data have been eliminated, this request is handled by ÇOPUROĞLU A.Ş. in accordance with the third paragraph of Article 13 of the Law: the reason is explained and the rejection is notified to the relevant person in writing or electronically within thirty days at the latest.
In the event that all the conditions for the processing of personal data included in the Law are eliminated, ÇOPUROĞLU A.Ş. deletes, destroys or anonymizes, ex officio and at the recurring intervals specified in this Personal Data Storage and Destruction Policy, the personal data whose processing conditions have ceased to exist.
Periodic destruction processes start on 30.06.2018 for the first time and repeat every 6 (six) months.
|Personal Data Committee Manager||Directs all kinds of planning, analysis, research and risk determination studies in the projects carried out during the law compliance process; is obliged to manage the processes to be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and to decide on the requests from the relevant persons.|
|KVK Specialist (Technical and Administrative)||Is responsible for examining the requests of the relevant persons and reporting them to the Personal Data Committee Manager for evaluation; fulfilling the processes regarding the requests of the relevant persons evaluated and decided on by the Personal Data Committee Manager, in accordance with the decision of the Personal Data Committee Manager; auditing the storage and disposal processes and reporting these audits to the Personal Data Committee Manager; and executing the storage and disposal processes.|
SECTION 5 UPDATE AND COMPLIANCE
ÇOPUROĞLU A.Ş. reserves the right to make changes in the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics.
Changes made to this Personal Data Storage and Destruction Policy are immediately entered into the text and explanations regarding the changes are announced at the end of the policy.
6. ENTRY INTO FORCE AND TERMINATION OF THE POLICY
The policy is deemed to have entered into force after its publication on the institution’s website. In case of a decision to annul it, old copies of the Policy with wet signature are annulled by the Board Decision (by stamping or marking them as canceled) and kept by the Committee for at least 5 years.