MARTAŞ OTOMOTİV YEDEK PARÇA TİC. VE SAN. A.Ş. PERSONAL DATA STORAGE AND DESTRUCTION POLICY
CONTENTS
1. PURPOSE
2. SCOPE
3. DEFINITIONS
4. RECORDING MEDIA WHERE PERSONAL DATA IS STORED
5. LEGAL AND TECHNICAL REASONS REQUIRING STORAGE AND DESTRUCTION OF PERSONAL DATA
6. PERSONAL DATA STORAGE AND STORAGE PERIODS TABLE AND INFORMATION ON PERIODIC DESTRUCTION PERIODS
7. METHODS AND MEASURES FOR DESTRUCTION OF PERSONAL DATA
7.1. Methods for Deletion and Destruction of Personal Data
7.2. Methods for Anonymizing Personal Data
7.2.1. Masking
7.2.2. Removal of Variables
7.2.3. Removal of Records
7.2.4. Randomization
7.2.4.1. Data Hashing
7.2.4.2. Addition of Noise
7.3. Measures Taken for the Lawful Destruction of Personal Data
8. TECHNICAL AND ADMINISTRATIVE MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA
8.1. Technical Measures for the Security of Personal Data
8.2. Administrative Measures for the Security of Personal Data
9. PERSONS INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES OF PERSONAL DATA AND THEIR RESPONSIBILITIES
10. UPDATE PERIOD
11. ENFORCEMENT
12. REPEAL OF THE POLICY
1. PURPOSE
… (Company Trade Name) pays attention to the storage and destruction of personal data of real persons, including our visitors, guests, suppliers, business contacts, job candidates and employees, in accordance with the relevant legislation, primarily the Constitution of the Republic of Turkey, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which was published in the Official Gazette dated 28.10.2017 and numbered 30224 and entered into force, as well as the destruction of such data as required and in a timely manner.For this reason, we determine and carry out the maximum period required for the purpose for which all personal data we obtain during the business processes we carry out as the data controller, and the periods and procedures regarding their destruction in accordance with this Personal Data Storage and Destruction Policy (“Policy”).
In addition, during the storage and destruction of personal data, we take all kinds of technical and administrative measures to prevent the unlawful storage and destruction of these data. As Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., we attach importance to the protection of privacy in the storage and destruction of personal data and observe data security at the highest level.
This Policy includes explanations about the methods we follow for the storage and destruction of personal data obtained during our activities in the automotive sector.
2. SCOPE
This Policy covers all personal data of our visitors, guests, suppliers, employees, job candidates, business partners, business contacts, users who interact with us through our website or social networks and other third parties processed by Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş.The Policy covers all personal data of Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş. is related to the storage and destruction of these personal data processed by the Company in all kinds of electronic and printed media, and has been handled and prepared by taking into account the KVKK and other legislation on personal data, as well as international regulations and guiding documents in this field.
3. DEFINITIONS
This section briefly explains the technical and legal concepts mentioned in the Policy. Accordingly;a. Destruction: The process of deleting, destroying or anonymizing personal data,
b. Relevant user: The person who processes personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data,
c. Law: The Law on the Protection of Personal Data No. 6698 dated 7/4/2016,
ç. Personal data: Information belonging to any person whose identity is known or can be determined,
d. Personal data storage and destruction policy: The policy that data controllers base on the process of determining the maximum period required for the purpose for which personal data is processed and the deletion, destruction and anonymization process,
e. Anonymization of personal data: Making personal data incapable of being associated with an identified or identifiable natural person, even if it is matched with other data,
f. Erasure of personal data: Making personal data processed completely or partially by automatic means inaccessible and reusable by the relevant users in any way,
g. Destruction of personal data: Making personal data inaccessible, irretrievable and reusable by anyone in any way,
ğ. Periodic destruction: The deletion, destruction or anonymization process specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals in the event that all of the processing conditions for personal data specified in the law are eliminated,
h. Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
i. Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was published in the Official Gazette dated 28.10.2017 and numbered 30224 and entered into force.
4. RECORDING ENVIRONMENTS WHERE PERSONAL DATA IS STORED
As Martas Otomotiv Yedek Parça Tic. ve San. A.Ş., in order to store the personal data we obtain while performing our activities in the automotive sector in accordance with the legal periods;Recording Environments
Physical/Printed
Digital/Electronic
Folders,
Files etc.
Databases, File sharing servers
External disks,
USB disks,
Application automations
(B2B, CRM and ERP),
DataCenter, Cloud environments etc.
5. LEGAL AND TECHNICAL REASONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA
Many regulations in the legislation require the storage of personal data for a certain period of time. For this reason, we store the personal data we process for the period stipulated in the relevant legislation,or if such a period is not stipulated, for the period necessary for the purposes of processing the personal data.
In cases where we process personal data for more than one purpose, the data is deleted, destroyed or made anonymous if all the purposes of processing the data are eliminated or if there is no obstacle in the legislation to delete the data and the relevant person requests it.
6. INFORMATION ON STORAGE OF PERSONAL DATA AND STORAGE PERIOD TABLE AND PERIODIC DESTRUCTION PERIOD
Personal data must be stored by taking into consideration factors such as data category, data storage medium, legislation on data collection, beginning and end of the storage period and total storage period. You can access personal data categories from Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş. information texts and review the Storage Period Table below for data storage periods.MARTAŞ OTOMOTİV YEDEK PARÇA TİC. VE SAN. A.Ş. PROCESSES
MAXIMUM STORAGE PERIOD ACCORDING TO RELEVANT LEGISLATIONDESTRUCTION PERIOD
| 1 | General company records / data |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 2 | Records/data related to Tax and Financial Affairs |
| 5 - 10 years | During the first periodic destruction period following the end of the storage period |
| 3 | Pay slip and salary information/data |
| 5 - 10 years | During the first periodic destruction period following the end of the storage period |
| 4 | Positive Recruitment Process |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 4 | Negative Process of Recruitment |
| 1 year | During the first periodic destruction period following the end of the storage period |
| 5 | HR, employment, retirement information/ dataemployee |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 7 | Data kept on the departing employee |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 8 | Employee health and safety records/data |
| 15 years | During the first periodic destruction period following the end of the storage period |
| 9 | Legal texts and contracts |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 10 | Data on business contacts |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 11 | It is recommended that data belonging to potential customers be stored for 5 to 10 years after the end of the relationship. During the first periodic destruction period following the end of the storage period. |
| 12 | Insurance data |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 13 | Customer data |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 14 | Security (CCTV, visitor registration, vehicle license plate etc. ) |
| 6 months to 1 year | During the first periodic destruction period following the end of the storage period |
| 15 | Intern Data |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 16 | years after the termination of the business relationship Within 30 days following the application of the relevant person |
| 17 | Administrative Affairs Processes (Vehicle, equipment allocation etc. ) |
| 10 years | During the first periodic destruction period following the end of the storage period |
| 18 | IT Department Log / Record / Tracking Systems |
| 2 years | During the first periodic destruction period following the end of the storage period |
The complete and erroneous determination of personal data to be destroyed, the large volume of this data or the scattered storage of data, etc. cannot always be carried out quickly due to technical or administrative reasons. As a result, the need to determine a time interval in which the destruction process will be initiated and completed arises.
This mentioned interval corresponds to the periodic destruction period concept specified in the Regulation, and as per the regulation in the law, this period will not exceed 6 (six) months.
As Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., we carry out the destruction process of all your personal data within a maximum of 180-day intervals.
7. METHODS AND MEASURES FOR THE DESTRUCTION OF PERSONAL DATA
7.1. Methods for the Deletion and Destruction of Personal DataMartaş Otomotiv Yedek Parça Tic. ve San. A.Ş. As, we follow the following methods to delete and destroy your personal data in accordance with the law, but not limited to the following:
Destruction Methods
Deletion Methods
Shredding, burning and recycling methods with a paper cutting machine,
Preventing the relevant user from accessing the data with user account management,
Damaging data-containing media such as hard disk or USB memory with physical methods such as burning or drilling in a way that cannot be reversed,
Encrypting the data with encryption methods and preventing the relevant user from accessing the data,
Neutralizing the magnetic effect of magnetic media (hard disk, CD-ROM or USB memory, etc.) containing data (degaussing),
Preventing the relevant user from accessing the database by assigning roles and permissions in the databases where the data is located, and
Writing over existing data with new ones (wiping) by means of software or by restoring factory settings.
Preventing the relevant user from accessing the data with access policies.
7.2. Methods for Anonymizing Personal Data
As Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., we anonymize personal data whose storage period has expired, sever the link between the data and the relevant person, and thus prevent the relevant person from being identified. Some of the techniques used by us within the scope of anonymization processes and specified in the publications of the Personal Data Protection Authority are as follows:
7.2.1. Masking
This method refers to severing the link between a piece of information that is personal data and the relevant person by removing or changing certain fields. If necessary, as Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., when the storage period expires, some parts of personal data such as name, surname and similar data will be stored by starring them in the data we keep in the B2B, CRM, ERP environment.
7.2.2. Removing Variables
In this anonymization method, one or more of the variables are removed from the table in a column, thus making it difficult to identify the relevant person. This method; It is used in cases where the variable is sensitive data that cannot be disclosed to the public or when the variable is a high-level identifier.
7.2.3. Removing Records
In this method, anonymity is strengthened by removing a row in the dataset that constitutes a singularity. For example; there is only one person who participated in a survey and whose gender is female. By removing the row belonging to this person from the dataset, the possibility of generating assumptions about the dataset is reduced.
7.2.4. Randomization
Randomization includes a number of methods such as data shuffling and adding noise, which do not completely remove the connection between the data and the person in question, but weaken the accuracy of the data by reducing it.
7.2.4.1. Data Mixing
In this method; some information in a certain data set is mixed in a way that will not affect the examination to be performed on the said set. For example; in a department where the average age of the employees is desired to be obtained, data mixing is performed in case the values indicating the ages of the employees are changed with each other.
7.2.4.2. Adding Noise
With this method, the value in the data set is changed to the extent determined by the addition or subtraction process. For example, as a result of adding 5 to each age value in the data set, this age value is changed and new values are created.
7.3. Measures Taken for the Lawful Destruction of Personal Data
As Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., we pay attention to the fact that the destruction of the personal data we process is carried out in accordance with the law and we take certain technical and administrative measures within this scope.
As Martaş Otomotiv Yedek Parça Tic. ve San. A.Ş., for the lawful destruction of the personal data we process, including but not limited to the following;
• Keeping access records for access to databases and servers containing personal data,
• Determining the necessary approval process with a directive to authorize employees who will perform these operations when accessing and processing personal data is required,
• Preventing the access and reuse of deleted personal data by the relevant user,
• Preparing procedures, instructions and information notes to guide during the destruction operations to be performed,
• Recording the physical destruction operations of data recording media such as physical printed files and folders with a report that includes the date of the operation,
• Using up-to-date and standardized data deletion software (See Information Note on Data Deletion Software),
• Selecting and implementing the most appropriate method for anonymizing the environment where personal data is located,
• Making the necessary arrangements for software so that personal data can be subjected to anonymization again during the restoration of backups containing personal data,
• Providing the necessary legal and technical training for employees who will perform the destruction, deletion and anonymization operations,
• Preparing instructions regarding the operations to be performed,
• None We ensure that the necessary approval and control mechanisms are implemented regarding personal data to be deleted, anonymized and
�� Support is received from expert professionals when necessary.
8. TECHNICAL AND ADMINISTRATIVE MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA
… As (Company Trade Name), we take all administrative and technical measures necessary considering the current technologies to securely store your personal data, prevent unlawful processing of this data and unlawful access to this information.8.1. Technical Measures for the Security of Personal Data
To ensure the security of personal data, but not limited to the following;
• Implementation of the existing ISO 27001 based Information Security Management System policies and procedures within the institution,
• Up-to-date antivirus programs used on company devices,
• Timely updates and patches of operating systems installed on company devices,
• Open firewalls on company computers,
• Physical and environmental security of system rooms,
• Users using different usernames and passwords with complex standards when logging into systems,
• Conducting vulnerability analysis and penetration tests for the systems used and taking the necessary measures as soon as possible within the framework of technical possibilities according to the results of the analysis and tests,
• Using the system as “3D secure” when making payments on virtual platforms,
• Using the SSL encryption system that ensures the confidentiality of information on a network,
• Storing information received from users and to be stored in databases in encrypted form in the relevant databases, if possible,
• Ensuring that passwords of authorized users and service accounts are managed with password management infrastructure or digital vault software,
• Ensuring that portable computers and portable data recording media have encrypted storage areas whenever possible,
• Importance We ensure that data classified according to its degree is backed up at certain intervals,
• Personal data is not shared with unauthorized persons or persons, including Company officials.
8.2. Administrative Measures for the Security of Personal Data
In order to ensure the security of personal data, we ensure, but are not limited to the following;
• Our employees are trained and informed about the legal processing of personal data,
• Procedures related to information security, such as password procedures, are organized and meticulously implemented,
• The measures to be taken in case of unlawful processing of personal data by Company employees are determined with various policies and procedures,
• Approval and audit mechanisms in the data access process are adopted, and
• The implementation of confidentiality agreements and other relevant confidentiality provisions in other agreements that determine the scope of data sharing with third parties.
9. PERSONS INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES OF PERSONAL DATA AND THEIR RESPONSIBILITIES
PERSONNELDUTY
RESPONSIBILITY
| IT Manager | Information Processing Department - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Consultant Lawyer | Consultant Law Firm - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within the scope of his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Human Resources Manager | Human Resources Department - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Audit Officer | Audit Department - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Financial Affairs Manager | Financial Affairs Department - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Purchasing Managers | Purchasing Departments - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Product Management Managers | Product Management Departments - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
| Marketing / Corporate Marketing Manager | Marketing / Corporate Marketing Departments - Personal Data Storage and Destruction Policy Implementation Officer Ensuring compliance with the retention period of the processes within his/her duty and managing the personal data destruction process in accordance with the periodic destruction period. |
10. UPDATE PERIOD
The policy is reviewed as needed and the necessary sections are updated.UPDATE DATE
SCOPE OF CHANGES
[*]
[*]
Changes made to this Policy are listed in the table above.
