Personal Data Protection Law (PDPL)
1.1. INTRODUCTION
This data destruction policy has been prepared by ARTOFİS MOBİLYA SAN. VE TİC. A.Ş., hereinafter referred to as (“MASACHI”), as the data controller, to determine the procedures and principles to be applied by MASACHİ regarding the deletion, destruction, or anonymization of personal data held by us in accordance with the Law No. 6698 on the Protection of Personal Data and other relevant legislation.
In this context, the personal data of our employees, job applicants, customers, and all natural persons whose personal data is held by MASACHİ for any reason are managed in accordance with the law within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
1.2. DEFINITIONS
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Consent given freely and based on informed knowledge regarding a specific matter.
Anonymization: The process of rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic Environment: All written, printed, visual, etc., environments other than electronic environments.
Data Subject: The natural person whose personal data is processed.
Relevant User: Individuals within the data controller organization or those processing personal data under the authority and instructions of the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction: The deletion, destruction, or anonymization of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any medium containing personal data processed wholly or partially automatically, or through non-automatic means as part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: An inventory created by data controllers detailing their personal data processing activities related to their business processes; associating these activities with the purposes and legal basis for processing personal data, data category, recipient group to whom the data is transferred, and the data subject group; and specifying the maximum retention period necessary for the purposes for which the personal data is processed, personal data intended to be transferred to foreign countries, and measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, keeping, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system.
Special Category Personal Data: Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process that will be carried out automatically at recurring intervals as specified in the personal data storage and destruction policy when all the conditions for processing personal data stipulated in the law cease to exist.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: A recording system in which personal data is processed by structuring it according to specific criteria.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
SECTION: ENVIRONMENTS AND SECURITY MEASURES
2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored by MASACHI is kept in a recording medium appropriate to the nature of the data and our legal obligations.
The recording media used for storing personal data are generally listed below. However, some data may be kept in a different medium than those shown here due to their special characteristics or our legal obligations. In any case, MASACHI acts as the data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy.
a) Printed media: Written, printed, and visual media where data is stored by printing on paper or microfilm. b) Local digital media: Servers, computers, fixed or other devices within MASACHI.
c) Cloud environments: These are digital media such as portable disks and optical disks.
2.2. ENSURING THE SECURITY OF ENVIRONMENTS
MASACHI takes all necessary technical and administrative measures to ensure the secure storage of personal data and to prevent its unlawful processing and access, in accordance with the nature of the relevant personal data and the environment in which it is stored.
These measures include, but are not limited to, the following administrative and technical measures, to the extent appropriate to the nature of the relevant personal data and the environment in which it is stored.
2.2.1. Technical Measures
MASACHI takes the following technical measures in all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which it is stored:
Only up-to-date and secure systems in line with technological developments are used in environments where personal data is stored. Security systems are used for environments where personal data is stored. Research is conducted to identify security vulnerabilities in information systems, and existing or potential risks identified as a result of these investigations are addressed. Access to environments where personal data is stored is restricted, and only authorized persons are allowed to access this data for the purpose of storing the personal data, and all accesses are recorded. MASACHI has sufficient technical personnel to ensure the security of environments where personal data is stored.
2.2.2. Administrative Measures
MASACHI takes the following administrative measures for all environments where personal data is stored, in accordance with the nature of the data and the environment in which the data is stored:
Efforts are made to increase the awareness and education of all MASACHI employees who have access to personal data regarding information security, personal data, and the privacy of private life. Legal and technical consultancy services are obtained to follow developments in the fields of information security, the privacy of private life, and the protection of personal data and to take necessary actions. When personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
2.2.3. Internal Audit
In accordance with Article 12 of the Law, MASACHI conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy.
If any deficiencies or errors are identified in the implementation of these provisions as a result of internal audits, these deficiencies or errors are immediately rectified.
If it is understood during an audit or otherwise that personal data under MASACHI's responsibility has been obtained by others through unlawful means, MASACHI will notify the relevant party and the Board as soon as possible.
SECTION: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR STORAGE AND DESTRUCTION
3.1.1. Reasons for Retention
Personal data processed within the scope of company activities is retained for the period stipulated in the relevant legislation. In this context, personal data is retained for:
Personal data is stored for the retention periods stipulated within the framework of the following laws and other secondary regulations in force: Law No. 6698 on the Protection of Personal Data, Turkish Code of Obligations No. 6098 and Turkish Commercial Code No. 6102, Banking Law, Public Procurement Law No. 4734, Social Security and General Health Insurance Law No. 5510, Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications, Public Financial Management Law No. 5018, Occupational Health and Safety Law No. 6331, Law No. 4982 on the Right to Information, Identity Reporting Law, Law No. 3071 on the Exercise of the Right to Petition, Law No. 4857 on Labor, Law No. 5434 on Retirement Health, Law No. 2828 on Social Services, Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes, Regulation on Archival Services It is stored for the retention periods stipulated within the framework of these laws and other secondary regulations in force.
3.1.2 Storage Purposes of Processing Required
The company stores personal data processed within the scope of its activities for the following purposes:
To conduct human resources processes. To ensure corporate communication. To ensure company security, and to conduct statistical studies. To perform business and transactions as a result of signed contracts and protocols. To identify the preferences and needs of employees, data controllers, contact persons, data controller representatives, and data processors within the scope of VERBİS, to organize the services provided accordingly, and to update them if necessary. As required by legal regulations and
or to ensure the fulfillment of legal obligations as required. To maintain contact with natural/legal persons with whom the company has a business relationship. The burden of proof as evidence in future legal disputes.
3.1.3. Reasons for Destruction
Personal data held within MASACHI will be deleted, destroyed, or anonymized in accordance with this destruction policy, upon the request of the data subject or automatically if the reasons listed in Articles 5 and 6 of the Law cease to exist.
The reasons listed in Articles 5 and 6 of the Law are as follows:
Explicitly provided for in the laws. It is necessary for the protection of the life or physical integrity of the person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, or of another person. It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract. It is necessary for the data controller to fulfill its legal obligations. The data has been made public by the data subject themselves. Data processing is necessary for the establishment, exercise, or protection of a right. Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.2 DELETION OF PERSONAL DATA
DESCRIPTION OF DATA STORAGE MEDIUM
Personal Data on Servers
For personal data on servers whose retention period has expired, the system administrator will delete the data by revoking the access rights of the relevant users.
Personal Data in Electronic Environment
For personal data in electronic environment whose retention period has expired, it will be rendered inaccessible and unusable for all employees except the database administrator.
Personal Data in Physical Environment
For personal data held in physical environment whose retention period has expired, it will be rendered inaccessible and unusable for all employees except the unit manager responsible for the document archive. Additionally, a blackout process will be applied by drawing over/painting over/erasing the data to make it unreadable.
3.2.1 DESTRUCTION METHODS
In accordance with the Law and other relevant legislation, and its Personal Data Processing and Protection Policy, MASACHI deletes, destroys, or anonymizes personal data it stores, upon the request of the data subject when the reasons requiring the processing of the data cease to exist, or automatically within the periods specified in this Personal Data Storage and Destruction Policy.
The most commonly used deletion, destruction, and anonymization techniques by MASACHI are listed below:
3.2.1.1 Deletion Methods
Deletion Methods for Personal Data Held in Printed Format Obstruction: Personal data in printed format is deleted using the obstruction method. The obstruction process involves cutting out the personal data on the relevant document where possible, or, where this is not possible, making it invisible by using permanent ink in a way that cannot be reversed and cannot be read by technological solutions. Deletion Methods for Personal Data Stored in Cloud and Local Digital Environments Secure deletion via software: Personal data stored in cloud or local digital environments is deleted using a digital command in a way that prevents its recovery. Data deleted in this way cannot be accessed again.
3.2.1.2 Destruction Methods
Destruction Methods for Personal Data Stored in Printed Media Physical destruction: Documents stored in printed media are destroyed by document shredders or by burning in a way that prevents them from being reassembled. Destruction Methods for Personal Data Stored in Local Digital Environments Physical destruction: This is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning, or pulverizing them. Melting, burning, or pulverizing optical or magnetic media makes the data inaccessible. Overwriting: At least seven random data consisting of 0s and 1s are written onto magnetic media and rewritable optical media to prevent the old data from being read and recovered. Methods of Deleting Personal Data Stored in the Cloud Secure deletion via software: Personal data stored in the cloud is deleted using a digital command in a way that prevents its recovery, and all copies of the encryption keys necessary to make the personal data usable when the cloud computing service relationship ends are destroyed. Data deleted in this way cannot be accessed again.
3.2.1.3. Anonymization Methods
Anonymization is the process of making personal data impossible to link to an identified or identifiable natural person, even when combined with other data.
Removing variables:
Removing variables from the personal data of the data subject that target the data subject
This involves removing one or more direct identifiers that could be used to identify the individual.
This method can be used to anonymize personal data, or to delete information within the personal data that is not relevant to the data processing purpose.
Regional masking: This is the process of deleting information that could be distinctive to an exceptional data point within a data table where personal data is collectively stored in anonymized form.
Generalization: This is the process of combining personal data belonging to many individuals, removing distinctive information, and converting it into statistical data.
Data mixing and distortion: Direct or indirect identifiers within personal data are mixed or distorted with other values to sever their connection with the data subject and cause them to lose their identifying characteristics.
3.3. STORAGE AND DESTRUCTION PERIODS
3.3.1. Storage Periods
If a longer period is stipulated by legislation, or if there are statutes of limitations, forfeiture periods, storage periods, etc., as required by legislation… If a longer period is foreseen, the periods in the legislation are accepted as the maximum retention period.
Regarding personal data processed by MASACHI within the scope of its activities:
Retention periods for all personal data within the scope of activities carried out depending on the processes are included in the Personal Data Processing Inventory on a personal data basis; Retention periods based on data categories are included in the VERBİS registration; Retention periods based on processes are included in the Personal Data Retention and Destruction Policy.
3.3.2. Destruction Periods
In accordance with the Law, relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy, MASACHI deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data for which it is responsible arises.
When the data subject requests the deletion or destruction of their personal data by applying to MASACHI pursuant to Article 13 of the Law;
If all conditions for processing personal data have ceased to exist; MASACHI shall delete, destroy, or anonymize the personal data in question as soon as possible and at the latest within 30 (thirty) days from the date of receipt of the request, explaining the reason and using an appropriate destruction method. For MASACHI to be considered to have received the request, the data subject must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, MASACHI shall inform the data subject about the action taken. If all conditions for processing personal data have not ceased to exist, this request may be rejected by MASACHI pursuant to the third paragraph of Article 13 of the Law, explaining the reason, and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest. PROCESS STORAGE PERIOD DESTRUCTION PERIOD Personal Data Required for the Preparation and Execution of the Contract 10 years following the termination of the contract At the first periodic destruction period following the end of the storage period
Execution of Communication Activities
10 years following the termination of the activity At the first periodic destruction period following the end of the storage period Execution of Human Resources Processes 10 years following the termination of the activity At the first periodic destruction period following the end of the storage period
Log Record Tracking Systems
10 years
At the first periodic destruction period following the end of the storage period Execution of Hardware and Software Access Processes
2 years
At the first periodic destruction period following the end of the storage period
Camera Recordings
30 days
At the first periodic destruction period following the end of the storage period
Financial Transactions
Provision of the service, from the end of the activity 10 years
At the first periodic destruction date following the expiration of the retention period
Customer Information
10 years in accordance with Article 82 of the Turkish Commercial Code
At the first periodic destruction date following the expiration of the retention period
Personal Data of Potential Customers
2 years
At the first periodic destruction date following the expiration of the retention period
Potential Customer Requests and Complaints
Retained for 10 years from the date of the request and/or complaint.
At the first periodic destruction date following the expiration of the retention period:
Partner and Consultant Information
During the duration of the relationship with the company and for 10 years after its termination
At the first periodic destruction date following the expiration of the retention period
Information Shared with the Company by Companies
During the duration of the relationship with the company and for 10 years after its termination
At the first periodic destruction date following the expiration of the retention period
Personnel Information
10 years
At the first periodic destruction date following the expiration of the retention period
Information on employees collected in accordance with Occupational Health and Safety legislation
15 years
At the first periodic destruction date following the expiration of the retention period
CORPORATE
PRODUCTS
Contact
CONTACT DEALERSHIP APPLICATION FORM
