Personal Data Storage and Destruction Policy

DMS CNC MAKİNA SAN.VE TİC.LTD.ŞTİ.

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

PURPOSE

This Personal Data Storage and Destruction Policy (“Storage and Destruction Policy”) has been issued by Dms Cnc Makina San.ve Tic.Ltd.Şti. (“COMPANY”) in order to regulate the technical and administrative protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”) and, where the conditions for processing personal data cease to exist, the implementation of the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”) published in the Official Gazette dated 28/10/2017.

RECORDING ENVIRONMENTS WHERE PERSONAL DATA IS STORED

Personal data belonging to data owners are stored securely by the COMPANY in the environments listed below, in accordance with the relevant legislation, especially the provisions of the Law:

Electronic media:

  • Accounting Personnel Program
  • Email Box
  • Microsoft Office Programs
  • Video Recorders

Physical environments:

  • Unit Cabinets
  • Folders
  • Archive

EXPLANATIONS REGARDING THE REASONS THAT REQUIRE STORAGE

Personal data belonging to data owners are processed by the COMPANY in particular for the purposes of:

  • Sustaining the COMPANY's activities,
  • Fulfilling legal obligations,
  • Planning and execution of employee rights and benefits,
  • Managing business relationships,

and, for these purposes, are stored securely in the physical or electronic media listed above, within the limits specified in the Law and other relevant legislation.

Reasons that require storage:

  • The personal data is directly related to the establishment and performance of a contract,
  • The establishment, exercise or protection of a right depends on the personal data,
  • The COMPANY has a legitimate interest, provided that this does not harm the fundamental rights and freedoms of the data owners,
  • The personal data is required for the COMPANY to fulfil a legal obligation,
  • Storage of the personal data is clearly stipulated in the legislation,
  • The explicit consent of the data owners, for storage activities that require explicit consent.

In accordance with the Regulation, personal data of data owners are deleted, destroyed or anonymized by the COMPANY ex officio or upon request in the following cases:

  • Amendment or repeal of the legislative provisions that constitute the basis for the processing or storage of the personal data,
  • Elimination of the purpose requiring the processing or storage of the personal data,
  • Elimination of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law,
  • Where personal data is processed solely on the basis of explicit consent, withdrawal of that consent by the data subject,
  • Acceptance by the data controller of an application made by the data subject, within the framework of his or her rights under paragraph 2 (e) and (f) of Article 11 of the Law, for the deletion, destruction or anonymization of his or her personal data,
  • Where the data controller rejects an application by the data subject for the deletion, destruction or anonymization of his or her personal data, gives an insufficient response, or does not respond within the period stipulated in the Law, a complaint is made to the Board and the Board approves the request,
  • The maximum period requiring the personal data to be stored has expired and no condition justifies storing the personal data for a longer period.

MEASURES TAKEN REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, the COMPANY takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to that data and to ensure its preservation, and carries out, or has carried out, the necessary audits. If, despite all technical and administrative measures having been taken, the processed personal data is obtained by third parties through unlawful means, the COMPANY will notify the relevant units as soon as possible.

4.1 Technical Measures

  • Network security and application security are ensured.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness activities are carried out for employees at regular intervals regarding data security.
  • An authority matrix has been created for employees.
  • Data masking measures are applied when necessary.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Confidentiality commitments are made.
  • The authorities of employees who change their duties or leave their jobs in this area are removed.
  • Up-to-date anti-virus systems are used.
  • The signed contracts contain data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Personal data is backed up and the security of the backed up personal data is ensured.
  • User account management and authorization control system is implemented and these are also monitored.
  • Periodic and/or random audits are carried out within the institution.
  • Current risks and threats have been identified.
  • Protocols and procedures for the security of special personal data have been determined and implemented.
  • If special categories of personal data are to be sent by e-mail, they must be sent encrypted and via a KEP (Registered Electronic Mail) or corporate mail account.
  • Intrusion detection and prevention systems are used.
  • Cyber security measures have been taken and their implementation is constantly monitored.
  • Special categories of personal data transferred on portable memory, CD or DVD media are encrypted.
  • Data processing service providers are made aware of data security.

4.2 Administrative Measures

  • Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  • Personal data processing and authorization processes are designed and implemented within the COMPANY in accordance with legal compliance requirements for personal data processing on a business unit basis. In restricting access, whether the data is of special nature and its degree of importance are also taken into account.
  • Provisions are added to the documents that regulate the relationship between the COMPANY and its personnel and that contain personal data, stating that personal data shall be processed in accordance with the obligations stipulated by the Law, shall not be disclosed and shall not be used unlawfully, and that the obligation of confidentiality regarding personal data continues even after the termination of the employment contract.
  • Employees are informed that they may not disclose the personal data they have learned to anyone else in violation of the provisions of the Law, or use it for purposes other than the purpose of processing, and that this obligation continues after they leave office; the necessary commitments are obtained from them in this regard.
  • Provisions are added to the contracts concluded by the COMPANY with persons to whom personal data is lawfully transferred, stating that those persons will take the necessary security measures to protect the personal data and ensure that these measures are complied with within their own organizations.
  • If the processed personal data is obtained by others through unlawful means, the COMPANY notifies the data subject and the Board as soon as possible.
  • Where necessary, the COMPANY employs personnel who are knowledgeable and experienced in the processing of personal data, and provides its personnel with training on personal data protection legislation and data security.
  • The COMPANY carries out, or has carried out, the audits necessary to ensure the implementation of the provisions of the Law, and remedies the privacy and security vulnerabilities identified as a result of those audits.

PRECAUTIONS TAKEN REGARDING THE DESTRUCTION OF PERSONAL DATA

Even though it has been processed in accordance with the provisions of the relevant law, the COMPANY may delete or destroy personal data based on its own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. Following the deletion of personal data, the deleted data will not be accessed or used again by the relevant persons in any way. An effective data tracking process will be managed by the COMPANY to define and monitor the destruction processes of personal data. The order of the process will be identifying the data to be deleted, identifying the relevant persons, determining the access methods of the persons, and immediately deleting the data.

The COMPANY may use one or more of the following methods, depending on the medium in which the data is recorded, to destroy, delete or anonymize personal data:

Methods for Deleting, Destroying and Anonymizing Personal Data

Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. The COMPANY may use one or more of the following methods to delete personal data:

  • Personal data on paper is blacked out by striking through, painting over, cutting out or erasing the relevant parts.
  • The access right(s) of the user(s) to office files held in the central file are revoked.
  • Rows or columns containing personal data in databases are removed with the 'Delete' command.

Where necessary, deletion is performed securely with the assistance of an expert.

Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone, using the following methods:

  • Physical destruction
  • Destruction with a paper shredder
  • De-magnetization (degaussing): the data on magnetic media is rendered unreadable by passing the media through special devices that expose it to a high magnetic field.

Anonymization of Personal Data

Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data. The COMPANY may use one or more of the following methods to anonymize personal data:

Masking: Data masking anonymizes personal data by removing the basic identifying information from the data set.

Removing Records: In the record removal method, the data row that singles an individual out is removed from the records, so that the stored data becomes anonymous.

Regional Hiding: In the regional hiding (local suppression) method, where a single value makes a record identifiable because it forms a rarely occurring combination of values, hiding that value achieves anonymization.

Global Coding: In the global coding (generalization) method, a more general value is derived from the content of the personal data, so that the data can no longer be associated with any person. For example: specifying age instead of date of birth, or the region of residence instead of the full address.

Adding Noise: The noise addition method anonymizes data, especially in data sets where numerical data predominate, by adding positive or negative deviations of a predetermined size to the existing values. For example, in a data set containing weight values, applying a deviation of (+/-) 3 kg prevents the actual values from being shown, and the data is anonymized. The same deviation is applied to every value.
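The anonymization methods listed above, as an added example that is not part of the COMPANY's policy or systems: masking, global coding, regional hiding, record removal and noise addition run in sequence over a constructed data set. The records, field names, the reference date and the threshold k are assumptions made for the illustration.

```python
"""Added example, not part of the COMPANY policy: the anonymization methods listed
above (masking, global coding, regional hiding, record removal, adding noise) run
over a constructed data set. Records, field names, the reference date and k are invented."""
import random
from collections import Counter
from datetime import date

REFERENCE_DATE = date(2024, 1, 1)        # assumed "today" so ages are reproducible
DIRECT_IDENTIFIERS = ("name", "tc_no")   # removed by masking
QUASI_IDENTIFIERS = ("age", "region")    # combination that can single a person out

# Constructed sample records (invented people and values).
RECORDS = [
    {"name": "A. Y.", "tc_no": "00000000001", "dob": date(1983, 5, 10),
     "address": "Sok. 5 No. 3, Kadikoy, Istanbul", "region": "Marmara", "weight_kg": 78},
    {"name": "B. K.", "tc_no": "00000000002", "dob": date(1983, 11, 20),
     "address": "Cad. 12 No. 7, Nilufer, Bursa", "region": "Marmara", "weight_kg": 65},
    {"name": "C. D.", "tc_no": "00000000003", "dob": date(1990, 2, 14),
     "address": "Sok. 8 No. 1, Bornova, Izmir", "region": "Ege", "weight_kg": 90},
    {"name": "D. E.", "tc_no": "00000000004", "dob": date(1995, 8, 30),
     "address": "Cad. 3 No. 9, Mentese, Mugla", "region": "Ege", "weight_kg": 70},
    {"name": "E. F.", "tc_no": "00000000005", "dob": date(1978, 12, 1),
     "address": "Sok. 2 No. 4, Ortahisar, Trabzon", "region": "Karadeniz", "weight_kg": 82},
]

def mask(rec):
    """Masking: strip the direct identifiers from a record."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}

def global_coding(rec, today=REFERENCE_DATE):
    """Global coding: date of birth becomes an age, full address becomes a region."""
    dob = rec["dob"]
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    out = {k: v for k, v in rec.items() if k not in ("dob", "address")}
    out["age"] = age
    return out

def add_noise(values, deviation=3, seed=0):
    """Adding noise: every value moves by +deviation or -deviation, so the magnitude
    is the same for each value, as in the policy's 3 kg example."""
    rng = random.Random(seed)
    return [v + rng.choice((-deviation, deviation)) for v in values]

def suppress_rare(records, k=2):
    """Regional hiding, then record removal: an (age, region) combination seen
    fewer than k times gets its age hidden; a record still singular after that
    is dropped from the data set."""
    combo = lambda r: tuple(r[q] for q in QUASI_IDENTIFIERS)
    counts = Counter(combo(r) for r in records)
    hidden = [dict(r, age=None) if counts[combo(r)] < k else dict(r) for r in records]
    counts = Counter(combo(r) for r in hidden)
    return [r for r in hidden if counts[combo(r)] >= k]

def anonymize(records=RECORDS, k=2):
    """Apply the methods in sequence and return the anonymized data set."""
    coded = [global_coding(mask(r)) for r in records]
    for r, w in zip(coded, add_noise([r["weight_kg"] for r in coded])):
        r["weight_kg"] = w
    return suppress_rare(coded, k)
```

With the constructed records, the two Marmara rows keep their age of 40, the two Ege rows have their ages hidden, and the single Karadeniz row is removed because it would still be identifiable.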

In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law, and the explicit consent of the personal data owner is not required.

The COMPANY can make ex officio decisions regarding the deletion, destruction or anonymization of personal data and can freely determine the method to be used according to the category it has chosen. In addition, within the scope of Article 13 of the Regulation, if the relevant person chooses one of the categories of deletion, destruction or anonymization of his/her personal data during the application, the COMPANY will be free to choose the methods to be used in the relevant category.

PERSONAL DATA STORAGE AND DESTRUCTION PERIOD

The COMPANY stores personal data for the periods specified in Annex-1, according to the purpose for which they are processed. Where the legislation stipulates a period for the storage of the personal data in question, that period is observed. Where the legislation stipulates no period, personal data is stored for the maximum period given for that data in the table in Annex-1. These periods have been determined by evaluating the COMPANY's data categories and data owner groups, so that the obligations stated in the law are fulfilled, and by taking into account the maximum limitation period (10 years) in the Turkish Code of Obligations.

Where the obligation to delete, destroy or anonymize arises because these periods have expired, the COMPANY deletes, destroys or anonymizes the personal data in the first periodic destruction process following that date.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded, and these records are kept for at least three years, without prejudice to other legal obligations.

PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation, the periodic destruction period is determined as 6 months. Accordingly, periodic destruction is carried out every year in June and December. In the systems in question, the information will be irretrievably deleted from the documents, files, CDs, floppy disks and hard disks where the data is recorded, if any.
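A worked schedule for the rules stated in this section and in Annex-1, as an added example that is not part of the COMPANY's policy or systems: storage periods per category, periodic destruction every June and December, and destruction in the first run after the storage period ends. The run day (the 1st of the month), the record identifiers and the event dates are assumptions.

```python
"""Added example, not part of the COMPANY policy: scheduling destruction under the
policy's rules (Annex-1 storage periods, periodic destruction every June and December,
destruction in the first run after storage ends). Run day, record ids and dates are assumed."""
from datetime import date, timedelta

# Storage periods taken from Annex-1, as (years, days) after the triggering event
# (transaction date, end of the legal relationship or termination of employment).
STORAGE_PERIODS = {
    "Identity": (10, 0),
    "Communication": (10, 0),
    "Personnel": (10, 0),
    "Customer Transaction": (10, 0),
    "Physical Space Security": (0, 15),
    "Request/Complaint Management Information": (2, 0),
}
DESTRUCTION_MONTHS = (6, 12)   # periodic destruction period of 6 months
LOG_RETENTION_YEARS = 3        # destruction records are kept for at least three years

def _d(value):
    """Accept a date or an ISO 8601 string such as '2024-05-20'."""
    return date.fromisoformat(value) if isinstance(value, str) else value

def add_years(d, years):
    """Add calendar years; a 29 February start lands on 28 February."""
    d = _d(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def storage_end(category, event_date):
    """Last day of the storage period for a record of the given category."""
    years, days = STORAGE_PERIODS[category]
    return add_years(event_date, years) + timedelta(days=days)

def next_destruction_run(after):
    """First periodic destruction run strictly after the storage period ends."""
    after = _d(after)
    for year in (after.year, after.year + 1):
        for month in DESTRUCTION_MONTHS:
            run = date(year, month, 1)     # assumed run day
            if run > after:
                return run

def schedule(record_id, category, event_date):
    """Plan one record: storage end, destruction run and how long the log is kept."""
    end = storage_end(category, event_date)
    run = next_destruction_run(end)
    return {"record_id": record_id, "category": category, "storage_end": end,
            "destruction_run": run, "log_kept_until": add_years(run, LOG_RETENTION_YEARS)}

def due_in_run(plans, run):
    """Records to destroy in a given run: the data tracking step the policy requires."""
    return [p["record_id"] for p in plans if p["destruction_run"] == _d(run)]

# Constructed records (identifiers and dates invented for the example).
SAMPLE = [
    schedule("EMP-001", "Personnel", "2013-03-31"),
    schedule("CAM-042", "Physical Space Security", "2024-05-20"),
    schedule("REQ-007", "Request/Complaint Management Information", "2022-06-01"),
]
```

Note the boundary case: a storage period that ends exactly on a run day (REQ-007, 2024-06-01) is destroyed in the following run, not the same-day one, because the policy speaks of the first periodic destruction following the end of the period.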

EMPLOYEE

As the data controller within the scope of the Law, the COMPANY has determined, on the basis of paragraph 1 of Article 11 of the Regulation, the titles, units and job descriptions of the personnel responsible for implementing the data storage and destruction process; these are set out in the table in Annex-2 of the Storage and Destruction Policy.

These persons, whose scope of authority is so determined, are responsible for the transactions and actions carried out within their authority under the Turkish Commercial Code, the Code of Obligations and the Turkish Penal Code. The Chairman of the COMPANY Personal Data Protection Committee has been appointed with the authority to represent the COMPANY and to make statements and testify on its behalf, in particular before law enforcement, prosecutor's offices, public institutions and courts. Each department manager is responsible for checking whether the relevant users in their department comply with the Storage and Destruction Policy and the Personal Data Policy prepared within the framework of the Law and the Regulation. All department heads report the transactions carried out under this Storage and Destruction Policy to the Chairman of the COMPANY Personal Data Protection Committee within the specified periodic destruction periods. The decisions taken as a result of the review of these reports are put into practice.

REVISION AND REPEAL

If the Storage and Destruction Policy is amended or repealed, the new regulation will be announced on the COMPANY website.

ENTRY INTO FORCE

This Storage and Destruction Policy comes into force on the date of publication.

APPENDICES
ANNEX 1-Data Storage and Destruction Periods
ANNEX 2- Table of Personnel Responsible for Personal Data Storage and Destruction
ANNEX 3- Personal Data Protection Committee Internal Directive

ANNEX 1- Data Storage and Destruction Periods

Data Category | Storage Period | Destruction Period
Identity | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Communication | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Personnel | 10 years from termination of employment | During the first periodic destruction following the end of the storage period
Legal Action | 5 years from the finalization of the judicial decision; 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Customer Transaction | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Physical Space Security | 15 days | During the first periodic destruction following the end of the storage period
Transaction Security | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Risk Management | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Finance | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Professional Experience | 10 years from termination of employment | During the first periodic destruction following the end of the storage period
Marketing | 10 years from termination of employment | During the first periodic destruction following the end of the storage period
Audiovisual Records | 10 years from the transaction date or the termination of the legal relationship | During the first periodic destruction following the end of the storage period
Health Information | 10 years | During the first periodic destruction following the end of the storage period
Criminal Conviction and Security Measures | 10 years from termination of employment | During the first periodic destruction following the end of the storage period
Family Information | 10 years | During the first periodic destruction following the end of the storage period
Request/Complaint Management Information | 2 years | During the first periodic destruction following the end of the storage period

ANNEX 2- Table of Personnel Responsible for Personal Data Storage and Destruction

Employee | Duty | Responsibility
Personnel Manager | Application manager | Management of the personal data destruction process in accordance with the periodic destruction period, by ensuring that the processes within the duty comply with the retention period
Administrative and Financial Affairs Officer | Application manager | Management of the personal data destruction process in accordance with the periodic destruction period, by ensuring that the processes within the duty comply with the retention period
 | Application manager | Management of the personal data destruction process in accordance with the periodic destruction period, by ensuring that the processes within the duty comply with the retention period

ANNEX 3- Personal Data Protection Committee Internal Directive