TUGBA KURUYEMIS: STORAGE OF PERSONAL DATA AND DISPOSAL POLICY

 

INTRODUCTION

  1. Purpose and Scope of Policy Preparation
  2. Definitions and Abbreviations
  3. Responsibility and Duty Distribution
  4. Recording Media of Personal Data
  5. Retention and Disposal of Personal Data

5.1.    About the Retention of Personal Data

5.2.    Reasons for Retention of Personal Data

5.3.    Recording Objectives Requiring Processing of Personal Data

  6. Retention of Personal Data

6.1.    Administrative Measures

6.2.    Technical Measures

  7. Personal Data Destruction Techniques

7.1.    Delete of the Personal Data

7.2.    Disposal of the Personal Data

7.3.    Making Personal Data Anonymous

  8. Periods of Retention and Disposal of Personal Data
  9. Periodic Disposal Period of Personal Data
  10. Updating of Retention and Disposal of Personal Data Policy

 

 

 

 

IN ACCORDANCE WITH THE 6698 NUMBERED LAW (“KVKK”) ON THE PROTECTION OF PERSONAL DATA

PERSONAL DATA RETENTION AND DISPOSAL POLICY

 

INTRODUCTION

 

1.     Purpose and Scope of Policy Preparation

 

The Personal Data Retention and Disposal Policy (“Policy”) has been prepared in order to determine the procedures and principles for the work and transactions related to the personal data retention and destruction activities of Tugba Kuruyemis Şekerleme Gıda Meşrubat İnşaat Turizm Yerli Ürünleri İmalat San. Tic. İth ve İhr. Ltd. Şti. (“Company”), which is responsible for the data within the scope of the Personal Data Protection Law No. 6698 (“KVKK”).

Tugba Kuruyemis Şekerleme Gıda Meşrubat İnşaat Turizm Yerli Ürünleri İmalat San. Tic. İth ve İhr. Ltd. Şti., founded in Turkey, has been determined as data controller in accordance with the basic principles, the Constitution of the Republic of Turkey, International Conventions, Law No. 6698 on Protection of Personal Data and other relevant legislation, in order to ensure the rights, and the effective use of those rights, of the relevant persons with regard to the personal data of the company employees, employee candidates, service providers, visitors, retail customers shopping from stores, the company’s customers shopping from the website of the company www.tugbacarsipazar.com and other third-party customers who shop.

The company employees are obliged to comply with the provisions of this Policy and the provisions of KVKK and all other relevant legislation while performing their duties.

In line with this Policy, necessary training is provided to raise personal data awareness in order to process and protect personal data. All administrative and technical measures necessary for the compliance of the Company, its shareholders, officials and employees and commercial business partners with the KVKK will be carried out and periodic audit processes will be conducted.

The work and transactions related to the storage and destruction of personal data will be carried out in accordance with this PERSONAL DATA RETENTION and DISPOSAL POLICY, which was prepared by the Company within the scope of the Personal Data Protection Law no. 6698.

 

 

 

 

 

 

2.     Definitions and Abbreviations

 

ABBREVIATION | DEFINITION
RECEIVER GROUP | The category of natural or legal person to whom personal data is transmitted by the data officer.
EXPRESS CONSENT | Consent that is based on information and expressed with free will on a particular subject.
ANONYMIZATION | It means that, even if the data is mapped to other data, it can in no way be made identifiable to an identified or identifiable natural person.
EMPLOYEE | Tugba Kuruyemis Staff
SERVICE PROVIDER | A natural or legal person providing services under a specific contract with Tugba Kuruyemis.
DISRUPTION | Deletion, destruction or anonymization of personal data
RELATED PERSON | The real person whose personal data is processed
LAW / KVKK | Law No. 6698 on Protection of Personal Data
RECORD ENVIRONMENT | Any kind of environment where personal data is processed.
PERSONAL DATA | Any information relating to a particular or identifiable person
PERSONAL DATA PROCESSING | A process that begins with the first-time acquisition of personal data, either fully or partially automated or non-automated, provided that it is part of any data recording system, and any subsequent processing is data processing.
RETENTION OF PERSONAL DATA | Deletion of relevant users in a way that cannot be restored in any way.
COMMITTEE | Personal Data Protection Board
AUTOMATIC PROCESSING | A data processing activity performed by an interconnected and interactive electrical or electronic system that minimizes the need for human intervention or assistance.
SENSITIVE PERSONAL DATA |
PERIODIC DISPOSAL | The process of deleting, destroying or anonymizing at the repeated intervals specified in the policy of storing and destroying personal data in the event that all of the personal data contained in the law is terminated.
POLICY | Personal Data Retention and Disposal Policy
COMPANY | Tugba Kuruyemis Şekerleme Gıda Meşrubat İnşaat Turizm Yerli Ürünleri İmalat San. Tic. İth ve İhr. Ltd. Şti.
DATA CONTROLLER | A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
VERBIS | Data Responsible Registry Information System
REGULATION | All kinds of regulations issued within the scope of KVKK numbered 6698.

 

 

3.     Responsibility and Duty Distribution

All units and employees of the Company are required to implement the technical and administrative measures taken by the responsible units within the scope of the Policy, and to actively support the units responsible for taking technical and administrative measures to ensure data security in all environments where personal data is processed, so that the data is stored in accordance with the law. The distribution of titles, units and job descriptions of the individuals involved in the retention and destruction of personal data is shown in Table A.

Table A.

TITLE | UNIT | TASK
Legal Affairs Supervisor | Legal Affairs Unit | It is responsible for checking whether the purposes and methods of personal data processing are in compliance with the provisions set out in KVKK and other relevant legislation.
Data Management and Security Unit Supervisor | Data Management and Security Unit | It is responsible for the preparation, development, implementation, publication and updating of the Policy and the provision of the technical solutions needed to implement the Policy.
Human Resources Unit Supervisor | Human Resources Department | Responsible for the execution of the Policy in the context of personal data.

 

 

4.     Recording Media of Personal Data

 

The personal data are stored securely and in accordance with the law by the Company in the environments listed in Table B.

 

Table B.

Electronic Environment

  • Servers (Domain, backup, e-mail with company extension, database, web, file sharing, etc.)
  • Software (office software, portal, EBYS, VERBIS.) Our own software name? **
  • Information security devices (firewall, intrusion detection and blocking, log file, antivirus etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Printer, scanner, copier

Non-Electronic Environment

  • Paper
  • Manual data recording systems (survey forms, visitor logbook)
  • Written, printed, visual media

 

5.     Retention and Disposal of Personal Data

 

The personal data we collect are stored securely in a physical or electronic environment for the appropriate period of time in order to perform the Company’s activities. The KVKK acts heavily on the obligations of all relevant legislation. In the event that the purposes of processing personal data are terminated, the data are deleted, destroyed or made anonymous by the Company at the latest in the 6 (six)-month periodic destruction or at the request of those concerned.

Personal data will be destroyed in a way that cannot be restored in any way.

In cases where the Company has a legitimate interest, even if the processing purpose has ended and the periods mentioned in the related laws have expired, the data controller will retain the personal data, without causing any loss of the fundamental rights and freedoms of the related person, until the completion of the limitation periods mentioned in legislation such as the Law of Obligations, Commercial Code, Labor Law, Consumer Law and other relevant legislation. After the expiry of the limitation periods, the personal data will be deleted, destroyed or anonymized.

 

5.1. About the Retention of Personal Data

Pursuant to Article 4 of KVKK, personal data are retained in a limited and measured manner, for the period required for the purpose for which they are processed or for the period foreseen in the relevant legislation.

5.2. Reasons for Retention of Personal Data

The personal data recorded by the Company are kept due to the following legislation and the provisions of the legislation published and to be published, including but not limited to those listed below.

1- Law No. 6698 on Protection of Personal Data

2- Turkish Code of Obligations No. 6098

3- Turkish Commercial Code No. 6102

4- Labor Law No. 4857

5- Law No. 5510 on Social Insurance and General Health Insurance

6- Tax Procedure Law No. 213

7- Occupational Health and Safety Law No. 6331

8- Law No. 6563 on the Regulation of Electronic Commerce

9- Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications

 

5.3. Recording Objectives Requiring Processing of Personal Data

Personal data is kept securely in physical or electronic environments within the scope of KVKK and other legislation in order to plan and manage employee processes, to conduct commercial activities, to manage legal disputes, to develop customer marketing techniques, and to develop the website. These purposes are detailed below.

  • Conducting Emergency Management Processes
  • Conducting Information Security Processes
  • Carrying out the process of recruiting candidate / trainee / student
  • Carrying out the Application Process of the Candidates
  • Conducting Employee Satisfaction and Engagement Processes
  • Fulfillment of Obligations for Employees arising from Employment Contract and Legislation
  • Conducting Benefits and Benefits Processes for Employees
  • Conducting Audit / Ethical Activities
  • Conducting Training Activities
  • Execution of Access Powers
  • Conducting Activities in Accordance with the Legislation
  • Execution of Finance and Accounting
  • Conducting Loyalty Processes for Companies / Products / Services
  • Ensuring Physical Space Security
  • Execution of Assignment Processes
  • Monitoring and Execution of Legal Affairs
  • Conducting Internal Audit / Investigation / Intelligence Activities
  • Conducting Communication Activities
  • Human Resources Process Planning
  • Execution / Audit of Business Activities
  • Conducting Occupational Health / Safety Activities
  • Receiving and Evaluating Suggestions for Improving Business Processes
  • Conducting Business Continuity Activities
  • Conducting Logistics Activities
  • Conducting Procurement Processes
  • Conducting After Sales Support Services
  • Conducting Sales of Goods / Services
  • Execution of Goods / Services Production and Operation Processes
  • Conducting Customer Relationship Management Processes
  • Conducting Customer Satisfaction Activities
  • Organization and Event Management
  • Conducting Marketing Analysis Studies
  • Conducting Performance Evaluation Processes
  • Conducting Advertising / Campaign / Promotion Processes
  • Execution of Risk Management Processes
  • Conducting Custody and Archive Activities
  • Social Responsibility and Civil Society Activities
  • Conducting Contract Processes
  • Conducting Sponsorship Activities
  • Conducting Strategic Planning Activities
  • Tracking Requests / Complaints
  • Ensuring Security of Movable Goods and Resources
  • Conducting Supply Chain Management Processes
  • Execution of Remuneration Policy
  • Conducting Marketing Processes of Products / Services
  • Ensuring the Security of Data Officer Operations
  • Foreign Personnel Work and Residence Permit Procedures
  • Conducting Investment Processes
  • Carrying out Talent / Career Development Activities
  • Informing Authorized Persons, Institutions and Organizations
  • Conducting Management Activities
  • Creating and Tracking Visitor Records

 

 

 

6.     Retention of Personal Data

 

The Company undertakes the necessary technical and administrative measures to prevent unlawful processing, unlawful access to the personal data it is processing, and to ensure the safeguarding of the data.

If, in spite of all the technical and administrative measures taken, the personal data processed is unlawfully seized by third parties, the Company informs the related units and institutions as soon as possible.

6.1.  Administrative measures

  • Employees are provided with KVKK and personal data awareness and importance training by the Company Legal Counsel.
  • Corporate policies on access, information security, usage, storage and disposal have been prepared and implemented.
  • There are disciplinary regulations including data security provisions for employees.
  • The Company employs its employees, who interact with personal data, from experienced persons and provides training on measures to prevent unlawful access to personal data.
  • Confidentiality commitments are made.
  • Access to personal data within the Company is restricted; using encrypted software, it is closed to all employees other than authorized personnel.
  • Personal data security policies and procedures have been determined.
  • Extra security measures are taken for the personal data transferred via paper and the related documents are sent in confidential document format.
  • The authorizations of employees who have changed or left their jobs are removed.
  • Personal data security problems are reported quickly.
  • Personal data security is monitored.
  • Personal data is reduced as much as possible.
  • Signed contracts contain data security provisions.
  • Employees are told that they cannot disclose the personal data they learn through the Company’s search in contradiction with the provisions of KVKK and that they will never use the data except for the purpose of processing, and that they will continue after the termination of the job and the necessary commitments are taken in this regard.
  • Protocols and procedures for the security of personal data have been determined and implemented.
  • In the agreements made with third parties, it is stipulated that the personal data cannot be transferred within the scope of KVKK, if the transfer is done, the contracting party will have a criminal obligation, the compensation or administrative fine to be imposed to the Company as a result of the transfer of the third party shall be recourse to the third party.
  • Data service providers are regularly audited on data security.
  • Awareness of data service providers about data security is provided.
  • The Company periodically performs the necessary audits for the implementation of the provisions of KVKK and eliminates the weaknesses identified in those audits.

 

6.2.  Technical measures

  • Network security and application security are provided.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Access logs are kept regularly.
  • Log records are kept without user intervention.
  • Data masking is applied when necessary.
  • Risks, threats, weaknesses and openings, if any, in the Company’s information systems are revealed through penetration tests and the necessary measures are taken.
  • In order to ensure the security of information systems against environmental threats, hardware measures (encrypted access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, providing physical security of the edge switches constituting the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, intrusion prevention systems, network access control, systems preventing malicious software, etc.) are taken.
  • Access to the storage areas where personal data is stored is protected by a password lock and the areas are recorded and inappropriate access or access attempts are kept under control.
  • Data loss prevention software is used.
  • The institution ensures that deleted personal data is destroyed by a subject-matter expert so that it cannot be accessed or reused by the relevant users.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
  • Personal data is backed up and the security of the backed-up personal data is also ensured.
  • User account management and authorization control system is applied and these are also followed.
  • Intrusion detection and prevention systems are used.
  • Penetration test is applied.
  • Encryption is done.
  • If private personal data is to be sent by electronic mail, it is always sent encrypted, using REM or a corporate mail account.
  • Access to personal data stored in electronic or non-electronic environments is restricted to external access to authorized persons according to the access principles.
  • A policy has been determined for the security of personal data.
  • Trainings have been given for the employees involved in special personal data processing processes on special personal data security, confidentiality agreements have been made and the authorizations of the users who have access to the data have been defined.
  • Electronic media where special personal data are processed, stored and / or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the media are continuously monitored, and the necessary security tests are conducted regularly and their results recorded.
  • Adequate security measures are taken in the physical environments where special personal data are processed, stored and / or accessed, and physical security is ensured and unauthorized entry and exit is prevented.

 

7.     Personal Data Destruction Techniques

 

The data processed by the company shall be destroyed by the company at the end of the period stipulated in KVKK and the relevant legislation or the retention period required for the purpose for which they were processed, upon the application of the person or the person concerned, in accordance with the provisions of the relevant legislation through the below mentioned techniques.

7.1. Delete of the Personal Data

  • The personal data on the servers are deleted by technical personnel.
  • Personal Data in Electronic Environment is deleted by technical personnel.
  • Personal Data in Physical Environment, personal data determined by the responsible shall be made inaccessible, scratched or blacked out so that they cannot be erased.

7.2. Disposal of the Personal Data

1- Personal Data in Electronic Environment, personal data determined by the responsible is destroyed by means of paper destruction machine.

2- Personal Data in Optical / Magnetic (Harddisk) Media by the technical personnel …… ask the computer technician *** ??

7.3. Making Personal Data Anonymous

Making anonymous, or anonymization, means that the data cannot be associated with an identified or identifiable natural person, even if the data is mapped to other data. In this context, data cannot be considered anonymized if, by examining the remaining data and pairing or supporting it with other data, it can be understood to whom the data belongs.

Within the Company, the policy of deleting and destroying personal data is implemented and the anonymization of personal data is not applied.

 

8.     Periods of Retention and Disposal of Personal Data

 

The liabilities of the legal regulations are taken into consideration when determining the storage period of the personal data processed by the Company. Apart from legal regulations, taking into account the purposes of processing personal data, the time period stipulated in KVKK and the related legislation or the retention period required for the purpose they are processed is determined. If the purpose of data processing is eliminated, the data is deleted, destroyed or made anonymous by the company, unless there is any other legal reason or basis for data retention.

If the purpose of processing personal data is over and the period stipulated in the KVKK and the relevant legislation or the retention period required for the purpose for which they are processed has been reached the personal data may only be stored in order to provide evidence in case of possible legal disputes or to assert the relevant right to personal data or to establish defense. The statutory limitation periods are set in order to claim the right mentioned in the establishment of the periods here. After these periods, personal data is deleted, destroyed or anonymized.

In the event that the period foreseen in the legislation for the retention of such personal data expires or if no time is stipulated in the relevant legislation for the retention of such data, the data shall be deleted, destroyed or anonymized by the data officer within 6 months at the latest. Unless otherwise decided by the Authority, the Company chooses the appropriate method of deleting, destroying or anonymizing personal data. Storage and disposal times on the basis of personal data are shown in Table C.

 

Table C.

PERSONAL DATA | RETENTION PERIOD | DISPOSAL PERIOD
ID | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Contact | 10 years from the end of the legal relationship | Immediately on the expiry of the retention period
Location | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Personal information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Legal action | 10 years from the end of the legal relationship | Automatically after 3 months from the date of data processing
Customer Transaction | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Physical Space Security | 3 Months | During the first periodic destruction after the end of storage period
Transaction Security | 2 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Risk management | 10 years | During the first periodic destruction after the end of storage period
Finance | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Professional experience | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Marketing | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Audio-Visual Records | 3 Months | During the first periodic destruction after the end of storage period
Health Information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Criminal Conviction and Security Measures | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Biometric Data | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Certificate and Training Information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Bank information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Board Member Information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Employee Candidate Information | 6 Months | During the first periodic destruction after the end of storage period
Family members and close information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Excuse Information | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Execution Followings | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Hand writing and Signature | 10 years from the end of the legal relationship | During the first periodic destruction after the end of storage period
Reference Information | 6 Months | During the first periodic destruction after the end of storage period
Request and Complaint Information | 6 Months | During the first periodic destruction after the end of storage period
Social Media Data | 6 Months | During the first periodic destruction after the end of storage period
Occupational health and Safety | 15 years from the end of the legal relationship | During the first periodic destruction after the end of storage period

 

 

9.     Periodic Disposal Period of Personal Data

 

The Company assessed the period of destruction within the scope of KVKK and determined it to be 6 months. The Company attaches importance to the destruction of personal data. According to this period, the Company carries out periodic destruction in June and December each year.

 

10.    Updating of Retention and Disposal of Personal Data Policy

 

Until a more current version is published, the most recent policy remains in force.

If necessary, the necessary sections are updated by the Company.

This policy was updated on 21/12/2019.