Personal Data Storage and Destruction Policy
ELOR HOLDING AND GROUP COMPANIES PERSONAL DATA STORAGE AND DISPOSAL POLICY
1.INTRODUCTION
1.1 Purpose
This Personal Data Storage and Destruction Policy ("Policy") has been prepared by Elor Holding ("Holding") to set out the procedures and principles governing the personal data storage and destruction activities carried out by the Holding. In line with the mission, vision and fundamental principles set out in its Strategic Plan, the Holding treats as a priority the processing of personal data belonging to Holding employees, employee candidates, interns, service providers, suppliers, visitors, customers and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data ("Law") and other relevant legislation, and ensuring that data subjects can exercise their rights effectively. Work and transactions relating to the storage and destruction of personal data are carried out in accordance with this Policy.
1.2 Scope
Personal data belonging to Holding employees, employee candidates, interns, service providers, suppliers, visitors, customers and other third parties fall within the scope of this Policy. The Policy applies to all recording media in which personal data owned or managed by the Holding are processed and to all personal data processing activities.
1.3 Abbreviations and Definitions
Recipient Group: The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee: Elor Holding staff.
Electronic Environment: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media : All written, printed, visual, etc. media other than electronic media.
Service Provider: A natural or legal person who provides services under a specific contract with Elor Holding.
Related Person (Data Subject): The natural person whose personal data are processed.
Related User: Persons who process personal data within the organisation of the data controller or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymisation of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any medium in which personal data processed wholly or partly by automatic means, or by non-automatic means provided that they are part of a data recording system, are kept.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes, associating them with the purposes and legal grounds for processing, the data category, the recipient group and the data subject group, and stating the maximum retention period required for the purposes of processing, the personal data foreseen to be transferred abroad and the measures taken regarding data security.
Personal Data Processing: Any operation performed on personal data, wholly or partly by automatic means or by non-automatic means provided that it is part of a data recording system, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.
Board: Personal Data Protection Board
Personal Data of Special Nature: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction: The process of deletion, destruction or anonymisation to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear.
Policy: Personal Data Retention and Destruction Policy
Data Processor: Natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller.
Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: The internet-accessible information system created and managed by the Presidency (the Presidency of the Personal Data Protection Authority), which data controllers use when applying to the Registry and in other transactions relating to the Registry.
VERBIS: Data Controllers Registry Information System
Regulation: Regulation on Deletion, Destruction or Anonymisation of Personal Data, published in the Official Gazette dated 28 October 2017.
2.RESPONSIBILITIES AND DUTIES
All units and employees of the Holding actively support the responsible units in taking the technical and administrative measures needed to ensure data security in every environment where personal data are processed, in order to prevent unlawful processing of and unlawful access to personal data and to ensure that personal data are stored in accordance with the law. This is achieved through the proper implementation of the technical and administrative measures taken by the responsible units under this Policy, through training and awareness raising, and through the monitoring and continuous supervision of unit employees.
The titles, units and job descriptions of those involved in the storage and destruction of personal data are given in Table 1.
Table 1: Task distribution for storage and destruction processes
| Title | Unit | Duty |
| --- | --- | --- |
| Personal Data Protection Committee (all unit managers) | Personal Data Protection Committee | Responsible for ensuring that employees act in accordance with the Policy. |
| Human Resources Unit Manager | Human Resources Unit | Responsible for the preparation, development, execution, publication in the relevant media and updating of the Policy. |
| Information Technologies Unit Manager | Information Technologies Unit | Responsible for providing the technical solutions needed to implement the Policy. |
| Legal Unit Officer, all Elor Holding unit managers | All units and employees of Elor Holding | Responsible for executing the Policy within the scope of their duties. |
3.RECORDING MEDIA
Personal data is securely stored by the Holding in accordance with the law in the environments listed in Table 2.
Table 2: Personal data storage media
| Electronic Media | Non-Electronic Media |
| --- | --- |
| Servers (domain, backup, e-mail, database, web, file sharing) | Paper |
| Software (all Holding software, e-mail systems) | Manual data recording systems (survey forms, visitor logbook) |
| Information security devices and software (firewall, intrusion detection and prevention, log files, antivirus, etc.) | Written, printed and visual media |
| Personal computers (desktop, laptop) | |
| Mobile devices (phone, tablet, etc.) | |
| Optical discs (CD, DVD, etc.) | |
| Removable storage (USB sticks, memory cards, etc.) | |
| Printers, scanners, photocopiers | |
4.EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data belonging to Holding employees, employee candidates, interns, service providers, suppliers, visitors, customers, and employees of third parties or organisations with which the Holding has a relationship, are stored and destroyed in accordance with the Law. Detailed explanations on storage and destruction are given below in turn.
4.1 Explanations on Safekeeping
Article 3 of the Law defines the concept of processing personal data; Article 4 requires that personal data be relevant, limited and proportionate to the purpose for which they are processed, and retained for the period stipulated in the relevant legislation or required for that purpose; Articles 5 and 6 list the conditions for processing personal data. Accordingly, within the framework of the Holding's activities, personal data are stored for the period stipulated in the relevant legislation or required by the processing purposes. Retention and destruction periods on a process basis are detailed in the Personal Data Processing Inventory (see also Table 5).
4.1.1 Legal Grounds Requiring Retention
Personal data processed within the framework of the Holding's activities are retained for the period stipulated in the relevant legislation. In this context, personal data;
- Turkish Code of Obligations numbered 6098,
- Turkish Commercial Code No. 6102,
- Social Security and General Health Insurance Law No. 5510,
- Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
- Tax Procedure Law No. 213 and related legislation
- Occupational Health and Safety Law No. 6331,
- Labour Law No. 4857,
- Social Services Law No. 2828
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
- other secondary legislation in force pursuant to these laws,
are retained for the retention periods stipulated in that legislation. The legal and operational reasons for data retention are detailed in the data inventory.
4.1.2 Processing Purposes Requiring Retention
Holding stores personal data processed within the framework of its activities for the following purposes.
● Execution of Emergency Management Processes
● Execution of Information Security Processes
● Execution of Employee Candidates and Internship Application Processes
● Fulfilment of Labour Contract and Legislative Obligations for Employees
● Execution of Employee Benefits and Fringe Benefits Processes
● Execution of Employee Satisfaction and Loyalty Processes
● Conducting Audit / Ethics Activities
● Conducting Training Activities
● Execution of Access Authorisations
● Execution of Activities in Compliance with the Legislation
● Execution of Finance and Accounting Affairs
● Ensuring Physical Space Security
● Monitoring and Execution of Legal Affairs
● Conducting Internal Audit / Investigation / Intelligence Activities
● Execution of Communication Activities
● Planning Human Resources Processes
● Execution / Supervision of Business Activities
● Execution of Occupational Health / Safety Activities
● Execution of Business Continuity Ensuring Activities
● Execution of Goods / Service Procurement Processes
● Execution of Goods / Service Sales Processes
● Organisation and Event Management
● Execution of Performance Evaluation Processes
● Execution of Contract Processes
● Ensuring Compliance with the Laws to which the Holding is Subject
● Execution of Wage Policy
● Ensuring the Security of Data Controller Operations
● Providing Information to Authorised Persons, Institutions and Organisations
● Foreign Personnel Work and Residence Permit Procedures
● Execution of Management Activities
4.2 Reasons Requiring Destruction
Personal data are deleted, destroyed or anonymised by the Holding, ex officio or upon the request of the data subject, where:
- the provisions of the relevant legislation that constitute the basis for processing are amended or repealed,
- the purpose requiring the processing or storage of the personal data ceases to exist,
- processing was carried out solely on the basis of explicit consent and the data subject withdraws that consent,
- the Holding accepts an application made by the data subject, within the framework of his/her rights under Article 11 of the Law, for the deletion or destruction of his/her personal data,
- the Holding rejects such an application for deletion, destruction or anonymisation, or the data subject finds the response insufficient or receives no response within the period stipulated in the Law, and the data subject lodges a complaint with the Board which the Board upholds,
- the maximum period required for retaining the personal data has expired and no condition justifies retaining them for a longer period.
5.TECHNICAL AND ADMINISTRATIVE MEASURES
Pursuant to Article 12 of the Law and, for personal data of special nature, the adequate measures determined and announced by the Board under Article 6, paragraph four of the Law, the Holding takes the technical and administrative measures needed to store personal data securely, to prevent unlawful processing of and access to personal data, and to destroy personal data in accordance with the law.
5.1 Technical Measures
The technical measures taken by the Holding in relation to the personal data it processes are listed below:
- Network security and application security are provided
- Domain passwords of employees are changed every 6 months. In addition, multi-factor authentication is performed in appropriate structures.
- Penetration tests are used to reveal risks, threats and vulnerabilities, if any, affecting the Holding's information systems, and the necessary measures are taken.
- Risks and threats that will affect the continuity of information systems are continuously monitored by the Information Technologies Unit as a result of analyses made in real time with information security incident management.
- Access to information systems, authorisation of users and user account management are carried out and controlled through access and authorisation matrix and Holding-based security policies.
- Cloud environments can be accessed with a username and password by defining the access authorisations of the relevant users. In this way, the security of stored personal data is ensured.
- Security measures within the scope of procurement, development and maintenance of information technology systems are implemented according to the relevant procedures.
- Physical documents are destroyed with a paper shredder or by incineration, within the company or by an outsourced provider.
- Necessary measures are taken for the physical security of Holding information systems equipment, software and data
- In order to ensure the security of information systems against environmental threats, hardware (fingerprint access control system that allows only authorised personnel to enter the system room, fire extinguishing system and air conditioning system) and software (firewalls, attack prevention systems, network access control, anti-virus software) measures are taken.
- Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.
- Personal data are backed up under the responsibility of the Holding and the companies from which it receives cloud services, and the security of the backed-up personal data is also ensured.
- USB port usage is disabled within the Holding. Where there is a need, the system administrator allows temporary use for the requesting user; once the need ends, the USB port is disabled again for that user.
- An access control procedure is established within the Holding, and reporting and analyses are carried out regarding access to personal data.
- Access to storage areas containing personal data is logged, and inappropriate access or access attempts are kept under control.
- The Holding takes necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
- In the event that personal data is unlawfully obtained by others, a suitable system and infrastructure has been established by the Holding to notify the relevant person and the Board.
- Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date
- Strong passwords are used in electronic environments where personal data are processed. Passwords that do not comply with the password policy are not accepted.
- In accordance with Law No. 5651, log records are kept without user intervention. Data backup programmes are used to ensure the secure storage of personal data.
- Secure access to the Holding's website is provided by means of a TLS (SSL) certificate. Cyber security measures have been taken and their implementation is constantly monitored.
5.2 Administrative Measures
The administrative measures taken by the Holding in relation to the personal data it processes are listed below:
- In order to improve the quality of employees, trainings are provided on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the protection of personal data, communication techniques, technical knowledge skills, Labour Law and other relevant legislation.
- An authorisation matrix has been created for employees.
- Confidentiality agreements are signed by employees regarding the activities carried out by the Holding.
- A disciplinary procedure has been prepared for employees who do not comply with safety policies and procedures.
- Corporate policies and procedures on access, information security, use, personal data storage and destruction have been prepared and implemented.
- The authorisation of employees who have been reassigned or left their jobs is cancelled.
- Before starting to process personal data, the Holding fulfils its obligation to inform the data subjects.
- Necessary security measures are taken for entry and exit to and from physical environments containing personal data.
- Personal data security is monitored.
- Personal data processing inventory has been prepared.
- Periodic and unplanned inspections are carried out within the Holding.
- Awareness of data processing service providers on data security is ensured.
- The data controller carries out data security internal and external audits of data processors.
- Information security trainings are provided for employees.
- The signed contracts contain provisions on the protection of personal data. Contracts are kept in locked cabinets.
- Registration has been made with the Data Controllers Registry Information System (VERBIS).
- A risk/threat assessment has been made with regard to the protection of personal data.
- Personal data is minimised as much as possible.
- Personal data security issues are reported quickly.
Additional measures for personal data of special nature: in addition to the measures listed above,
- Trainings are regularly provided on the Law and related regulations and special categories of personal data security.
- Confidentiality agreements are in place.
- The scope and duration of authorisation of users who are authorised to access data are clearly defined.
- Authority checks are carried out periodically.
- The authorisation in this area is immediately revoked for employees who change their duties or leave their jobs.
- In this context, the equipment and other assets allocated to such employees by the data controller are returned.
- According to the nature of the environment where sensitive personal data is located, it is ensured that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken.
- Providing physical security of these environments prevents unauthorised entry and exit.
- If it is necessary to transfer data via paper media, necessary precautions are taken against risks such as theft, loss or unauthorised viewing of the document and the document is sent in the format of "confidential documents".
- If personal data of special nature are to be sent by electronic mail, they are sent encrypted, using KEP (Registered Electronic Mail) or a corporate mail account. Secure encryption/cryptographic keys are used for such data and are managed by different units.
6. TECHNIQUES OF PERSONAL DATA DESTRUCTION
At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, personal data are destroyed by the Holding ex officio or upon the application of the person concerned, in accordance with the provisions of the relevant legislation, using the following techniques.
6.1 Deletion of Personal Data
Personal Data on Servers: For personal data on servers whose retention period has expired, the system administrator removes the access authorisation of the relevant users, so that the data are no longer accessible to them.
Personal Data in Electronic Media: Personal data in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.
Personal Data in Physical Media: Personal data kept in physical media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive. In addition, redaction is applied by striking through, painting over or erasing the data so that it cannot be read.
Personal Data on Portable Media : Personal data stored in Flash-based storage media are stored encrypted. The personal data stored in these media are deleted with appropriate software and the relevant users are not authorised to access and retrieve the deleted data.
Personal Data in Cloud Environments : Access to personal data in cloud environments is encrypted. The data in the cloud system is deleted by the system administrator with the delete command and the access and retrieval authorisations of the relevant users to the personal data in these environments are eliminated.
6.2 Destruction of Personal Data
Personal data are destroyed by the Holding in the following ways.
Personal Data in Physical Media: Personal data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines or by incineration, within the company or by an outsourced provider.
Personal Data in Optical/Magnetic Media: Personal data in optical and magnetic media whose retention period has expired are destroyed by overwriting the media so that the old data cannot be recovered.
Personal Data in Cloud Environments: While personal data are stored and used in cloud environments, they are encrypted using cryptographic methods and, where possible, a separate encryption key is used for each cloud service from which the Holding receives service. When the cloud computing service relationship ends, all copies of the encryption keys needed to make the personal data usable are destroyed, so that any ciphertext remaining with the provider cannot be recovered.
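The key-destruction technique described above (often called crypto-shredding) is illustrated by the following added example. It is not part of the Policy or of any Holding system: the `CloudSolution` type, its method names and the sample record are assumptions made for illustration. The example uses AES-256-GCM from Go's standard library, one key per cloud solution, and shows that once the key is zeroed the ciphertext still held by the provider can no longer be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once the key for a cloud solution has been shredded.
var ErrKeyDestroyed = errors.New("encryption key destroyed: records are no longer recoverable")

// Record is all that the cloud provider holds: nonce and AES-GCM ciphertext.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// CloudSolution pairs the provider-side records with the Holding-side key for
// one cloud service (hypothetical type; one key per cloud solution, as the
// Policy recommends). key is nil after Shred.
type CloudSolution struct {
	key     []byte
	records map[string]Record
}

// NewCloudSolution generates a fresh 256-bit AES key for this service.
func NewCloudSolution() (*CloudSolution, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &CloudSolution{key: key, records: make(map[string]Record)}, nil
}

// aead builds the AES-256-GCM cipher, or fails if the key has been destroyed.
func (c *CloudSolution) aead() (cipher.AEAD, error) {
	if c.key == nil {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record before it leaves the Holding. The record ID is bound
// as associated data so a ciphertext cannot be swapped between IDs.
func (c *CloudSolution) Put(id string, plaintext []byte) error {
	gcm, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.records[id] = Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(id))}
	return nil
}

// Get fetches and decrypts a record; after Shred it returns ErrKeyDestroyed.
func (c *CloudSolution) Get(id string) ([]byte, error) {
	rec, ok := c.records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(id))
}

// Shred destroys the key: zero the bytes in memory, then drop the reference.
// The provider may still hold every ciphertext; without the key it is noise.
func (c *CloudSolution) Shred() {
	for i := range c.key {
		c.key[i] = 0
	}
	c.key = nil
}

// StoredCiphertexts reports how many records the provider still holds (for audit).
func (c *CloudSolution) StoredCiphertexts() int { return len(c.records) }

func main() {
	svc, err := NewCloudSolution()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real personal data.
	_ = svc.Put("employee-0001", []byte("Ayşe Yılmaz; Finance Unit; start date 2019-03-01"))
	pt, _ := svc.Get("employee-0001")
	fmt.Printf("before shred: %s\n", pt)
	svc.Shred()
	_, err = svc.Get("employee-0001")
	fmt.Printf("after shred: %v (ciphertexts still at provider: %d)\n", err, svc.StoredCiphertexts())
}
```

In a real deployment the key would live in a key management service or HSM under the Holding's control rather than in process memory, and "all copies" means every backup and escrow copy of the key as well; the destruction record required by Table 5 should then reference the key identifier, not the ciphertexts.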
7. STORAGE AND DISPOSAL PERIODS
In relation to personal data processed by the Holding within the scope of its activities, retention periods for each personal data item, depending on the process concerned, are set out in the Personal Data Processing Inventory; retention periods by data category are declared in the VERBIS registration; and retention periods by process are given in Table 5 below. These retention periods are updated by the Personal Data Protection Committee where necessary. Ex officio deletion, destruction or anonymisation of personal data whose retention period has expired is carried out by the Information Technologies Unit.
Table 5: Table of retention and disposal times by process
| Process | Storage Period | Destruction Time |
| --- | --- | --- |
| Drafting of contracts | 10 years following the expiry of the contract | In the first periodic destruction period following the end of the storage period |
| Execution of Holding Communication Activities | 10 years following the cessation of activity | In the first periodic destruction period following the end of the storage period |
| Execution of Human Resources Processes | 10 years following the cessation of activity | In the first periodic destruction period following the end of the storage period |
| Log Records | Maximum 2 years | In the first periodic destruction period following the end of the storage period |
| Execution of Hardware and Software Access Processes | 2 years from the date of entry into the system | In the first periodic destruction period following the end of the storage period |
| Visitors and Meeting Participants | 2 years after the end of the event | In the first periodic destruction period following the end of the storage period |
| Legal Transactions | 10 years from the date of exit | In the first periodic destruction period following the end of the storage period |
| Financial Transactions | 10 years following the termination of the commercial relationship/activity | In the first periodic destruction period following the end of the storage period |
| Camera Recordings | 4 months | In the first periodic destruction period following the end of the storage period |
| Records of erasure or destruction of personal data | 1 year from deletion or destruction | In the first periodic destruction period following the end of the storage period |
| Records on employee candidates and references | 1 month after the application date | In the first periodic destruction period following the end of the storage period |
8. PERIODIC DISPOSAL PERIOD
In accordance with Article 11 of the Regulation, the Holding has determined the periodic destruction period as 6 months, which is the maximum the Regulation permits. Accordingly, the Holding carries out periodic destruction operations in June and December every year.
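The rule in Table 5 ("in the first periodic destruction period following the end of the storage period") combined with the six-monthly schedule above can be checked mechanically. The following is an added example, not a tool of the Holding: it encodes the Table 5 periods as whole months after the triggering event, assumes the June and December runs fall on the last day of each month (the Policy names only the months), and computes, for constructed sample items, the run in which each must be destroyed and which items are due in a given run.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// retentionMonths encodes Table 5 as "months after the trigger event" (contract
// expiry, end of event, application date, recording date, ...). Hypothetical
// helper; the process names follow Table 5.
var retentionMonths = map[string]int{
	"Drafting of contracts":                               120,
	"Execution of Holding Communication Activities":       120,
	"Execution of Human Resources Processes":              120,
	"Log Records":                                         24,
	"Execution of Hardware and Software Access Processes": 24,
	"Visitors and Meeting Participants":                   24,
	"Legal Transactions":                                  120,
	"Financial Transactions":                              120,
	"Camera Recordings":                                   4,
	"Records of erasure or destruction of personal data":  12,
	"Records on employee candidates and references":       1,
}

// Item is one retained data set and the date that started its retention clock.
type Item struct {
	ID      string
	Process string
	Trigger time.Time
}

// RetentionEnd returns the day the retention period expires. Assumption: the
// period is counted in whole months from the trigger date (time.AddDate
// normalises e.g. 31 January + 1 month into early March).
func RetentionEnd(it Item) (time.Time, bool) {
	months, ok := retentionMonths[it.Process]
	if !ok {
		return time.Time{}, false
	}
	return it.Trigger.AddDate(0, months, 0), true
}

// NextPeriodicDestruction returns the first periodic run that is not before t.
// Section 8 names June and December; the last day of each month is assumed here.
func NextPeriodicDestruction(t time.Time) time.Time {
	y := t.Year()
	runs := []time.Time{
		time.Date(y, time.June, 30, 0, 0, 0, 0, time.UTC),
		time.Date(y, time.December, 31, 0, 0, 0, 0, time.UTC),
		time.Date(y+1, time.June, 30, 0, 0, 0, 0, time.UTC),
	}
	for _, r := range runs {
		if !r.Before(t) {
			return r
		}
	}
	return runs[len(runs)-1]
}

// DestructionDate combines the two rules: the run for an item is the first
// periodic run on or after the end of its retention period.
func DestructionDate(it Item) (time.Time, bool) {
	end, ok := RetentionEnd(it)
	if !ok {
		return time.Time{}, false
	}
	return NextPeriodicDestruction(end), true
}

// DueInRun lists the IDs that must be destroyed in the run dated runDate,
// including anything an earlier run missed; sorted so the list is auditable.
func DueInRun(items []Item, runDate time.Time) []string {
	var due []string
	for _, it := range items {
		if d, ok := DestructionDate(it); ok && !d.After(runDate) {
			due = append(due, it.ID)
		}
	}
	sort.Strings(due)
	return due
}

func main() {
	// Constructed sample items, not real records.
	items := []Item{
		{"cam-2024-01", "Camera Recordings", time.Date(2024, time.January, 15, 0, 0, 0, 0, time.UTC)},
		{"visit-0042", "Visitors and Meeting Participants", time.Date(2024, time.March, 10, 0, 0, 0, 0, time.UTC)},
		{"contract-0007", "Drafting of contracts", time.Date(2014, time.August, 1, 0, 0, 0, 0, time.UTC)},
	}
	for _, it := range items {
		d, _ := DestructionDate(it)
		fmt.Printf("%-14s destroy in run of %s\n", it.ID, d.Format("2006-01-02"))
	}
	fmt.Println("due on 2024-06-30:", DueInRun(items, time.Date(2024, time.June, 30, 0, 0, 0, 0, time.UTC)))
}
```

An item whose retention ends exactly on a run date is destroyed in that run, and an item whose retention ends on 1 January waits until 30 June; a process name missing from the table is reported rather than silently skipped, which is the case an auditor would want flagged.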
All unit managers are responsible for the implementation and management of the Personal Data Storage and Destruction Policy. In the event of a non-conformity in the activities specified in the storage and destruction process, such as a breach or a security weakness, the requirements of the Non-Conformity and Corrective Action Procedure are applied.
9. PUBLICATION AND STORAGE OF POLICY
The policy is published electronically, disclosed to the public on the website and kept in the document management system.
10.POLICY UPDATE PERIOD
The policy is reviewed once a year and as needed, and sections in need of change are updated.
11.EFFECTIVENESS AND ABOLITION OF THE POLICY
The Policy shall be deemed to have entered into force upon its publication on the websites of the Holding and the relevant group companies. If it is decided to abolish the Policy, the old wet-signed copies of the Policy shall be cancelled by decision of the Board of Directors, marked as cancelled (by stamp or handwritten note) and signed, and kept for at least 5 years. Copies in electronic media shall be cancelled by persons authorised to do so, after authentication with their credentials.
Please click to download the data subject application form.