SLPLUS METAL MADEN SANAYİ DIŞ TİCARET A.Ş. STORAGE AND DESTRUCTION POLICY
The Personal Data Storage and Destruction Policy was prepared to identify the procedures and principles for the activities relating to the storage and destruction of personal data processed by SLPLUS METAL MADEN SANAYİ DIŞ TİCARET A.Ş., within the scope of Article 7 of Law No. 6698 on the Protection of Personal Data (KVKK).
SLPLUS METAL MADEN SANAYİ DIŞ TİCARET A.Ş. processes and protects the personal data it stores while carrying out its operations, in keeping with the KVKK and applicable legislation. In addition to the requirement that personal data must be processed in compliance with law, they must also be destroyed lawfully, and this storage and destruction policy contains the phases relating to the planning of the process concerning the storage and destruction of the processed personal data.
The company acts diligently in order to perform the obligations prescribed for data controllers by the Law No. 6698 on the Protection of Personal Data, and carries out all procedural acts relating to the processing of personal data, as required by the Personal Data Protection Board.
This policy covers the personal data belonging to the relevant persons recorded in the data inventory prepared by the company, as well as the personal data to be obtained from the relevant persons in the subsequent process.
|Law||Law No. 6698 on the Protection of Personal Data|
|Board||Personal Data Protection Board|
|Relevant Person/Data Subject||The natural person whose personal data are processed.|
|Personal Data||Any information relating to an identified or identifiable natural person|
|Private Personal Data||Data of persons in relation to their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and their biometric and genetic data.|
|Any transaction carried out on the data, such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available, classification or prevention of use of personal data, by fully or partly automated means, or by non-automated means provided that they are part of a data recording system.|
|Data Controller||Natural or legal person identifying the processing objectives and means of personal data, and responsible for the establishment and management of the data recording system.|
|Data Processor||Natural or legal person processing personal data on behalf of the data controller, based on the authority granted by the data controller.|
|Recording media||Any environment containing personal data which are processed by fully or partly automated means, or by non-automated means provided that they are part of a data recording system.|
|Personal Data Destruction||Destruction of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable by any person in any manner whatsoever.|
|Deletion of Personal Data||Deletion of personal data is the process of rendering personal data inaccessible and non-reusable by relevant users in any manner.|
|Anonymization||The process of rendering it impossible for personal data to be associated with any identified or identifiable natural person in any way, even if the personal data are matched with other data.|
|Periodical destruction||The deletion, destruction or anonymization of personal data, as specified in the personal data storage and destruction policy, which shall be carried out ex officio at recurrent intervals, in the case that all conditions for processing of personal data specified under the Law cease to exist.|
|Personal Data Processing Inventory||The inventory formed by data controllers where they give details of their personal data processing activities which are carried out by them according to their business processes, by associating them to the purpose of the personal data processing, the data categories, the recipient group and the data subject group, and by explaining the maximum period for which personal data will be processed for the required purposes, the personal data anticipated to be transferred to foreign countries, and the measures taken regarding data security.|
ELECTRONIC - PHYSICAL RECORDING MEDIA
Environment containing personal data which are processed by fully or partly automated means, or by non-automated means provided that they are part of a data recording system.
Personal data are processed in compliance with the provisions of the KVKK and applicable legislation, according to the recording media indicated in the following table.
- Backup Areas (servers)
- Paper etc.
DATA CONTROLLER AND THE RELEVANT PERSON
In processing personal data, SLPLUS METAL MADEN SANAYİ DIŞ TİCARET A.Ş. attaches importance to the protection of the fundamental rights and liberties of individuals, including in particular the right to privacy, and strives to make plans that are compliant with the procedures and principles identified in the law in order to ensure that the personal data that are processed or that will be processed are protected through the necessary administrative and technical measures.
The company also carries out all the necessary planning and conducts the related processes in compliance with the Law in all procedural acts relating to the storage and destruction of personal data.
All natural persons with whom the company is in a commercial and/or legal relationship within the scope of the company’s sectoral operations may be data subjects/relevant persons, while all individuals who have indirectly developed commercial/legal relationships with the company may be also data subjects/relevant persons.
Relevant persons consist of persons who are listed in detail in the company’s data inventory, such as contracted personnel, visitors, customers, business partners (suppliers), other third parties etc.
6. PURPOSES AND LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA
The personal data in question are not processed by the data controller in the cases where any one of the data processing conditions such as the following is not present: such processing is expressly prescribed by the laws; processing of personal data belonging to parties to a contract is necessary provided that it is directly related to entering into or performing the contract; such processing is compulsory for the data controller to perform its legal obligation; the data processing is mandatory for the establishment, exercise or protection of a right; the data processing is mandatory for the lawful interests of the data controller provided that the fundamental rights and liberties of the relevant person are not impaired.
The data are recorded by the data controller in compliance with the applicable laws and legislation, and the storage and destruction terms of such data are regulated based on the provisions set forth in such laws.
When processing personal data, the company acts in accordance with the following principles specified in the law:
7. REMARKS REGARDING STORAGE AND DESTRUCTION
The company observes the law when storing the data it processes pursuant to Articles 5 and 6 of the KVKK and destroys the same in accordance with the destruction policies.
7.1. Legal Ground Necessitating Storage
The company keeps personal data recorded in compliance with the following procedures and principles:
7.2. Purpose for Processing that Necessitates Storage
7.3. Circumstances Necessitating Destruction
In the above cases, the data kept in physical media are destroyed, while those kept in electronic media (saved on computers, servers) are deleted (destruction without possibility of recovery).
8. INDIVIDUALS AND UNITS RESPONSIBLE FOR THE PROCESSING, STORAGE AND DESTRUCTION OF PERSONAL DATA
The company is primarily responsible for the lawful processing of personal data, and involves all individuals and units it has authorised for processing of personal data, in the process of planning and data processing within the scope of this responsibility. Within the scope of the policy, the company supports its personnel with whom it has signed a confidentiality agreement in connection with data confidentiality, its units that conduct disciplinary procedures, and its relevant units taking part in the safekeeping of the processed personal data, for the purpose of ensuring the proper implementation of administrative and technical measures; training unit employees and raising their awareness; preventing the unlawful processing of and unlawful access to personal data, and ensuring their lawful storage.
The company actively supports all data processing processes, and inspects, in particular, the authorized units that are charged with regularly ensuring the control of the administrative and technical measures taken to protect personal data.
|UNIT||The individual appointed as KVKK manager is responsible for all of the company’s departments, and data are processed only by the KVKK manager.|
|DUTY||The implementation of the policy and the units’ process management|
9. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN WITH RESPECT TO THE PROTECTION/STORAGE OF PERSONAL DATA
9.1. Administrative measures
The company forms a data inventory relating to personal data acquired from relevant persons, and provides the relevant units’ employees with training to ensure that the data recorded in the inventory are up-to-date and accurate.
The data required to be recorded by the company are protected by the units authorised to process data, and access by unauthorised persons to the relevant personal data is prevented.
Physical security of the personal data that are kept in physical media is also ensured, and such data are kept away from the areas accessible by unauthorised and unrelated persons.
Private personal data kept by the company are data that require special protection, and are therefore protected only by the relevant officer in the relevant department.
The company has identified the risks relating to the unlawful processing of data, and prepared plans to prevent such risks. The unit authorised to process data consists of a single person, and it has been ensured that data cannot be processed by others.
Clauses relating to data security are included in contracts made with third parties, and, where necessary, separate contracts relating to data security are executed with third parties.
If the processed personal data are obtained unlawfully by others, the data controller notifies the data subject and the Board of this situation as soon as possible.
9.2. Technical measures
In the case that the processed personal data in question are recorded in electronic media, network security measures are taken to protect such records.
The company also creates a technical infrastructure to prevent the leakage of data to unauthorised persons, and effective controls are put in place to ensure the proper operation of the technical infrastructure system.
Software security of the applications through which data are accessed is ensured.
Encryption and password techniques are used for the company’s portals and applications.
Contracts are signed with consultancy companies that attach importance to confidentiality in the use of information systems, and technical support is received.
With respect to the use of data, access to the relevant data is limited to their purposes, and unnecessary flow of information is prevented.
10. TECHNIQUES FOR THE DESTRUCTION OF PERSONAL DATA
10.1. Deletion of personal data
Deletion of personal data is the process of rendering personal data inaccessible and non-reusable by relevant users in any manner.
10.2. Destruction of personal data
Destruction of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable by any person in any manner whatsoever.
10.3. Anonymization of personal data
Anonymization of personal data is the process of rendering it impossible for personal data to be associated with any identified or identifiable natural person in any way, even if the personal data are matched with other data.
In order for personal data to be considered anonymized, it should become impossible for the data controller, the recipient or the recipient groups to associate such personal data with an identified or identifiable natural person, even by using techniques appropriate in terms of the recording medium and the relevant field of activity, such as data recovery or matching the data with other data.
SLPLUS METAL MADEN SANAYİ DIŞ TİCARET A.Ş. implements destruction techniques for personal data kept in physical media (incineration, shredding), and deletion techniques for data kept in electronic media (deletion without possibility of recovery).
11. DESTRUCTION OF PERSONAL DATA AND DESTRUCTION PROCESSES
While personal data may be destroyed by the company ex officio, they may also be destroyed upon request of the relevant person. The company keeps personal data only for the period that is set forth in the legislation which it is obliged to comply with and/or is necessary for the purpose they are processed for, and deletes or destroys the same at the end of such period in keeping with the destruction policies.
In the case that a data subject applies to the company, requesting the destruction of the personal data belonging to them:
- the company concludes the data subject’s request within thirty days at the latest if the conditions for personal data processing have fully ceased to exist, and informs the data subject accordingly, and if the personal data that are the subject of the request have been transferred to third parties, the company also informs such third parties of the situation,
- if the conditions for the processing of personal data have not ceased to exist completely, the company may reject the request of the data subject by providing an explanation for such rejection pursuant to paragraph three of article 13 of the Law, in which case it informs the data subject of the rejection in writing or in electronic medium within thirty days at the latest.
In the case that the destruction of the processed personal data has become necessary and the relevant retention duration has expired, planning relating to the destruction process is made, and the relevant methods are used for the destruction of data within the scope of these plans.
12. STORAGE AND DESTRUCTION DURATIONS FOR PERSONAL DATA
The personal data and documents kept by the company, the details of which have been provided in the following list, are destroyed at the end of the indicated durations. At the end of such durations, the data are periodically destroyed automatically and/or manually.
DATA SUBJECT/RELEVANT PERSON
|Personnel Employed under Employment Contract||Kept for a 10-year retention period following the termination/expiry of the contract.|
|Support Services Supplier||Kept for a 10-year retention period following the actual termination/expiry of the service contract.|
|Supplier of services or goods, supplier’s employees and officers||Kept for a 10-year retention period following the actual termination/expiry of the commercial relation.|
|Logistics Services Provider||Kept for a 10-year retention period after the data are recorded.|
|Purchaser of Products and Services, Officer of the Purchaser of Products and Services, Potential Purchaser of Products and Services||Kept for a 10-year retention period following the actual termination/expiry of the relation.|
|Visitor||Kept for a 30-day period following the time of camera recording.|
|Other (Notary Public)||Kept for a 10-year retention period following the actual termination/expiry of the commercial relation.|
13. PERIODICAL DESTRUCTION PROCESS
Pursuant to Article 11 of the Regulation, the company has identified the periodical destruction duration as 6 months.
Accordingly, a periodical destruction procedure is carried out at the company annually in the months of January and July.
14. ADDITIONS AND CHANGES WITH RESPECT TO DESTRUCTION PROCESSES
Certain parts of this policy may be updated when necessary; the final version of the storage and destruction policy shall be published after the changes are made by completing the necessary fields in the following table.
|DATE OF THE CHANGE/ADDITION MADE||SUBJECT OF THE CHANGE/ADDITION||DETAILS REGARDING THE CHANGE/ADDITION|
15. PUBLICATION-SAFEKEEPING OF THE POLICY
The policy is published in electronic medium and is announced to the public on the website.
In the case that additions or changes are made to the policy, the version containing the addition and/or change shall be kept in pdf format.
16. ENTRY INTO FORCE AND BECOMING SUPERSEDED BY A NEW VERSION
The policy shall enter into force on the date of its publication.
In the case of any addition or change to the policy, the previous policy shall be superseded by such new version, and the new version containing the addition and/or change shall be published. The new version of the policy shall also enter into force on its date of publication.