PERSONAL DATA RETENTION, ERASURE AND DESTRUCTION POLICY
1. Purpose of Preparing the Personal Data Retention, Erasure, Destruction and Transfer Policy
The purpose of this Policy is to regulate the updating, transfer, anonymization, erasure, and destruction of personal data within PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ (“PROTON” or “Company”).
The Policy enters into force with the decision of the Board of Directors. The implementation of the Policy is monitored by the Personal Data Protection Committee appointed by the decision of the Board of Directors or by the Responsible Person chosen by it.
2. Preparation of and Amendments to the Personal Data Retention and Destruction Policy
The Policy enters into force with the decision of the Company's Board of Directors. The implementation of the Policy is monitored by the Personal Data Protection Committee/Responsible Person appointed by the decision of the Board of Directors. The Board of Directors may renew the Policy or make amendments to the Policy ex officio or upon the proposal of the Committee/Responsible Person.
3. Definitions
In the implementation of this Personal Data Retention and Destruction Policy:
| ABBREVIATION | DEFINITION |
| --- | --- |
| Law | Refers to the Law on the Protection of Personal Data No. 6698, |
| Personal Data Protection Committee/ Responsible Person | Refers to the Personal Data Protection Committee formed within PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ by the decision of the Board of Directors, which is responsible for the internal operation regarding the protection and processing of personal data, or the member elected by it, |
| Explicit Consent | Refers to freely given, specific, and informed consent regarding a specific subject, |
| Recipient Group | Refers to the category of real or legal persons to whom personal data is transferred by the data controller, |
| Data Subject (Related Person) | Refers to the real person whose personal data is processed. |
| Personal Data | Refers to any information relating to an identified or identifiable real person. |
| Anonymization of Personal Data | Refers to rendering personal data impossible to be associated with an identified or identifiable real person in any way, even if matched with other data, |
| Destruction of Personal Data | Refers to the erasure, destruction, or anonymization of personal data, |
| Erasure of Personal Data | Refers to the process of rendering personal data inaccessible and non-reusable for the relevant users in any way, |
| Destruction of Personal Data | Refers to the process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any way, |
| Policy | Refers to PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Retention, Erasure and Destruction Policy, |
| Company | Refers to PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ (Briefly PROTON), |
| Board of Directors | Refers to the Board of Directors of PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ, |
| Regulation | Refers to the Regulation on the Erasure, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette dated October 28, 2017. |
4. Mediums where Personal Data are Recorded
The Company retains the personal data obtained within the scope of data processing activities carried out in accordance with the Law, provided that it is limited to the extent required by the purpose of processing. In this context, the obtained personal data are stored by the Company in physical and electronic mediums.
5. Legal, Technical and Other Reasons Requiring the Retention and Destruction of Personal Data
Personal data obtained directly or indirectly in accordance with the data processing conditions set forth in the Law are retained by the Company in accordance with the law and the rules of honesty for the period stipulated by the relevant legislation or required by the processing purpose. The Company retains information and documents containing personal data regarding its commercial activities during the statutory limitation periods within the scope of fulfilling its legal obligations arising from the Turkish Commercial Code No. 6102, the Labor Law No. 4857, and other relevant legislation, and within the scope of the establishment, exercise, or protection of its rights, which is one of the data processing conditions specified in the Law. The Company keeps job applications made to it in company systems for a maximum of 2 years. In case of an erasure request, they are destroyed immediately without waiting for the 2-year period. From time to time, personnel needs are met from among the applications registered in the system.
In addition, the Company may retain the personal data it has obtained for a period to be determined by it after the expiration of the retention periods stipulated in the relevant legislation, provided that it meets and justifies the processing conditions set forth in Articles 5 and 6 of the Law.
Personal data must be erased if the reasons requiring their retention disappear in accordance with the general principles set forth in Article 4 of the Law. In addition, retention activities carried out based on the explicit consent of the data subject are terminated immediately if the consent is withdrawn by the data subject, and the relevant personal data must be erased.
In cases where the data subject has submitted a request to the Company for the erasure of their data within the scope of their rights set forth in Article 11 of the Law, the request is evaluated by authorized persons within the Company, and personal data are destroyed if all data processing conditions specified in the Law disappear.
6. Technical and Administrative Measures Taken for Safely Retaining Personal Data and Preventing Unlawful Processing and Access
The Company takes all kinds of technical and administrative measures to ensure the lawful processing and security of personal data; provides training to Company personnel to ensure compliance with these measures, and conducts audits at periodic intervals.
The Company analyzes the personal data processing processes carried out by each department within its structure and takes the necessary measures to ensure compliance with the law in existing and newly added processes.
All stages regarding data collection in the Company are reviewed one by one, and studies are carried out to obtain data in accordance with the law. While receiving job applications, approval texts regarding them are also obtained, and for those received via the Company's email address, they are responded to by email, thereby completing the approval process regarding their applications.
Company employees are informed not to disclose personal data they have learned within the scope of their work to any third party and/or institution. In this direction, confidentiality clauses are added to the service contracts between the employee and the Company; and a commitment is obtained from the employees that these obligations to maintain confidentiality will continue after they leave office.
In addition, provisions are added to the contracts between the Company and third parties and/or institutions to which personal data are transferred in accordance with Articles 8 and 9 of the Law, stating that the recipient group will take all kinds of measures to ensure the security of personal data.
The Company takes all kinds of technical measures within the framework of technological possibilities and costs to ensure the security of personal data in information systems. Examples include the use of firewalls, real-time penetration tests, installation of security software on all devices, and access procedures on a unit and business process basis. In order to prevent unlawful access to personal data and the disclosure of personal data, employees' access to data is limited to their scope of work.
In addition to this, the Company has put into effect various policies and rules within the scope of ensuring compliance with the law. This Policy and other policies are updated in accordance with the changing legislation and emerging needs.
Moreover;
- Updating Access Authorizations: Access authorizations in shared files were restricted, ensuring that employees can only access files related to their work. The new access authorization has been arranged to be granted after manager approval.
- Updating All HR Forms: All forms we receive at the start of employment or while working were evaluated, and unnecessary personal data were removed.
- Updating the HR Shared Folder: Our HR folders in the computer environment were scanned, and all unnecessary or no longer up-to-date personal data were cleaned.
- Updating Our Reports: All our reports were scanned, reports containing personal data were evaluated, and unnecessarily used personal data were cleaned.
- Letter of Commitment: Approval signatures were obtained from all personnel and the privacy notice was published. It has been added to the forms to be signed upon employment.
7. Technical and Administrative Measures Taken for Lawful Destruction of Personal Data
- Unless a contrary decision is taken by the Board, the Company is authorized to choose the appropriate method among erasing, destroying, or anonymizing personal data ex officio pursuant to the Regulation.
- Upon the request of the data subject, it chooses the appropriate method by explaining its justification.
- The Company takes all kinds of technical and administrative measures for the lawful erasure, destruction, or anonymization of personal data.
- The most appropriate methods are used by considering the technological possibilities and implementation costs possessed by the Company.
- Destruction processes are supervised by the Committee/Responsible Person formed within the Company to ensure compliance of personal data processing processes with the law.
- Periodic destruction processes are carried out jointly by at least two people within this unit, and a commitment is obtained from these people that no copy of the destroyed personal data has been taken.
- The officers will also be determined by the Committee/Responsible Person.
- If the devices containing personal data within the Company are no longer usable and if they are to be sold or left outside, the data inside the device is destroyed; if this is not possible, the device itself is destroyed.
8. Titles, Units and Job Descriptions of Those Involved in Personal Data Retention and Destruction Processes
Personal Data Retention and Destruction Processes
The processes regarding the retention and destruction of personal data are carried out by the Committee/Responsible Person established within the Company, which is in charge of ensuring the lawful processing of personal data.
Considering criteria such as the condition and density of processing special categories of data in business processes, the size of processing activities, and organizational structure, a “Personal Data Protection Committee” consisting of more than one officer or, if deemed sufficient, a “Responsible Person” is assigned within the Company. Again, based on need, a Deputy Data Protection Responsible Person can be appointed.
The duties of the Personal Data Protection Committee/Responsible Person are as follows:
- To ensure compliance of personal data processing processes with the Law, the Regulation, other secondary legislation, and the Company's privacy policies,
- To evaluate and conclude requests from data subjects,
- To physically participate in personal data destruction processes,
- To determine and ensure the taking of measures needed by the Company regarding personal data security,
- To conduct or have conducted periodic audits regarding the compliance status of the Company,
- To prepare and propose a training plan aimed at increasing the awareness of employees regarding developments and changes in the legal field and practice.
9. Periodic Destruction Periods
The Company erases, destroys, or anonymizes personal data in the first periodic destruction operation following the date when the obligation to erase, destroy, or anonymize personal data arises.
The time interval at which periodic destruction will take place is 6 months. In January and July of each year, on behalf of the Data Controller, the digital and physical environments containing personal data are scanned by the KVK Committee, and data whose retention period has expired are erased and destroyed.
10. Retention and Destruction Periods
The retention and destruction periods regarding the personal data being processed by the Company are shown in the table below. The legislative provisions regarding the legal bases of retention periods are included in the annex of this Policy.
| DATA CATEGORY | RETENTION AND DESTRUCTION PERIOD | LEGAL BASIS |
| --- | --- | --- |
| Data belonging to visitors | Generally retained for a period of 1 year. Erased at the end of this period. | Turkish Commercial Code No. 6102, Highway Traffic Law, Turkish Penal Code No. 5237, Turkish Code of Obligations No. 6098, and other relevant legislation regulating statutory limitation periods. |
| Personal data regarding Company employees | Retained throughout the continuation of the service relationship. | Turkish Code of Obligations No. 6098, Labor Law No. 4857, and other relevant legislation regulating statutory limitation periods. |
| Personal data regarding suppliers and supplier representatives from whom the Company purchases goods and/or services | Retained as long as the commercial relationship continues. In cases where it is thought that there will be no commercial relationship or a commercial relationship has not been established for many years, it is retained for the legal statutory limitation period + 1 year. It is erased at the end of this period. | Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, and other relevant legislation regulating statutory limitation periods. |
| Camera recordings obtained through Closed-Circuit Television Systems | Erased at the end of two months if a judicial incident has not occurred and it has not been requested by official institutions. | Retained for a reasonable period of 15 days within the scope of the legitimate interests of the Company as the data controller, in accordance with the Personal Data Protection Law No. 6698. |
| Items forgotten inside the Company and containing personal data | If the owner could not be reached, it is kept for a period of 6 months. Destroyed with a report at the end of the period. | Retained for a reasonable period of 6 months within the scope of the legitimate interests of the Company as the data controller, in accordance with the Personal Data Protection Law No. 6698. |
| Job Applications - Resumes | Applications are retained in the system until the deletion request of the applicant and are destroyed immediately upon the request of the approval holder. | Retained for a period of 10 years within the scope of the applicant's legitimate interest and application. |
| Data belonging to former employees who left their jobs | Retained for 15 years due to possible labor lawsuits, especially lawsuits based on occupational diseases. | Health data are retained for 15 years due to the Labor Law and the Occupational Health and Safety Law No. 6331. |
| Data in instant messaging applications such as WhatsApp etc. | Retained in the application during the fiscal year in which the business relationship continues. | Erased from the application at the end of the fiscal year due to the requirements of business practices and the legitimate interest of the employer. |
| Personal data in Corporate emails used for commercial purposes and personal emails | Retained on email devices and servers for 10 years due to the requirements of business practices and the legitimate interest of the employer. | Erased from servers and devices at the end of the 10th year due to the requirements of business practices and the legitimate interest of the employer. |
ANNEX: Statutory Limitation Periods
The statutory limitation periods to be considered within the framework of the Turkish Commercial Code No. 6102, the Turkish Penal Code No. 5237, and the Turkish Code of Obligations No. 6098 should be evaluated as follows:
1. Visitor Information
Since there is no special regulation regarding any judicial incident or investigation, it is destroyed in the first destruction process after the end of the company visitor logbook. Visitor data kept in digital form is retained for 1 year.
2. Data Belonging to Company Employees
Personnel files must be kept during the continuation of the employment relationship. When the employment relationship ends, the periods in question become subject to the periods under the former employee status.
3. Data Belonging to Former Employees
Data belonging to former employees is retained for 15 years, also considering occupational disease lawsuits, and is destroyed at the end of this period. If there is an ongoing lawsuit, files are retained until the lawsuit becomes finalized.
4. Camera Recordings
Erased automatically every 24 days. In the event of a situation that may be the subject of a lawsuit, these are separated and retained, while the rest is erased.
5. Supplier Information
Real person supplier information is destroyed after 10 years if contract relations have ended and will not continue.
6. Files with Ongoing Lawsuit Process
If a lawsuit process related to one of the above statutory limitation and destruction processes is ongoing, the data are retained until the end of the lawsuit process and the finalization of the court decision, even if the destruction period has come. Destruction is carried out 1 year after the finalization date or the continuation of the process with enforcement etc. transactions.
7. Data in Corporate Email and in Instant Messaging Applications such as WhatsApp
Due to business practices and the legitimate interest of the employer, also considering the dynamics of commercial activity, data in instant messaging applications are erased from devices and servers at the end of the relevant fiscal year, and data in corporate emails are erased at the end of the 10th year.
8. Data processed within the scope of Production and Trading activities
The Company may re-determine the retention, erasure, and destruction periods related to transactions that may be the subject of licenses from the periods mentioned in the previous articles.