1. PURPOSE OF THE POLICY
The purpose of this policy is to determine all rules, roles and responsibilities to be applied throughout the COMPANY in order to fulfil the obligations regarding the storage and destruction of personal data and other obligations specified in the Regulation in accordance with Articles 5 and 6 of the Regulation on Deletion, Destruction or Anonymisation of Personal Data (Regulation), which was issued based on the Law No. 6698 on the Protection of Personal Data (Law) and published in the Official Gazette No. 30224 on 28.10.2017.
2. SCOPE OF THE POLICY
This Policy covers the personal data and special categories of personal data, as defined by Law No. 6698, that are held within "TEKNOKROM MACHINE AND EQUIPMENT & TEKNİKİŞ İBRAHİM İLHAN ÖZGÜNER" in general; all COMPANY employees, managers and consultants; and, in all cases where personal data sharing is in question, its affiliates, external service providers and the real and legal persons with whom the COMPANY has other legal relations.
As stated in the Law, the Policy covers personal data in systems where data is processed by fully or partially automated means, or by non-automated means provided that it is part of any data recording system.
Unless otherwise stated in this Policy, personal data and special categories of personal data will be referred to as "Personal Data" in general.
3. DEFINITIONS
- Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data,
- Destruction: Deletion, destruction (destruction) of personal data,
- Personal Data: All kinds of information relating to an identified or identifiable natural person,
- Personal Data Retention Table (Periods): The table showing the periods during which personal data will be kept by the COMPANY,
- Personal Data Processing Inventory: Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating personal data processing purposes, data category, transferred recipient group and data subject group and by explaining the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security,
- Deletion of Personal Data: The process of making personal data inaccessible and non-reusable in any way for the relevant users,
- Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way,
- Sensitive Personal Data: Person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
- Periodic destruction: The process of deletion, destruction or anonymisation to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear,
- Data recording system: The recording system in which personal data are structured and processed according to certain criteria,
- Direct identifiers: Identifiers that, on their own, directly reveal, disclose and make distinguishable the person with whom they are associated,
- Indirect identifiers: Identifiers that, in combination with other identifiers, reveal, disclose and make distinguishable the person with whom they are associated,
- Law: The Personal Data Protection Law No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677,
- Regulation: Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224,
- Board: Personal Data Protection Board,
- Recording medium: Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system,
- Personal Data Protection and Processing Policy: The policy, accessible at http://www.teknokrom.com, which determines the procedures and principles regarding the management of personal data held by the "COMPANY",
- Data recording system: refers to the recording system in which personal data are structured and processed according to certain criteria.
4. RECORDING ENVIRONMENTS REGULATED BY POLICY
Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system, falls within the scope of the recording medium.
4.1. MEDIA WHERE PERSONAL DATA ARE STORED
Personal data stored by the "COMPANY" is kept in a recording environment in accordance with the determined and legal limits of the relevant data.
The recording media used to store personal data are generally listed below. However, some data may be located and kept in a different environment than those shown here due to their special characteristics or our legal obligations. The "COMPANY" acts as the data controller and processes and protects personal data in accordance with the KVK Law, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy.
a) Printed media | These are environments where data is kept by printing on paper or microfilm. |
b) Local digital media | These are the servers within the "COMPANY" and other digital media such as hard or portable discs and optical discs. |
c) Cloud environments | These are environments in which internet-based systems encrypted with cryptographic methods are used; they are used by the "COMPANY" although they are not located within the "COMPANY". |
4.2. ENSURING THE SECURITY OF THE ENVIRONMENT
The "COMPANY" takes all necessary technical and administrative measures, in accordance with the characteristics of the relevant personal data and the environment in which it is kept, in order to store personal data securely and to prevent unlawful processing and access.
These measures include, but are not limited to, the following administrative and technical measures, to the extent appropriate to the nature of the relevant personal data and the environment in which it is kept.
4.2.1. Technical Measures
The "COMPANY" takes the following technical measures in accordance with the characteristics of all environments where personal data are stored, the relevant data and the environment where the data is kept:
- Only up-to-date and secure systems that comply with technological developments are used in environments where personal data is kept. Security systems are used for environments where personal data are kept.
- Security tests and research are carried out to detect security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests and research are eliminated.
- Access to the environments where personal data is kept is restricted and only authorized persons are allowed to access these data, limited to the purpose of storing personal data.
- The "COMPANY" has sufficient technical personnel to ensure the security of the environments where personal data is kept.
4.2.2. Administrative Measures
The "COMPANY" takes the following administrative measures within the scope of the KVKK Law for all environments where personal data are stored, in accordance with the characteristics of the relevant data and the environment where the data is kept:
- Efforts are being made to increase the awareness of all "COMPANY" employees who have access to personal data on information security, personal data and privacy of private life.
- Legal and technical consultancy services are received to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.
- In case personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties to protect personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
4.2.3. Internal Audit
Pursuant to Article 12 of the Law, the "COMPANY" conducts appropriate internal company audits, in accordance with the KVKK Law, regarding the implementation of the provisions of the Law, this Personal Data Storage and Destruction Policy and the Personal Data Protection and Processing Policy.
If deficiencies or defects regarding the implementation of these provisions are detected as a result of internal audits, these deficiencies or defects will be corrected immediately.
If it becomes clear during the audit or otherwise that the personal data under the responsibility of the "COMPANY" has been obtained by others through illegal means, the "COMPANY" shall notify the relevant party and the Board of this situation as soon as possible.
5. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE
- The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business units and monitoring the fulfillment of its requirements by the "COMPANY" units.
- The Personal Data Protection Committee makes the necessary announcements and notifications so that the relevant business units can follow up on situations such as legislative changes regarding the protection of personal data, regulatory actions and decisions of the Board, court decisions or changes in processes, applications and systems and, if necessary, update their business processes.
- The Personal Data Protection Committee determines the processes for examining, evaluating, monitoring and finalizing the Law and its secondary regulations, the Board's decisions and regulations, court decisions and other competent authorities' decisions and/or requests, and sends them to the relevant units.
6. WHAT IS TO BE DONE WHEN THE CONDITIONS FOR PROCESSING PERSONAL DATA CEASE TO EXIST
- If the purpose of processing personal data ceases to exist, explicit consent is withdrawn, or all of the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or if none of the exceptions in those articles applies, the personal data whose processing conditions have been eliminated are deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation, and with an explanation of the reason for the method applied. However, in case of a final court decision, the destruction method ordered by the court decision must be applied.
- All users and data owner "COMPANY" units that process or store personal data shall review the data recording environments they use, at intervals of four months at the latest, to check whether the conditions for processing have been eliminated. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will conduct this review of the data recording environments they use, regardless of the periodic audit period.
- If, as a result of periodic reviews or at any other time, it is determined that the data processing conditions have been eliminated, the relevant user or data owner will decide, under his/her own responsibility, to delete, destroy or anonymise the relevant personal data from the recording environment in accordance with this policy. In cases of doubt, action will be taken after obtaining the opinion of the relevant data owner business unit. When it is necessary to make a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken and the relevant data subject business unit will decide whether the personal data in question will be stored or deleted, destroyed or anonymized in accordance with this policy.
- All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
- In accordance with Article 7.4 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be published and explained after the Policy comes into force.
- Acting in accordance with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, relevant legislative provisions, Board decisions and court decisions in deleting, destroying or anonymizing personal data
- When the real person who owns personal data requests the deletion, destruction or anonymization of his/her personal data by applying to the "COMPANY" pursuant to Article 13 of the Law, the relevant data owner business unit examines whether all the conditions for processing personal data have been eliminated. If all processing conditions are eliminated, it deletes, destroys or anonymizes the personal data subject to the request. In this case, the details are determined in the Data Destruction Procedure; the request is concluded within thirty days from the date of application and the relevant person is informed through the KVKK contact person appointed by the KVKK Officer. If all the conditions for processing personal data are eliminated and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer was made and ensures that the necessary actions are taken by the third party within the scope of the Regulation.
- In cases where not all the conditions for processing personal data are eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by the "COMPANY" by explaining the reason in accordance with the 3rd paragraph of Article 13 of the Law. The rejection response will be notified to the relevant person in writing or electronically within 30 days at the latest.
- Requests for deletion or destruction of personal data will only be evaluated provided that the identity of the person concerned has been identified. In case of requests made outside the mentioned channels, the relevant persons will be directed to the channels where identification or verification can be made.
7. ENFORCEMENT OF THE POLICY, VIOLATION CASES AND SANCTIONS
- This Policy will enter into force upon being announced on the "COMPANY" website to all employees and personal data owners and, as of its entry into force, will be binding on all business units, consultants, customers, insurance companies, external service providers and everyone else who processes personal data within the "COMPANY".
- It will be the responsibility of the supervisors of the relevant employees to monitor whether "COMPANY" employees fulfill the requirements of the Policy. When behavior contrary to the policy is detected, the issue will be immediately reported to a superior by the relevant employee's supervisor. If the discrepancy is significant, the Personal Data Protection Committee will be informed by the superior immediately.
- Necessary administrative action will be taken against the employee who acts contrary to the policy, following the evaluation by Human Resources.
- In order to fulfill the policy requirements, all necessary security measures are taken by the "COMPANY" within the scope of the KVKK Law.
8. PERSONS WHO WILL BE INVOLVED IN THE STORAGE AND DESTRUCTION PROCESS OF PERSONAL DATA AND THEIR RESPONSIBILITIES
All employees, customers, insurance companies, consultants, external service providers and anyone else who stores and processes personal data within the "COMPANY" are responsible for fulfilling the requirements regarding the destruction of data specified in the Law, the Regulation and the Policy.
Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the data produced is found only in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for the information systems.
Periodic destructions that will affect business processes and cause data integrity to be compromised, data loss and results contrary to legal regulations will be carried out by the relevant information systems departments, taking into account the type of personal data, the systems in which it is located and the data owner business unit.
8.1. PERSONAL DATA PROTECTION COMMITTEE
A Personal Data Protection Committee is established within the "COMPANY". The Personal Data Protection Committee is authorized and responsible for taking the necessary actions and supervising the processes to store and process the data of the relevant persons in accordance with the Law, the Personal Data Protection and Processing Policy and the Personal Data Storage and Destruction Policy.
The Personal Data Protection Committee consists of at least three people: a manager, an administrative expert and a technical expert. The titles and job descriptions of the "COMPANY" employees working in the Personal Data Committee are stated below:
Title | Job Description |
Personal Data Protection Committee Manager | Obliged to direct all kinds of planning, analysis, research and risk identification studies in projects carried out during the legal compliance process; to manage the processes that must be carried out in accordance with the Law, the Personal Data Protection and Processing Policy and the Personal Data Storage and Destruction Policy; and to decide on the requests made by relevant persons. |
KVK Expert (Contact Officer) (Technical and Administrative) | Responsible for examining the requests of the relevant persons and reporting them to the Personal Data Committee Manager for evaluation; carrying out the transactions regarding the requests of the relevant person, which are evaluated and decided by the Personal Data Committee Manager, in accordance with the decision of the Personal Data Committee Manager; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; and carrying out the storage and destruction processes. |
8.2. REASONS FOR STORAGE AND DISPOSAL
8.2.1. Reasons for Storage
Personal data held within the "COMPANY" is stored for the purposes and reasons stated in the Law and in our Personal Data Policy (see the relevant policy at http://www.teknokrom.com).
8.2.2. Reasons for Destruction
The personal data held within the "COMPANY" is deleted, destroyed or made anonymous, upon the request of the relevant person or ex officio, in accordance with this destruction policy if the reasons listed in Articles 5 and 6 of the Law are eliminated. The reasons listed in the 5th and 6th articles of the KVKK Law consist of the following:
8.3. DISPOSAL METHODS
The "COMPANY" deletes, destroys or anonymizes the personal data that it keeps in accordance with the Law, other legislation and the Personal Data Protection and Processing Policy, upon the request of the relevant person or ex officio, within the periods specified in this Personal Data Storage and Destruction Policy, in case the reasons requiring the processing of the data disappear.
The deletion, destruction and anonymization techniques most commonly used by the "COMPANY" are listed below:
8.3.1.1 Deletion Methods
Deletion Methods for Personal Data Held in Printed Media |
Blackout | Personal data contained in the printed media is deleted using the blackout method. The blackening process is done by cutting the personal data out of the relevant document where possible and, where this is not possible, by making it invisible with fixed ink in a way that is irreversible and cannot be read with technological solutions. |
Deletion Methods for Personal Data Held in Cloud and Local Digital Environment |
Secure deletion from software | Personal data stored in the cloud or local digital media is deleted by digital command so that it cannot be recovered again. Data deleted in this way cannot be accessed again. |
8.3.1.2 Destruction Methods
Destruction Methods for Personal Data Held in Printed Media |
Physical destruction | Documents kept in printed media are destroyed with shredder machines so that they cannot be put back together. |
Destruction Methods for Personal Data Held in Local Digital Environment |
Physical destruction | It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, burning, pulverizing, physically cutting and/or drilling optical or magnetic media, or passing it through a metal grinder. |
De-magnetization (degauss) | It is the process of exposing the magnetic media to a high magnetic field, causing the data on it to become unreadable. |
Overwrite | Random data consisting of 0s and 1s is written at least seven times on magnetic media and rewritable optical media, preventing the reading and recovery of old data. |
Destruction Methods for Personal Data Held in the Cloud |
Secure deletion from software | Personal data kept in the cloud environment is deleted with a digital command so that it cannot be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again. |
8.3.1.3. Anonymization Methods
Anonymization is making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Removing variables | It is the removal of one or more direct identifiers contained in the personal data of the relevant person that can be used to identify the relevant person in any way. This method can be used to anonymize personal data, as well as to delete information that is not suitable for the purpose of data processing. |
Regional hiding | It is the process of deleting potentially distinctive information about exceptional data in the data table where personal data is collectively anonymous. |
Generalization | It is the process of bringing together the personal data of many people, removing their distinctive information and turning them into statistical data. |
Lower and upper bound coding / Global coding | For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numerical value, then similar data within the variable are categorized. Values within the same category are combined. |
Microjoining | With this method, all records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset of the specified variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, the indirect identifiers in the data will be corrupted, making it difficult to associate the data with the relevant person. |
Data hashing and corruption | Direct or indirect identifiers in personal data are mixed with other values or corrupted, thus severing their relationship with the relevant person and causing them to lose their identifying qualities. |
The "COMPANY" uses one or more of these anonymization methods, depending on the nature of the relevant data, to anonymize personal data. While using these anonymization methods, the "COMPANY" may use the statistical methods K-Anonymity, L-Diversity and T-Proximity.
9. PERSONAL DATA STORAGE AND DESTRUCTION PERIOD
The Table Showing Personal Data Storage and Destruction Periods is included in Annex 1. These storage and destruction periods will be taken into account in periodic destruction or destruction upon request. The Table Showing the Storage and Destruction Periods of Personal Data will be updated by the "COMPANY" business units that own the processes included in the personal data inventory, taking the evaluations of the Personal Data Protection Committee in case of doubt.
9.1. Personal Data Storage Table (Periods)
DATA OWNER | DATA CATEGORY | DATA RETENTION PERIOD |
Employee | Recruitment documents submitted to the Social Security Institution; Personal data based on notifications regarding length of service and wages | It is kept during the continuation of the service contract and for a period of 15 (fifteen) years from its termination. |
Employee | Recruitment documents submitted to the Social Security Institution; Personnel data other than personnel data based on notifications regarding length of service and wages | It is kept during the continuation of the service contract and for a period of 15 (fifteen) years from the beginning of the calendar year following its termination. |
Employee | Data in the Workplace Personal Health File | It is kept during the continuation of the service contract and for a period of 15 (fifteen) years from its termination. |
Business Partner/Solution Partner/Consultant | Identity information, contact information, financial information, voice recordings of telephone calls, and Business Partner/Solution Partner/Consultant employee data regarding the conduct of the commercial relationship between the Business Partner/Solution Partner/Consultant and the "COMPANY" | It is kept during the business/commercial relationship of the Business Partner/Solution Partner/Consultant with the "COMPANY" and for a period of 10 (ten) years after it, in accordance with Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. |
Visitor | The Visitor's name, surname, ID number (identification information) and vehicle license plate, together with camera recordings, taken at the entrance to the physical location of the "COMPANY" | Kept for 1 (one) year. |
Website Visitor | Name, surname, e-mail address, navigation information of the Website Visitor | Kept for 2 (two) years. |
Employee Candidate | Information contained in the Employee Candidate's CV and job application form | It is kept for a maximum of 2 (two) years, until the CV becomes outdated. |
Customer | Customer's name, surname, ID number, contact information, payment information and methods, navigation information, voice recordings of phone calls, product/service preferences, transaction history, special day information | It is stored for 10 (ten) years from the presentation of each product/service purchased by the Customer, in accordance with Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. |
Customer | Camera images | Kept for 3 (three) months. |
Potential Customer | Identity information, contact information, financial information obtained during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and the "COMPANY" | Kept for 10 (ten) years. |
Institution/Company with which the "COMPANY" cooperates (Supplier, Contract Manufacturer, Dealer/Franchise) | Identity information, contact information, financial information, voice recordings taken during phone calls, and data of the employees of the Institutions/Companies with which the "COMPANY" cooperates, regarding the execution of the commercial relationship between those Institutions/Companies and the "COMPANY" | It is stored during the business/commercial relationship of the institutions/companies with which the "COMPANY" cooperates with the "COMPANY" and for a period of 10 (ten) years after its termination, in accordance with the Turkish Code of Obligations Art. 146 and the Turkish Commercial Code Art. 82. |
* A longer period may be stipulated in accordance with the legislation or with the statute of limitations, limitation periods, retention periods, etc. under the legislation. If a longer period is stipulated for storage, the periods in the legislation are considered the maximum storage period.
3.3.2. Destruction Times
The "COMPANY" deletes, destroys or anonymizes the personal data for which it is responsible, in accordance with the Law, relevant legislation, the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy, in the first periodic destruction process following the date on which the obligation to delete or anonymise arises.
When the relevant person requests the deletion or destruction of his/her personal data by applying to the "COMPANY" pursuant to Article 13 of the Law;
10. PERIODIC DESTRUCTION TIMES
In case all of the conditions for processing personal data in the KVKK Law No. 6698 are eliminated, the "COMPANY" deletes, destroys or anonymizes personal data whose processing conditions have been eliminated, through a process that is specified in this Personal Data Storage and Destruction Policy and will be carried out ex officio at recurring intervals.
10.1. INSPECTION OF THE LEGALITY OF THE DISPOSAL PROCESS
The "COMPANY" carries out destruction operations, both upon request and ex officio during periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.
The "COMPANY" takes a number of administrative and technical measures to ensure that destruction operations are carried out in accordance with these regulations.
10.1.1. Technical Measures
- The "COMPANY" provides technical tools and equipment suitable for each destruction method included in this policy.
- The "COMPANY" ensures the security of the place where destruction operations are carried out.
- The "COMPANY" keeps access records of the people who carry out the destruction.
- The "COMPANY" employs competent and experienced personnel to carry out the destruction process or receives services from competent third parties when necessary.
10.1.2. Administrative Measures
- The "COMPANY" carries out studies to raise the awareness of the employees who will perform the destruction process on information security, personal data and privacy of private life.
- The "COMPANY" receives legal and technical consultancy services to follow the developments in the field of information security, privacy of private life, protection of personal data and safe destruction techniques and to take the necessary actions.
- In cases where the destruction is done by third parties due to technical or legal requirements, the "COMPANY" signs protocols with the relevant third parties for the protection of personal data, and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
- The "COMPANY" regularly checks whether the destruction processes are carried out in accordance with the law and the terms and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least two years, excluding other legal obligations.
11. ENFORCEMENT
- The policy comes into force as of the date of publication.
- It is the responsibility of the Personal Data Protection Committee to announce the policy throughout the COMPANY and make the necessary updates.
12. UPDATE and COMPATIBILITY
The "COMPANY" reserves the right to make changes to the Personal Data Protection and Processing Policy or to this Personal Data Storage and Destruction Policy due to changes made in the Law, in accordance with the decisions of the Institution, or in line with developments in the sector or in the field of informatics.
Changes made to this Personal Data Storage and Destruction Policy are recorded in the text without delay and explanations regarding the changes are announced at the end of the policy.