ARTI RETAIL FOOD INDUSTRY AND TRADE LIMITED COMPANY - HALKTAN
PERSONAL DATA RETENTION AND DESTRUCTION POLICY
1. INTRODUCTION
1.1 Purpose
This Personal Data Retention and Destruction Policy (“Policy”) applies to all operations of Artı Perakende Gıda Sanayi ve Ticaret Limited Şirketi – HALKTAN (hereinafter referred to as the “Company”) within the framework of the applicable legislation and is based on nationally accepted fundamental principles regarding the destruction of personal data. It contains the framework and principles regarding the implementation of the necessary destruction activities under the relevant legislation.
Paragraph 3 of Article 7 of the Personal Data Protection Law (“Law”) states that “the procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by a regulation.” Based on this provision and subparagraph (e) of paragraph 1 of Article 22 of the Law, the Personal Data Protection Board (“Board”) prepared the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which was published in the Official Gazette dated 28 October 2017 and numbered 30224.
Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data processed by the Company in the course of its activities in accordance with the Regulation.
1.2 Scope
This Policy covers the personal data of employees, employee candidates, visitors, third parties with whom we cooperate, and the employees of such third parties. This Policy applies to all recording environments where personal data owned or managed by the Company are processed, as well as to all activities related to the processing of personal data.
1.3 Abbreviations and Definitions
Term | Definition |
Recipient Group | The category of natural or legal persons to whom personal data are transferred by the data controller |
Explicit Consent | Consent relating to a specific subject, based on information and expressed with free will |
Anonymization | Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data |
Electronic Environment | Environments in which personal data can be created, read, modified and written through electronic devices. |
Non-Electronic Environment | All written, printed, visual and other environments outside electronic environments. |
Data Subject | The natural person whose personal data are processed |
Relevant User | Persons who process personal data within the organization of the data controller or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data |
Destruction | Deletion, destruction or anonymization of personal data |
Law | Personal Data Protection Law No. 6698 |
Recording Environment | Any environment in which personal data processed wholly or partially by automatic means or by non-automatic means provided that they form part of a data recording system are located |
Personal Data | Any information relating to an identified or identifiable natural person |
Personal Data Subject | The natural person whose personal data are processed |
Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially by automatic means or by non-automatic means provided that they form part of a data recording system |
Personal Data Processing Inventory | An inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with processing purposes, data categories, recipient groups and data subject groups, and by explaining the maximum retention period required for the purposes for which personal data are processed, personal data planned to be transferred abroad and measures taken regarding data security |
Board | Personal Data Protection Board |
Authority | Personal Data Protection Authority |
Special Categories of Personal Data | Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
Periodic Destruction | The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy when all conditions for processing personal data stipulated by the Law cease to exist |
Policy | The policy relied upon by data controllers for determining the maximum retention period necessary for the purposes for which personal data are processed and for carrying out deletion, destruction and anonymization procedures. |
Registry | The registry of data controllers maintained by the Presidency of the Personal Data Protection Authority |
Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller |
Data Recording System | The recording system in which personal data are structured and processed according to specific criteria |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
Regulation | The Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette dated 28.10.2017 and numbered 30224. |
RESPONSIBILITIES AND DISTRIBUTION OF DUTIES
All departments and employees of the Company actively support the responsible units in implementing the technical and administrative measures taken under the Policy, increasing the training and awareness of department employees, monitoring and continuous auditing, preventing the unlawful processing of personal data, preventing unlawful access to personal data, ensuring the lawful retention of personal data, and taking technical and administrative measures to ensure data security in all environments where personal data are processed.
The distribution of titles, departments and job descriptions of those involved in personal data retention and destruction processes is provided below.
Table 1: Distribution of Duties in Retention and Destruction Processes
Title | Department | Job Description |
Information Technology Officer | Information Technology | Ensuring compliance of the processes within their responsibility with retention periods, managing the periodic destruction process, and conducting the audits and controls necessary for responding to Data Subject requests |
Accounting Department Manager | Accounting | Ensuring compliance of the processes within their responsibility with retention periods, managing the periodic destruction process, monitoring the continuation of bookkeeping and document retention obligations arising from the Turkish Commercial Code and Tax Legislation and determining whether such obligations have ceased |
Human Resources Manager | Human Resources | Ensuring compliance of personnel personal data with retention periods, managing the periodic destruction process, receiving and responding to requests regarding employees' rights specified under the Law |
3. RECORDING ENVIRONMENTS
Personal data are securely retained in compliance with the law in the environments listed in Table 2 by the Company.
Table 2: Personal Data Storage Environments
Electronic Environments | Non-Electronic Environments |
· Servers (Domain, backup, e-mail, database, web, file sharing, etc.) · Software (office software) · Information security devices (firewall, intrusion detection and prevention systems, log files, antivirus, etc.) · Personal computers (desktop, laptop) · Mobile devices (phone, tablet, etc.) · Optical discs (CD, DVD, etc.) · Removable storage devices (USB, memory card, etc.) · Printer, scanner, photocopy machine · SQL · Mail and File Server · Mobile devices (such as phones and tablets) · Removable storage devices such as USB drives and hard disks · Desktop and laptop computers | · Paper · Manual data recording systems · Written, printed and visual media · Folders · Files |
EXPLANATIONS REGARDING RETENTION AND DESTRUCTION
The Company retains and destroys the personal data of natural persons, including employees, employee candidates, interns, supplier representatives, supplier employees, persons receiving products or services, potential recipients of products or services, shareholders/partners and other third parties, in accordance with the Personal Data Protection Law (“KVKK”).
Detailed explanations regarding retention and destruction are provided below respectively.
4.1 Explanations Regarding Retention
Article 3 of the Law defines the concept of processing personal data; Article 4 states that personal data must be processed in connection with, limited to and proportionate to the purpose for which they are processed and must be retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed; Articles 5 and 6 set forth the conditions for processing personal data.
Accordingly, within the scope of the Company's activities, personal data are retained for the period prescribed by the relevant legislation or required for our processing purposes.
4.1.1 Legal Grounds Requiring Retention
The Company retains personal data processed within the scope of its activities for the periods stipulated in the relevant legislation. In this context, personal data are retained pursuant to:
Tax Procedure Law No. 213
Identity Notification Law No. 1774
Labour Law No. 4857
Turkish Penal Code No. 5237
Social Insurance and General Health Insurance Law No. 5510
Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications
Turkish Code of Obligations No. 6098
Turkish Commercial Code No. 6102
Occupational Health and Safety Law No. 6331
Personal Data Protection Law No. 6698
as well as the retention periods specified in other secondary legislation currently in force.
4.1.2 Processing Purposes Requiring Retention
The Company retains personal data processed within the scope of its activities for the following purposes:
Carrying out information security processes
Carrying out employee candidate application processes
Fulfilment of obligations arising from employment contracts and legislation for employees
Carrying out employee fringe benefits and benefit processes
Carrying out audit / ethics activities
Carrying out training activities
Ensuring activities are carried out in compliance with legislation
Carrying out finance and accounting operations
Ensuring physical premises security
Carrying out assignment processes
Monitoring and conducting legal affairs
Carrying out communication activities
Managing human resources processes
Carrying out / auditing business activities
Carrying out occupational health and safety activities
Carrying out business continuity activities
Carrying out logistics activities
Carrying out goods/service procurement processes
Carrying out goods/service sales processes
Carrying out contract processes
Ensuring the security of movable property and resources
Providing information to authorized persons, institutions and organizations
4.2 Reasons Requiring Destruction
Personal data shall be destroyed where:
The relevant legislative provisions forming the basis for processing are amended or repealed,
The purpose requiring the processing or retention of the data ceases to exist,
In cases where personal data are processed solely on the basis of explicit consent, the data subject withdraws their explicit consent,
An application made by the data subject for the deletion or destruction of personal data pursuant to Article 11 of the KVKK is accepted,
The Company rejects the application made by the data subject requesting the deletion or destruction of personal data, finds the response inadequate, or fails to respond within the period stipulated by the KVKK, and the data subject files a complaint with the Board which is found justified by the Board, and
The maximum retention period requiring the retention of personal data has expired and there is no condition justifying the retention of personal data for a longer period.
In such cases, personal data shall be deleted, destroyed or anonymized by the Company upon the request of the data subject or ex officio.
TECHNICAL AND ADMINISTRATIVE MEASURES
In order to ensure the secure retention of personal data, prevent unlawful processing and access, and ensure the lawful destruction of personal data, the Company implements technical and administrative measures within the framework of Article 12 and paragraph 4 of Article 6 of the KVKK and the adequate measures announced by the Board for special categories of personal data.
5.1 Technical Measures
The measures taken by the Company regarding the personal data it processes are listed below:
A closed network system is used for personal data transfers conducted through networks.
Security measures are implemented within the scope of procurement, development and maintenance of information technology systems.
An authorization matrix has been established for employees.
Access logs are regularly maintained.
Up-to-date anti-virus systems are used.
Firewalls are used.
Monitoring of personal data security is carried out.
Personal data are backed up and the security of backed-up personal data is also ensured.
User account management and authorization control systems are implemented and monitored.
Log records are maintained in a manner that prevents user intervention.
Intrusion detection and prevention systems are used.
Cybersecurity measures are implemented and continuously monitored.
Encryption is applied.
Data loss prevention software is used.
5.2 Administrative Measures
The measures taken by the Company regarding the personal data it processes are listed below:
Training and awareness activities regarding data security are conducted for employees at regular intervals.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data are minimized as much as possible.
PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the data subject, again in accordance with the provisions of the relevant legislation, by the techniques specified below.
6.1 Deletion of Personal Data
Personal data are deleted by the methods provided in Table-3.
Table 3: Deletion of Personal Data
Data Recording Environment | Explanation |
Personal data in physical environment | Personal data in physical environment are deleted by using the blackening method or by storing the document in a secure environment in a way that cannot be accessed by the relevant users in any manner. |
Personal Data Located on Servers | For personal data located on servers whose retention period has expired, the deletion process is carried out by the system administrator by removing the access authorization of the relevant users. |
Personal data located in databases | Access of the relevant user to personal data located in the database is prevented by assigning roles and permissions. |
Personal data located on central servers | The access rights of the relevant user on the directory where the file containing personal data is located are removed. |
Personal data located on portable devices (such as USB, hard disk, CD, DVD) | Access of the relevant user to the file is prevented. |
6.2 Destruction of Personal Data
As the Company, the methods used by us in order to carry out the destruction of personal data in accordance with the law are as follows:
Table 4: Destruction of Personal Data
Data Recording Environment | Explanation |
Personal data in physical environment | Personal data in paper environment whose retention period has expired are destroyed in paper shredders in a manner that cannot be recovered. |
Personal data located in peripheral devices (network devices, flash-based media, optical systems, etc.) and local systems | Devices containing personal data are destroyed by physical processes such as burning, shredding into small pieces and melting. In addition, personal data located on the device are rendered unreadable by the demagnetization method and the destruction process is carried out. Furthermore, destruction is carried out by preventing the recovery of old data as a result of entering random data over existing data through special software. |
6.3 Anonymization of Personal Data
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if matched with other data.
In order for personal data to be anonymized, personal data must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate for the recording environment and the relevant field of activity, such as the reversal of personal data by the data controller or third parties and/or matching the data with other data.
RETENTION AND DESTRUCTION PERIODS
Regarding the personal data processed by the Company within the scope of its activities;
Retention periods on the basis of personal data for all personal data within the scope of activities carried out depending on processes are included in the Personal Data Processing Inventory;
Retention periods on the basis of data categories are included in the registration with VERBIS;
Retention periods on the basis of processes are included in this Personal Data Retention and Destruction Policy.
The destruction process of personal data is carried out by the Company in line with the retention periods determined in accordance with the relevant legislation for each relationship. Personal data whose retention periods have expired are deleted, destroyed or anonymized within the periodic destruction periods determined by the Company.
Table 5: Table of Retention and Destruction Periods by Process
PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
Carrying out human resources employee processes | 10 years from the employee's departure from work | Within the first 6-month periodic destruction period following the end of the retention period |
Carrying out processes relating to employee candidates | 1 year from the date of application | Within the first periodic destruction period following the end of the retention period |
Carrying out contractual relationships | 15 years following the termination of the contract | Within the first periodic destruction period following the end of the retention period |
Camera Records | 1 month following recording | Within the first periodic destruction period following the end of the retention period |
Carrying out Accounting and Finance Processes | 10 years following recording | Within the first periodic destruction period following the end of the retention period |
Ex officio deletion, destruction or anonymization procedures for personal data whose retention periods have expired are carried out by the departments specified under the heading “2. RESPONSIBILITIES AND DISTRIBUTION OF DUTIES”.
PERIODIC DESTRUCTION PERIOD
Pursuant to Article 11 of the Regulation, the periodic destruction period has been determined by the Company as [6] months. Accordingly, the Company carries out periodic destruction procedures every year in June and December.
PUBLICATION AND RETENTION OF THE POLICY
The Policy is published in two different formats, namely with a wet signature (printed paper) and electronically, and is disclosed to the public on the website. A printed copy is also retained in the Human Resources Department files.
POLICY UPDATE PERIOD
The Policy shall be updated whenever necessary and when there are changes in processes.
EFFECTIVENESS AND REPEAL OF THE POLICY
This Policy shall be deemed to have entered into force upon its publication on the Company's website.
In the event that it is decided to repeal the Policy, the previous wet-signed copies of the Policy shall be cancelled with the company seal and the signature of the authorized company representative (by affixing a cancellation stamp or writing “cancelled”), signed accordingly, and retained by the Human Resources Department for a minimum period of 5 years.