Storage and Disposal Policy
1. PURPOSE
Urartu Göz Hizmetleri Limited Şirketi (“Urartu Göz”) enacts this Personal Data Retention and Disposal Policy (“Retention and Disposal Policy”) and technical and administrative protection of personal data in accordance with the Law on Protection of Personal Data No. 6698 (“Law”), in case the processing conditions for personal data cease, for the purpose of regulating the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017 (“Regulation on Deletion, Destruction or Anonymization”).
2. RECORDING MEDIA WHERE PERSONAL DATA IS STORED
The personal data of the data owners are safely stored by Urartu Göz in the following listed environments in accordance with the relevant legislation, especially the provisions of the Law:
Electronic media:
CRM
SQL Server
Email Box
Microsoft Office Programs
Image Recorders
Physical environments:
Unit Cabinets
folders
Archive
3. EXPLANATIONS RELATING TO REASONS REQUESTING CONSERVATION
Personal data belonging to data owners are provided by Urartu Göz, in particular:
The continuation of the activities,
Fulfillment of legal obligations,
Planning and execution of employee rights and fringe benefits,
Managing business relations,
For this purpose, it is stored securely in the physical or electronic media listed above, within the limits specified in the Law and other relevant legislation.
Reasons for keeping:
Personal data is directly related to the establishment and performance of contracts,
Establishment, use or protection of a right of personal data,
Urartu Göz has a legitimate interest, provided that personal data does not harm the fundamental rights and freedoms of individuals,
Urartu Göz fulfilling any legal obligation of personal data,
Explicitly stipulating the storage of personal data in the legislation,
Explicit consent of data owners in terms of storage activities that require the explicit consent of data owners.
In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by Urartu Göz ex officio or upon request in the following cases:
Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
The disappearance of the purpose that requires the processing or storage of personal data,
Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law.
In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in paragraphs 2 (e) and (f) of Article 11 of the Law,
In cases where the data controller rejects the application made by the data subject to the request for the deletion, destruction or anonymization of his personal data, his response is found to be insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
The absence of any conditions justifying the retention of personal data for a longer period of time, although the maximum period for keeping personal data has passed.
4. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA
Urartu Göz takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of the personal data it processes, to prevent the illegal access to the data and to ensure the preservation of the data, in accordance with Article 12 of the Law, and in this context, it makes or has the necessary inspections made. In the event that the processed personal data is obtained by third parties by unlawful means, despite the technical and administrative measures taken, Urartu Göz informs the relevant units as soon as possible.
5. MEASURES TAKEN REGARDING THE DISPOSAL OF PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law, Urartu Eye may delete or destroy personal data at its own discretion or upon the request of the personal data owner, in the event that the reasons for its processing disappear. After the deletion of personal data, the persons concerned will not be able to access and use the deleted data again in any way. An effective data tracking process will be managed by Urartu Göz regarding the identification and monitoring of personal data destruction processes. The sequence of the process will be to determine the data to be deleted, to identify the relevant persons, to determine the access methods of the persons and to delete the data immediately afterwards.
Urartu Göz can use one or more of the following methods, depending on the environment in which the data is recorded, in order to destroy, delete or anonymize personal data:
5.1Methods for Deletion, Destruction and Anonymization of Personal Data
Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users. Urartu Göz can use one or more of the following methods as a method of deleting personal data:
Personal data on paper will be processed by drawing, painting, cutting or deleting with the blackout method.
The access right(s) of the user(s) for the office files in the central file will be revoked.
Rows or columns containing personal information in databases will be deleted with the 'Delete' command.
When necessary, it will be securely deleted with the help of an expert.
5.2 Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone with the following methods.
Physical Destruction
Paper Shredder
De-magnetization: It is the method of corrupting the data on it in an unreadable way by passing the magnetic media through special devices where it will be exposed to high magnetic fields.
5.3 Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Urartu Göz can use one or more of the following methods to anonymize personal data:
Masking: It is the method of anonymizing personal data by removing the basic determinant information of personal data from the data set with data masking.
Removing Records: In the deregistration method, the data line containing singularity among the data is removed from the records and the stored data is anonymized.
Regional Concealment: In the regional concealment method, since a single data creates a very rarely visible combination, if it has a determining feature, hiding the relevant data provides anonymization.
Global Coding: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person. For example; indication of ages instead of dates of birth; specifying the area of residence instead of the full address.
Adding Noise: The method of adding noise to the data is anonymized by adding some positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data are predominant. For example, in a data group with weight values (+/-) 3 kg deviation is used to prevent the real values from being displayed and the data is anonymized. The deviation applies equally to each value.
In accordance with Article 28 of the Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and the explicit consent of the personal data owner will not be sought.
Urartu Göz will be able to take decisions ex officio regarding the deletion, destruction or anonymization of personal data and freely determine the method to be used according to the category it has chosen. In addition, if the person concerned chooses one of the categories of deletion, destruction or anonymization of his personal data during the application, within the scope of Article 13 of the Regulation, Urartu will have freedom of mind regarding the methods to be used in the relevant category.
6. PERSONAL DATA STORAGE AND DISPOSAL TIMES
Urartu Göz stores personal data for the period specified for the purpose for which they are processed. If a period is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with. In the absence of a period stipulated in the legislation, personal data will be kept for the maximum period. These periods are; By evaluating Urartu Göz's data categories and data owner groups; The data obtained as a result of this evaluation has been determined by considering the maximum period of limitation (10 years) in the Turkish Code of Obligations, which will ensure the fulfillment of the obligations in the laws.
Urartu Göz deletes, destroys or anonymizes personal data in the first periodical destruction process following this date, in case the obligation to delete, destroy or anonymize due to the expiry of these periods.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
7.PERIODIC DISPOSAL TIMES
In accordance with Article 11 of the regulation, the period of periodic destruction is determined as 6 months. Accordingly, periodic destruction is carried out in June and December each year. In the said systems, the information will be deleted in a way that it cannot be retrieved, and the documents, files, CDs, floppy disks, hard disks, if any, in which the data are recorded, will not be recycled.
8. STAFF
Within the scope of the Law, titles, units and job descriptions of the personnel whose obligations will be fulfilled in terms of the implementation of the data retention and destruction process of the Law, based on paragraph 1 of Article 11 of the Regulation, as Urartu Göz data controller, have been determined.
These persons, whose boundaries have been determined, are responsible for the transactions and actions that take place within their jurisdiction within the scope of the Turkish Commercial Code, the Code of Obligations and the Turkish Penal Code. Urartian Eye has been elected as the Chairman of the Personal Data Protection Committee, who is authorized to represent Urartian Göz in law enforcement, prosecutor's offices, public institutions and courts and to testify. Each department head will be responsible for inspecting whether the relevant users in the departments act in accordance with the Storage and Disposal Policy and Personal Data Policy prepared within the framework of the Law and Regulation. All department responsibles will report to the President of Urartu Eye Personal Data Protection Committee the transactions they have carried out in accordance with this Storage and Disposal Policy during the specified periodical destruction periods. The decision made in the results of the study for these reports will be put into practice.
9. REVISION AND REVOCATION
If the Storage and Disposal Policy is amended or repealed, the new regulation will be announced on the website www.urartgoz.com.tr.
10. ENFORCEMENT
This Retention and Disposal Policy is effective on the date of publication.
