I. Purpose and Scope of the Data Storage and Destruction Policy

Law No. 6698 on the Protection of Personal Data (the Law) was published in the Official Gazette on April 7, 2016, and entered into force. This Law includes regulations in line with relevant European Union directives, ensuring the protection of individuals' data and, consequently, their personal rights.

For Yelken Kalıp Kapı Pencere Aksesuar Sanayi Ticaret Anonim Şirketi (Company), it is one of the basic principles to store and process the personal data of employees, job candidates, visitors, Company officials, business partners and their employees, shareholders, officials and third parties in accordance with the Law and other relevant legislation.

Therefore, this data storage and destruction policy has been prepared in accordance with the Law No. 6698 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, in order to determine the procedures and principles to be applied in this regard by the Company in its capacity as the data controller.

The Company will store, delete, destroy, or anonymize the data of its employees, job candidates, customers, or anyone whose personal data has been obtained in any way, in accordance with the principles set forth in this policy and in accordance with relevant legislation. This policy will be used in the processing and recording of all personal information obtained by the Company. The Company also aims to provide necessary in-house training, implement administrative and technical measures, establish necessary internal procedures, and manage compliance processes in accordance with this policy and relevant legislation.

II. Principles to be Observed in the Processing of Personal Data

The Company's top priority when collecting and processing personal data is to comply with the Constitution, relevant legislation, and the law. To ensure that individuals whose data is processed do not suffer any loss of rights, the Company has adopted the following principles for use in all its activities.

II. 1. Compliance with Law and the Rule of Honesty

The first and fundamental principle observed by the Company when processing personal data is that all transactions be lawful and in good faith. This principle includes not misleading data subjects during the processing of personal data, not violating the express provisions and spirit of the law, not exceeding the stated purpose, not misleading individuals in any way, and conducting a transparent process to the extent permitted by law.

II. 2. The Principle of Commitment to Purpose

The Company undertakes to process personal data obtained through any means for the purposes specified in the disclosure statement. All data processing activities have a legal basis. Elements of this principle are that these purposes are specific, legitimate, and clear. If the purpose changes but the new purpose is not complementary or compatible with the previous purpose, the relevant person will be informed in accordance with the law, or their consent will be obtained if legally required.

II. 3. Principle of Proportionality 

For every personal data it processes, the Company assesses whether the data is necessary for the purpose of processing. If personal data acquired is determined not to be necessary for the purpose of acquisition, the data is not retained in the Company's records. This prevents future personal data breaches. Similarly, this principle is also taken into consideration when determining data processing times.

II. 4. Principle of Data Accuracy

The Company operates all data-related processes with the understanding that it is legally obligated to ensure that the personal data it processes is accurate and, where necessary, up-to-date. Therefore, it diligently reviews and fulfills all requests from data subjects regarding the accuracy and up-to-date nature of their data. Personal data determined to be out of date or inaccurate as a result of periodic audits is deleted/anonymized/destroyed.

II. 5. Data Security Principle

The Company acts with the understanding that the personal data it collects and processes is within the scope of individual rights and protected by the Constitution. Therefore, ensuring data security is another fundamental principle. All necessary administrative and technical measures are taken to ensure data security. These measures are detailed in Section VI of the Policy.

III. Related Concepts and Definitions 

Personal Data: Any information relating to an identified or identifiable natural person.

Special Personal Data: Data regarding individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Contact Person: The natural person whose personal data is processed.

Employee Candidate: Natural persons who have applied for a job in the Company through any means or who have disclosed their CV and relevant information to the Company.

Law: Personal Data Protection Law No. 6698

Regulations: Regulation on the Deletion, Destruction or Anonymization of Personal Data

Board: Personal Data Protection Authority

Recording Medium: Any environment in which personal data, processed by fully or partially automatic means or by non-automatic means, is kept.

Processing of Personal Data:  Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

Anonymization: Rendering personal data in such a way that it cannot be associated with an identified or identifiable natural person, even when matched with other data.

Destruction: Deletion, destruction or anonymization of personal data.

IV. Environments Where Personal Data Is Stored

Personal data collected and stored within the Company are classified and stored in accordance with their characteristics and the Company's obligations as data controller, regardless of the way they are collected.

Personal data is stored in the environments listed below, with necessary security measures taken under all circumstances.

Digital media:

– Personal computers (laptops and desktops)

– Portable electronic devices (tablets, mobile phones)

– Printers, scanners, copiers

– Portable memories such as USB and memory cards

– Company email accounts, backup database, website

– Servers within the company

Physical environments:

– Manual record document recording system

– Company contracts

– Papers

V. Distribution of Responsibilities and Duties

 Access to the environments where personal data is stored within the company, whether digital or physical, is limited. This access is provided through a username and password provided to authorized and responsible individuals. These individuals are also responsible for the lawful acquisition, storage, and processing of personal data.

They are responsible for the processing of your data and deletion/anonymization in accordance with the Law and policy. 

Title and duty:

Accounting Department Manager: Responsible for planning the inspections that need to be carried out periodically.

IT Department Manager: Responsible for the continuity of the administrative and technical measures required by the Policy and the Law and for establishing the necessary contacts.

Human Resources Manager: Responsible for the training to be given to new employees, making necessary updates to the policy when necessary, and publishing these updates.

VI. Ensuring the Security of Processing and Destruction Processes

 In accordance with the first paragraph of Article 12 of Law No. 6698, the data controller must take all necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the appropriate level of security in order to ensure the preservation of personal data.

Pursuant to this provision, the Company takes all necessary precautions to securely store all personal and sensitive data, as required by the relevant law and regulations, and to prevent any violation of rights. In addition to implementing technical and administrative measures, it also monitors and reports on the reliability of these systems every six months.

VI. 1. Administrative Measures

– In order to ensure the security of personal data, the Company conducts a risk analysis by determining the data processed, the purposes and means by which they are obtained, the forms and purposes of processing.

– During periodic audits, the processed data that no longer needs to be stored is deleted/anonymized/destroyed.

– All employees are given in-company training explaining the new legislation, its requirements and sanctions.

– Company employees who have access to personal data are specific and limited. Their authority is also distributed.

– The company’s obligation to inform, as the data controller, is fulfilled in the necessary environments and in a way that third parties can see.

– A person is selected to closely follow the regulations on the protection of personal data within the company and to follow the necessary changes in the policy, information texts and contracts.

– It is ensured that the personal data inventory remains up-to-date and compliant with legislation.

– Regular audits are conducted within the Company to ensure data security and ensure that the system established to protect personal data is up-to-date, and these are reported. Any deficiencies are promptly addressed.

VI. 2. Technical Measures

– The company implements technical measures that are complementary to many principles and are regularly checked.

– It uses firewalls and gateways for precautionary and defensive purposes against attacks that may occur from the Internet.

– Patching methods and software updates are used to ensure that software and hardware operate properly, to regularly check whether the security measures taken for the systems are sufficient, and to close possible security vulnerabilities.

– Access to systems where personal data is stored is limited to authorized individuals, within the scope of their authority and responsibilities. Such access is provided through usernames and passwords provided to authorized individuals.

– Personal data stored in physical environments is kept locked and access is provided only to authorized persons.

– The security of data kept in physical and electronic media is tested during the periodic audit period and any deficiencies are corrected. 

– Data backup programs are used to ensure the safe storage of personal data.

– Encrypted corporate e-mail is used when transferring sensitive personal data within the Company or to persons outside the Company.

– Secure record keeping systems are used in electronic environments where personal data is processed. 

VII. Storage and Destruction of Personal Data

The Company obtains personal data, and in limited cases, special categories of personal data, in lawful ways. At every stage of processing personal data, the Company abides by the principles set forth in Article 4 of the Law: personal data must be processed in compliance with the law and rules of integrity; be accurate and up-to-date where necessary; be processed for specific, clear, and legitimate purposes; be relevant, limited, and proportionate to the purpose for which it is processed; and be retained for the period stipulated in relevant legislation or necessary for the purpose for which it is processed.

VII. 1. Legal Reasons Requiring Storage and Destruction

– Law No. 6698 on the Protection of Personal Data,

– Turkish Code of Obligations No. 6098,

– Law No. 1136 on Attorneyship,

– Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331,

– Law No. 4982 on the Right to Information, Law No. 3071 on the Exercise of the Right to Petition,

– Labor Law No. 4857, Retirement Health Law No. 5434, Social Services Law No. 2828

– Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,

– Regulation on Archive Services

– Other secondary regulations in force pursuant to these Laws

VII. 2. Processing Purposes Requiring Storage

– The Company’s activity regarding the processing of personal data, excluding personal data related to health and sexual life, is clearly prescribed by law.

– The processing of personal data by the Company is directly related to and necessary for the establishment or performance of a contract.

– Processing of personal data is necessary for the Company to fulfill its legal obligations.

– Provided that personal data is made public, it is processed by the Company in a limited way for the purpose of making it public.

– The processing of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the persons whose data is processed or third parties.

– It is necessary to process personal data for the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the persons whose data is processed.

– The processing of personal data by the Company is necessary to protect the life or physical integrity of the personal data owner or someone else, where the personal data owner is unable to give consent due to actual impossibility or legal invalidity.

– Special personal data of the personal data owner, other than data on health and sexual life, is processed in cases stipulated by law.

– Event management.

– Planning and execution of business activities.

– Planning and execution of corporate communication activities.

– Planning and execution of corporate sustainability activities.

– Wage management.

– Planning of human resources processes.

– Following up on legal processes.

– The burden of proof as evidence in legal disputes that may arise in the future.

VII. 3. Reasons Requiring Destruction

– Amendment or repeal of relevant legislative provisions that form the basis for the processing of personal data.

– The purpose for which personal data is processed or stored disappears.

– In cases where the processing of personal data is carried out solely on the basis of explicit consent, the data subject withdraws his/her explicit consent.

– Acceptance by the Company of the application made by the relevant person for the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law.

– In cases where the Company rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, the relevant person finds the response insufficient, or the Company does not respond within the period stipulated in the Law, a complaint is filed with the Board and this request is approved by the Board.

– The maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing personal data for a longer period.

In the cases listed above, the Company destroys the personal data it stores and processes.

VIII. Storage Periods of Personal Data

The Company retains the personal data it processes for the period stipulated in relevant legislation to fulfill its legal obligations. In the absence of a provision in relevant legislation regarding the retention period for such data, the Company retains this data for a period not inconsistent with the relevant law and legislation, taking into account the relevant activity, the burden of proof in case of disputes, and the duration required by commercial activities.

Personal data processed by the Company will be deleted, destroyed, or anonymized in cases where the purpose of processing is no longer necessary, the data becomes inaccurate or outdated, the nature of the data changes and processing becomes unlawful, the retention periods specified by relevant legislation or the Company expire, the request of the relevant person is accepted, or an institutional decision is made. In the event of a discrepancy between the retention periods specified by the Company and those specified in legislation, the periods specified in the legislation shall be deemed the maximum retention period.

All operations regarding the deletion, destruction and anonymization of personal data are recorded and the records in question are kept for at least three years, excluding other legal obligations.

If all personal data processing conditions stipulated in the Law are no longer met, the Company will delete, destroy, or anonymize the personal data for which the processing conditions have been eliminated, through a process specified in this Policy and carried out ex officio at recurring intervals. Periodic destruction processes will be repeated every six (6) months.

IX. Update and Adaptation

The Company reserves the right to update this policy due to changes in the law, decisions made by the Institution, developments in the IT sector, or changes to the Company's structure. These updates and changes will be disclosed at the end of this policy and will be announced on the Company's website.