BENLİ RECYCLING MACHINERY INDUSTRY AND TRADE ANONYMOUS COMPANY PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Identity of the Data Controller and Scope of the Policy
BENLİ RECYCLING MACHINERY INDUSTRY AND TRADE ANONYMOUS COMPANY Personal Data Storage and Destruction Policy (hereinafter referred to as the “POLICY”) is implemented by BENLİ RECYCLING MACHINERY INDUSTRY AND TRADE ANONYMOUS COMPANY (hereinafter referred to as “Benli”) and aims to determine the procedures and principles regarding data storage and destruction activities.
Benli has determined as its primary goal to ensure that the personal data of company employees, candidates, suppliers and other third parties are processed in accordance with the Constitution of the Republic of Turkey, international agreements, the Law on the Protection of Personal Data No. 6698 (hereinafter referred to as “KVKK”) and other relevant legislation, and that individuals can effectively exercise their rights.
2. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person.
Special Personal Data: Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, association or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Data Owner: The natural person whose personal data is processed.
Data Controller: The person or legal entity that determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller in accordance with the authority granted to him.
Explicit Consent: Consent based on information and expressed with free will regarding a specific subject.
Processing of Personal Data: Any operation carried out with respect to personal data, such as obtaining, recording, storing, changing, disclosing, transferring, taking over, classifying or preventing its use, which is carried out completely or partially by automatic means or by non-automatic means provided that it is part of a data recording system.
Anonymization of Personal Data: Making personal data incapable of being associated with an identified or identifiable natural person.
Deletion of Personal Data: The process of rendering personal data unprocessable, unusable and irreversible.
Destruction: The process of completely deleting or anonymizing personal data.
Recipient Group: Third party or group of persons to whom personal data is transferred by the data controller.
Data Storage Medium: The medium in which personal data is stored or accessed by automatic or non-automatic means within the scope of a data recording system.
Data Recording System: A system in which personal data is processed according to certain criteria.
Institution: Personal Data Protection Authority.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
3. LEGAL BASIS FOR DATA PROCESSING ACTIVITIES
- Personal Data Protection Law No. 6698
- Turkish Code of Obligations No. 6098
- Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications
- Occupational Health and Safety Law No. 6331
- Labor Law No. 4857
- Regulation on Health and Safety Measures to be Taken in Buildings and Annexes in Workplaces
- Regulation on Archive Services
- Other secondary legislation in force within the framework of these laws
4. RESPONSIBILITY
All units and employees of Benli are responsible for implementing the technical and administrative measures taken, training the relevant unit employees and raising their awareness, and maintaining audit and control processes in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law.
5. DATA PROCESSING PURPOSES
Benli processes personal data within the scope of its business activities for the following purposes:
- Carrying out human resources processes
- To ensure corporate communication
- Ensuring company security
- Conducting statistical studies
- To fulfill legal obligations as required by legal regulations or as required by law.
- Communicating with real/legal persons who have business relations with the Company
- Making legal reports
- To manage the actual and legal processes arising from contracts and legislation provisions of employees, those who buy and sell goods or services and other persons within the scope of commercial relations.
6. RECORDING MEDIA
- Personal computers
- Mobile devices
- Magnetic and optical recording media
- Portable memories
- Servers
- Softwares
- Information security devices and software
- Audio and video recording devices
- Document production and duplication devices
- Written and printed visual materials
7. STORAGE AND DESTRUCTION PERIOD OF PERSONAL DATA
Personal data obtained by Benli is stored and protected within the periods specified in the table below.
İşlem |
Depolama Süresi |
Yıkım Dönemi |
|---|---|---|
Preparation of Contracts | 10 Years | At the first periodic destruction after the end of the storage period |
Conducting Communication Activities | 10 Years | At the first periodic destruction after the end of the storage period |
Human Resources Activities | 10 Years | At the first periodic destruction after the end of the storage period |
Customer Transactions (Purchase and sale of goods and services) | 10 Years | At the first periodic destruction after the end of the storage period |
Finance, Accounting Records, Risk Information | 10 Years | At the first periodic destruction after the end of the storage period |
Legal Documents Covered by the Employment Contract | 10 Years | At the first periodic destruction after the end of the storage period |
Health Information (Health Reports Within the Scope of the Employment Contract) | 10 Years | At the first periodic destruction after the end of the storage period |
Records for Security Purposes | 3 Months | At the first periodic destruction after the end of the storage period |
Location Information | 2 Years | At the first periodic destruction after the end of the storage period |
Audio and Video Recordings | 10 Years | At the first periodic destruction after the end of the storage period |
- PERIODIC DESTRUCTION PERIOD
Benli has determined the periodic destruction period as 6 months in accordance with Article 11 of the regulation. Accordingly, periodic destruction is carried out in June and December every year.
- DELETION OF PERSONAL DATA
Personal data processed by Benli;
- Amendment or repeal of the relevant legislative provisions that form the basis for processing,
- The purpose requiring processing or storage is eliminated,
- In cases where personal data is processed only with explicit consent, the person concerned must withdraw his/her explicit consent,
- The relevant person, Article 11 of the Law. The company accepts the application made for the deletion or destruction of personal data in accordance with the article,
- If the maximum period for which personal data must be stored has expired and there is no reason justifying the longer storage of personal data, they will be deleted, destroyed or made anonymous.
- MEASURES TAKEN FOR DATA SECURITY
10.1 TECHNICAL MEASURES
The technical measures taken by Benli regarding personal data processed are listed below:
- Risks and threats that may affect the continuity of information systems are constantly monitored.
- Hardware measures are taken to ensure the security of information systems.
- Access to environments containing personal data is determined and limited by security policies.
- Risks to prevent unlawful processing of personal data are identified, technical measures appropriate to these risks are taken, and the measures taken are audited.
- Necessary measures are taken to ensure that deleted personal data is inaccessible and unusable for the relevant users.
- Information systems are kept up to date by monitoring security vulnerabilities.
- Employees involved in special processes regarding the security of sensitive personal data have been trained, confidentiality agreements have been made, and access rights of authorized users have been defined.
- Adequate security measures are taken in physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
10.2 ADMINISTRATIVE MEASURES
The administrative measures taken regarding personal data processed by Benli are listed below:
- In order to increase the qualifications of employees, training is provided on preventing the unlawful processing of personal data, preventing unlawful access, ensuring the protection of data, Law No. 6698 and other relevant legislation.
- Within the scope of the activities carried out, employees are asked to sign a confidentiality agreement.
- Disciplinary procedures have been prepared for employees who do not comply with security policies and procedures.
- Before starting the processing of personal data, the relevant persons are informed.
- A personal data processing inventory has been prepared.
- Regular and random inspections are conducted.
- Employees are given information security training.
- DELETION AND DESTRUCTION OF PERSONAL DATA
- Personal data stored in electronic media becomes inaccessible and unusable for the relevant users when the period requiring its storage expires.
- Personal data stored in physical media is irreversibly destroyed using paper shredders when the storage period expires.
- OTHER MATTERS
- The policy is published in two different media: with wet signature (hard copy) and electronically, and is made public on the website.
- In case of any inconsistency between the provisions of the KVKK and relevant legislation and this policy, the provisions of the KVKK and relevant legislation shall prevail.
- The policy is published on the Benli corporate website and announced to relevant persons.
- In case the policy is updated, the new policy document comes into force by being announced and published in the same manner.