CORPORATE
- SECTION: NATURE AND PURPOSE OF THE EXTERMINATION POLICY
1.1. entry
This destruction policy is PUNTEKS TEKSTIL MAKINE SANAYI VE TICARET A.Sh. it has been prepared for the purpose of determining the procedures and principles to be applied by PUNTEKS regarding the deletion, destruction or anonymization of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation of the personal data we hold in the capacity of data controller (briefly referred to as “PUNTEKS”).
In this context, the personal data of our employees, employee candidates, customers and all natural persons who have personal data with PUNTEKS for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
| LAW | : | the Law on the Protection of Personal Data numbered 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677, |
| Regulation | : | The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 |
| Assembly | : | The Personal Data Protection Board |
| Related person | : | The real person whose personal data is processed, |
| Extermination | : | Deletion, destruction or anonymization of personal data, |
| Periodic Destruction | : | In case all the conditions for processing personal data contained in the Law disappear, the deletion, destruction or anonymization of personal data will be carried out ex officio at December intervals specified in the retention and destruction policy, |
| Anonymization | : | To ensure that personal data cannot be associated with an identified or identifiable real person under any circumstances, even by matching it with other data, |
| Recording media | : | Any environment in which personal data is processed by means that are fully or partially automatic or that are not automatic provided that they are part of any data recording system, |
| Personal Data Processing and Protection Policy | : | “www.punteks.com ” the policy that determines the procedures and principles for the management of personal data held by PUNTEKS, which can be accessed at the address, |
| Data recording system | : | The registration system in which personal data is processed by structuring according to certain criteria, |
expresses.
- SECTION: ENVIRONMENTS AND SECURITY MEASURES
2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
The personal data stored by PUNTEKS is kept in a recording environment in accordance with the nature of the relevant data and our legal obligations.
The recording media used for the storage of personal data are generally listed below. However, some data may be stored in an environment different from the environments shown here due to their special characteristics or our legal obligations. PUNTEKS acts as a data controller in any case and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
| a) Printed media | : | These are the media in which data is stored by printing on paper or microfilms. |
| b) Local digital media | : | The servers included in PUNTEKS are other digital media such as hard or portable disks, optical disks. |
| c) Cloud environments | : | Although not included in the PUNTEKS, these are the environments where internet-based systems encrypted with cryptographic methods are used in the use of PUNTEKS. |
2.2. ENSURING THE SECURITY OF ENVIRONMENTS
PUNTEKS takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is stored in order to store personal data securely and prevent illegal processing and access.
These measures include, but are not limited to, the following administrative and technical measures to the extent that they correspond to the nature of the relevant personal data and the environment in which it is stored.
2.2.1. Technical Measures
PUNTEKS takes the following technical measures in accordance with the characteristics of the relevant data and the environment in which personal data is stored in all environments where personal data is stored:
Only up-to-date and secure systems suitable for technological developments are used in the environments where personal data are stored.
Security systems are used for the environments where personal data are stored.
Security tests and researches are carried out to identify security vulnerabilities on information systems, and issues that pose a current or possible risk are eliminated as a result of the tests and researches carried out.
By restricting access to data in the environments where personal data is stored, only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded.
PUNTEKS has sufficient technical personnel to ensure the security of the environments where personal data are stored.
2.2.2. Administrative Measures
PUNTEKS takes the following administrative measures in accordance with the characteristics of the relevant data and the environment in which personal data is stored in all environments where personal data is stored in accordance with the following administrative measures:
Efforts are being made to increase and raise awareness of information security, personal data and privacy of all PUNTEKS employees who have access to personal data.
Legal and technical consultancy services are provided in order to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.
If personal data is transferred to third parties due to technical or legal requirements, contracts are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to comply with the obligations of the relevant third parties in these contracts.
2.2.3. Internal Audit of the Company
PUNTEKS conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy in accordance with Article 12 of the Law.
If deficiencies or defects related to the implementation of these provisions are detected as a result of internal audits, these deficiencies or defects will be corrected immediately.
If it becomes clear that the personal data held under the responsibility of PUNTEKS has been obtained by others through illegal means during the audit or in any other way, PUNTEKS notifies the relevant person and the Board of this situation as soon as the Law prescribes.
- SECTION: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR STORAGE AND DESTRUCTION
3.1.1. Reasons for Retention
The personal data held within PUNTEKS are stored in accordance with the Law and our Personal Data Policy for the purposes and reasons stated here.
3.1.2. Causes of Destruction
The personal data contained in PUNTEKS shall be deleted, destroyed or anonymized in accordance with this destruction policy upon the request of the relevant person or in the event of the disappearance of the reasons listed in Articles 5 and 6 of the Law.
The reasons listed in Articles 5 and 6 of the Law consist of the following:
To be clearly stipulated in the laws.
The fact that a person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid is mandatory for the protection of the life or body integrity of himself or someone else.
It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill his/her legal obligation.
The fact that the relevant person has been publicly identified by himself.
The data processing is mandatory for the establishment, use or protection of a right.
It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.2. METHODS OF DESTRUCTION
PUNTEKS shall delete, destroy or anonymize the personal data stored in accordance with the Law and other legislation and the Personal Data Processing and Protection Policy in accordance with the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy in case the reasons requiring the processing of the data disappear.
The most commonly used deletion, destruction and anonymization techniques by PUNTEKS are listed below:
3.2.1.1 Deletion Methods
| Deletion Methods for Personal Data Stored in Printed Media | ||
| Blackout | : | The personal data contained in the printed medium are deleted using the blackout method. The blackout process is carried out in the form of cutting off the personal data on the relevant documents, if possible, and making it invisible using fixed ink in such a way that it cannot be returned and read with technological solutions in impossible cases. |
| Deletion Methods for Personal Data Stored in the Cloud and Local Digital Environment | ||
| Secure deletion from software | : | Personal data stored in the cloud or local digital media is deleted by digital command in such a way that it can never be recovered again. The data deleted in this way cannot be accessed again. |
3.2.1.2 Methods of Destruction
| Methods of Destruction for Personal Data Stored in the Printed Environment | ||
| Physical annihilation | : | Documents kept in the printed environment are destroyed in such a way that they cannot be put back together with document Deconstruction machines. |
| Methods of Destruction for Personal Data Stored in the Local Digital Environment | ||
| Physical annihilation | : | It is the process of physical destruction of optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, burning, pulverizing optical or magnetic media, or passing it through a metal grinder. |
| De-magnetizing (degauss) | : | It is the process of unreadable distortion of data on magnetic media by exposing it to a high magnetic field. |
| Writing on | : | Random data consisting of 0s and 1s is written at least seven times on magnetic media and rewritable optical media, preventing the reading and recovery of old data. |
| Methods of Destruction for Personal Data Stored in the Cloud | ||
| Secure deletion from software | : | Personal data stored in the cloud environment is deleted by digital command in such a way that it can never be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys necessary to make the personal data usable are destroyed. The data deleted in this way cannot be accessed again. |
3.2.1.3. Anonymization Methods
Anonymization is the mapping of personal data with other data to make it impossible to be associated with an identifiable or identifiable real person under any circumstances.
| Removing variables | : | It is the removal of one or more of the direct identifiers contained in the personal data of the relevant person that will help to identify the relevant person in any way. |
| This method can be used to anonymize personal data, or it can also be used to delete such information if there is information in the personal data that is not suitable for the purpose of data processing. | ||
| Regional concealment | : | It is the process of deleting information that may have a distinctive character related to data that is in an exceptional situation in the data table where personal data is stored anonymously in bulk. |
| Generalization | : | It is the process of bringing together the personal data belonging to many people and Deconstructing their distinctive information and turning them into statistical data. |
| Lower and upper limit coding / Global coding | : | For a certain variable, the December of that variable is defined and categorized. If the variable does not contain a numerical value, then the data that are close to each other in the variable are categorized. |
| The remaining values in the same category are combined. | ||
| Micro-merging | : | With this method, all the records in the dataset are first sorted in a meaningful order, and then the entire set is divided into a certain number of subsets. Then, the average of the value of each subset belonging to the specified variable is taken and the value of that variable of the subset is replaced by the average value. In this way, since the indirect identifiers contained in the data will be corrupted, it will be difficult to associate the data with the relevant person. |
| Data hashing and corruption | : | The direct or indirect identifiers in the personal data are mixed with other values or corrupted so that their relationship with the relevant person is severed and they lose their identifying qualities. |
PUNTEKS uses one or more of these anonymization methods in order to anonymize personal data, depending on the nature of the relevant data. PUNTEKS can use K-Anonymity (K-Anonymity), L-Diversity (L-Diversity) and T-Closeness (T-Closeness) statistical methods when using these anonymization methods.
3.3. STORAGE AND DISPOSAL PERIODS
3.3.1. Storage Periods
| DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
| Employee | Personnel data based on the recruitment documents and notifications made to the Social Security Institution about the duration of service and salary | It is maintained for a period of 10 (ten) years during the continuation of the service contract and from the date of its execution. |
| Employee | Personal data made out to the Social Security Institution with the recruitment documents; personal data other than the personal data based on notifications about the duration of service and salary | It is maintained for a period of 10 (ten) years after the continuation of the service agreement and from the beginning of the calendar year following the hitam. |
| Employee | Data Contained in the Workplace Personal Health File | It is maintained for a period of 10 (ten) years in the continuation of the service contract and from the date of its execution. |
| Business Partner / Solution Partner / Consultant | Identity information, contact information, financial information, Business Partner/Solution Partner/Consultant employee data on the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and PUNTEKS Dec. | During and after the termination of the business /commercial relationship of the Business Partner / Solution Partner / Consultant with PUNTEKS, Art.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 years. |
| Visitor | The name, surname, T of the Visitor received at the entrance to the physical space belonging to PUNTEKS.C.K.N., camera recordings with vehicle license plate, | it is stored for a period of 2 years. |
| Website Visitor | Name, surname, e-mail address, navigation movements information of the Website Visitor | it is stored for a period of 2 (two) years. |
| Employee Candidate | The information contained in the Employee Candidate’s resume and job application form | It is stored for a maximum of 2 (two) years, up to the period when the resume will lose its timeliness. |
| Intern(student) | The information contained in the internship file belonging to the intern | During the continuation of the internship relationship and the calendar year following its completion, it is maintained for a period of 10 (ten) years from the beginning of the year. |
| Customer | Customer’s first name, last name, T.C.K.N., contact information, pay information and methods, navigation movements information, product/service preferences, transaction history, special day information | Art. of the Turkish Code of Obligations from the moment of presentation of each product / service purchased by the Customer.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 (ten) years. |
| Customer | Camera footage, vehicle license plate information | it is stored for a period of 2 (two) years. |
| Potential Customer | Identity information, contact information, financial information, voice recordings taken during the contract negotiations Decoupling the commercial relationship between the Potential Customer and PUNTEKS | it is stored for a period of 2 (two) years. |
| Institutions / Companies with Which PUNTEKS Cooperates | Identity information, contact information, financial information, voice recordings taken during telephone calls, employee data of the Institution /Company with which PUNTEKS Cooperates regarding the execution of the commercial relationship between PUNTEKS and the Institution/Companies with which PUNTEKS Cooperates Dec. | The Institutions / Companies with which PUNTEKS Cooperates during the business / commercial relationship with PUNTEKS and from the end of the Turkish Code of Obligations art.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 years. |
| (Supplier, Contract Manufacturer, Dealer/Franchise) |
* The fact that a longer period has been arranged in accordance with the legislation, or the statute of limitations, reduced period of rights, retention periods, etc. in accordance with the legislation. if a longer period is provided for, the periods in the provisions of the legislation are considered to be the maximum retention period.
3.3.2. Destruction Times
PUNTEKS deletes, destroys or anonymizes personal data in the first periodic destruction process following the date of occurrence of the obligation to delete, destroy or anonymize the personal data for which it is responsible in accordance with the Law, relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
When the data subject requests the deletion or destruction of his/her personal data by applying to PUNTEKS in accordance with Article 13 of the Law;
If all the conditions for processing personal data have disappeared; PUNTEKS deletes, destroys or anonymizes the personal data subject to the request by explaining its justification within 30 (thirty) days from the day it receives the request, using the appropriate method of destruction. In order for PUNTEKS to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. PUNTEKS provides information to the relevant person about the transaction performed in any case.
If all the conditions for processing personal data have not been eliminated, this request may be rejected by PUNTEKS by explaining the justification in accordance with the third paragraph of Article 13 of the Law, and the rejection response is notified to the relevant person in writing or electronically no later than 30 (thirty) days.
3.4. PERIODIC DESTRUCTION
In the event that all of the conditions for processing personal data contained in the law disappear, PUNTEKS deletes, destroys or anonymizes the personal data whose processing conditions have disappeared by a process specified in this Personal Data Storage and Destruction Policy and to be performed on your own at repeated intervals. December 2019, PUNTEKS deletes, destroys or anonymizes the personal data that have disappeared.
Periodic destruction processes for the first time ……….. it starts on the date and repeats every 6 (six) months.
3.5. AUDIT OF THE LEGAL COMPLIANCE OF THE DESTRUCTION PROCESS
PUNTEKS performs the destruction operations that it performs ex officio, both on request and during periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
PUNTEKS takes a number of administrative and technical measures to ensure that the destruction operations are carried out in accordance with these regulations Jul.
3.5.1. Technical Measures
PUNTEKS ensures the security of the place where the destruction operations are carried out.
PUNTEKS keeps access records of the people who performed the destruction process.
PUNTEKS employs competent and experienced personnel who will perform the destruction process, or receives services from competent third parties when necessary.
3.5.2. Administrative Measures
PUNTEKS makes efforts to increase and raise awareness of information security, personal data and privacy issues of its employees who will perform the destruction process.
PUNTEKS receives legal and technical consultancy services in order to follow the developments in the field of information security, privacy of private life, protection of personal data and secure destruction techniques and to take the necessary actions.
PUNTEKS signs protocols with the relevant third parties for the protection of personal data in cases where the destruction process is performed by third parties due to technical or legal requirements, and shows all necessary care to comply with the obligations of the relevant third parties in these protocols.
PUNTEKS regularly checks whether the destruction operations are carried out in accordance with the law and the terms and obligations set out in this Personal Data Storage and Destruction Policy and takes the necessary actions.
PUNTEKS records all transactions related to the deletion, destruction and anonymization of personal data and stores these records for at least three years, excluding other legal obligations.
- SECTION: PERSONAL DATA COMMITTEE
Establishes a Personal Data Committee within PUNTEKS. The Personal Data Committee is authorized and responsible for performing / having performed the necessary operations for the storage and processing of the data of the relevant persons in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and supervising the processes.
The Personal Data Committee consists of three people: an administrator, an administrative specialist and a technical specialist. The titles and job descriptions of the PUNTEKS employees working in the Personal Data Committee are stated below:
| Title | Mission Description | |
| Personal Data Committee Manager | : | It is obliged to direct all kinds of planning, analysis, research, risk determination studies in projects carried out during the compliance process with the Law; to manage the processes that must be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and to decide on the requests received by the relevant persons. |
| Personal Data Committee Specialist | : | Responsible for the examination and evaluation of the requests of the relevant persons and reporting them to the Manager of the Personal Data Committee; for the execution of the procedures related to the requests of the relevant persons evaluated and decided by the Manager of the Personal Data Committee in accordance with the decision of the Manager of the Personal Data Committee; for the audit of the storage and destruction processes and the reporting of these audits to the Manager of the Personal Data Committee; for the execution of the storage and destruction processes. |
| (Technical and Administrative) |
- SECTION: UPDATE AND ADAPTATION
PUNTEKS reserves the right to make changes to the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy due to amendments made to the Law, in accordance with Corporate decisions or in line with developments in the sector or in the field of informatics.
The changes made to this Personal Data Storage and Destruction Policy are immediately processed into the text and the explanations related to the changes are explained at the end of the policy.
5.1 NOTES OF CHANGES
……….. : The Personal Data Storage and Destruction Policy has been published.
*there are no changes dated earlier.*
- SECTION: NATURE AND PURPOSE OF THE EXTERMINATION POLICY
1.1. entry
This destruction policy is PUNTEKS TEKSTIL MAKINE SANAYI VE TICARET A.Sh. it has been prepared for the purpose of determining the procedures and principles to be applied by PUNTEKS regarding the deletion, destruction or anonymization of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation of the personal data we hold in the capacity of data controller (briefly referred to as “PUNTEKS”).
In this context, the personal data of our employees, employee candidates, customers and all natural persons who have personal data with PUNTEKS for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
| LAW | : | the Law on the Protection of Personal Data numbered 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677, |
| Regulation | : | The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 |
| Assembly | : | The Personal Data Protection Board |
| Related person | : | The real person whose personal data is processed, |
| Extermination | : | Deletion, destruction or anonymization of personal data, |
| Periodic Destruction | : | In case all the conditions for processing personal data contained in the Law disappear, the deletion, destruction or anonymization of personal data will be carried out ex officio at December intervals specified in the retention and destruction policy, |
| Anonymization | : | To ensure that personal data cannot be associated with an identified or identifiable real person under any circumstances, even by matching it with other data, |
| Recording media | : | Any environment in which personal data is processed by means that are fully or partially automatic or that are not automatic provided that they are part of any data recording system, |
| Personal Data Processing and Protection Policy | : | “www.punteks.com ” the policy that determines the procedures and principles for the management of personal data held by PUNTEKS, which can be accessed at the address, |
| Data recording system | : | The registration system in which personal data is processed by structuring according to certain criteria, |
expresses.
- SECTION: ENVIRONMENTS AND SECURITY MEASURES
2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
The personal data stored by PUNTEKS is kept in a recording environment in accordance with the nature of the relevant data and our legal obligations.
The recording media used for the storage of personal data are generally listed below. However, some data may be stored in an environment different from the environments shown here due to their special characteristics or our legal obligations. PUNTEKS acts as a data controller in any case and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
| a) Printed media | : | These are the media in which data is stored by printing on paper or microfilms. |
| b) Local digital media | : | The servers included in PUNTEKS are other digital media such as hard or portable disks, optical disks. |
| c) Cloud environments | : | Although not included in the PUNTEKS, these are the environments where internet-based systems encrypted with cryptographic methods are used in the use of PUNTEKS. |
2.2. ENSURING THE SECURITY OF ENVIRONMENTS
PUNTEKS takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is stored in order to store personal data securely and prevent illegal processing and access.
These measures include, but are not limited to, the following administrative and technical measures to the extent that they correspond to the nature of the relevant personal data and the environment in which it is stored.
2.2.1. Technical Measures
PUNTEKS takes the following technical measures in accordance with the characteristics of the relevant data and the environment in which personal data is stored in all environments where personal data is stored:
Only up-to-date and secure systems suitable for technological developments are used in the environments where personal data are stored.
Security systems are used for the environments where personal data are stored.
Security tests and researches are carried out to identify security vulnerabilities on information systems, and issues that pose a current or possible risk are eliminated as a result of the tests and researches carried out.
By restricting access to data in the environments where personal data is stored, only authorized persons are allowed to access this data limited to the purpose of storing personal data, and all accesses are recorded.
PUNTEKS has sufficient technical personnel to ensure the security of the environments where personal data are stored.
2.2.2. Administrative Measures
PUNTEKS takes the following administrative measures in accordance with the characteristics of the relevant data and the environment in which personal data is stored in all environments where personal data is stored in accordance with the following administrative measures:
Efforts are being made to increase and raise awareness of information security, personal data and privacy of all PUNTEKS employees who have access to personal data.
Legal and technical consultancy services are provided in order to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.
If personal data is transferred to third parties due to technical or legal requirements, contracts are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to comply with the obligations of the relevant third parties in these contracts.
2.2.3. Internal Audit of the Company
PUNTEKS conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy in accordance with Article 12 of the Law.
If deficiencies or defects related to the implementation of these provisions are detected as a result of internal audits, these deficiencies or defects will be corrected immediately.
If it becomes clear that the personal data held under the responsibility of PUNTEKS has been obtained by others through illegal means during the audit or in any other way, PUNTEKS notifies the relevant person and the Board of this situation as soon as the Law prescribes.
- SECTION: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR STORAGE AND DESTRUCTION
3.1.1. Reasons for Retention
The personal data held within PUNTEKS are stored in accordance with the Law and our Personal Data Policy for the purposes and reasons stated here.
3.1.2. Causes of Destruction
The personal data contained in PUNTEKS shall be deleted, destroyed or anonymized in accordance with this destruction policy upon the request of the relevant person or in the event of the disappearance of the reasons listed in Articles 5 and 6 of the Law.
The reasons listed in Articles 5 and 6 of the Law consist of the following:
To be clearly stipulated in the laws.
The fact that a person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid is mandatory for the protection of the life or body integrity of himself or someone else.
It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill his/her legal obligation.
The fact that the relevant person has been publicly identified by himself.
The data processing is mandatory for the establishment, use or protection of a right.
It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.2. METHODS OF DESTRUCTION
PUNTEKS shall delete, destroy or anonymize the personal data stored in accordance with the Law and other legislation and the Personal Data Processing and Protection Policy in accordance with the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy in case the reasons requiring the processing of the data disappear.
The most commonly used deletion, destruction and anonymization techniques by PUNTEKS are listed below:
3.2.1.1 Deletion Methods
| Deletion Methods for Personal Data Stored in Printed Media | ||
| Blackout | : | The personal data contained in the printed medium are deleted using the blackout method. The blackout process is carried out in the form of cutting off the personal data on the relevant documents, if possible, and making it invisible using fixed ink in such a way that it cannot be returned and read with technological solutions in impossible cases. |
| Deletion Methods for Personal Data Stored in the Cloud and Local Digital Environment | ||
| Secure deletion from software | : | Personal data stored in the cloud or local digital media is deleted by digital command in such a way that it can never be recovered again. The data deleted in this way cannot be accessed again. |
3.2.1.2 Methods of Destruction
| Methods of Destruction for Personal Data Stored in the Printed Environment | ||
| Physical annihilation | : | Documents kept in the printed environment are destroyed in such a way that they cannot be put back together with document Deconstruction machines. |
| Methods of Destruction for Personal Data Stored in the Local Digital Environment | ||
| Physical annihilation | : | It is the process of physical destruction of optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, burning, pulverizing optical or magnetic media, or passing it through a metal grinder. |
| De-magnetizing (degauss) | : | It is the process of unreadable distortion of data on magnetic media by exposing it to a high magnetic field. |
| Writing on | : | Random data consisting of 0s and 1s is written at least seven times on magnetic media and rewritable optical media, preventing the reading and recovery of old data. |
| Methods of Destruction for Personal Data Stored in the Cloud | ||
| Secure deletion from software | : | Personal data stored in the cloud environment is deleted by digital command in such a way that it can never be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys necessary to make the personal data usable are destroyed. The data deleted in this way cannot be accessed again. |
3.2.1.3. Anonymization Methods
Anonymization is the mapping of personal data with other data to make it impossible to be associated with an identifiable or identifiable real person under any circumstances.
| Removing variables | : | It is the removal of one or more of the direct identifiers contained in the personal data of the relevant person that will help to identify the relevant person in any way. |
| This method can be used to anonymize personal data, or it can also be used to delete such information if there is information in the personal data that is not suitable for the purpose of data processing. | ||
| Regional concealment | : | It is the process of deleting information that may have a distinctive character related to data that is in an exceptional situation in the data table where personal data is stored anonymously in bulk. |
| Generalization | : | It is the process of bringing together the personal data belonging to many people and Deconstructing their distinctive information and turning them into statistical data. |
| Lower and upper limit coding / Global coding | : | For a certain variable, the December of that variable is defined and categorized. If the variable does not contain a numerical value, then the data that are close to each other in the variable are categorized. |
| The remaining values in the same category are combined. | ||
| Micro-merging | : | With this method, all the records in the dataset are first sorted in a meaningful order, and then the entire set is divided into a certain number of subsets. Then, the average of the value of each subset belonging to the specified variable is taken and the value of that variable of the subset is replaced by the average value. In this way, since the indirect identifiers contained in the data will be corrupted, it will be difficult to associate the data with the relevant person. |
| Data hashing and corruption | : | The direct or indirect identifiers in the personal data are mixed with other values or corrupted so that their relationship with the relevant person is severed and they lose their identifying qualities. |
PUNTEKS uses one or more of these anonymization methods in order to anonymize personal data, depending on the nature of the relevant data. PUNTEKS can use K-Anonymity (K-Anonymity), L-Diversity (L-Diversity) and T-Closeness (T-Closeness) statistical methods when using these anonymization methods.
3.3. STORAGE AND DISPOSAL PERIODS
3.3.1. Storage Periods
| DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
| Employee | Personnel data based on the recruitment documents and notifications made to the Social Security Institution about the duration of service and salary | It is maintained for a period of 10 (ten) years during the continuation of the service contract and from the date of its execution. |
| Employee | Personal data made out to the Social Security Institution with the recruitment documents; personal data other than the personal data based on notifications about the duration of service and salary | It is maintained for a period of 10 (ten) years after the continuation of the service agreement and from the beginning of the calendar year following the hitam. |
| Employee | Data Contained in the Workplace Personal Health File | It is maintained for a period of 10 (ten) years in the continuation of the service contract and from the date of its execution. |
| Business Partner / Solution Partner / Consultant | Identity information, contact information, financial information, Business Partner/Solution Partner/Consultant employee data on the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and PUNTEKS Dec. | During and after the termination of the business /commercial relationship of the Business Partner / Solution Partner / Consultant with PUNTEKS, Art.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 years. |
| Visitor | The name, surname, T of the Visitor received at the entrance to the physical space belonging to PUNTEKS.C.K.N., camera recordings with vehicle license plate, | it is stored for a period of 2 years. |
| Website Visitor | Name, surname, e-mail address, navigation movements information of the Website Visitor | it is stored for a period of 2 (two) years. |
| Employee Candidate | The information contained in the Employee Candidate’s resume and job application form | It is stored for a maximum of 2 (two) years, up to the period when the resume will lose its timeliness. |
| Intern(student) | The information contained in the internship file belonging to the intern | During the continuation of the internship relationship and the calendar year following its completion, it is maintained for a period of 10 (ten) years from the beginning of the year. |
| Customer | Customer’s first name, last name, T.C.K.N., contact information, pay information and methods, navigation movements information, product/service preferences, transaction history, special day information | Art. of the Turkish Code of Obligations from the moment of presentation of each product / service purchased by the Customer.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 (ten) years. |
| Customer | Camera footage, vehicle license plate information | it is stored for a period of 2 (two) years. |
| Potential Customer | Identity information, contact information, financial information, voice recordings taken during the contract negotiations Decoupling the commercial relationship between the Potential Customer and PUNTEKS | it is stored for a period of 2 (two) years. |
| Institutions / Companies with Which PUNTEKS Cooperates | Identity information, contact information, financial information, voice recordings taken during telephone calls, employee data of the Institution /Company with which PUNTEKS Cooperates regarding the execution of the commercial relationship between PUNTEKS and the Institution/Companies with which PUNTEKS Cooperates Dec. | The Institutions / Companies with which PUNTEKS Cooperates during the business / commercial relationship with PUNTEKS and from the end of the Turkish Code of Obligations art.Art. 146 of the Turkish Commercial Code.according to Article 82, it is stored for a period of 10 years. |
| (Supplier, Contract Manufacturer, Dealer/Franchise) |
* The fact that a longer period has been arranged in accordance with the legislation, or the statute of limitations, reduced period of rights, retention periods, etc. in accordance with the legislation. if a longer period is provided for, the periods in the provisions of the legislation are considered to be the maximum retention period.
3.3.2. Destruction Times
PUNTEKS deletes, destroys or anonymizes personal data in the first periodic destruction process following the date of occurrence of the obligation to delete, destroy or anonymize the personal data for which it is responsible in accordance with the Law, relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
When the data subject requests the deletion or destruction of his/her personal data by applying to PUNTEKS in accordance with Article 13 of the Law;
If all the conditions for processing personal data have disappeared; PUNTEKS deletes, destroys or anonymizes the personal data subject to the request by explaining its justification within 30 (thirty) days from the day it receives the request, using the appropriate method of destruction. In order for PUNTEKS to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. PUNTEKS provides information to the relevant person about the transaction performed in any case.
If all the conditions for processing personal data have not been eliminated, this request may be rejected by PUNTEKS by explaining the justification in accordance with the third paragraph of Article 13 of the Law, and the rejection response is notified to the relevant person in writing or electronically no later than 30 (thirty) days.
3.4. PERIODIC DESTRUCTION
In the event that all of the conditions for processing personal data contained in the law disappear, PUNTEKS deletes, destroys or anonymizes the personal data whose processing conditions have disappeared by a process specified in this Personal Data Storage and Destruction Policy and to be performed on your own at repeated intervals. December 2019, PUNTEKS deletes, destroys or anonymizes the personal data that have disappeared.
Periodic destruction processes for the first time ……….. it starts on the date and repeats every 6 (six) months.
3.5. AUDIT OF THE LEGAL COMPLIANCE OF THE DESTRUCTION PROCESS
PUNTEKS performs the destruction operations that it performs ex officio, both on request and during periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
PUNTEKS takes a number of administrative and technical measures to ensure that the destruction operations are carried out in accordance with these regulations Jul.
3.5.1. Technical Measures
PUNTEKS ensures the security of the place where the destruction operations are carried out.
PUNTEKS keeps access records of the people who performed the destruction process.
PUNTEKS employs competent and experienced personnel who will perform the destruction process, or receives services from competent third parties when necessary.
3.5.2. Administrative Measures
PUNTEKS makes efforts to increase and raise awareness of information security, personal data and privacy issues of its employees who will perform the destruction process.
PUNTEKS receives legal and technical consultancy services in order to follow the developments in the field of information security, privacy of private life, protection of personal data and secure destruction techniques and to take the necessary actions.
PUNTEKS signs protocols with the relevant third parties for the protection of personal data in cases where the destruction process is performed by third parties due to technical or legal requirements, and shows all necessary care to comply with the obligations of the relevant third parties in these protocols.
PUNTEKS regularly checks whether the destruction operations are carried out in accordance with the law and the terms and obligations set out in this Personal Data Storage and Destruction Policy and takes the necessary actions.
PUNTEKS records all transactions related to the deletion, destruction and anonymization of personal data and stores these records for at least three years, excluding other legal obligations.
- SECTION: PERSONAL DATA COMMITTEE
Establishes a Personal Data Committee within PUNTEKS. The Personal Data Committee is authorized and responsible for performing / having performed the necessary operations for the storage and processing of the data of the relevant persons in accordance with the law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and supervising the processes.
The Personal Data Committee consists of three people: an administrator, an administrative specialist and a technical specialist. The titles and job descriptions of the PUNTEKS employees working in the Personal Data Committee are stated below:
| Title | Mission Description | |
| Personal Data Committee Manager | : | It is obliged to direct all kinds of planning, analysis, research, risk determination studies in projects carried out during the compliance process with the Law; to manage the processes that must be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and to decide on the requests received by the relevant persons. |
| Personal Data Committee Specialist | : | Responsible for the examination and evaluation of the requests of the relevant persons and reporting them to the Manager of the Personal Data Committee; for the execution of the procedures related to the requests of the relevant persons evaluated and decided by the Manager of the Personal Data Committee in accordance with the decision of the Manager of the Personal Data Committee; for the audit of the storage and destruction processes and the reporting of these audits to the Manager of the Personal Data Committee; for the execution of the storage and destruction processes. |
| (Technical and Administrative) |
- SECTION: UPDATE AND ADAPTATION
PUNTEKS reserves the right to make changes to the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy due to amendments made to the Law, in accordance with Corporate decisions or in line with developments in the sector or in the field of informatics.
The changes made to this Personal Data Storage and Destruction Policy are immediately processed into the text and the explanations related to the changes are explained at the end of the policy.
5.1 NOTES OF CHANGES
……….. : The Personal Data Storage and Destruction Policy has been published.
*there are no changes dated earlier.*