1. PURPOSE
This Personal Data Retention and Disposal Policy (“Policy”) has been prepared to determine the procedures and principles for the work and transactions related to the storage and destruction activities carried out by Başakşehir Konut A.Ş. (“Company”).
In line with its basic principles, the Company has made it a priority to process personal data belonging to its employees, employee candidates, service providers, visitors, customers, suppliers and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and to ensure that the relevant persons can exercise their rights effectively. Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company for this purpose.
2. SCOPE
Personal data belonging to Başakşehir Konut A.Ş. employees, employee candidates, service providers, visitors, customers, suppliers and other third parties are within the scope of this policy, and this policy is applied in all recording environments where personal data owned or managed by the company are processed, and in activities for personal data processing.
3. DEFINITIONS AND ABBREVIATIONS
Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee: Company employee.
Electronic Environment: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual etc. media other than electronic media.
Service Provider: A natural or legal person providing services within the framework of a specific contract with the company.
Related Person: The real person whose personal data is processed.
Related User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Dispose: Deletion, destruction or anonymization of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Recording Media: Any environment where personal data is processed wholly or partially automatically or by non-automatic means, provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal reason for processing personal data, the data category, the recipient group to which data is transferred and the data subject group, and in which they explain the maximum storage period required for the purposes for which the personal data is processed, the personal data that is foreseen to be transferred to foreign countries, if any, and the measures taken regarding data security.
Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, completely or partially automatically, or non-automatically provided that it is a part of any data recording system.
Board: Personal Data Protection Board.
Authority: Personal Data Protection Authority.
Special Qualified Personal Data: Data that, pursuant to Article 6 of the Law, may cause discrimination against or victimization of the persons concerned if it is learned. According to the Law, these are data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Disposal: The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the Law are eliminated.
Policy: Personal Data Retention and Disposal Policy.
Registry: Registry of data controllers held by the Presidency of the Personal Data Protection Authority.
Data Processor: The person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System: The registration system in which personal data is processed and structured according to certain criteria.
Data Supervisor: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
4. RECORDING ENVIRONMENTS
Personal data is stored by the Company securely and in accordance with the law in the environments listed in Table 1.
Table 1: Personal Data Storage Media

| Electronic Media | Non-Electronic Media |
|---|---|
| Servers (domain, backup, email, database, web, file sharing, etc.) | Paper |
| Software (office software, portal) | Manual data recording systems (survey forms, visitor logbook) |
| Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) | Written, printed, visual media |
| Personal computers (desktop, laptop) | |
| Mobile devices (phone, tablet, etc.) | |
| Optical discs (CD, DVD, etc.) | |
| Removable memories (USB, memory card, etc.) | |

5. RESPONSIBILITY
With regard to the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, the training and awareness raising of unit employees, their monitoring and continuous supervision, and the prevention of unlawful processing of personal data, all units and employees of the Company shall take technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law.
The distribution of the titles, units and job descriptions of those assigned in the storage and destruction processes of personal data is given in Table 2.
Table 2: Task Distributions

| Title | Unit | Task |
|---|---|---|
| Company Manager | Başakşehir Konut A.Ş. | Responsible for ensuring that the employees act in accordance with the Policy. |
| Human Resources Manager | Human Resources Department | Responsible for the preparation, development, execution, publication and updating of the Policy in relevant environments. |
| Accounting, Finance, Marketing-Sales Managers and Company Lawyers | Other Units | Responsible for the execution of the Policy in accordance with their duties. |

6. LEGAL LIABILITY
6.1. Obligation to Inform
The data controller is obliged to provide the following information to the data subject, personally or through the person he/she has authorized, during the acquisition of personal data within the framework of Article 10 of the Law:
- Identity of the data controller and its representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- Method of collecting personal data and legal reason,
- The other rights listed in Article 11 of the Law.
6.2. Obligation to Ensure Data Security
According to Article 12 of the Law on data security, the data controller is obliged:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
7. PROCESSING OF PERSONAL DATA
We process personal data in accordance with the principles below:
7.1. To be in compliance with the law and the rules of honesty, to be accurate and up-to-date when necessary, to be processed for specific, clear and legitimate purposes, to be related, limited and proportionate to the purpose for which they are processed, to be stored for the period required for the purpose for which they are processed or stipulated in the relevant legislation.
7.2. Processing of personal data and special categories of personal data:
7.2.1. Personal data is processed within the framework of the provisions in Articles 5 and 6 of the Law.
7.2.2. Processing of special categories of personal data: As mentioned in section 3, "Definitions and Abbreviations", of this Policy, personal data that carries the risk of causing victimization or discrimination when processed unlawfully is designated as "special quality". These data are processed by the Company within the framework of the rules stipulated by the Law, in cases where the express consent of the relevant person is obtained or as stipulated by the relevant laws.
8. EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data belonging to third parties who are in contact with the Company as employees, employee candidates, visitors, customers, suppliers and service providers are stored and destroyed by the Company in accordance with the Law.
In this context, detailed explanations regarding storage and disposal are given below, respectively.
8.1. Remarks on Storage
The concept of processing personal data is defined in Article 3 of the Law. Article 4 states that processed personal data should be related, limited and proportionate to the purpose for which they are processed, and that they should be kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation. Accordingly, within the framework of our Company's activities, personal data is stored for a period of time that is appropriate for our processing purposes or stipulated in the relevant legislation.
8.1.1. Legal Reasons Requiring Storage:
The personal data processed within the framework of the Company's activities are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for the storage periods stipulated under the following laws and the other secondary regulations in force pursuant to them:
- Law No. 6698 on the Protection of Personal Data,
- Turkish Code of Obligations No. 6098,
- Law No. 5651 on the Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
- Law No. 6563 on the Regulation of Electronic Commerce,
- Turkish Code of Commerce No. 6102,
- Vocational Education Law No. 3308,
- Social Insurance and General Health Insurance Law No. 5510,
- Occupational Health and Safety Law No. 6331,
- Labor Law No. 4857,
- Social Services Law No. 2828,
- Tax Procedure Law No. 213,
- Law No. 6502 on Consumer Protection,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments.
In cases where no period is stipulated in the laws, personal data is stored until the first periodic destruction process after the need for the data has disappeared.
8.1.2. Processing Purposes Requiring Storage:
The Company processes personal data within the framework of its activities and stores it for the following purposes:
- Fulfillment of Employment Contract and Legislative Obligations for Employees,
- Execution of Fringe Benefits and Benefits Processes for Employees,
- Carrying out human resources processes,
- Execution / Supervision of Business Activities,
- Execution of Goods / Service Sales Processes,
- Ensuring internal and external communication,
- To be able to perform statistical studies,
- To be able to perform works and transactions as a result of signed contracts and protocols,
- Execution of Advertising-Campaign-Promotion processes,
- As required or mandated by legal regulations, to ensure the fulfillment of legal obligations,
- To contact real / legal persons who have a business relationship with the company,
- To make legal reports,
- Obligation of proof as evidence in legal disputes that may arise in the future,
- Providing Information to Authorized Persons, Institutions and Organizations,
- Foreign Personnel Work and Residence Permit Procedures.
8.1.3. Reasons Requiring Disposal:
Personal data is deleted or destroyed by the Company upon the request of the person concerned, or is deleted, destroyed or anonymized ex officio, in the following cases:
- The provisions of the relevant legislation that form the basis for processing are changed or repealed,
- The purpose that requires processing or storage disappears,
- The person concerned withdraws explicit consent, in cases where the processing of personal data takes place only on the condition of explicit consent,
- The Company accepts the application made for the deletion and destruction of personal data within the framework of the rights of the person concerned, pursuant to Article 11 of the Law,
- The Company rejects the application made by the person concerned requesting the deletion, destruction or anonymization of his or her personal data, gives an answer that the person finds insufficient or does not respond within the time stipulated in the Law, a complaint is made to the Board, and the request is approved by the Board,
- The maximum period requiring the storage of personal data has passed and there are no conditions to justify keeping the personal data for a longer period of time.
9. TECHNICAL AND ADMINISTRATIVE MEASURES
For the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law, the Company takes technical and administrative measures pursuant to Article 12 of the Law and within the framework of the adequate measures determined and announced by the Board for special quality personal data pursuant to the fourth paragraph of Article 6 of the Law.
9.1. Technical Measures
The technical measures taken by the company regarding the personal data it processes are listed below:
- Current anti-virus systems are used.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- Encryption is applied.
9.2. Administrative Measures
The administrative measures taken by the Company regarding the personal data it processes are listed below:
- Training and awareness activities are carried out at regular intervals on data security for employees.
- Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
- Personal data security policies and procedures have been determined.
- Necessary security measures are taken regarding entrances and exits to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Protocols and procedures for special quality personal data security have been determined and implemented.
10. PERSONAL DATA DISPOSAL METHODS
At the end of the period stipulated in the relevant legislation or of the storage period required for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation, using the following techniques.
10.1. Deletion of Personal Data
Personal data is deleted with the methods given in Table 3.
Table 3: Deletion Methods of Personal Data

| Data Recording Media | Remark |
|---|---|
| Personal Data on Servers | For personal data on servers whose storage period has expired, the system administrator removes the access authorization of the relevant users and deletes the data. |
| Personal Data in Electronic Media | Personal data in electronic media whose storage period has expired is rendered inaccessible and unusable in any way for other employees (relevant users), except the database administrator. |
| Personal Data in the Physical Environment | Personal data kept in the physical environment whose storage period has expired is rendered inaccessible and unusable in any way, except for the unit manager responsible for the document archive. In addition, it is blacked out by drawing over, painting over or erasing in a way that cannot be read. |
| Personal Data in Portable Media | Personal data kept in flash-based storage media whose storage period has expired is encrypted by the system administrator, access authorization is given only to the system administrator, and it is stored in secure environments with encryption keys. |

10.2. Disposal of Personal Data
Personal data shall be disposed of by the Company using the methods specified in Table 4.
Table 4: Personal Data Disposal Methods

| Data Recording Media | Remark |
|---|---|
| Personal Data in the Physical Environment | Personal data on paper whose required storage period has expired is irreversibly destroyed in paper shredding machines. |
| Personal Data in Optical/Magnetic Media | When the period that requires keeping personal data contained in optical and magnetic media expires, physical destruction such as melting, burning or pulverizing is applied. In addition, magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field. |

10.3. Anonymization of Personal Data
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
For personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as reversal by the data controller or third parties and/or matching the data with other data. Anonymization is carried out by the Company as stated above.
11. STORAGE AND DISPOSAL TIMES
Regarding the personal data being processed by the Company within the scope of its activities;
- For all personal data within the scope of activities carried out in connection with the processes, the storage periods on the basis of the relevant personal data are in the Personal Data Processing Inventory;
- Storage periods on the basis of data categories are recorded in VERBIS;
- On a process basis, retention periods are included in the Personal Data Retention and Disposal Policy.
The said storage periods are updated by the Company where necessary.
For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Data Controller.
Table 5: Process-Based Storage and Disposal Times

| Process | Storage Period | Disposal Time |
|---|---|---|
| Execution of Human Resources Processes | 10 years from the end of the employment contract | At the first periodic disposal period following the end of the storage period |
| Execution of Marketing Activities | 10 years from the termination of the agreement | At the first periodic disposal period following the end of the storage period |
| Execution of Financial Transactions | 10 years from the termination of the agreement | At the first periodic disposal period following the end of the storage period |
| Execution of Accounting Transactions | 10 years from the termination of the agreement | At the first periodic disposal period following the end of the storage period |
| Execution of Legal Actions | 10 years from the termination of the agreement | At the first periodic disposal period following the end of the storage period |
| Execution of Company Communication Activities | 1 year following the end of the activity | At the first periodic disposal period following the end of the storage period |

12. PERIODIC DISPOSAL TIMES
Pursuant to Article 11 of the Regulation, the company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in the company in January and July of each year.
13. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media, with wet signature (printed paper) and electronically, and is also published on the website.
14. UPDATING THE POLICY
The policy is updated and republished as needed.
Başakşehir Konut A.Ş.