PERSONAL DATA STORAGE AND DESTRUCTION POLICY
Pursuant to the Personal Data Protection Law No. 6698, this Policy has been prepared by Menatek Savunma Teknolojileri San. Tic. A.Ş. (“COMPANY”), as the Data Controller, to determine the procedures and principles for the processing and protection of personal data in accordance with the legislation, and for the deletion, destruction, and anonymization of the personal data processed.
This Policy covers the processing of personal data by the COMPANY, while it provides its services, by fully or partially automated means, or by non-automated means provided that they are part of a data recording system. It applies in particular to users, visitors, commentators, COMPANY employees, employee candidates, managers, related users, third parties that the COMPANY cooperates with and their employees and managers, and other third parties.
The groups of data owners mentioned above may be subject to all provisions of this Policy or only to certain provisions.
This Policy has been issued on the basis of the Code No. 6698 on the Protection of Personal Data, the Regulation No. 30286 on the Registry of Data Controllers, and the Regulation No. 30224 on the Deletion, Destruction or Anonymization of Personal Data.
If there is a difference between this Policy and the legislation in force regarding the processing, protection, and destruction of personal data, the Legislative provisions will be applied first.
The following terms shall have the meanings set forth below for the purposes of this Policy:
- a) Recipient group: The group of natural or legal persons to whom the personal data are transferred by the data controller,
- b) Inventory: The Personal Data Inventory prepared by the COMPANY in accordance with the legislation,
- c) Concerned user: Persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department responsible for the technical storage, protection, and backup of personal data,
- d) Destruction: The deletion, destruction, or anonymization of personal data,
- e) Law: Personal Data Protection Law No. 6698 of 24/3/2016,
- f) Recording media: Any medium where personal data are processed fully or partially automatically, or through non-automatic means as part of a data recording system,
- g) Personal data: Any information or data that is related to an identified or identifiable natural person,
- h) Personal data owner: The natural person whose personal data are processed,
- i) Personal data processing inventory: The inventory that details the personal data processing activities carried out by data controllers in line with the COMPANY’s business processes; the purposes and legal grounds of personal data processing; the data category; the recipient group to whom the data are transferred and the data subject groups; the maximum storage period required for the purposes for which personal data are processed; the personal data envisaged to be transferred to foreign countries; and the measures taken for data security,
- j) Anonymization of personal data: The process of rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data,
- k) Processing of personal data: All kinds of operations performed on personal data, such as obtaining, recording, storing, maintaining, altering, re-organizing, disclosing, transferring, taking over, making obtainable, classifying, or preventing the usage of personal data, by fully or partially automatic means, or by non-automatic means as part of a data recording system,
- l) Deletion of personal data: The process of making personal data inaccessible and non-reusable by any means for the Related Users,
- m) Destruction of personal data: The process of making personal data inaccessible, non-recoverable, and non-reusable by any means by any person,
- n) Board: Personal Data Protection Board,
- o) Institution: Personal Data Protection Institution,
- p) Sensitive personal data: Data related to a person's race, ethnic origin, political view, philosophical belief, religion, sect or other beliefs, appearance and dress, affiliation to associations, foundations or trade unions, health, sexual life, convictions and security measures, as well as biometric and genetic data,
- q) Periodical Destruction: The deletion, destruction, or anonymization process that is set out in the personal data storage and disposal policy and carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist,
- r) Policy: The policy that the COMPANY, as the data controller under the Law, issues as the basis for determining the maximum storage period required for the purpose for which personal data are processed and for the erasure, destruction, and anonymization of personal data,
- s) Registry: The Data Controllers’ Registry kept by the Personal Data Protection Authority,
- t) Company: The legal person data controller with the commercial title Menatek Savunma Teknolojileri San. Tic. A.Ş.,
- u) Data processor: Any natural or legal person who processes personal data on behalf of the data controller on the basis of the authority delegated by it,
- v) Data recording system: The recording system where personal data are processed by being structured according to specific criteria,
- w) Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
For the definitions not included in this Policy, the definitions in the Law shall apply.
Personal Data Recording Media
The personal data of the data owners are stored securely by the COMPANY in the media listed below, in accordance with the provisions of the Personal Data Protection Law (KVKK) and the relevant legislation, and within the framework of international data security principles:
- Technical recording media:
  - Computers and servers registered on behalf of the COMPANY,
  - Shared / unshared disk drives used for data storage over the network,
  - Mobile phones and all storage areas in them,
  - Flash memories,
  - Optical discs
- Non-technical data recording media:
  - Cabinet for each unit
General Principles in Storage and Destruction of Personal Data
The COMPANY is a Data Controller with an obligation to register with the Registry, and accepts, declares, and undertakes that it is obliged to act in accordance with this Policy, to store the personal data it holds and, when needed, to delete, destroy, and anonymize it in line with the Inventory.
The following principles will apply to the storage and destruction of personal data:
- The COMPANY will comply with the general principles stipulated in Article 4 of the Law,
- The fact that the COMPANY has prepared this Policy does not in itself mean that personal data has been deleted, destroyed, or anonymized in accordance with the legislation,
- The COMPANY will act in accordance with the security measures stated in Article 12 of the Law, the provisions of the relevant Legislation, Board decisions, and this Policy while storing, deleting, destroying, or anonymizing personal data,
- The COMPANY will comply with this Policy, and with the channels, programs, and processes to be applied in connection with it, when deleting, destroying, or anonymizing personal data that is processed wholly or partially by automated means, or by non-automated means provided that they form part of a data recording system,
- The COMPANY will record all transactions regarding the deletion, destruction, and anonymization of personal data and keep these records for at least 3 (three) years, excluding other legal obligations.
The COMPANY accepts, declares, and undertakes the above.
Processing Purposes Requiring Storage
Your personal data is processed in accordance with Article 20 of the Constitution and Article 4 of the Law on Protection of Personal Data (KVKK), for the purposes set out in the data controller's personal data inventory.
Legal, Technical and Other Reasons Requiring Destruction of Personal Data
The COMPANY destroys the personal data of data owners for legal, technical, and other reasons, including but not limited to the following, and for similar purposes and reasons:
- The general principles in Article 4 of the Law,
- The request of the data owner concerned,
- The termination of legal obligations.
Technical and Administrative Measures Taken for the Safe Storage of Personal Data and to Prevent Unlawful Access and Processing
The technical and administrative measures taken by the COMPANY for the safe storage of personal data belonging to the data owners and to prevent unlawful processing and access are listed below:
The COMPANY takes technical and administrative measures, in line with technological capabilities and implementation cost, to ensure that personal data are processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law (KVKK), that they cannot use it for purposes other than processing, and that this obligation continues after they leave their jobs; the necessary undertakings are obtained from them accordingly.
Where the COMPANY processes personal data as the data controller, it requires the data processors it works with in various capacities, such as suppliers and business partners, to meet these obligations and to comply with the legal, administrative, and technical measures developed on this subject. These obligations are imposed through updates to the contracts, in accordance with the nature of their data processing activities.
Technical and Administrative Measures Taken for the Destruction of Personal Data in Accordance with the Law
- The COMPANY takes technical and administrative measures, in line with technological capabilities and implementation cost, to ensure that personal data are processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law (KVKK), that they cannot use it for purposes other than processing, and that this obligation continues after they leave their jobs; the necessary undertakings are obtained from them accordingly.
- Where the COMPANY processes personal data as the data controller, it requires the data processors it works with in various capacities, such as suppliers and business partners, to meet these obligations and to comply with the legal, administrative, and technical measures developed on this subject. These obligations are imposed through updates to the contracts, in accordance with the nature of their data processing activities.
- The COMPANY carries out, or has carried out, the necessary audits within its organization in accordance with Article 12 of the Personal Data Protection Law (KVKK). The audit results are reported to the relevant department within the scope of the COMPANY's internal operations, and the necessary activities are carried out to improve the measures taken.
- If personal data processed in accordance with Article 12 of the Personal Data Protection Law (KVKK) is obtained by others unlawfully, the COMPANY operates a system that ensures that this situation is reported to the relevant personal data owner and to the Personal Data Protection Board as soon as possible.
The technical measures taken by the COMPANY for the destruction of the personal data of the data owners in accordance with the law are stated below:
- The access, retrieval, and reuse permissions and methods of the related users for the personal data are closed and eliminated, and the authority to restore deleted data is removed,
- Destruction of technical recording media by the method appropriate to each (physical de-magnetizing, overwriting),
- Application of deletion and destruction (physical destruction) methods for personal data in non-technical recording media.
The administrative measures taken by the COMPANY for the destruction of the personal data of the data owners in accordance with the law are stated below:
1. Regularly conducting the necessary practical work and training on the destruction of personal data,
2. Keeping the necessary equipment for the physical destruction of non-technical data recording media within the workplace of the COMPANY.
Official Units and Their Information in Personal Data Storage and Destruction Processes
The personnel in charge of the personal data storage and destruction processes of the COMPANY hold the title of Administrative Affairs and Personnel Officer and work at the COMPANY with a job description covering administrative affairs and recruitment expertise.
Time Period for Storage and Destruction
The storage and destruction periods for the personal data of the data owners, by category, are as follows:
In accordance with Article 6 of the Personal Data Protection Law (KVKK), personal data are divided into two groups: personal data and sensitive personal data. In this context, all sensitive personal data are destroyed.
Transactions regarding the destruction of personal data are recorded, and these records are kept for 2 (two) years, excluding other obligations.
Periodic Destruction Times
For the categories of personal data processed by the COMPANY, the periodic destruction interval is 6 (six) months, except for the periods indicated in the table of storage and destruction periods attached to this Policy.
Time period for deletion and destruction of personal data upon request of data subject
When the data subject requests the deletion or destruction of his/her personal data from the COMPANY pursuant to Article 13 of the Law:
- If all conditions for the processing no longer exist, the COMPANY shall delete, destroy, or anonymize the personal data that are subject to the request. The COMPANY shall act on the request of the data subject within 30 (thirty) days at the latest and inform the data subject.
- If all conditions for the processing no longer exist and the personal data that are subject to the request have been transferred to a third party, the COMPANY shall notify the third party of the request within 10 days at the latest and ensure that the third party performs the necessary operations within the scope of this By-Law.
- If the conditions for the processing have not all ceased to exist, the COMPANY may reject the request in accordance with Article 13(3) of the Law, stating its justified grounds, and the rejection shall be communicated to the data subject in writing or by electronic means within 30 (thirty) days at the latest.
This Policy, prepared by the COMPANY, came into force as of the date of its publication on the website of the COMPANY.
In case of inconsistency between Personal Data Protection Law (KVKK) and other relevant Legislation provisions and this Policy, Personal Data Protection Law (KVKK) and other relevant Legislation provisions will be applied first.