1. Purpose of the Policy
The purpose of our personal data retention and destruction policy is to set out the framework, purpose and action plan that we will follow, as the data controller, in determining the maximum time required for the purpose of processing personal data and in deleting, destroying and making anonymous personal data. In this context, our aim is to inform our employees whose personal data we process, our administrative staff, our visitors, the companies we cooperate with and all third parties in contact with PLUS HUMAN RESOURCES about the processing of their data and their rights, to ensure transparency in this regard, and to respect personal data and therefore private lives.
2. Basis of the Policy
Our Policy has been established as a requirement of the Law on the Protection of Personal Data No. 6698 dated 7.4.2016 (KVKK No. 6698) and of Articles 5 and 6 of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” published in the Official Gazette dated 28.10.2017 and numbered 30224 (Regulation).
3. Scope of the Policy
Our policy covers our employees, administrative staff, visitors and the institutions we cooperate with, and all real and legal persons who are in a legal relationship with PLUS HUMAN RESOURCES, and includes all of their personal data, with and without special qualifications, as defined by KVKK No. 6698. The policy includes personal data included in systems that are fully or partially automated or non-automated, provided that they are part of any data recording system, as specified in KVKK No. 6698. Unless otherwise specified in the policy, personal data and special personal data will be referred to together as "Personal Data".
4. Definitions
Contact person: The real person whose personal data is processed.
Personal data: All kinds of information about an identified or identifiable person.
Personal data of special quality: Data on race, ethnic origin, political thoughts, philosophical beliefs, religion, sect or other beliefs, costume and outfit, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Explicit consent: The informed consent regarding a particular subject.
Data responsible: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Processing of personal data: Any action taken on personal data, such as its acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, inheritance, making it available, classification or inhibition of its use, by fully or partially automated means, or by non-automated means provided that it is part of any data recording system.
Destruction: Deletion, destruction or making anonymous of personal data,
Personal data retention and destruction table: The table showing the times when personal data will be kept at PLUS HUMAN RESOURCES
Personal data processing inventory: The inventory in which the data responsible details the personal data processing activities carried out depending on its business processes, by describing the personal data processing purposes, the data category, the group of recipients to whom data is transmitted, the maximum time required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries, and the measures taken for data security.
Deletion of personal data: The process of making personal data inaccessible and unusable for the relevant users.
Destruction of personal data: The process of making personal data inaccessible, unretrievable and non-reusable by anyone,
Making anonymous: Making personal data unrelated to an identified or identifiable person by any means, even if it is matched with other data.
Periodic destruction: The process of deleting, destroying or making anonymous the personal data, which will be carried out automatically at regular intervals specified in the policy of destruction, in the event that all the conditions of the processing of personal data in the law are eliminated.
Data recording system: The recording system in which personal data is processed according to certain criteria.
Board: Refers to the Personal Data Protection Board.
5. General Principles Based on Policy
The data officer PLUS HUMAN RESOURCES acts in the processing of personal data within the framework of the following principles.
5.1. Personal data can only be processed in accordance with the procedures and principles stipulated in KVKK No. 6698 and other laws.
5.2. The following principles are mandatory when processing personal data:
a) Being in compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, clear and legitimate purposes.
ç) Being relevant, limited and proportionate to the purpose for which they are processed.
d) Preservation for the period required by the relevant legislation or for the purpose for which they are processed.
6. Recording Environments Under the Policy
Any media containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system, falls within the scope of the recording medium.
7. Duties and Powers of the Personal Data Protection Committee
7.1. The Personal Data Protection Committee is responsible for the announcement of this Policy to the relevant business units and for the monitoring of its requirements by the PLUS HUMAN RESOURCES units.
7.2. The Personal Data Protection Committee makes the necessary announcements and notifications for the related business units to follow up and update the business processes if necessary, such as legislative changes related to the protection of personal data, regulatory actions and decisions of the Personal Data Protection Board (Board), court decisions or changes in processes, practices and systems.
7.3. The Personal Data Protection Committee is responsible for the processes for the review, evaluation, follow-up and finalization of matters arising under KVKK No. 6698 and the secondary regulations, the Board's decisions and regulations, court decisions, and the decisions and/or requests of the other competent authorities, and for their announcement to the relevant units.
8. What to do If the Processing Conditions of Personal Data Are Eliminated
8.1. When the purpose of the processing of personal data has disappeared, the explicit consent has been withdrawn, the conditions for processing personal data in articles 5 and 6 of KVKK No. 6698 have disappeared, or none of the exceptions in the mentioned articles can be applied, the personal data whose processing conditions have disappeared are deleted, destroyed or made anonymous by the relevant business unit within the scope of articles 7 to 10 of the Regulation, with an explanation of the reason for the method applied. However, in the event of a final court decision, it is obligatory to apply the method of destruction ruled by the court decision.
8.2. All users who process or store personal data and the data owner PLUS HUMAN RESOURCES units will review, within six months at the latest, whether the conditions related to processing have disappeared in the data recording environments they use. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review in the data recording environments they use, regardless of the periodic audit period.
8.3. As a result of periodic reviews, or when it is determined at any time that the data processing conditions have disappeared, the relevant user or data owner will decide to delete, destroy or make anonymous the relevant personal data from the recording medium under his/her own policy. In cases of hesitation, the transaction will be done by taking the opinion of the relevant data owner business unit. If a decision is needed to destroy personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken, and whether to store or to delete, destroy or make anonymous the data according to this policy will be decided by the data owner unit.
8.4. All transactions regarding the deletion, destruction or making anonymous of personal data are recorded and these records are kept for at least one year, excluding other legal obligations.
8.5. Pursuant to Articles 4 and 7 of the Regulation, the methods applied for the deletion, destruction and making anonymous of personal data will be explained in the Data Destruction Procedure that will be published after the entry into force of this Policy.
8.6. It is mandatory to act in accordance with the general principles in article 4 of KVKK numbered 6698 and the technical and administrative measures to be taken within the scope of article 12, relevant legislation provisions, Board decisions and personal data retention and destruction policy in erasing, destroying or making anonymous personal data.
8.7. When the real person who owns the personal data applies to PLUS HUMAN RESOURCES under article 13 of KVKK No. 6698 and requests that his personal data be deleted, destroyed or made anonymous, the relevant data owner business unit examines whether all the processing conditions have disappeared. If all the processing conditions have disappeared, the personal data subject to the request are deleted, destroyed or made anonymous. In this case, the details will be determined in the Data Destruction Procedure; the request is finalized within thirty days from the date of application and the applicant is informed through the relevant board. If all the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit shall immediately notify the third party to whom it has been transferred, and ensure that the necessary procedures are carried out within the scope of the regulation.
8.8. In cases where all the conditions for processing personal data have not disappeared, the requests of personal data owners for deletion or destruction of their data may be rejected by PLUS HUMAN RESOURCES, with justification, under paragraph 3 of article 13 of KVKK. The rejection response is notified to the concerned person in writing or electronically within 30 days at the latest.
8.9. Requests for deletion or destruction of personal data will only be evaluated provided that the identity of the person concerned has been determined. For requests to be made outside these channels, the relevant persons will be directed to the channels where identification or verification can be made.
9. Policy Enforcement, Violations and Sanctions
9.1. This Policy will be announced to all employees and will be binding for all business units, consultants, external service providers and anyone who processes personal data in PLUS HUMAN RESOURCES.
9.2. The follow-up of the employees of PLUS HUMAN RESOURCES will be under the responsibility of their supervisors. When a policy violation is detected, the matter will be immediately reported to the superior, who is affiliated with the supervisor of the relevant employee. If the contradiction is significant, information will be provided to the Personal Data Protection Committee by the senior supervisor without loss of time.
9.3. The necessary administrative action will be taken after evaluation by the Human Resources unit of the employee who acts against the policy.
9.4. In order to fulfill the policy requirements by PLUS HUMAN RESOURCES all necessary security measures are taken, including the ISO standard and the measures taken by all relevant ministries.
10. Persons with Responsibilities to Take Part in the Retention and Destruction of Personal Data
Within PLUS HUMAN RESOURCES, all employees, consultants, external service providers and everyone who stores and processes personal data at PLUS HUMAN RESOURCES are responsible for fulfilling the requirements regarding the destruction of the data specified by the Regulation and KVKK No. 6698. Each business unit is responsible for storing and protecting the data it generates in its business processes. However, if the produced data is only available in information systems outside the control and authority of the business unit, the data will be stored by the units responsible for the information systems. Periodic destruction that will affect business processes and lead to deterioration of data integrity, loss of data and results in violation of legal regulations will be made by the relevant information system departments, taking into account the type of personal data, the systems in which it is located, and the business unit that owns the data.
11. Personal Data Retention and Destruction Times
Personal Data Retention and Destruction Times are listed below. In periodic destruction, or in destruction upon request, the storage and destruction periods in question will be taken into consideration. The Table Showing the Periods of Personal Data Retention and Destruction will be updated by the business units who own the processes to be included in it, taking into account, in cases of hesitation, the evaluation of the Personal Data Protection Committee.
TBK No. 6098, Article 146: 10 Years
Relevant Legislation: Foreseen time
12. Periodic Destruction Times
The period for the periodic destruction of personal data is determined by the relevant business units that own the data. In any case, this period cannot exceed 6 (six) months.
13. Enforcement
13.1. The policy will enter into force on the date of publication.
13.2. It is the responsibility of the Personal Data Protection Committee to announce the policy across PLUS HUMAN RESOURCES and make necessary updates.