PERSONAL DATA RETENTION AND DISPOSAL POLICY
This Policy, signed by Elit Teknolojik Ürünler ve electrical Ev Aletleri Teknik Servis Hizmetleri San. ve Tic. Ltd. Şti. (the "Company"), has been prepared for the purpose of determining the procedures and principles on the processing and protection of personal data, and the deletion, destruction and anonymization of the processed personal data, in accordance with the legislation on which this Policy is based.
Scope
This Policy applies to the Company's employees, employee candidates, managers and related users; in particular the users, visitors and commentators with whom the Company is connected while providing its services; the third persons with which the Company cooperates and their employees and managers; and other third-party contacts. It covers the processing of personal data by the Company through fully or partially automatic means, or through non-automatic means provided that it is a part of any data recording system.
This Policy may be applied to the above-mentioned personal data owners in its entirety, or only some of its provisions may be applied.
Basis
This Policy has been prepared based on the Law on the Protection of Personal Data No. 6698, the Regulation on the Registry of Data Controllers No. 30286 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224.
If there is a difference between this Policy and the applicable legislation on the processing, protection and destruction of personal data, the provisions of the Legislation will be applied first.
Definitions
In the implementation of this Policy;
1. Recipient group: The category of real or legal person to whom personal data is transferred by the data controller,
2. Inventory: Personal Data Inventory prepared by the Company in accordance with the Legislation,
3. Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of data,
4. Destruction: Deletion, destruction or anonymization of personal data,
5. Website: Company's website http://www.elitssh.com.tr
6. Law: Law on Protection of Personal Data No. 6698 dated 24/3/2016,
7. Recording medium: Any environment containing personal data that is processed completely or partially automatically, or non-automatically provided that it is part of any data recording system,
8. Personal data: Any information relating to an identified or identifiable natural person,
9. Personal data owner: The real person whose personal data is processed,
10. Personal data processing inventory: The inventory that the Company creates by associating the personal data processing activities it carries out depending on its business processes with the data category, the recipient group to which data is transferred and the data subject group, and in which it details the maximum period required for the purposes of processing personal data, the personal data expected to be transferred to foreign countries, and the measures taken regarding data security,
11. Anonymization of personal data: Making personal data incapable of being associated with an identified or identifiable real person under any circumstances, even if it is matched with other data,
12. Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, re-transferring, encoding, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, completely or partially automatically, or non-automatically provided that it is a part of any data recording system,
13. Deletion of personal data: The process of making personal data inaccessible and unusable in any way for relevant users,
14. Destruction of personal data: The process of making personal data inaccessible, irretrievable and unusable by anyone,
15. Board: Personal Data Protection Board,
16. Authority: Personal Data Protection Authority,
17. Logging: The comprehensive collection, combination, storage in original form, analysis according to determined rules and presentation as text of the event records, in other words logs, produced by information systems covering all critical networks and devices; a log tracking format that allows indicators and evidence of a possible attack to be obtained and helps to obtain important information such as from which channels and when the attack was carried out, which protocols were used and where the attack started,
18. Private personal data: Data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data,
19. Periodic destruction: The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at repetitive intervals in case all the conditions for processing personal data in the Law are eliminated,
20. Policy: This Personal Data Retention and Disposal Policy, on which the Company, which is considered to be the data controller in accordance with the Law, bases the process of determining the maximum time required for the purpose for which personal data is processed and the process of deletion, destruction and anonymization,
21. Secure Sockets Layer (SSL): The security protocol, rendered in Turkish as "Secure Input Layer", which aims to establish a secure connection between the website and its user in order to prevent personal data from falling into the hands of third persons,
22. Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority,
23. Company: The company with the trade name Elit Teknolojik Ürünler ve electrical Ev Aletleri Teknik Servis Hizmetleri San. ve Tic. Ltd. Şti.,
24. Data processor: The real and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
25. Data recording system: The recording system in which personal data is structured and processed according to certain criteria,
26. Data controller: Represents the real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
For the definitions not included in this Policy, the definitions in the Law are valid.
Personal Data Recording Environments
The personal data of the data owners are securely stored by the Company in the environments listed below, in accordance with the relevant legislation, especially the KVKK provisions, and within the framework of international data security principles:
1. Technical recording media:
   1. Computers and servers registered on behalf of the company,
   2. Network devices,
   3. Shared/non-shared disk drives used for data storage over the network,
   4. Cloud systems,
   5. Mobile phones and all storage areas inside,
   6. Flash drives,
   7. Optical discs,
   8. Printers,
2. Non-technical data recording environments:
   1. Paper,
   2. Unit cabinets,
   3. Archive
General Principles on Storage and Disposal of Personal Data
The Company is a Data Controller obliged to register in the Registry, and it accepts, declares and undertakes that it is obligated to act in accordance with this Policy in order to store the personal data it keeps in accordance with the Inventory and, when necessary, to delete, destroy or anonymize it.
The following principles will apply to the storage and destruction of personal data:
1. That the general principles set forth in Article 4 of the Law will be complied with,
2. That the Company having prepared this Policy does not alone mean that personal data is deleted, destroyed or anonymized in accordance with the legislation,
3. That, while storing, deleting, destroying or anonymizing personal data, the Company will act in accordance with the security measures in Article 12 of the Law, the provisions of the relevant Legislation, Board decisions and the Policy,
4. That, during the deletion, destruction or anonymization of personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of any recording system, the Company will comply with the tools, programs and processes to be applied depending on this Policy,
5. That the Company will record all transactions related to the deletion, destruction and anonymization of personal data and will keep the said records for at least 3 (three) years, excluding other legal obligations.
The Company accepts, declares and undertakes the foregoing.
Legal, Technical and Other Reasons Requiring the Storage and Disposal of Personal Data
Personal data belonging to data owners can be processed by the Company for the following purposes:
1. Providing the products and services you request in line with your needs,
2. Planning and executing commercial and/or business strategies, keeping records of our services you use,
3. The realization of meetings, organizations, campaigns, raffles and announcements made within our company,
4. Performing our commercial activities through the provision of our services as a company, carrying out the necessary studies for this by the business units and carrying out the relevant business processes,
5. Issuing invoices in accordance with the current legislation,
6. Sharing requested information with relevant public institutions and organizations in accordance with the relevant legislation,
7. Preserving the information about your data that should be kept in accordance with the relevant legislation,
8. Conducting communication activities,
9. Execution of goods, services, production and operation processes,
10. Managing customer relations management processes,
11. Executing activities aimed at customer satisfaction,
12. Executing marketing and analysis studies,
13. Execution of the contracting processes,
14. Carrying out the marketing processes of the products and services,
and for legal, technical and other reasons including, but not limited to, similar purposes and reasons.
Personal data belonging to data owners are destroyed by the Company on the basis of:
1. The general principles contained in Article 4 of the Law,
2. The request of the data owner,
3. Expiration of legal obligations,
and for legal, technical and other reasons including, but not limited to, similar purposes and reasons.
Technical and Administrative Measures Taken to Safely Keep Personal Data and to Prevent Unlawful Processing and Accessing
Technical measures taken by the Company to securely store the personal data of data subjects and to prevent their unlawful processing and access:
1. Using the most up-to-date technological security and virus protection systems regarding the storage areas of personal data, taking privacy and information security measures,
2. Ensuring network and application security,
3. Using cyber attack detection and prevention systems,
4. Keeping log records without user intervention,
5. Taking data masking measures when necessary,
6. Using necessary software to prevent data loss,
7. Using the security protocol called Secure Sockets Layer (SSL) on the Website in order to prevent all kinds of data theft and forgery,
8. Using backup programs in accordance with the law and relevant Legislation,
9. Monitoring all accesses to data recording environments containing personal data against inappropriate accesses or access attempts by logging method,
10. Detecting current and potential threats,
11. Checking for system vulnerabilities by applying penetration tests regularly and when the need arises,
12. Keeping access logs regularly.
Administrative measures taken by the Company to securely store the personal data of data subjects and to prevent their unlawful processing and access:
13. Requesting commitments from the third-party data controllers and/or data processors to whom personal data is transferred regarding the fulfillment of certain standards in the storage of personal data, signing contracts and/or adding new provisions to existing contracts,
14. Ensuring the security of areas containing personal data,
Technical and Administrative Measures Taken for the Lawful Disposal of Personal Data
Technical measures taken by the Company for the legal destruction of personal data belonging to data subjects,
1. Using the most up-to-date technological systems regarding the destruction of personal data, taking privacy and information security measures,
2. Closing off and eliminating the Relevant Users' authorizations and methods for accessing, retrieving and re-using personal data, and removing the authority to restore deleted data,
3. Irreversible deletion of personal data on the central server with cloud systems by issuing a deletion command,
4. Other than those listed above, choosing the appropriate one among the methods of destruction (physical de-magnetization, overwriting) or anonymization for the appropriate technical recording environments,
5. The application of deletion (black-out, etc.), destruction (physical destruction) methods for the destruction of personal data in non-technical recording media,
Administrative measures taken by the Company for the legal destruction of personal data belonging to data subjects,
6. Regularly carrying out the necessary implementation work on the destruction of personal data and providing trainings,
7. Having the necessary equipment for the physical destruction of non-technical data recording media within the workplace of the company,
The Units Responsible for the Storage and Disposal of Personal Data and Their Information
The list showing the titles and job descriptions of the personnel working in the official units involved in the company's personal data storage and destruction processes is included in ANNEX-1.
Storage and Disposal Periods
The table showing the storage and destruction periods according to the categories of the personal data belonging to the data subjects is included in ANNEX-2.
Periodic Destruction Times
Periodic destruction periods are 6 (six) months, except for the periods specified in the table showing the storage and destruction periods attached to this Policy, according to the categories of personal data processed by the company.
Deletion and Destruction Periods of Personal Data at the Request of the Relevant Person
When the person concerned applies to the Company pursuant to Article 13 of the Law and requests the deletion or destruction of his/her personal data:
1. If all the conditions for processing personal data have been eliminated, the Company deletes, destroys or anonymizes the personal data subject to the request. The Company concludes the request of the person concerned within 30 (thirty) days at the latest and informs the relevant person.
2. If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third persons, the Company notifies the third person of this situation within 30 (thirty) days at the latest and ensures that the necessary actions are taken before the third person.
3. If all of the personal data processing conditions have not been eliminated, this request can be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the person concerned in writing or electronically within 30 (thirty) days at the latest.
Effectiveness
This Policy prepared by the company has entered into force as of the date of its publication on the website.
In case of incompatibility between KVKK and other relevant Legislation provisions and this Policy, KVKK and other relevant Legislation provisions will be applied first.