
1. INTRODUCTION AND PURPOSE OF PREPARING THE POLICY

 

This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by (“RITUEL COMPANY” or “Company”), as a data controller, in order to fulfill our obligations pursuant to Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the Law and entered into force after being published in the Official Gazette dated 28 October 2017, and to inform data owners about the principles of determining the maximum storage period required for the purpose for which your personal data is processed, and about the processes of deletion, destruction and anonymization.

2. DEFINITIONS

3. PRINCIPLES

 

RİTÜEL COMPANY acts within the framework of the following principles in the storage and destruction of personal data:

  1. In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law, the technical and administrative measures that must be taken under Article 12 of the Law and are specified in Article 6.2 of this Policy, the provisions of the relevant legislation, the Board decisions and this Policy are fully complied with.

  2. All transactions regarding the deletion, destruction and anonymization of personal data are recorded by RİTÜEL COMPANY and these records are kept for at least 10 years, excluding other legal obligations.

  3. Unless a contrary decision is taken by the Board, we choose ex officio the appropriate method of deletion, destruction or anonymization of personal data. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason.

  4. In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, personal data is deleted, destroyed or anonymized by RITUEL SPECIAL COMPANY ex officio or upon the request of the person concerned. In this regard, if the Relevant Person applies to RITUEL COMPANY:

     1. Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,

     2. In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken before the third parties.

4. EXPLANATIONS RELATING TO REASONS REQUESTING STORAGE AND DISPOSAL

 

Personal data of data owners are stored securely by RITUEL COMPANY in physical or electronic media, within the limits specified in the KVKK and other relevant legislation, especially for the purposes of (1) maintaining commercial activities, (2) fulfilling legal obligations, (3) planning and fulfilling employee rights and fringe benefits, and (4) managing customer relations.

The reasons for storage are as follows:

  1. Storing personal data as it is directly related to the establishment and performance of contracts,

  2. Storing personal data for the purpose of establishing, exercising or protecting a right,

  3. Storage of personal data being mandatory for the legitimate interests of RİTÜEL COMPANY, provided that it does not harm the fundamental rights and freedoms of individuals,

  4. Storing personal data in order for RİTÜEL COMPANY to fulfill any of its legal obligations,

  5. The storage of personal data being explicitly stipulated in the legislation,

  6. Explicit consent of data owners in terms of storage activities that require the explicit consent of data owners.

In accordance with the Regulation, the personal data of the data owners are deleted, destroyed or anonymized by RITUEL COMPANY ex officio or upon request in the following cases:

  1. The provisions of the relevant legislation that are the basis for the processing or storage of personal data are changed or repealed,

  2. The purpose that requires the processing or storage of personal data disappears,

  3. The conditions requiring the processing of personal data in Articles 5 and 6 of the Law are eliminated,

  4. In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his consent,

  5. The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs (e) and (f) of Article 11 of the Law,

  6. In cases where the data controller rejects the application made by the data subject requesting the deletion, destruction or anonymization of his personal data, gives a response that is found to be insufficient, or does not respond within the time stipulated in the Law, a complaint is made to the Board and this request is approved by the Board,

  7. The maximum period for keeping personal data has passed and there are no conditions that justify keeping personal data for a longer period of time.

 

5. STORAGE AND DISPOSAL TIMES

 

The following criteria are used to determine the storage and destruction periods of your personal data obtained by RİTÜEL COMPANY in accordance with the provisions of the KVKK and other relevant legislation:

1. If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period shall be complied with. Following the expiry of the aforementioned period, the data is processed within the scope of the second paragraph.

2. In the event that the period stipulated in the legislation regarding the storage of the said personal data expires or if no period is stipulated in the relevant legislation regarding the storage of the said data, respectively;

  1. Personal data is classified as personal data and sensitive personal data, based on the definition in Article 6 of the KVKK. All personal data determined to be of a private nature will be destroyed. The method to be applied in the destruction of the said data is determined according to the nature of the data and the importance of its storage to RITUEL COMPANY.

  2. The compliance of data storage with the principles specified in Article 4 of the KVKK is examined; for example, it is questioned whether RITUEL COMPANY has a legitimate purpose in storing the data. Data found to be kept in violation of the principles set forth in Article 4 of the KVKK are deleted, destroyed or anonymized.

  3. It is determined under which of the exceptions stipulated in Articles 5 and 6 of the KVKK the data storage can be evaluated. Within the framework of the identified exceptions, reasonable periods for data storage are determined. When these periods expire, the data is deleted, destroyed or anonymized.

 

You can find the retention, destruction and periodic destruction periods determined by RİTÜEL COMPANY in the "Personal Data Processing Inventory" in the annex (Annex-2) of this Policy.

Personal data whose storage period has expired is destroyed in 6-monthly periods, within the framework of the destruction periods specified in the annex (Annex-2) of this Policy and in accordance with the procedures set forth in this Policy.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 10 years, excluding other legal obligations.  

 

6. PROCEDURES FOR STORAGE AND DISPOSAL OF PERSONAL DATA BY RITUEL COMPANY

 

I. RECORDING ENVIRONMENTS

 

Personal data of data owners are stored securely by RITUEL COMPANY in the environments listed in the table below, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles:

Physical environments:

  • Unit Cabinets

  • ARCHIVE STORAGE

II. TECHNICAL AND ADMINISTRATIVE MEASURES

All the administrative and technical measures taken by RİTÜEL COMPANY within the framework of the principles in Article 12 of the KVKK in order to keep your personal data safe, to prevent its unlawful processing and access, and to destroy the data in accordance with the law are listed below:

A. Administrative Measures:

 

The administrative measures taken by RITUEL COMPANY are as follows:

  1. It restricts internal access to the stored personal data to the personnel who require it under their job description. In limiting access, whether the data is of a special nature and its importance are also taken into account.

  2. In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible.

  3. Regarding the sharing of personal data, it ensures data security with the persons with whom personal data is shared, by signing a framework agreement on the protection of personal data and data security, or through provisions added to the existing agreement.

  4. It employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.

  5. It carries out, or has carried out, the necessary inspections in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates the privacy and security vulnerabilities that are identified as a result of audits.

  6. There are disciplinary regulations that include data security provisions for employees.

  7. Confidentiality commitments are made.

  8. The authorizations of employees who change jobs or leave their jobs in this field are removed.

  9. The signed contracts contain data security provisions.

  10. Necessary security measures are taken regarding entry to and exit from physical environments containing personal data.

  11. Physical environments containing personal data are secured against external risks (fire, flood, etc.).

  12. The security of environments containing personal data is ensured.

  13. Personal data is reduced as much as possible.

         

B. Technical Measures:

 

The technical measures taken by RITUEL COMPANY are as follows:

  1. It performs the necessary internal controls within the scope of established systems.

  2. It carries out the processes of information technology risk assessment and business impact analysis within the scope of established systems.

  3. It ensures the provision of the technical infrastructure to prevent or monitor the leakage of data outside the institution and the creation of relevant matrices.

  4. It ensures that the access to personal data of employees in information technology units is kept under control.

  5. The destruction of personal data is ensured in a way that cannot be recovered and leaves no audit trail.

  6. Pursuant to Article 12 of the Law, all kinds of digital media where personal data are stored are protected by encryption or cryptographic methods to meet information security requirements.

  7. Network security and application security are provided.

  8. The security of personal data stored in the cloud is ensured.

  9. User account management and an authorization control system are implemented and monitored.

 

III. EMPLOYEE

You can find the titles, units and job descriptions of the personnel involved in the personal data storage and destruction process in the list in Annex-1 of this Policy.

 

 

IV. DISPOSAL OF PERSONAL DATA

In case the personal data processing purposes listed in the Law and the Regulation are eliminated, personal data obtained by RİTÜEL COMPANY in accordance with the KVKK and other relevant legislation will be destroyed with the techniques specified below, by RİTÜEL COMPANY ex officio or upon the application of the Relevant Person, again in accordance with the provisions of the Law and relevant legislation.

 

A. Deletion and Destruction Techniques of Personal Data:

The procedures and principles regarding the techniques of deletion and destruction of personal data by RİTÜEL COMPANY are listed below:  

 

Deletion of Personal Data:

Secure Deletion from Software: When deleting data processed by fully or partially automated means and stored in digital media, methods are used that delete the data from the relevant software so that it cannot be accessed or reused in any way by the Relevant Users.

Examples within this scope include deleting the relevant data in the cloud system by issuing a delete command; removing the access rights of the relevant user on the file or the directory where the file is located on the central server; deleting the relevant rows in databases with database commands; and deleting the data on portable media, that is, flash media, by using appropriate software.

However, if the deletion of personal data would make other data within the system inaccessible and unusable, the personal data will also be deemed deleted if it is archived in a way that cannot be associated with the data subject, provided that the following conditions are met:

  1. Being closed to the access of any other institution, organization or person,

  2. Taking all necessary technical and administrative measures to ensure that only authorized persons can access personal data.

Secure Deletion by Expert: In some cases, the Company may hire an expert to delete personal data on its behalf. In this case, the personal data is securely deleted by the person who is an expert on this subject so that it cannot be accessed or reused in any way by the Relevant Users.

Blackening of Personal Data in Paper Media: This is a method of physically cutting the relevant personal data out of the document, or of making it invisible with fixed ink so that it cannot be read by means of technological solutions, in order to prevent the unintended use of personal data or to delete the data requested to be deleted.

Destruction of Personal Data:

 

Physical Destruction: Personal data can also be processed by non-automatic means, provided that they are part of any data recording system. When such data is destroyed, a system of physical destruction of personal data is applied so that it cannot be used later. The destruction of data in paper and microfiche media should also be carried out in this way, since it is not possible to destroy them in any other way.

Overwriting: The overwrite method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times over magnetic media and rewritable optical media via special software.   

 

B. Techniques for Anonymization of Personal Data:  

The procedures and principles regarding the techniques of anonymization of personal data by RİTÜEL COMPANY are listed below:

Anonymization Methods That Do Not Provide Value Irregularity

Anonymization methods that do not provide value irregularity are methods applied without changing, adding to or removing from the stored personal data; anonymization is achieved by generalizing a group of personal data, swapping data with each other, or removing a certain data item or sub-group of data from the group.

Removing Records: In the record removal method, the data row containing a singularity is removed from the records, and the stored data is anonymized. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data belonging to this person from the records where the seniority, salary and gender data of the employees at the same level are kept.

Lower and Upper Bound Coding: With the lower and upper bound coding method, the values in a data group containing predefined categories are anonymized by determining a certain criterion and combining them.

For example, personnel working in a workplace can be anonymized by combining them as (very experienced), (experienced) or (inexperienced), depending on whether their working years in the workplace are less than 5 years, between 5 and 10 years or more than 10 years:

 

Generalization: With the data aggregation method, many data items are aggregated and personal data is rendered unrelated to any person.

For example, revealing that there are Z employees at the age of X without showing the ages of the employees one by one.

Coding: With the data derivation method, a more general content is created than the content of the personal data, and it is ensured that personal data cannot be associated with any person. For example, indicating ages instead of dates of birth, or indicating the region of residence instead of the full address.

Pursuant to Article 28 of the KVKK, if personal data is processed for purposes such as research, planning and statistics by being anonymized through official statistics, this situation will be outside the scope of the Law and express consent will not be required.

This Policy prepared by RITUEL COMPANY entered into force on 01.01.2019. In case of a change in the Policy, the effective date of the Policy and the relevant articles will be updated accordingly. The update table is in Annex-3.

ANNEX 1  

STAFF TITLE, UNIT AND TASK LIST

ANNEX-2

PERIOD  STORAGE PERIOD  DISPOSAL TIME

ANNEX-3

 

UPDATE TABLE

 

Changes made in this Policy will be included in the relevant tables.  

 

DATE OF UPDATE  SCOPE OF CHANGES

[12/11/2020]  [All Coverage]
