Storage and Disposal Policy

 

1. PURPOSE

This Personal Data Storage and Destruction Policy (“Policy”), as Trakya Grup Plastik Alüminyum ve Cam Sanayi Ticaret Limited Şirketi (“Trakya Group” or “Company”), is the procedure and procedures regarding the storage and destruction activities carried out as the data controller. It was prepared to determine the principles.

As part of its legal and social responsibility, Trakya Group undertakes to comply with national personal data protection, processing, storage and destruction regulations within the scope of the Personal Data Protection Law No. 6698 (“Law”).

In this context, the personal data of our employees, prospective employees, customers, service providers, visitors and those held by Trakya Group for any reason, within the framework of the Trakya Group Personal Data Processing and Protection Policy and this policy; T.R. It is stored and destroyed in accordance with the Constitution, international agreements, law and other relevant legislation.

2. SCOPE OF DATA PROTECTION STORAGE AND DESTRUCTION POLICY

This Policy is implemented at Trakya Grup Plastic Aluminum and Cam Industry Trade Limited Company.

Personal data belonging to Trakya Group employees, employee candidates, customers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by our Company is processed and in activities related to personal data processing.

The policy may be updated from time to time. Therefore, we kindly request you to visit www.trakyagrup.com.tr regularly to access the most current version of the Policy.

3. DEFINITIONS

Law/PDPL Personal Data Protection Law No. 6698
Board/Institution Personal Data Protection Board/Personal Data Protection Authority
Personal Data It is any information regarding an identified or identifiable natural person.
Related person Real person whose personal data is processed
Buyer Group Category of natural or legal person to whom personal data is transferred by the Data Controller
Service provider Real or legal person who provides services within the framework of a specific contract with our company
Explicit Consent Consent regarding a specific issue, based on information and expressed with free will
Anonymization Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Deletion of Personal Data Deletion of personal data; making personal data inaccessible and unusable in any way for Relevant Users
Destruction of Personal Data The process of making personal data inaccessible, irretrievable and reusable by anyone.
Processing of Personal Data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data, such as blocking.
Data Processor Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller
Data Controller Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system
Special Personal Data
(Sensitive Data)
Data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data
Lighting Obligation During the acquisition of personal data, the data controller or the person authorized by the data controller; To provide information about the identity of the data controller and his representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11 of the Law.
Data Controllers Registry Information System Information system created and managed by the Presidency, accessible over the internet, that data controllers will use in applying to the Registry and other relevant transactions related to the Registry.
Data Recording System A recording system where personal data is structured and processed according to certain criteria.
Personal Data Processing Inventory Personal data processing activities carried out by data controllers depending on their business processes; The inventory they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries and measures taken regarding data security.
Policy Personal Data Storage and Destruction Policy
Regulation Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28.10.2017
Destruction Deletion, destruction or anonymization of personal data
Periodic Destruction If all the conditions for processing personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy will be carried out ex officio at recurring intervals.
Recording Media Any environment where personal data is processed by fully or partially automated or non-automatic means, provided that it is part of any data recording system

4. RESPONSIBILITY AND PERSONAL DATA PROTECTION COMMITTEE

Trakya Grup has established a Personal Data Committee (“Committee”) within the company. Committee; is authorized and responsible for carrying out the necessary actions and supervising the processes for the data of the relevant persons to be stored and processed in accordance with the law, the Personal Data Processing and Protection Policy and this Policy.

All employees of Trakya Group support the Committee in the proper implementation of the technical and administrative measures taken by the Committee within the scope of the Policy.

Committee; It consists of three people: a manager, an administrative expert and a technical expert. The titles and job descriptions of Trakya Grup employees serving in the committee are as follows:

UNIT TITLE JOB DESCRIPTION
General Manager Personal Data Protection Committee Manager Directing all kinds of planning, analysis, research and risk identification studies in projects carried out during the process of compliance with the law; It is obliged to manage the processes that must be carried out in accordance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy and to decide on the requests made by the relevant persons.
IT SpecialistLawyer PDPL Expert (Technical and Administrative) Examining the requests of the relevant persons and reporting them to the Personal Data Committee Manager for evaluation; Carrying out the transactions regarding the requests of the relevant person, which are evaluated and decided by the Personal Data Committee Manager, in accordance with the decision of the Personal Data Committee Manager; auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Manager; Responsible for carrying out the storage and destruction processes.

5. RECORDING MEDIUMS WHERE PERSONAL DATA IS STORED

Your personal data within Trakya Group is stored securely in accordance with the law in the recording environments listed below, in accordance with the nature of the relevant data and our legal obligations.

Electronic Media Non-Electronic Media
Servers (domain, backup, e-mail, database, web, file sharing, etc.) Software (office software, portal,) Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) Video recording and audio recordingPersonal computers (desktop, laptop)Cloud systemMobile devices (phone, tablet, etc.)Optical discs (CD, DVD, etc.)Removable memories (USB, memory card, etc.)Printer, scanner, photocopier. PaperManual data recording systems (survey forms, visitor login book) Written, printed, visual media.

6. ENSURING THE SECURITY OF RECORDING MEDIA

Trakya Group takes all necessary technical and administrative measures to store your personal data safely, prevent it from being processed and accessed unlawfully, and destroy your personal data in accordance with the law.

6.1. Technical Measures

Trakya Group takes the following technical measures in the environments where your personal data is stored, to the extent that they comply with the characteristics of the relevant data and the environment in which it is kept:

  • • System security is being improved.
  • • Users’ access to information systems is limited and an access and authorization matrix is created.
  • • Precautions are taken for the physical security of the institution’s information systems equipment, software and data.
  • • In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, fire extinguishing system) and software (firewalls, attack prevention systems, network access control, blocking malware) systems etc.) precautions are taken.
  • • In accordance with Article 12 of the Law, it protects any digital environment where personal data is stored with encrypted or cryptographic methods to meet information security requirements.
  • • Risks to prevent unlawful processing of personal data are identified, technical measures appropriate to these risks are taken, and technical controls are carried out for the measures taken.
  • • Trakya Grup takes the necessary measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
  • • In case personal data is obtained by others unlawfully, an appropriate system and infrastructure has been created by the Company to notify the relevant person and the Board.
  • • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
  • • Passwords are used in electronic environments where personal data is processed.
  • • Secure record keeping (logging) systems are (partially) used in electronic environments where personal data is processed.
  • • Data backup programs are used to ensure safe storage of personal data.
  • • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
  • • Security measures are taken in the physical environments where special personal data are processed, stored and/or accessed.
  • • Destruction of personal data; It is provided in a way that cannot be recycled and does not leave an audit trail.

6.2. Administrative Measures

Administrative measures taken by Trakya Group regarding your processed personal data are listed below:

  • • In order to ensure effective compliance with the legislation regarding the protection of personal data, a Personal Data Protection Committee has been established by the Board of Directors, with the ultimate responsibility falling on the Board of Directors.
  • • Compliance with KVKK obligations is periodically audited by the Internal Audit unit.
  • • Access authorization restrictions are foreseen.
  • • Data minimization has been achieved.
  • • Data retention periods have been determined.
  • • Trakya Grup’s business and operational processes have been harmonized with the Law.
  • • With the data inventory, it was determined in which cases the data processing conditions were met.
  • • Provisions regarding the Protection of Personal Data have been added to the contracts made with our employees and all third parties.
  • • Training has been provided on the security of special personal data for employees involved in the processing of special personal data, confidentiality agreements have been signed, and the powers of users who have access to data have been defined.
  • • Trakya Grup’s website provides necessary guidance and an application form to receive applications from relevant persons regarding their personal data.

7. EXPLANATIONS REGARDING THE REASONS REQUIRING STORAGE AND DISPOSAL

By Trakya Grup; Personal data of employees, employee candidates, visitors and third parties who have relations with our company as suppliers/service providers; It is stored and destroyed in accordance with the Law, Regulation, Trakya Group Personal Data Protection and Processing Policy and this Policy.

Trakya Grup retains your personal data only for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In this context, first of all, it is determined whether the relevant legislation stipulates a period for storing personal data, and if a period is determined, this period is complied with. If a period is not determined, personal data are stored for the period necessary for the purpose for which they are processed.

If the period expires or the reasons requiring processing no longer exist, your personal data will be deleted, destroyed or anonymized in accordance with Trakya Grup Policy, unless there is a legal reason that allows them to be processed for a longer period of time.

All transactions made by our Company regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

7.1. 7.1. Reasons That Require Storage

  • • Being directly related to the establishment and execution of contracts,
  • • For the purpose of establishing, exercising or protecting a right,
  • • Since it is necessary to keep it for the legitimate interests of Trakya Group, provided that it does not harm the fundamental rights and freedoms of individuals,
  • • In order for Trakya Grup to fulfill its legal obligations,
  • • Since the storage of personal data is clearly stipulated in the legislation;
  • • Personal Data Protection Law No. 6698
  • • Turkish Code of Obligations No. 6098
  • • Social Insurance and General Health Insurance Law No. 5510
  • • Occupational Health and Safety Law No. 6331
  • • Access to Information Law No. 4982
  • • Labor Law No. 4857
  • • Turkish Commercial Code No. 6102 and other secondary regulations in force pursuant to these laws
  • • In terms of storage activities that require the explicit consent of the data owners, data is stored due to the explicit consent of the data owners.

7.2. 7.2. Reasons Requiring Destruction

In accordance with the Regulation, personal data of data owners are deleted, destroyed or anonymized by Trakya Group ex officio or upon request in the following cases:

  • • Amendment or abolition of the relevant legislative provisions that constitute the basis for the processing or storage of personal data,
  • • Elimination of the purpose requiring the processing or storage of personal data,
  • • Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
  • • In cases where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her consent,
  • • The data controller accepts the application made by the relevant person regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in paragraphs (e) and (f) of Article 11 of the Law,
  • • In cases where the data controller rejects the application made to him by the data subject requesting the deletion, destruction or anonymization of his personal data, his response is found insufficient, or he does not respond within the period stipulated in the Law; Making a complaint to the Board and this request being approved by the Board,
  • • Although the maximum period requiring personal data to be stored has passed, there are no conditions that justify storing personal data for a longer period of time,

8. PERSONAL DATA DESTRUCTION METHODS

At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by Trakya Group ex officio or upon the application of the relevant person, in accordance with the relevant legislation, using the techniques specified below.

8.1. 8.1. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and unusable in any way. Deletion methods according to recording media applied by Trakya Grup are as follows:

Deletion Methods for Personal Data Kept in Physical Environment
Blackout Personal data in the printed media is deleted using the blackout method. The darkening process is done by cutting off the personal data on the relevant document when possible, and in cases where it is not possible, by making it invisible by using fixed ink in a way that is irreversible and unreadable with technological solutions. For personal data kept in physical media, for which the period requiring its storage has expired, it is made inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, blackening is also applied by drawing/painting/erasing the surface so that it cannot be read.
Deletion Methods for Personal Data Held Electronically
Deletion Methods for Personal Data Held Electronically While data processed wholly or partially automatically and stored in digital media are deleted; Methods are used to delete the data from the relevant software in a way that makes it inaccessible and unusable for the relevant users. Deleting the relevant data in the cloud system by issuing a delete command; Removing the access rights of the relevant user on the file or the directory where the file is located on the central server; deleting relevant rows in databases with database commands; or by deleting the data on portable media, i.e. flash media, using appropriate software.

8.2. 8.2. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, irretrievable, and unusable by anyone. Deletion methods according to recording media applied by Trakya Grup are as follows:

Destruction Methods for Personal Data Kept in Physical Environment
Physical Destruction Personal data on paper is clipped and destroyed irreversibly.
Deletion Methods for Personal Data Held Electronically
Physical Destruction It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting optical or magnetic media, burning them, pulverizing them, or passing them through a metal grinder.

8.3. 8.3. Anonymization of Personal Data

Anonymization means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. Trakya Grup does not use any methods of anonymization of personal data.

9. STORAGE AND DISPOSAL PERIOD

9.1. 9.1. Storage Periods

PROCESS STORAGE PERIOD
Planning and Execution of Corporate Communication Activities 10 Years following the termination of the employment relationship
Answering Court/Enforcement Information Requests Regarding Personnel 10 Years following the termination of the employment relationship
Preparation of Contracts 10 Years following the termination of the employment relationship
Submitted to the Social Security Institution with Recruitment Documents; Personnel Data Based on Notifications Regarding Duration of Service and Wage 10 Years following the termination of the employment relationship
Occupational Health and Safety Practices 10 Years following the termination of the employment relationship
Identity Information, Contact Information, Financial Information, Business Partner/Solution Partner/Consultant Employee Data Regarding the Execution of the Commercial Relationship Between the Business Partner/Solution Partner/Consultant and Trakya Grup 10 Years during and after the termination of the Business Partner/Solution Partner/Consultant’s business/commercial relationship with Trakya Grup
Customer’s Name, Surname, TR ID Number, Contact Information, Payment Information and Methods, Navigation Information, Product/Service Preferences, Transaction History 10 years from the date of delivery of each product/service purchased by the Customer.
Identity Information, Contact Information, Financial Information, Employee Data of Institutions/Companies with which Trakya Group Collaborates, Regarding the Execution of the Commercial Relationship Between Trakya Group and the Institutions/Companies with which Trakya Grup Collaborates 10 Years from the end of the business/commercial relationship of the Institutions/Companies with which Trakya Group cooperates with Trakya Grup.
Log/Recording/Tracking Systems 3 Years following the termination of the employment relationship
Payment Transactions 10 Years following the termination of the employment relationship
Personnel Financing Processes 10 Years following the termination of the employment relationship
Security Camera Recordings in Trakya Group Buildings 3 months

9.2. 9.2. Destruction Periods

Trakya Grup is obliged to delete, destroy or anonymize the personal data for which it is responsible in accordance with the law, relevant legislation, Trakya Group Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy; It is carried out in the first periodic destruction process following the date of emergence (within 180 days following the storage period at the latest).

When the relevant person applies to Trakya Group pursuant to Article 13 of the Law and requests the deletion or destruction of his personal data;

If all the conditions for processing personal data have been eliminated; Trakya Group deletes, destroys or anonymizes the personal data subject to the request with an appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for Trakya Grup to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. Trakya Group informs the relevant person in line with the transactions made.

If all the conditions for processing personal data have not been eliminated, this request may be rejected by Trakya Group by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest.

10. PERIODIC DISPOSAL

2nd paragraph of Article 11 of the Regulation: “The time period in which periodic destruction will be carried out is determined by the data controller in the personal data storage and destruction policy. by the data controller in the personal data storage and destruction policy.

In any case, this period cannot exceed six months. ” is the commanding decision. In accordance with the regulation, Trakya Group has determined the periodic destruction period as 6 (six) months. Accordingly, Trakya Group Periodic destruction processes start for the first time on 30.06.2020 and repeat every 6 (six) months. Periodic destruction is carried out every year in June and December.

11. PUBLISHING AND UPDATING OF THE POLICY

This Policy prepared by Trakya Group entered into force on 30.09.2020.

This Policy is also published on the Company’s website www.trakyagrup.com.tr and is made available to personal data owners upon request. In case of incompatibility between the provisions of KVKK and other relevant legislation and this Policy, the provisions of KVKK and other relevant legislation will be applied first.

This Policy is updated when and where necessary. If there is a change in the Policy, the effective date of the Policy and relevant articles will be updated accordingly.

Regards.

Trakya Grup Plastic Aluminum and Glass Industry Trade Limited Company