Skip to content

Personal Data Retention and Destruction Policy

PURPOSE OF THE POLICY:
This policy has been prepared based on the Regulation on the Deletion, Destruction, or Anonymization of Personal Data to define our company’s approach to managing the storage and destruction of personal data that it collects and processes.

DEFINITIONS:

Destruction: Refers to the deletion, destruction, or anonymization of personal data.

Recording medium: Any environment where personal data is processed fully or partially by automated means or through non-automated means provided that it is part of a data recording system.

Periodic destruction: The deletion, destruction, or anonymization of personal data to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy, in cases where all conditions for data processing under the law are no longer applicable.

Data recording system: A recording system in which personal data is processed by being structured according to specific criteria.

REASONS FOR STORAGE AND DESTRUCTION, RETENTION AND DESTRUCTION PERIODS:
Our company securely stores the personal data it processes in physical and/or electronic environments during the retention periods determined in the Personal Data Inventory and publicly declared in VERBIS (Data Controllers’ Registry), for the purpose of fulfilling its legal obligations and commercial activities. The Personal Data Inventory defines where each piece of personal data is processed and stored, and which methods are used for its destruction. Personal data is preserved in accordance with all relevant legislation, primarily the Law No. 6698 on the Protection of Personal Data, Labor Law No. 4857, Occupational Health and Safety Law No. 6331, and other regulations related to our company’s operations.

When determining the retention period for personal data, the legal basis or purpose of processing is taken into consideration. If the data is collected and processed due to legal obligations, the retention period is determined in the Personal Data Inventory in accordance with the period specified in the relevant legislation. For other data, a retention period suitable for the purpose of processing and operational needs is determined and defined in the Personal Data Inventory. Retention periods may be defined in terms such as “months,” “years,” or conditionally as “… until the end of …” or “… until … is performed.” Therefore, each piece of personal data may have a different retention period depending on the legal requirement or purpose of processing.

Personal data is stored by taking the “Data Security Measures” declared publicly in VERBIS. In addition to administrative measures such as creating an authority matrix for employees, providing training, and signing confidentiality agreements with employees and data processors, technical security measures such as using up-to-date antivirus systems, firewalls, backups, and encryption are also implemented.

For the destruction of personal data, the selected method of deletion, destruction, or anonymization is applied in a way that makes it impossible to access, retrieve, use, or associate the data with the data subject again.

Personal data whose retention period has expired is destroyed using defined destruction methods and the process is documented using a Data Destruction Record. These records are retained for at least 3 years.

The individuals responsible for data storage and destruction are determined based on the “Personal Data Inventory” and the “Authority Matrix and Authorization Management Table for Personal Data.” Those involved in destruction operations are listed in the Data Destruction Record.

Our company reviews personal data every 3 months (March, June, September, and December) and identifies data whose retention period has expired. It deletes, destroys, or anonymizes the data in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize arises. This period shall not exceed six months.

DESTRUCTION OF PERSONAL DATA UPON REQUEST OF THE DATA SUBJECT

Data subjects may request information about their data by using the communication methods provided in our General Disclosure Statement on Personal Data. If the request is for the deletion of personal data:

  1. If all legal conditions for processing the personal data no longer exist, the personal data in question will be destroyed. The request will be concluded within a maximum of 30 days, and the data subject will be informed in writing or electronically.
  2. If all legal conditions for processing the personal data no longer exist and the data in question has been transferred to data processors, our company will inform the data processor and ensure the destruction of the data.
  3. If the legal conditions for processing the personal data still exist, the request will be rejected by our company with a justification, and the data subject will be notified of the rejection in writing or electronically within 30 days.