_edited.png)
STORAGE AND DISPOSAL POLICY
1. Purpose of the Policy
The purpose of our personal data retention and destruction policy is to determine the maximum period required for the purpose of processing personal data, as a data controller, to reveal the philosophy, purpose and action plan we will follow in our processes of deletion, destruction and anonymization. In this context, our aim is to inform our employees, whose personal data we process, our administrative staff, our visitors and the companies we cooperate with, and all third parties in contact with WEST HUMAN RESOURCES about the processing of their data and their rights, and to provide transparency in this regard and to act respectfully to personal data and therefore to private life.
2. Basis of Policy
Our policy is based on the Law on the Protection of Personal Data No. 6698 dated 7.4.2016 (KVK K. No. 6698) and the "Regulation on the Deletion, Destruction or Anonymization of Personal Data", which was published in the Official Gazette dated 28.10.2017 and numbered 30224. It was formed as a requirement of the 5th and 6th articles of the (Regulations).
3. Scope of the Policy
Our policy, our employees, our administrative staff, our visitors and the institutions we cooperate with, and all real and legal persons in legal relations with WEST HUMAN RESOURCES and their KVKK numbered 6698. It covers all personal data of special nature and non-personal data defined by The Policy also covers personal data in systems where data is processed by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, as specified in KVKK No. 6698. Unless otherwise stated in the policy, personal data and sensitive personal data will be referred to as "Personal Data" together.
4. Definitions
Related person : The real person whose personal data is processed,
personal data : Any information relating to an identified or identifiable natural person,
Special categories of personal data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data,
express consent Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
Destruction : Deletion, destruction or anonymization of personal data,
Personal data retention and destruction table: The table showing the periods during which personal data will be kept in the presence of WEST HUMAN RESOURCES,
Personal data processing inventory : Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
Deletion of personal data : The process of making personal data inaccessible and unusable for the relevant users,
Destruction of personal data : The process of making personal data inaccessible, unrecoverable and reusable by anyone,
Anonymization : Even if personal data is matched with other data, making it impossible to associate with an identified or identifiable natural person under any circumstances,
periodic destruction : The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the law are eliminated,
data logging system : The recording system in which personal data is processed and structured according to certain criteria,
Board : Refers to the Personal Data Protection Board.
5. General Principles Based on the Policy
The data controller acts within the framework of the following principles in the processing of personal data by WEST HUMAN RESOURCES.
5.1. Personal data can only be processed in accordance with the procedures and principles stipulated in the KVKK No. 6698 and other laws.
5.2. It is obligatory to comply with the following principles in the processing of personal data:
a) Compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and restrained with the purpose for which they are processed.
d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
6. Recording Media Regulated by the Policy
Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system, is within the scope of the recording medium.
7. Duties and Powers of the Personal Data Protection Committee
7.1. The Personal Data Protection Committee is responsible for the announcement of this Policy to the relevant business units and the follow-up of the fulfillment of its requirements by the WEST HUMAN RESOURCES units.
7.2. The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business units to follow up on the legislation changes regarding the protection of personal data, the regulatory actions and decisions of the Personal Data Protection Board (Board), court decisions or changes in the processes, practices and systems, and update their business processes if necessary. .
7.3. Personal Data Protection Committee KVKK No. 6698. and secondary regulations as well as the decisions and regulations of the Board, court decisions, and the processes for the examination, evaluation, follow-up and conclusion of the decisions and/or requests of other competent authorities and announces them to the relevant units.
8. What To Do In Case The Conditions for Processing Personal Data Are No longer applicable
8.1. The disappearance of the purpose factor for the processing of personal data, the withdrawal of express consent or the disappearance of all the conditions for the processing of personal data in Articles 5 and 6 of the KVK Law No. 6698, or there is a situation where none of the exceptions in the mentioned articles can be applied. In the event that the processing conditions are no longer valid, the personal data is deleted, destroyed or anonymized by the relevant business unit, taking into account the business needs, by explaining the reason for the method applied, within the scope of articles 7 to 10 of the Regulation. However, in case of a finalized court decision, it is obligatory to apply the method of destruction determined by the court decision.
8.2. All users who process or store personal data and WEST HUMAN RESOURCES units, which are data owners, will review the data recording media they use, within six-month periods at the latest, whether the conditions related to processing have disappeared. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review in the data recording media they use, regardless of the period of periodic inspection.
8.3. As a result of periodic reviews or at any time, when it is determined that the data processing conditions have been removed, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium under his responsibility in accordance with this policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit. When it is necessary to take a decision on the destruction of personal data with multi-stakeholder data in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken and the data owner will be responsible for the storage, deletion, destruction or anonymization of the personal data in accordance with this policy. will be decided by the unit.
8.4. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least one year, excluding other legal obligations.
8.5. Pursuant to Articles 4 and 7 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be explained in the Data Destruction Procedure to be published after the entry into force of this Policy.
8.6. In the deletion, destruction or anonymization of personal data, to act in accordance with the general principles in Article 4 of the KVKK No. 6698 and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, the Board decisions and the personal data storage and destruction policy. mandatory.
8.7. When the real person who owns a personal data requests the deletion, destruction or anonymization of his personal data by applying to WEST HUMAN RESOURCES, pursuant to Article 13 of the KVKK No. 6698, the relevant data owner business unit shall comply with all of the personal data processing conditions. Checks to see if it's gone. If all the processing conditions have disappeared; deletes, destroys or anonymizes the personal data subject to the request. In this case, as the details will be determined in the Data Disposal Procedure; The request is finalized within thirty days at the latest from the date of application and the applicant is informed through the relevant board. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer is made and ensures that the necessary actions are taken within the scope of the Regulation before the third party.
8.8. In cases where all the conditions for processing personal data are not eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by WEST HUMAN RESOURCES by explaining the reason in accordance with the 3rd paragraph of Article 13 of the KVK Law No. 6698. The rejection response is notified to the relevant person in writing or electronically within 30 days at the latest.
8.9. Requests for the deletion or destruction of personal data will only be considered if the identity of the person concerned has been identified. In requests to be made outside of the said channels, the relevant persons will be directed to the channels where identification or verification can be made.
9. Policy Enforcement, Violations and Sanctions
9.1. This Policy will enter into force by being announced to all employees and will be binding on all business units, consultants, external service providers and anyone who processes personal data before other WEST HUMAN RESOURCES.
9.2. It will be the responsibility of the supervisors of the relevant employees to monitor whether WEST HUMAN RESOURCES employees fulfill the requirements of the Policy. When a violation of the policy is detected, the issue will be immediately reported to a higher supervisor by the supervisor of the relevant employee. If the violation is significant, the Personal Data Protection Committee will be informed without delay by the superior.
9.3. Necessary administrative action will be taken about the employee who violates the policy, after the evaluation to be made by the Human Resources unit.
9.4. By WEST HUMAN RESOURCES in order to fulfill the policy requirements; All necessary security measures are taken, including the ISO standard and the measures prescribed by all relevant ministries.
10. Persons to be Involved in the Storage and Disposal Processes of Personal Data and Their Responsibilities
All employees, consultants, external service providers and anyone else who stores and processes personal data before WEST HUMAN RESOURCES is responsible for fulfilling the requirements regarding the destruction of data specified in the Regulation of KVKK No. 6698 and this Policy within WEST HUMAN RESOURCES. Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the data produced is only in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for the information systems. Periodic destructions, which will affect business processes and cause data integrity, data loss and results against legal regulations, will be made by the relevant information systems departments, taking into account the type of personal data, the systems in which it is included, and the data owner business unit.
11. Periods of Retention and Disposal of Personal Data
Personal Data Retention and Disposal Periods are listed below. The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. In case of hesitation, it will be updated by the business units that own the processes to be included in the Table Showing the Periods of Retention and Disposal of Personal Data, taking into account the evaluation of the Personal Data Protection Committee.
TCO no 6098 article 146 : 10 years
Related Legislation : Up to the stipulated time
12. Periodic Disposal Times
The Periodic Destruction Period of Personal Data is determined by the relevant business units that own the data. This period cannot exceed 6 (six) months in any case.
13. Enforcement
13.1. The policy will enter into force as of the date of publication.
13.2. It is the responsibility of the Personal Data Protection Committee to announce the policy throughout PLUS HUMAN RESOURCES and make the necessary updates.