HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ.
PERSONAL DATA STORAGE AND DISPOSAL POLICY
SECTION 1: NATURE AND PURPOSE OF THE DISPOSAL POLICY
1.1. INTRODUCTION
This disposal policy has been prepared by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. (hereinafter referred to as “HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ.”) as the data controller, in accordance with the Law No. 6698 on the Protection of Personal Data and other relevant legislation, to establish the procedures and principles related to the deletion, destruction, or anonymization of personal data held by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ.
In this context, the personal data of all individuals, including our employees, employee candidates, customers, and any other individuals whose personal data is processed by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. for any reason, are managed in accordance with the Personal Data Processing and Protection Policy and this Personal Data Storage and Disposal Policy, in compliance with the law.
Relevant person | The natural person whose personal data is processed |
Destruction | Deletion, destruction or anonymization of personal data |
Law | Personal Data Protection Law No. 6698 published in the Official Gazette No. 29677 dated 07.04.2016 |
Regulations | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 |
Board | Personal Data Protection Board |
Recording media | Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system |
Personal Data Processing and Protection Policy | The policy outlining the procedures and principles for managing personal data held by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ., which can be accessed at www.haseryapi.com.tr |
Data recording system | The recording system in which personal data is structured and processed according to certain criteria |
SECTION 2: ENVIRONMENTS AND SECURITY MEASURES
2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data held by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. is stored in environments appropriate to the nature of the data and in compliance with legal obligations.
The general environments where personal data is stored include the following, but some data may be kept in different environments due to their special nature or legal obligations. In all cases, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. acts as the data controller and processes and protects personal data in accordance with the law, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy.
a) Print media | These are environments where data is kept by printing on paper or microfilm. |
b) Local digital environments | These are the servers within HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. and other digital media such as hard or portable disks and optical disks. |
c) Cloud environments | These are environments that are not located within HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. but in which internet-based systems encrypted with cryptographic methods are used by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. |
2.2. ENSURING THE SECURITY OF ENVIRONMENTS
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. takes all necessary technical and administrative measures in accordance with the nature of the personal data and the environment where it is stored, to ensure that personal data is stored securely and to prevent its unlawful processing and access.
These measures include, but are not limited to, the following administrative and technical measures, as deemed appropriate in accordance with the nature of the relevant personal data and the environment in which it is held.
2.2.1. Technical Measures
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. implements the following technical measures in all environments where personal data is stored, based on the nature of the relevant data and the storage environment:
- Only up-to-date and secure systems that comply with technological advancements are used in environments where personal data is stored.
- Security systems are implemented in environments where personal data is held.
- Security tests and research are conducted to detect vulnerabilities in IT systems, and any identified risks are addressed based on the results.
- Access to environments where personal data is stored is restricted to authorized personnel, and access is limited to the purpose for which the data is stored. All access is logged.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. employs adequate technical personnel to ensure the security of environments where personal data is stored.
2.2.2. Administrative Measures
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. takes the following administrative measures for all environments where personal data is stored, in accordance with the nature of the data and the storage environment:
- Efforts are made to raise awareness and educate all HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. employees with access to personal data about information security, personal data, and the confidentiality of private life.
- Legal and technical consultancy services are obtained to monitor developments in the fields of information security, privacy, and personal data protection, and to take necessary actions.
- When personal data is shared with third parties due to technical or legal requirements, protocols are signed to protect the data, and all necessary efforts are made to ensure that third parties comply with these obligations.
2.2.3. Internal Audits
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. conducts internal audits to ensure the implementation of the provisions of the Law and this Personal Data Retention and Disposal Policy, as well as the Personal Data Processing and Protection Policy.
If any deficiencies or faults are identified during internal audits regarding the implementation of these provisions, they are immediately addressed.
If it is determined that personal data under the responsibility of HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. has been unlawfully obtained by others during an audit or by any other means, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. promptly informs the relevant person and the Board.
SECTION 3: DESTRUCTION OF PERSONAL DATA
3.1. REASONS FOR RETENTION AND DISPOSAL
3.1.1. Reasons for Retention
Personal data held by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. is stored for the purposes and reasons specified in the Law and our Personal Data Policy (accessible at “www.haseryapi.com.tr”).
3.1.2. Reasons for Disposal
Personal data held by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. is deleted, destroyed, or anonymized upon the request of the relevant person or when the reasons outlined in Articles 5 and 6 of the Law no longer exist, in accordance with this disposal policy.
The reasons listed in Articles 5 and 6 of the Law are as follows:
- Explicitly stipulated by laws.
- It is mandatory to protect the life or physical integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid.
- It is necessary to process personal data for the establishment or performance of a contract, provided that it is directly related to the establishment or performance of the contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- The data has been made public by the relevant person.
- Data processing is mandatory for the establishment, exercise, or protection of a right.
- Data processing is mandatory for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.
3.2. DESTRUCTION METHODS
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. deletes, destroys, or anonymizes personal data, which it stores in compliance with the Law and other relevant legislation, at the request of the relevant person or when the reasons for processing the data no longer exist, or within the periods specified in this Personal Data Retention and Disposal Policy.
The most commonly used deletion, destruction, and anonymization techniques by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. are listed below:
3.2.1.1. Deletion Methods
Deletion Methods for Personal Data Kept in Printed Media | |
Blackout | Personal data in printed media is deleted using the blackout method. Where possible, the personal data is cut out of the relevant document; where that is not possible, it is made invisible with a fixed correction strip so that the process cannot be reversed and the data cannot be read with technological solutions. |
Deletion Methods for Personal Data Held in Cloud and Local Digital Environment | |
Secure deletion from software | Personal data stored in the cloud or local digital environment is deleted by digital command so that it cannot be recovered again. Data deleted in this way cannot be accessed again. |
3.2.1.2. Destruction Methods
Destruction Methods for Personal Data Kept in Printed Media | |
Physical destruction | Documents kept in printed media are destroyed with shredder machines so that they cannot be put back together. |
Destruction Methods for Personal Data Held in Local Digital Environment | |
Physical destruction | It is the process of physically destroying optical and magnetic media containing personal data. Data is rendered inaccessible by processes such as melting optical or magnetic media, burning them, pulverizing them, or passing them through a metal grinder. |
De-magnetization (degauss) | It is the process of exposing magnetic media to a high magnetic field so that the data on it is corrupted and becomes unreadable. |
Destruction Methods for Personal Data Held in the Cloud | |
Secure deletion from software | Personal data kept in the cloud environment is deleted by digital command so that it cannot be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Data deleted in this way cannot be accessed again. |
3.2.1.3. Anonymization Methods
Anonymization means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Subtracting variables | It is the removal of one or more of the direct identifiers that are contained in the personal data of the relevant person and that can be used to identify the relevant person in any way. This method can be used to anonymize personal data, and also to delete personal data that is not suitable for the purpose of data processing. |
Regional hiding | It is the process of deleting potentially distinguishing information belonging to exceptional records in a data table in which personal data is held in collectively anonymized form. |
Generalization | It is the process of bringing together the personal data of many people, removing their distinctive information and turning them into statistical data. |
Lower and upper bound coding / Global coding | For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numerical value, then similar data within the variable are categorized. Values within the same category are combined. |
Micro joining | With this method, all records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset of the specified variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, indirect identifiers in the data will be corrupted, making it difficult to associate the data with the relevant person. |
Data hashing and corruption | Direct or indirect identifiers in personal data are mixed with other values or corrupted, thus severing their relationship with the relevant person and causing them to lose their identifying qualities. |
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. uses one or more of these anonymization methods to anonymize personal data, depending on the nature of the relevant data. When applying these anonymization methods, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. may use the K-Anonymity, L-Diversity and T-Closeness statistical methods.
3.3. STORAGE AND DISPOSAL PERIOD
3.3.1. Storage Periods
DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
Worker | Recruitment documents and personnel data underlying the notifications submitted to the Social Security Institution regarding length of service and remuneration | It is retained for 10 years from the termination of the Business Relationship. |
Worker | Personnel data other than recruitment documents and the personnel data underlying the notifications submitted to the Social Security Institution regarding length of service and wages | It is kept for the duration of the service contract and for a period of 10 (ten) years from the beginning of the calendar year following its termination. |
Worker | Data in Workplace Personal Health File | It is kept for the duration of the service contract and for a period of 15 (fifteen) years following its termination. |
Business Partner/Solution Partner/Consultant | Identity information, contact information, financial information, voice recordings of phone calls, and Business Partner/Solution Partner/Consultant employee data regarding the conduct of the commercial relationship between the Business Partner/Solution Partner/Consultant and HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. | It is kept for the duration of the business/commercial relationship between the Business Partner/Solution Partner/Consultant and HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. and for 10 years after its termination, in accordance with the Turkish Code of Obligations Article 146 and the Turkish Commercial Code Article 82. |
Website Visitor | Name, surname, e-mail address, navigation movements information of the Website Visitor | It is stored for 2 years. |
Employee Candidate | Information contained in the Employee Candidate's CV and job application form | It is kept until the CV becomes out of date, for a maximum of 2 years. |
Intern (student) | Information contained in the intern's internship file | It is retained for the duration of the internship relationship and for a period of 10 (ten) years from the beginning of the calendar year following its termination. |
Customer | Customer's name, surname, ID number, contact information, payment information and methods, navigation information, voice recordings of phone calls, product/service preferences, transaction history, special day information | It is stored for 10 years from the provision of each product/service purchased by the Customer, in accordance with the Turkish Code of Obligations Article 146 and the Turkish Commercial Code Article 82. |
Customer | Camera images, vehicle license plate information | It is stored for 2 years. |
Potential Customer | Identity information, contact information, financial information, and voice recordings taken during telephone calls in contract negotiations regarding the establishment of commercial relations between the Potential Customer and HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. | It is stored for 2 years. |
Institutions/Companies Cooperating with HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. (Supplier, Contract Manufacturer, Dealer/Franchise) | Identity information, contact information, financial information, and voice recordings taken during phone calls relating to the relationship between HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. and the Institutions/Companies with which it cooperates; data of employees of the Institution/Company with which HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. cooperates | It is kept for the duration of the business/commercial relationship between HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. and the Institutions/Companies with which it cooperates and for 10 years after its termination, in accordance with the Turkish Code of Obligations Article 146 and the Turkish Commercial Code Article 82. |
In cases where a longer period is stipulated by legislation, or where a longer period is provided for statute of limitations, prescription periods, retention periods, etc., the periods specified in the relevant legislation are considered the maximum retention periods.
3.3.2. Destruction Periods
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ., in accordance with the Law, relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy, deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date the obligation to delete, destroy, or anonymize the personal data arises.
When the relevant person applies to HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. based on Article 13 of the Law, requesting the deletion or destruction of their personal data:
- If all conditions for processing personal data have been eliminated, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. deletes, destroys, or anonymizes the personal data subject to the request within 30 (thirty) days from the date of the request, explaining the reasons and using an appropriate destruction method. For the request to be deemed valid, the relevant person must submit the request in accordance with the Personal Data Processing and Protection Policy. In all cases, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. informs the relevant person about the action taken.
- If not all conditions for processing personal data have been eliminated, this request may be rejected by HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. by explaining the reasons for rejection, in accordance with Article 13, paragraph 3 of the Law, and the rejection will be communicated to the relevant person in writing or electronically within thirty days at the latest.
3.4. PERIODIC DESTRUCTION
If all conditions for processing personal data, as stated in the Law, have been eliminated, HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. will delete, destroy, or anonymize the personal data whose processing conditions have ceased, through a recurring process carried out ex officio as specified in this Personal Data Retention and Destruction Policy.
The periodic destruction process will begin on 03.06.2024 and will be repeated every 6 (six) months.
3.5. SUPERVISION OF THE LEGALITY OF DESTRUCTION
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. performs destruction processes, whether upon request or in the context of periodic destruction processes, in accordance with the Law, other relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy.
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. takes various administrative and technical measures to ensure that destruction processes comply with these regulations.
3.5.1. Technical Measures
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. keeps technical tools and equipment suitable for each destruction method listed in this policy.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. ensures the security of the location where destruction takes place.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. maintains access records for individuals performing the destruction.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. employs competent and experienced personnel for the destruction process or, if necessary, obtains services from qualified third parties.
3.5.2. Administrative Measures
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. raises awareness and provides training to employees performing destruction operations on issues such as information security, personal data protection, and privacy.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. seeks legal and technical consultancy to monitor developments in information security, privacy, personal data protection, and secure destruction techniques, and takes necessary actions accordingly.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. signs protocols with third parties involved in destruction operations to ensure personal data protection, and takes all necessary care to ensure that third parties comply with these protocols.
- HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. regularly audits whether the destruction processes comply with the law and the conditions and obligations specified in this Personal Data Retention and Destruction Policy, and takes necessary actions as required.
- The company logs all activities related to the deletion, destruction, and anonymization of personal data and keeps these records for a minimum of three years, except for other legal obligations.
SECTION 4: PERSONAL DATA COMMISSION
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. establishes a Personal Data Commission within its organization. The Personal Data Commission is authorized and responsible for conducting or overseeing the necessary processes to ensure that the personal data of individuals are stored and processed in accordance with the law, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Destruction Policy.
SECTION 5: UPDATES AND COMPLIANCE
HASER ALÜMİNYUM PLASTİK SANAYİ VE TİCARET LTD. ŞTİ. reserves the right to amend the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy in response to changes in the Law, decisions of the Authority, or developments in the sector or in the field of information technology.
Any changes to this Personal Data Retention and Destruction Policy will be immediately incorporated into the text, and explanations regarding the changes will be provided at the end of the policy.
5.1 CHANGE NOTES
02.01.2024 | Personal Data Storage and Destruction Policy has been published. |