BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY
PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY
TABLE OF CONTENTS
1.INTRODUCTION
1.1.Objective
1.2.Scope
1.3.Definitions and Abbreviations
2.PRINCIPLES
- EXPLANATIONS ON THE REASONS FOR RETENTION AND DESTRUCTION
- PRINCIPLES ON RETENTION AND DESTRUCTION PERIODS
- PROCEDURES FOR STORAGE AND DESTRUCTION OF PERSONAL DATA BY THE COMPANY
5.1.Recording Mediums
5.2.Administrative and Technical Measures
5.2.1. Administrative Measures
5.2.2. Technical Measures
- DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
- PERSONAL DATA DESTRUCTION PROCEDURES
7.1. Deletion of Personal Data
7.2. Destruction of Personal Data
7.3. Anonymization of Personal Data
- STORAGE AND DISPOSAL PERIODS
- PERIODIC DESTRUCTION PERIOD
- PUBLICATION AND STORAGE OF THE POLICY
- POLICY UPDATE PERIOD
12.ENFORCEMENT AND REPEAL OF THE POLICY
13.OTHER MATTERS
ANNEX-1: DESTRUCTION REPORT
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
- INTRODUCTION
1.1.Objective
The Personal Data Storage and Destruction Policy has been prepared in order to specify the procedures and principles to be applied regarding the business and transactions regarding the storage and destruction of personal data carried out by Beta Ecza Deposu Ticaret Sanayi Limited Şirketi.
The third paragraph of Article 7 of the Law on the Protection of Personal Data stipulates that “The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by regulation”. Based on this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on Deletion, Destruction or Anonymization of Personal Data was prepared by the Personal Data Protection Board and published in the Official Gazette dated October 28, 2017 and numbered 30224.
Turkuaz Waste Management has prioritized the processing of personal data belonging to company employees, employee candidates, customers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data and other relevant legislation and ensuring that the relevant persons effectively use their rights.
Businesses and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.
1.2. Scope
This Policy relates to the personal data of employees, employee candidates, shareholders/partners, visitors, third parties and their employees (business partners, suppliers and their employees) and third parties who receive products/services within our company and the personal data of third parties who receive products/services, which are processed in whole or in part by automatic or non-automatic means provided that they are part of any data recording system, and the storage and destruction of this data.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
1.3. Definitions and Abbreviations
| ABBREVIATIONS | DEFINITIONS |
| Open Consent | Consent on a specific subject, based on information and expressed with free will. |
| Related User | Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Recording Environment | Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| Anonymization of Personal Data | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Deletion of Personal Data | Deletion of personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users. |
| Kişisel Verilerin Yok Edilmesi | The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
| Assembly | Personal Data Protection Assembly. |
| Periodic Destruction | In the event that all of the conditions for processing personal data specified in the Law disappear, the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy. |
| Data Owner/Related Person | Data Owner/Related Person |
2.PRINCIPLES
Beta Ecza Deposu Ticaret Sanayi Limited Şirketi acts within the framework of the following principles in the storage and destruction of personal data.
- In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12 and specified in Article 5.2 of this Policy, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
- All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Company and such records are kept for at least 3 years, excluding other legal obligations.
- Unless otherwise decided by the Board, the appropriate method of ex officio deletion, destruction and anonymization of personal data is selected by us. However, if requested by the Data Subject, the method will be selected by explaining the reason.
- In the event that all of the conditions for the processing of personal data specified in Articles 5 and 6 of the Law disappear, personal data are deleted, destroyed or anonymized by the Company ex officio or upon the request of the Data Subject. In case the Data Subject applies to the Company in this regard;
- The requests are finalized within 30 (thirty) days at the latest and the Data Subject is informed.
- In the event that the data subject to the request is transferred to third parties, this situation is notified to the third party to whom the data is transferred and it is ensured that necessary actions are taken before third parties.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
- EXPLANATIONS ON THE REASONS FOR RETENTION AND DESTRUCTION
- Personal data of data subjects are securely stored by the Company in physical or electronic media specified in Article 5.1. within the limits specified in the KVKK and other relevant legislation, especially for the following purposes.
- Maintaining commercial activities
- Planning and execution of employee rights and benefits
- Managing customer relations and providing better service to customers
- Ensuring company security
- To establish contact with real/legal persons who have a business relationship with the organization
- Storing personal data as it is directly related to the establishment and performance of contracts
- Storing personal data for the purpose of establishing, exercising or protecting a right
- It is mandatory to store personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals
- Storage of personal data in order for the Company to fulfill any legal obligation
- The legislation clearly stipulates the storage of personal data
- Burden of proof as evidence in future legal disputes
- Pursuant to the Regulation, in the cases listed below, the personal data of the data subjects shall be deleted, destroyed or anonymized by the Company ex officio or upon request.
- Amendment or abrogation of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data
- The purpose requiring the processing or storage of personal data disappears
- The disappearance of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law
- In cases where the processing of personal data takes place only on the basis of explicit consent, the Data Subject’s withdrawal of consent
- In cases where the Data Controller rejects the application made by the Data Subject with the request for deletion, destruction or anonymization of personal data, the response is found insufficient or does not respond within the period stipulated in the Law; In case of a complaint to the Board and this request is approved by the Board
- Acceptance by the Data Controller of the application made by the Data Subject regarding the deletion, destruction or anonymization of personal data within the framework of the rights in paragraphs (e) and (f) of Article 11 of the Law
- Although the maximum period required for the retention of personal data has expired, there is no condition that would justify the retention of personal data for a longer period of time
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
- PRINCIPLES ON RETENTION AND DESTRUCTION PERIODS
In determining the retention and destruction periods of your personal data obtained by the Company in accordance with the provisions of the KVKK and other relevant legislation, the following measures are used respectively.
- If a period of time is stipulated in the legislation regarding the storage of such personal data, this period is complied with. Following the expiration of the aforementioned period, action is taken about the data within the scope of subparagraph 2 below.
- In the event that the period stipulated in the legislation regarding the storage of the personal data in question expires or if no period is stipulated in the relevant legislation regarding the storage of the data in question, respectively;
- Personal data shall be classified as personal data and personal data of special nature based on the definition in Article 6 of the KVKK. All personal data determined to be of special nature shall be destroyed. The method to be applied in the destruction of the data in question is determined according to the nature of the data and the importance of its storage before the Company.
- The compliance of the storage of the data with the principles specified in Article 4 of the KVKK is questioned. Data that is determined to be in violation of the principles set forth in Article 4 of the LPPD shall be deleted, destroyed or anonymized.
- It is determined within the scope of which of the exceptions stipulated in Articles 5 and 6 of the KVKK the storage of the data can be evaluated. Within the framework of the determined exceptions, reasonable periods of time for data retention are determined. At the end of these periods, the data is deleted, destroyed or anonymized.
- Health-related documents must be kept for at least 15 years after the employee leaves the workplace.
- Documents relating to any activity related to occupational health and safety must be kept for at least 15 years.
- Care must be taken to destroy expired documents related to health data. After the documents are destroyed, no data should be readable.
- All transactions regarding the deletion, destruction and anonymization of personal data shall be recorded and such records shall be kept for at least 3 years, excluding other legal obligations.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
- PROCEDURES FOR STORAGE AND DESTRUCTION OF PERSONAL DATA BY THE COMPANY
5.1. Recording Media
Personal data are securely stored by the Company in accordance with the law in the following environments.
- Electronic Media
Servers (Domain, backup, e-mail, database, web, file sharing, etc.), Software (office software, portal), Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.), Personal computers (Desktop, laptop) Mobile devices (phone, tablet, etc.) Optical disks (CD, DVD, etc.) Removable memories (USB, Memory Card, etc.) Printer, scanner, copier
- Non-Electronic Media
Paper, Manual data recording systems (survey forms, visitor logbook), Written, Printed, Visual Media
5.2.1.Administrative Measures
Turkuaz Waste Management takes the following administrative measures.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness raising activities on data security for employees are carried out at regular intervals.
- An authorization matrix has been established for employees.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality undertakings are made.
- The authorizations of employees who change their duties or leave their jobs in this area are removed, and the signed contracts contain data security provisions.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Awareness of data processing service providers on data security is ensured.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
5.2.2. Technical Measures
- The Company takes the following technical measures.
- Network security and application security are ensured.
- Closed system network is used for personal data transfers through the network.
- Key management is implemented.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Security of personal data stored in the cloud is ensured.
- Access logs are kept regularly. Data masking measures are applied when necessary.
- Up-to-date anti-virus systems are used.
- Firewalls are used. Personal data security is monitored.
- Necessary security measures are taken for entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- User account management and authorization control system is implemented and monitored.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Attack detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is performed.
- Data loss prevention software is used.
6.PERSONAL DATA DISPOSAL PROCEDURES
Personal data obtained by the Company in accordance with the KVKK and other relevant legislation will be destroyed by the Company ex officio or upon the application of the Data Subject in accordance with the provisions of the Law and the relevant legislation in the event that the personal data processing purposes listed in the Law and Regulation disappear.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
6.1. Deletion of Personal Data
- Personal Data on Servers
For the personal data on the servers, deletion is made by the system administrator by removing the access authorization of the relevant users for those whose retention period has expired.
- Personal Data in Electronic Media
The personal data in electronic media that expire after the period of time required for their retention are rendered inaccessible and non-reusable in any way for employees other than the database administrator.
- Personal Data in Physical Environment
Fiziksel ortamda tutulan kişisel verilerden saklanmasını gerektiren süre sona erenler için evrak arşivinden sorumlu birim yöneticisi hariç diğer diğer çalışanlar için hiçbir şekilde erişilemez ve tekrar kullanılamaz hale getirilir. Ayrıca, üzeri okunamayacak şekilde çizilerek/boyanarak/silinerek karartma işlemi de uygulanır.
- Personal Data on Portable Media
The personal data stored in Flash-based storage media and those whose period of storage has expired are encrypted by the system administrator and access authorization is given only to the system administrator and stored in secure environments with encryption keys.
6.2. Destruction of Personal Data
- Personal Data in Physical Environment
Personal data in paper form that expires after the period of time required for its retention is irreversibly destroyed in paper shredding machines.
- Personal Data in Optical/Magnetic Media
The personal data contained in optical media and magnetic media are physically destroyed, such as melting, incinerating or pulverizing those whose retention period has expired. In addition, the magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
7.3. Anonymization of Personal Data
Anonymization of Personal Data is to render personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymized; personal data must be rendered unrelated to an identified or identifiable natural person even by using appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the Data Controller or third parties and / or matching the data with other data.
- STORAGE AND DESTRUCTION PERIOD
The obligations imposed by legal regulations are taken into consideration when determining the retention period of personal data. Apart from legal regulations, the retention period is determined by taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized unless there is another legal reason or basis that allows the data to be kept.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the company have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples of the requests previously addressed to the company on the same issues despite the expiration of the statute of limitations.
These periods are shown in the company inventory. After these periods expire, personal data are deleted, destroyed or anonymized. In the event that the period stipulated in the legislation for the storage of the personal data in question expires or no period is stipulated in the relevant legislation for the storage of the data in question, the data is deleted, destroyed or anonymized by the data controller in 6-month periods. Unless otherwise decided by the Authority, the appropriate method of deleting, destroying or anonymizing personal data is selected by the Company. When the relevant person applies to the Company and requests the deletion or destruction of his/her personal data, the relevant request is evaluated according to whether the conditions for processing personal data have disappeared. If the conditions for processing personal data have completely disappeared, the Company deletes, destroys or anonymizes the personal data subject to the request. If the conditions for processing personal data have not been completely eliminated, the relevant request is rejected by explaining the reason. Requests are finalized within 30 days in any case and notified to the relevant person
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
| DATA CATEGORY | STORAGE TIME |
| Identity | 10 Years |
| Contact | 10 Years |
| Personnel | 10 Years |
| Customer Transaction | 10 Years |
| Physical Space Security | 1 Month |
| Process Security | 10 Years |
| Finance | 10 Years |
| Professional Experience | 10 Years |
| Audio and Visual Recordings | 10 Years |
| Health Information | 15 Years |
| Criminal Conviction and Security Measures | 10 Years |
- PERIODIC DESTRUCTION PERIOD
Pursuant to Article 11 of the Regulation, the Company has set the periodic destruction period as 6 months. Accordingly, the Company performs periodic destruction in June and December each year.
- PUBLICATION AND STORAGE OF THE POLICY
This policy, with the wet signature of the Board of Directors, is located in the Company’s KVK Folder.
- PERIOD FOR UPDATING THE POLICY
The Policy is reviewed and the necessary sections are updated as needed in line with the Agency’s decisions and changes in the Law.
- ENTRY INTO FORCE AND ABROGATION OF THE POLICY
The Policy was approved by the Board of Directors of Beta Ecza Deposu Ticaret Sanayi Limited Şirketi and entered into force on 28.12.2022.
The repeal of the Policy is decided by the Board of Directors.
13.OTHER ISSUES
In case of incompatibility between the provisions of the KVKK and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation will be applied first.
| BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY |
| PERSONAL DATA RETENTION, ANONYMIZATION AND DESTRUCTION POLICY |
Annex-1: Destruction Record
| PERSONAL DATA DESTRUCTION REPORT | Date ofArrangement | ||
| The …………………………… documents sent/delivered to Beta Ecza Deposu Ticaret Sanayi Limited Şirketi between …………….-……………. were subjected to the sorting process by the ………………. unit with the ……………………….. method in accordance with the Law on the Protection of Personal Data No. 6698, since there is no longer any interest to keep them, and were destroyed in the presence of the persons who signed this report. The names, positions and signatures of the person who carried out the destruction process and the witnesses are given below. | |||
| Person to whom the document belongs | Person to whom the document belongs | ||
| Those Performing the Destruction | Witnesses to the Destruction |
| Name-Surname-Signature | Name-Surname-Signature |