PDPL Personal Data Storage and Destruction Policy


A. PURPOSE OF DESTRUCTION POLICY

This destruction policy is drafted to define and govern the procedures and rules applied by the Company to erase, destroy or anonymize personal data held by TTS ULUSLARARASI NAKLİYAT VE TİCARET ANONİM ŞİRKETİ (the “Company”) pursuant to the Personal Data Protection Law no. 6698 and other applicable legislation.

Accordingly, the personal data of our employees, employee candidates and customers, as well as of all other individuals whose personal data are in the Company’s possession for any reason, are managed in line with the Personal Data Processing and Protection Policy and the present Personal Data Storage and Destruction Policy.

A.1. DEFINITIONS

Direct identifiers: means any identifier that individually and directly reveals, discloses or distinguishes the person to whom it relates;

Indirect identifiers: means any identifier that reveals, discloses or distinguishes the person to whom it relates only in conjunction with other identifiers;

Data subject: means an individual whose personal data are processed;

Destruction: means the erasure, destruction or anonymization of personal data;

Law: means the Personal Data Protection Law no. 6698 as published in the Official Gazette issued on 07.04.2016 under no. 29677;

Regulation: means the Regulation on the Erasure, Destruction or Anonymization of Personal Data as published in the Official Gazette issued on 28.10.2017 under no. 30224;

Committee: means the Personal Data Protection Committee;

Recording Media: means any media in which personal data are stored, whether processed by fully or partially automated means or, provided that they form part of a data recording system, by non-automated means;

Personal Data Processing and Protection Policy: means the policy that sets out the terms and conditions applicable to the management of the personal data held by the Company, which can be accessed at www.tts.com.tr;

Data recording system: means the recording system in which personal data are structured and processed according to certain criteria.

B. MEDIA AND SECURITY MEASURES

B.1. MEDIA WHERE PERSONAL DATA ARE STORED

Personal data stored by the Company shall be stored in a medium that is suitable for the nature of the personal data and meets our legal obligations.

The recording media used to store personal data are listed below in general terms; certain data may be stored in media other than those set out here because of their particular characteristics or because of our legal obligations. The Company shall in any event act as data controller and shall process and protect personal data in line with the Law, the Personal Data Processing and Protection Policy and the present Personal Data Storage and Destruction Policy.

a) Printed media: means media in which data are stored by printing them on paper or microfilm.

b) Local digital media: means servers, hard or floppy disks, optical discs and similar digital media kept on the Company’s premises.

c) Cloud media: means Internet-based systems used by the Company that are located outside the Company’s premises and in which data are encrypted by cryptographic methods.

B.2. SECURITY OF MEDIA

The Company adopts all kinds of technical and administrative measures that may be required and commensurate with the nature of the media where the relevant personal data are stored. The purpose here is to store personal data in a secure manner and to prevent any unlawful processing and access.

B.2.1. Technical measures

The Company takes the technical measures below for all media in which personal data are stored, in line with the nature of the relevant data and of the media.

  • Only secure and up-to-date systems that keep pace with technological developments are used for the media in which personal data are stored.
  • Security systems are in place for the media in which personal data are stored.
  • Security tests and research are carried out to identify security gaps in information systems, and any actual or potential risk identified as a result is remedied.
  • Access to data in the media in which personal data are stored is restricted: only authorized officers may access such data, and only to the extent required by the purpose for which the data are stored; all access is logged.

B.2.2. Administrative Measures

The Company takes the administrative measures below for all media in which personal data are stored, in line with the nature of the relevant data and of the media.

  • Work is carried out to raise the awareness of all Company employees who have access to personal data in respect of data security, personal data and the privacy of personal life.
  • Legal and technical consultancy services are retained to take the necessary actions and to keep track of developments in the fields of data security, privacy of personal life and protection of personal data.
  • Where personal data are transferred to third parties due to technical or legal requirements, protocols are signed with those third parties for the protection of personal data, and due care and diligence are exercised to ensure that they comply with their obligations thereunder.

B.2.3. In-house Audit

The Company carries out in-house audits in line with Article 12 of the Law to enforce the Law, the present Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy. Any gaps or defects in the application of those provisions identified by an in-house audit shall be remedied immediately. If, during an audit or otherwise, it is discovered that personal data under the Company’s responsibility have been obtained by third parties through unlawful means, the Company shall report this to the data subject and the Committee as soon as possible.

SECTION C: DESTRUCTION OF PERSONAL DATA

C.1. REASONS FOR STORAGE AND DESTRUCTION

C.1.1. Reasons for storage

Personal data kept by the Company are stored for the purposes and reasons defined herein, in line with the Law and our Personal Data Processing and Protection Policy (accessible at www.tts.com.tr).

C.1.2. Reasons for destruction

Personal data kept by the Company shall be erased, destroyed or anonymized pursuant to this destruction policy, either ex officio or upon the request of the data subject, when the processing conditions listed in Articles 5 and 6 of the Law no longer apply.
The processing conditions listed in Articles 5 and 6 of the Law include the following:

  1. It is expressly prescribed by law;
  2. It is necessary to protect the life or bodily integrity of the data subject, who is unable to give consent due to actual impossibility or whose consent is not legally valid, or of a third party;
  3. It is necessary to process the personal data of the parties to a contract, provided that the processing is directly related to the conclusion or performance of that contract;
  4. It is necessary for the data controller to fulfil its legal obligations;
  5. The data have been made public by the data subject himself;
  6. Processing is mandatory for the establishment, exercise or protection of a right;
  7. Processing is mandatory for the legitimate interests of the data controller, provided that it does not prejudice the fundamental rights and freedoms of the data subject.

C.2. METHODS FOR DESTRUCTION

The Company shall erase, destroy or anonymize the personal data it stores, in line with the Law, other legislation and the Personal Data Processing and Protection Policy, upon the request of the data subject or ex officio within the time periods set out in the present Personal Data Storage and Destruction Policy, where the reasons that required the processing no longer apply.

The methods the Company most commonly employs for erasure, destruction and anonymization are listed below:

C.2.1.1 Methods for erasure

Methods to erase personal data kept in printed media

Black-out: Personal data stored in printed media are erased by the black-out method. The personal data on the relevant document are cut out where possible or, where this is not possible, made invisible with permanent ink so that the operation is irreversible and the data cannot be read back by technological means.

Methods to erase personal data stored in cloud and local digital media

Secure erasure from the software: Personal data stored in cloud or local digital media are erased by a software command in a non-retrievable manner. Data erased in this way can no longer be accessed.

C.2.1.2  Methods for destruction

Methods for destruction of personal data stored in printed media:

Physical destruction: Documents kept in printed media are destroyed in paper shredders so that they cannot be reassembled.

Methods to destroy personal data kept in local digital media

Physical destruction: Optical and magnetic media storing personal data are melted, burned, pulverized or ground in a metal grinder so that the data become irretrievable.

Degaussing: Magnetic media are exposed to a strong magnetic field that damages the data stored on them and renders them unreadable.

Overwriting: Random data consisting of 0s and 1s are written over magnetic media and rewritable optical media at least seven times, after which the former data can no longer be read or recovered.
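The following is an added example and not part of the TTS policy: a file-level illustration of the overwriting method, in Python. The policy applies overwriting to whole magnetic and rewritable optical media; this routine instead overwrites a single file, which is only meaningful where a logical write lands on the same physical location. It is not a sanitization method for SSDs, flash media, or copy-on-write and journaling file systems, which may retain old blocks elsewhere. The pass count follows the policy text (minimum seven); the chunk size and the sample record are assumptions made for the illustration.

```python
"""Added example (not part of the TTS policy): file-level overwriting.

Only valid where a write to a file reaches the same physical location as
the old data (classic magnetic media). Not a sanitization method for SSDs,
flash media or copy-on-write / journaling file systems.
"""
import os
import tempfile


def overwrite_file(path, passes=7, chunk_size=1 << 20):
    """Overwrite every byte of `path` with fresh random 0/1 data `passes`
    times, flushing and fsync'ing after each pass so the data reaches the
    device rather than sitting in the page cache. Returns the number of
    bytes overwritten in each pass (the original file size)."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)   # chunk size is an assumption
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def destroy_file(path, passes=7):
    """Overwrite `path` as above, then remove it. Returns the bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo():
    """Create a constructed file holding a fictitious personal record,
    overwrite it, confirm the old content is gone, then delete it.
    Returns True when the file no longer exists."""
    original = b"name=Ayse Yilmaz;id=12345678901;iban=TR00 0000 0000 0000 0000 0000 00\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    overwrite_file(path, passes=7)
    with open(path, "rb") as fh:
        after = fh.read()
    if len(after) != len(original) or after == original:
        raise RuntimeError("overwrite did not change the file content")
    destroy_file(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    print("destroyed:", demo())
```

For individual files on a POSIX system, GNU coreutils `shred -n 7 -u <file>` performs the same sequence (seven overwrite passes, then removal). For whole media, as the policy intends, the overwrite must be applied to the block device itself rather than to files on it, and the fsync step is what makes each pass count: without it the later passes may overwrite only the cache.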

Methods to destroy personal data stored in cloud environment:

Secure erasure from the software: Personal data stored in the cloud are erased by a software command in an irretrievable manner and, when the cloud service relationship is terminated, all copies of the encryption keys required to make the personal data usable are destroyed. Erased data can therefore not be accessed again.

C.2.1.3. Methods for anonymization

Anonymization is the conversion of personal data into a form in which, even if matched or paired with other data, they can no longer be associated with an identified or identifiable individual.

Data masking: Masking one or more direct identifiers, embedded in the data subject’s personal data, that could be used to identify that person. This method may be used to anonymize personal data or to remove personal data that are not suitable for the purpose of the processing.

Local suppression: The erasure of identifying values that appear as exceptions in a data table whose personal data have otherwise been anonymized in aggregate.

Generalization: An operation in which the personal data of several people are combined and converted into statistical data by erasing the distinguishing values.

Top and bottom coding / Global coding: Ranges are defined for a given variable and its values are categorized into those ranges. If the variable is not numeric, values of the variable that are close to each other are grouped into the same category.

Micro-aggregation: All records in the data set are first sorted in a meaningful order and the set is then divided into sub-sets of a given size. The mean of the chosen variable is calculated for each sub-set and replaces the value of that variable in every record of the sub-set. Because the identifying values in the data are thereby dispersed, it becomes difficult to associate the data with the data subject.

Data shuffling and perturbation: Direct or indirect identifiers within the personal data are swapped with other values, or perturbed and distorted, so that their link to the data subject is broken and they lose their identifying character.

The Company shall employ one or more than one anonymization methods depending on the nature of the relevant personal data in order to anonymize them.
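The following is an added example and not part of the TTS policy: the anonymization methods listed above applied, in Python, to a small constructed employee data set, followed by a check that no combination of indirect identifiers in the result singles out fewer than k people. The column names, the sample records, the age bands, the postcode prefix length and the value of k are all assumptions made for this illustration.

```python
"""Added example (not part of the TTS policy): anonymization methods from
section C.2.1.3 applied to a constructed data set.

  - data masking          : the direct identifier (name) is removed
  - top and bottom coding : age becomes a band; extremes collapse into
                            open-ended bands
  - generalization        : postcode is reduced to its first two digits
  - micro-aggregation     : salary is replaced by the mean of its k-group
  - local suppression     : rows whose indirect-identifier combination
                            occurs fewer than k times are dropped
"""
from collections import Counter

# Constructed sample records; the people and values are fictitious.
RECORDS = [
    {"name": "Ayşe",   "age": 23, "postcode": "34214", "salary": 18000},
    {"name": "Mehmet", "age": 29, "postcode": "34218", "salary": 21000},
    {"name": "Fatma",  "age": 35, "postcode": "34220", "salary": 25000},
    {"name": "Ali",    "age": 41, "postcode": "34230", "salary": 31000},
    {"name": "Zeynep", "age": 47, "postcode": "34235", "salary": 40000},
    {"name": "Can",    "age": 62, "postcode": "06100", "salary": 52000},
]
DIRECT_IDENTIFIERS = ("name",)          # assumed column roles
INDIRECT_IDENTIFIERS = ("age", "postcode")


def mask(record, fields=DIRECT_IDENTIFIERS):
    """Data masking: drop the direct identifiers from a record."""
    return {k: v for k, v in record.items() if k not in fields}


def code_age(age, low=20, high=60, width=20):
    """Top and bottom coding: ages below `low` or from `high` upwards go into
    open-ended bands; everything in between is generalized to `width`-year
    bands (e.g. 23 -> '20-39'). Band edges are assumptions."""
    if age < low:
        return f"<{low}"
    if age >= high:
        return f">={high}"
    start = (age // width) * width
    return f"{start}-{start + width - 1}"


def generalize_postcode(postcode, keep=2):
    """Generalization: keep the leading digits only ('34214' -> '34***')."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def micro_aggregate(values, k):
    """Micro-aggregation: sort the values, split them into groups of k (a
    short tail merges into the previous group) and replace each value with
    its group mean. The result keeps the original row order."""
    order = sorted(range(len(values)), key=values.__getitem__)
    groups = [order[i:i + k] for i in range(0, len(order), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    out = [None] * len(values)
    for group in groups:
        avg = sum(values[i] for i in group) / len(group)
        for i in group:
            out[i] = avg
    return out


def is_k_anonymous(rows, k, quasi=INDIRECT_IDENTIFIERS):
    """True when every combination of indirect identifiers occurs >= k times."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return all(c >= k for c in counts.values())


def anonymize(records, k=2):
    """Apply masking, coding, generalization and micro-aggregation, then
    locally suppress the rows that would still single someone out."""
    rows = []
    for r in records:
        r = mask(r)
        r["age"] = code_age(r["age"])
        r["postcode"] = generalize_postcode(r["postcode"])
        rows.append(r)
    for r, s in zip(rows, micro_aggregate([r["salary"] for r in rows], k)):
        r["salary"] = s
    counts = Counter(tuple(r[q] for q in INDIRECT_IDENTIFIERS) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in INDIRECT_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    for row in anonymize(RECORDS, k=2):
        print(row)
```

On this data set the single record with an Ankara postcode (06***) is suppressed because it remains unique after generalization; the remaining rows each share their age band and postcode prefix with at least one other row. The k-anonymity check is the verification step a practitioner would run before releasing the table, since applying the individual methods does not by itself prove that re-identification by matching, as the definition of anonymization above requires, is no longer possible.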

C.3. TIME PERIODS FOR STORAGE AND DESTRUCTION

C.3.1. Time periods for storage

DATA SUBJECT | DATA CATEGORY | DATA STORAGE TIME
Employee, Trainee, Employed Family Member, Supplier Employee, Supplier Officer, Product or Service Buyer | ID | 10 years
Employee, Trainee, Employed Family Member, Supplier Employee, Supplier Officer, Product or Service Buyer | Contact | 10 years
Employee | Location | 1 month
Employee, Trainee | Personnel records data | 10 years
Employee, Shareholder, Trainee, Supplier Employee, Supplier Officer, Product or Service Buyer | Legal procedures | 10 years
Supplier Employee, Supplier Officer, Product or Service Buyer | Customer operations | 10 years
Employee, Visitor | Security of physical space | 1 year
Employee, Trainee | Transaction security | 3 years
Employee, Supplier Employee, Supplier Officer, Product or Service Buyer | Finance | 10 years
Employee | Professional experience | 10 years
Product or Service Buyer | Marketing | Until the first periodic destruction
Employee, Trainee, Visitor | Audiovisual records | 10 years
Employee | Health data | 15 years
Employee, Product or Service Buyer | Bank account data | 10 years
Employee | Family member and next of kin data | 10 years

* Where the applicable legislation sets a longer period, including a longer limitation, prescription or retention period, the period set in that legislation shall be considered the maximum storage time.

C.3.2.  Time periods for destruction

The Company shall erase, destroy or anonymize personal data in the first periodic destruction operation following the date on which its obligation to erase, destroy or anonymize the personal data for which it is responsible under the Law, other applicable legislation, the Personal Data Processing and Protection Policy and the present Personal Data Storage and Destruction Policy arises.

In the event that the data subject applies to the Company pursuant to Article 13 of the Law and demands that his personal data be erased or destroyed:

  1. Where all conditions for processing the personal data have ceased to apply, the Company shall erase, destroy or anonymize the personal data within 30 (thirty) days of receiving the request and shall state its reasons. The Company shall be deemed to have received the request only if the data subject submits it in line with the Personal Data Processing and Protection Policy. The Company shall in any event duly inform the data subject of the operation applied to the data.
  2. Where the conditions for processing the personal data have not all ceased to apply, the Company shall reject the request pursuant to the third paragraph of Article 13 of the Law, stating its reasons, and shall notify the data subject in writing or electronically within thirty days at the latest.

C.4. PERIODIC DESTRUCTION

Where all conditions for processing personal data set out in the Law have ceased to apply, the Company shall, ex officio, erase, destroy or anonymize the personal data that are no longer to be processed at the recurring intervals stated in the present Personal Data Storage and Destruction Policy.

The periodic destruction interval is 6 (six) months.

C.5. CHECKING IF DESTRUCTION IS IN COMPLIANCE WITH THE LAW

The Company shall carry out destruction operations either upon request or at periodic destruction ex officio in line with the Law, other legislation, Personal Data Processing and Protection Policy and the present Personal Data Storage and Destruction Policy. The Company takes a variety of administrative and technical measures in order to ensure that destruction operations are carried out in line with the said regulations.

C.5.1.Technical Measures

  • The Company shall keep such technical instruments and equipment suitable for each destruction method defined herein.
  • The Company shall ensure the security of the place where destruction takes place.
  • The Company shall keep access records of those who destroy personal data.
  • The Company shall either employ highly qualified and experienced staff members for destruction or shall outsource this destruction process to competent third parties.

C.5.2. Administrative measures

  • The Company shall carry out work to raise the awareness of all Company employees who have access to personal data in respect of data security, personal data and the privacy of personal life.
  • The Company shall retain legal and technical consultancy services to take the necessary actions and to keep track of developments in the fields of data security, privacy of personal life and protection of personal data.
  • Where the Company engages third parties to destroy data due to technical or legal requirements, it shall sign protocols with those third parties for the protection of personal data and shall exercise due care and diligence to ensure that they comply with their obligations thereunder.
  • The Company shall regularly audit whether destruction is carried out in compliance with the Law and with the conditions and obligations set out in the present Personal Data Storage and Destruction Policy, and shall take the necessary actions.
  • The Company shall record all erasure, destruction and anonymization operations on personal data and shall keep those records for at least three years, unless other legal obligations dictate otherwise.

SECTION D: PERSONAL DATA COMMITTEE

The Company shall set up an in-house Personal Data Committee. The Personal Data Committee is authorized and under a duty to take, or procure the taking of, the actions necessary to ensure that the personal data of data subjects are handled in compliance with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy, and is also responsible for auditing these processes.

The Personal Data Committee consists of three members: a manager, an administrative specialist and a technical specialist. The titles and task definitions of the Company employees staffed on the Personal Data Committee are as follows:

Personal Data Committee Manager: Supervises all planning, analysis, research and risk identification work in all projects carried out in compliance with the Law; administers the processes that must be carried out in line with the Law, the Personal Data Processing and Protection Policy and the Personal Data Storage and Destruction Policy; and decides on the requests received from data subjects.

PDP Specialist (technical and administrative): Reports requests from data subjects to the Personal Data Committee Manager for review and evaluation; fulfils the requests of data subjects in line with the Manager’s decision; carries out audits of the storage and destruction processes and reports them to the Personal Data Committee Manager; and carries out the storage and destruction processes.

SECTION E: UPDATES AND COMPLIANCE

The Company reserves the right to change the Personal Data Processing and Protection Policy or the present Personal Data Storage and Destruction Policy on account of amendments to the Law, decisions of the Agency, or developments in the sector or in the information industry.

Amendments to the present Personal Data Storage and Destruction Policy shall be applied to the text immediately, and the changes shall be explained at the end of the policy.

İstoç Oto ve Ticaret Merkezi, Askar Plaza, Kat:2, No:22-23 34214 Bağcılar İstanbul
P: +90 212 911 87 00 F: +90 212 911 87 20