Personal Data Protection Law
HİSARLAR MAKİNA PERSONAL DATA RETENTION AND DISPOSAL POLICY
1. OBJECTIVE OF THE DISPOSAL POLICY
The objective of this Disposal Policy (Policy) is to outline the procedures for the deletion, disposal, or anonymisation of personal data by HİSARLAR MAKİNA, either ex officio or upon the request of the data subject, in accordance with the Regulation on the Deletion, Disposal, or Anonymisation of Personal Data (Regulation) published in the Official Gazette on 28/10/2017. This applies when the conditions for processing personal data, as defined in Articles 4, 5, and 6 of the Law on the Protection of Personal Data No. 6698 (Law), no longer exist.
2. DEFINITIONS
Disposal:
The process of deleting, disposing of, or anonymising personal data.
Recording Medium:
Any medium containing personal data that is either fully or partially automated, or processed manually, as long as it is part of a data recording system.
Personal Data:
Information relating to an identified or identifiable natural person.
Personal Data Policy:
Refers to the Personal Data Protection and Privacy Policy prepared by HİSARLAR MAKİNA.
Processing of Personal Data:
Any action performed on personal data, such as collecting, recording, storing, retaining, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or restricting the use of personal data by fully or partially automated means, or manually as part of a data recording system.
Anonymisation of Personal Data:
The process of making personal data impossible to link with an identified or identifiable natural person, even when matched with other data.
Deletion of Personal Data:
Making personal data inaccessible and non-reusable in any way by the relevant users.
Disposal of Personal Data:
Rendering personal data permanently inaccessible, irretrievable, and non-reusable by anyone.
Periodic Disposal:
The regular process of deleting, disposing of, or anonymising personal data at recurring intervals, carried out ex officio where the conditions for processing personal data specified in the Law no longer exist, as stipulated in the personal data retention and disposal policy.
3. MEDIA USED FOR STORING PERSONAL DATA
The personal data of data subjects are securely stored by HİSARLAR MAKİNA in the environments listed below, in compliance with the relevant legislation, particularly the provisions of the Law:
Electronic media:
• Customer Relationship Management (CRM) systems
• MS SQL Server
• Email accounts
• Microsoft Office applications
• Image recording devices
(Additional electronic media used by HİSARLAR MAKİNA may be included)
Physical media:
• Departmental cabinets
• Folders
• Archives
(Additional physical environments used by HİSARLAR MAKİNA may be included)
4. REASONS FOR DATA RETENTION AND DISPOSAL
Personal data related to data subjects may be collected and stored by HİSARLAR MAKİNA for the following purposes:
a. Ensuring the continuity of business operations,
b. Complying with legal obligations,
c. Planning and implementing employee rights and benefits,
d. Managing customer relationships, public relations, advertising, and social responsibility projects.
These data are securely stored in the electronic and physical media outlined above, within the limits set by the Law and other relevant legislation.
The justifications for storing personal data include:
a. The personal data is directly related to the formation and execution of contracts,
b. The establishment, exercise, or protection of a legal right concerning personal data,
c. HİSARLAR MAKİNA has a legitimate interest in processing personal data, provided it does not infringe upon individuals’ fundamental rights and freedoms,
d. Compliance with HİSARLAR MAKİNA’s legal obligations regarding personal data,
e. Legal provisions that mandate the retention of personal data,
f. The explicit consent of the data subjects, where storage activities necessitate such consent.
In accordance with the Regulation, personal data will be deleted, disposed of, or anonymised by HİSARLAR MAKİNA, either ex officio or upon request, in the following situations:
a. If the relevant legislative provisions that justify the processing or storage of personal data are amended or repealed,
b. If the purpose for processing or storing personal data ceases to exist,
c. If the conditions specified in Articles 5 and 6 of the Law, which justify the processing of personal data, are no longer met,
d. If personal data was processed solely based on explicit consent, and the data subject withdraws their consent,
e. If a data subject’s request for the deletion, disposal, or anonymisation of their personal data is accepted by the data controller pursuant to their rights under Article 11(2)(e) and (f) of the Law,
f. If the data controller rejects or provides an insufficient response to a data subject’s request for deletion, disposal, or anonymisation of their personal data, or fails to respond within the timeframes specified in the Law, and the subject files a complaint with the Board, which approves the request,
g. If the maximum period for retaining personal data has expired and no legal justification exists for extending the retention period.
5. MEASURES IMPLEMENTED FOR PERSONAL DATA PROTECTION
Pursuant to Article 12 of the Law, HİSARLAR MAKİNA implements the necessary technical and administrative measures to ensure an adequate level of security to prevent unlawful processing of personal data, unauthorized access to such data, and to ensure its proper retention. The necessary audits are conducted or commissioned to ensure compliance with these measures.
All technical and administrative precautions are outlined in the Personal Data Policy. In the event that processed personal data is unlawfully obtained by third parties despite all protective measures, HİSARLAR MAKİNA promptly notifies the relevant authorities (Personal Data Protection Authority).
5.1. Technical Safeguards:
• Technical precautions are taken in line with technological advancements, and these measures are periodically updated and renewed.
• Access and authorization controls are implemented based on legal compliance requirements specific to business units.
• Access rights are limited, and these authorizations are regularly reviewed.
• The effectiveness of technical measures is regularly assessed, risks are re-evaluated, and necessary technological solutions are applied.
• Security software and hardware, including antivirus systems and firewalls, are employed.
• Qualified personnel with technical expertise are hired.
• Regular security scans are conducted to identify vulnerabilities in applications where personal data is processed, and identified vulnerabilities are promptly addressed.
• Penetration testing services are obtained to detect system vulnerabilities when necessary.
• Personal data is securely disposed of in a manner that ensures it cannot be recovered and leaves no trace behind.
5.2. Administrative Safeguards:
• Employees receive training on technical measures to prevent unauthorized access to personal data.
• Access and authorization processes for personal data are designed and implemented in accordance with the legal compliance requirements specific to each business unit. The sensitivity and importance of the data are considered when determining access restrictions.
• HİSARLAR MAKİNA includes provisions in all documents governing the relationship between the company and its personnel, which contain personal data, stating that processing personal data in compliance with the Law, maintaining confidentiality, and not disclosing or unlawfully using personal data are mandatory obligations that continue even after the termination of employment.
• Employees are informed that they must not disclose personal data they have accessed or use it for purposes other than its lawful processing, with this obligation continuing after their employment ends. Employees are required to sign commitments confirming this.
• Contracts with third parties to whom personal data is lawfully transferred include provisions that require the recipient to implement necessary security measures for the protection of personal data and ensure compliance within their own organizations.
• If personal data is unlawfully accessed by unauthorized individuals, HİSARLAR MAKİNA will promptly notify both the data subjects and the relevant regulatory authority.
• Knowledgeable and experienced personnel are employed as necessary to manage personal data processing, and employees are provided with ongoing training on data protection legislation and data security.
• Audits are conducted to ensure the effective implementation of the Law’s provisions. Identified vulnerabilities in confidentiality and security are promptly addressed following the audits.
6. MEASURES FOR THE DISPOSAL OF PERSONAL DATA
Although HİSARLAR MAKİNA processes personal data in accordance with the applicable legal provisions, it may delete or dispose of such data, either ex officio or upon the request of the data subject, once the reasons necessitating the processing cease to exist. Once personal data has been deleted, the relevant users will no longer be able to access or use it in any manner. HİSARLAR MAKİNA will implement an effective data monitoring system to identify and track personal data disposal processes. This involves identifying the data to be deleted, identifying the relevant users, determining how those users access the data, and promptly deleting the data.
HİSARLAR MAKİNA may use one or more of the following methods to delete, dispose of, or anonymise personal data, depending on the medium in which the data is stored.
6.1. Methods for Deletion, Disposal, and Anonymisation of Personal Data
6.1.1. Deletion of Personal Data
Deletion of personal data refers to the process by which such data is made inaccessible and non-reusable by the relevant users. HİSARLAR MAKİNA may employ one or more of the following methods for deleting personal data:
• Personal data stored in paper format will be rendered inaccessible by striking through, painting over, cutting out, or blacking out the information.
• Users’ access rights to office files in the central file system will be revoked.
• Rows or columns containing personal data in databases will be deleted using the appropriate database commands (e.g., DELETE).
• Where necessary, secure deletion will be performed by a qualified expert.
6.1.2. Disposal of Personal Data
Disposal of personal data means rendering the data permanently inaccessible, unrecoverable, and unusable by anyone. The methods of disposal include:
• Physical Disposal
• Paper Shredding
• Degaussing (de-magnetisation): the data on magnetic media is corrupted by exposing the medium to a strong magnetic field in a specialised device, rendering the data unreadable.
6.1.3. Anonymisation of Personal Data
Anonymisation of personal data refers to the process whereby the data can no longer be linked to an identified or identifiable individual, even when combined with other data. HİSARLAR MAKİNA may use one or more of the following anonymisation techniques:
• Masking: key identifying information is removed or obscured from the dataset so that the remaining data can no longer be linked to an individual.
• Record removal (de-registration): records that are unique within the dataset, and would therefore stand out, are removed so that the remaining data is anonymised.
• Regional hiding: a specific value is concealed when its combination with the other attributes of the record is rare enough to single out an individual.
• Global coding: the content of personal data is generalised, such as using age ranges instead of exact birth dates or a region instead of a full address, so that the data can no longer be associated with any individual.
• Incorporating noise: in datasets dominated by numerical values, noise is added by applying deviations of a predetermined size in both the positive and negative directions. For instance, in a dataset of weight measurements, a deviation of ±3 kg is applied to obscure the actual values. This deviation is applied consistently to every value in the dataset.
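The masking, global coding, regional hiding and noise techniques listed above, run over a small constructed dataset as an added illustration; this is example code, not HİSARLAR MAKİNA's own tooling, and it reads the ±3 kg rule as a random per-value offset within that band, which is an assumption.

```python
import random
from datetime import date

# Constructed, fictitious records used only to illustrate the techniques.
RECORDS = [
    {"name": "A. Yilmaz", "birth_date": date(1985, 4, 12),
     "address": "Ornek Mah. 12/3, Atasehir, Istanbul", "weight_kg": 64.0},
    {"name": "B. Kaya", "birth_date": date(1991, 9, 30),
     "address": "Deneme Sok. 5, Bornova, Izmir", "weight_kg": 78.5},
    {"name": "C. Demir", "birth_date": date(1988, 1, 2),
     "address": "Test Cad. 44, Kadikoy, Istanbul", "weight_kg": 70.0},
    {"name": "D. Celik", "birth_date": date(1954, 7, 19),
     "address": "Misal Mah. 8, Nilufer, Bursa", "weight_kg": 59.0},
]

def mask(record, identifiers=("name", "address", "birth_date")):
    """Masking: drop the key identifying fields from a record."""
    return {k: v for k, v in record.items() if k not in identifiers}

def age_range(birth_date, as_of, width=10):
    """Global coding: a birth date becomes a width-year age band such as '30-39'."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def city_only(address):
    """Global coding: a full address is reduced to its last component, the city."""
    return address.split(",")[-1].strip()

def global_code(record, as_of):
    """Replace direct identifiers with generalised quasi-identifiers."""
    coded = mask(record)
    coded["age_range"] = age_range(record["birth_date"], as_of)
    coded["city"] = city_only(record["address"])
    return coded

def regional_hide(records, keys=("age_range", "city"), min_count=2):
    """Regional hiding: blank a quasi-identifier combination seen fewer than
    min_count times, since a rare combination can single someone out."""
    counts = {}
    for r in records:
        combo = tuple(r[k] for k in keys)
        counts[combo] = counts.get(combo, 0) + 1
    return [{**r, **{k: None for k in keys}}
            if counts[tuple(r[k] for k in keys)] < min_count else r
            for r in records]

def add_noise(values, deviation=3.0, seed=0):
    """Incorporating noise: each value is shifted by a random offset drawn
    from [-deviation, +deviation] (assumed reading of the +/-3 kg rule)."""
    rng = random.Random(seed)
    return [round(v + rng.uniform(-deviation, deviation), 1) for v in values]

def anonymise(records, as_of=date(2024, 1, 1)):
    """Pipeline: mask + global coding, then regional hiding, then noise."""
    coded = regional_hide([global_code(r, as_of) for r in records])
    noisy = add_noise([r["weight_kg"] for r in coded])
    return [{**r, "weight_kg": w} for r, w in zip(coded, noisy)]
```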
In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistical analysis. Such processing falls outside the scope of the Law, and the explicit consent of the data subject is not required.
HİSARLAR MAKİNA reserves the right to decide, at its discretion, on the deletion, disposal, or anonymization of personal data and to determine the method to be used, based on the category of data involved. Furthermore, pursuant to Article 13 of the Regulation, if the data subject selects a specific category of deletion, disposal, or anonymization when making a request, HİSARLAR MAKİNA may freely choose the method to be applied within the selected category.
7. STORAGE AND DISPOSAL PERIODS FOR PERSONAL DATA
HİSARLAR MAKİNA retains personal data for the duration necessary to achieve the purpose for which it was collected. If the primary purpose for collecting personal data, or any secondary processing basis as outlined in this Policy, ceases to exist, personal data may still be retained for the periods mandated by law.
If a specific retention period is prescribed by applicable legislation for the relevant personal data, this period will be adhered to. In the absence of such a legislative requirement, personal data will be stored for the maximum duration allowed under personal data laws and relevant legislation. These retention periods are determined based on an assessment of HİSARLAR MAKİNA’s data categories and data subject groups, ensuring compliance with legal obligations, including the maximum statute of limitations (10 years) under the Turkish Code of Obligations.
Once these retention periods expire and the obligation arises to delete, dispose of, or anonymise personal data, HİSARLAR MAKİNA will undertake such actions in the first periodic disposal process following the expiration date.
8. COMPANY PERIODIC DISPOSAL PERIODS
HİSARLAR MAKİNA’s periodic disposal period is set at (PERIODIC DISPOSAL PERIOD SHOULD BE SPECIFIED) years. Personal data that has reached the end of its retention period will be disposed of in accordance with the procedures outlined in this Policy, within the … annual periods specified by this Policy. Data stored in any medium, such as documents, files, CDs, floppy disks, or hard disks, will be deleted in a manner that ensures the information cannot be recovered or restored.
9. PERSONNEL
As the data controller under the Law, HİSARLAR MAKİNA is responsible, in conjunction with its personnel, for ensuring compliance with the legal requirements regarding data retention and disposal, as per Article 11(1) of the Regulation. Each responsible department is obligated to supervise that the relevant personnel within the department adhere to this Policy and the Personal Data Policy prepared in accordance with the Law and Regulation. Department supervisors must report the actions taken under this Policy to the HİSARLAR MAKİNA Personal Data Controller during the prescribed periodic disposal periods. The decisions based on these reports will be implemented accordingly.
10. APPLICATION BY THE RELEVANT INDIVIDUAL
The relevant individual may apply to HİSARLAR MAKİNA, using a written application form available by request, to seek the deletion or disposal of their personal data, in accordance with Article 13 of the Law and Article 12 of the Regulation.
1. If all conditions for processing personal data no longer apply, the data controller must delete, dispose of, or anonymise the personal data as requested. The data controller must resolve the individual’s request within thirty days and notify them of the outcome.
2. If all conditions for processing personal data have ceased to exist and the data has been transferred to third parties, the data controller will notify the third party and ensure the necessary actions are taken under the Regulation.
3. If the conditions for processing personal data have not been fully extinguished, the data controller may reject the request by providing a justification. The rejection response will be provided in writing or electronically within thirty days. HİSARLAR MAKİNA may refuse to delete personal data on the following grounds:
a. The processing of personal data, after it has been anonymised for official statistics, for purposes such as research, planning, and statistics.
b. Processing personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that such processing does not infringe national defense, national security, public safety, public order, economic security, privacy, or personal rights, and does not constitute a crime.
c. Processing personal data within the scope of preventive, protective, or intelligence activities conducted by public institutions or organizations legally authorized to ensure national defense, national security, public safety, public order, or economic security.
d. Processing personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials, or execution procedures.
e. Processing personal data is necessary for the prevention of crime or during a criminal investigation.
f. Processing personal data made public by the data subject themselves.
g. Processing personal data is necessary for the execution of supervisory or regulatory functions or disciplinary investigations by legally authorized public institutions or professional bodies with public institution status.
h. Processing personal data is essential for the protection of the economic and financial interests of the state concerning budgetary, taxation, and financial matters.
i. The request by the data subject could potentially obstruct the rights and freedoms of other individuals.
j. The request entails an effort disproportionate to its objective.
k. The information requested is already public.
10.1 The Right of the Data Subject to File a Complaint with the PDP Board
In accordance with Article 14 of the Law, if the application is rejected, the response is deemed unsatisfactory, or no response is provided within the prescribed time, the data subject may lodge a complaint with the PDP Board within thirty days from the date they became aware of HİSARLAR MAKİNA’s response, and in any case, within sixty days from the date of application.
11. INFORMATION THE COMPANY MAY REQUEST FROM THE APPLICANT DATA SUBJECT
HİSARLAR MAKİNA may request information from the relevant individual to verify whether the applicant is indeed the data subject. Additionally, HİSARLAR MAKİNA may ask the data subject questions regarding their application to clarify any matters raised within it.
12. REVISION AND REPEAL
Should the Policy be amended or repealed, the updated version or the new policy will be published on the HİSARLAR MAKİNA website (https://hisarlar.com.tr/).