PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. PURPOSE AND SCOPE
HEYBİE BİLİŞİM TEKNOLOJİLERİ VE DİJİTAL HİZMETLER ANONİM ŞİRKETİ ("Our Company") is committed to complying with the rules on the protection, processing, and destruction of personal data, in line with its legal responsibilities under the relevant legislation. This Personal Data Storage and Destruction Policy ("Policy") sets out the framework and principles under which the required storage and destruction work is carried out within the scope of that legislation.
Pursuant to the Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017, and numbered 30224 ("Regulation"), data controllers are obligated to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory. The purpose of this Policy, prepared based on the above regulation, is to determine the maximum periods required for the purposes for which personal data processed by our Company is processed, and to define the deletion, destruction, or anonymization processes and the roles and responsibilities of persons involved in these processes.
The scope of this Policy includes: maximum storage periods for personal data, technical and administrative measures taken for lawful storage and destruction of personal data, units involved in relevant processes within our Company, and recording environments.
2. DEFINITIONS
Electronic Environment: Environments where personal data can be created, read, modified, and written with electronic devices.
Non-Electronic Environment: All written, printed, visual, etc. other environments outside of electronic environments.
Law: Personal Data Protection Law No. 6698.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means, or otherwise than by automatic means which form part of a filing system.
Data Controller: HEYBIE INC.
PDP Committee: Personal Data Protection (PDP) Committee, the committee to be established to carry out administrative follow-up of processes created within the scope of the Personal Data Protection Law and sub-regulations, appointed by the Data Controller.
Data Subject: The natural person whose personal data is processed.
Board: Personal Data Protection Board.
Anonymization: Making personal data impossible to link with an identified or identifiable natural person, even through matching with other data.
Destruction: Deletion, destruction, or anonymization of Personal Data.
Recording Environment: Any environment where Personal Data processed by fully or partially automatic means or non-automatic means as part of any data recording system is located.
Personal Data Processing Inventory: The inventory detailing personal data processing activities by associating them with data processing purposes, data category, recipient group, and data subject group, and explaining the maximum period required for the purposes for which personal data is processed, personal data foreseen to be transferred, and measures taken regarding data security.
Personal Data Storage and Destruction Policy/Policy: This policy that data controllers use as a basis for determining the maximum period required for the purposes for which personal data is processed and for deletion, destruction, and anonymization operations.
Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the Personal Data Storage and Destruction Policy in case all conditions for processing Personal Data specified in the Law cease to exist.
Relevant User: Persons who process Personal Data within the organization of the Data Controller or based on the authority and instruction received from the Data Controller, excluding the person or unit responsible for technical storage, protection, and backup of Personal Data.
Regulation: Regulation on Deletion, Destruction, or Anonymization of Personal Data
VERBIS: Data Controllers Registry Information System
3. RECORDING ENVIRONMENTS
During our Company's activities, personal data is collected from employees, employee candidates, customers, visitors, and supplier employees and officials, and the collected personal data is stored in accordance with the relevant legislation in the following environments:
Electronic Environments
Servers (Domain, backup, email, database, web, file sharing, etc.)
Software (office software, portal, EBYS, VERBIS)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Personal computers (Desktop, laptop)
Mobile devices (phone, tablet, etc.)
Optical discs (CD, DVD, etc.)
Removable memory (USB, Memory Card, etc.)
Printer, scanner, photocopier
Non-Electronic Environments
Paper
Manual data recording systems (survey forms, service forms, job application forms)
Other written, printed, visual environments
4. RESPONSIBILITY
For the purpose of publishing, keeping current, and monitoring the implementation of this Policy, a PDP Committee will be established by our Company's Board of Directors, and the PDP Committee will be authorized for all these matters. The PDP Committee will consist of the Human Resources Manager, Administrative Affairs Manager, and Information Processing Manager. The PDP Committee fulfills the following duties and responsibilities:
Ensure compliance with personal data storage period
Manage the personal data destruction process during the periodic destruction period
Review the Policy at least annually
Develop and publish Personal Data Storage and Destruction Procedure and other procedures it deems necessary, detailing operating rules based on the Policy
Make necessary task distribution for implementation of Policy and procedures, authorize appropriate persons, and organize training on Law compliance
Monitor and plan auditing of implementation of all technical and administrative measures taken pursuant to Article 12 of the Law
Identify matters required for ensuring compliance with the Law and relevant legislation, monitor implementation, and ensure necessary coordination
Monitor processes related to applications and requests made by natural persons whose Personal Data is processed and ensure necessary actions are taken to resolve issues that may arise regarding implementation of the Law and/or policy and procedures
Conduct relations with the Board
5. REASONS REQUIRING DATA STORAGE
Article 3 of the Law defines the concept of processing personal data, and Article 4 requires compliance with the following principles in processing personal data:
a) Being in conformity with the law and good faith
b) Being accurate and, if necessary, up to date
c) Being processed for specified, explicit, and legitimate purposes
d) Being relevant, limited, and proportionate to the purposes for which they are processed
e) Being stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed
Articles 5 and 6 of the Law list the conditions for processing personal data. Accordingly, personal data within the scope of our Company's activities is stored for the period stipulated in relevant legislation or appropriate for our processing purposes.
5.1. LEGAL REASONS
Personal Data Protection Law No. 6698
Turkish Code of Obligations No. 6098
Turkish Commercial Code No. 6102
Social Insurance and General Health Insurance Law No. 5510
Law No. 5651 on Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications
Occupational Health and Safety Law No. 6331
Labor Law No. 4857
Other secondary regulations in force under these laws
5.2. PROCESSING PURPOSES REQUIRING STORAGE
Personal data held within our Company is stored in accordance with the Law and our Personal Data Policy (you can access the relevant policy at "www.heybie.com") for the purposes and reasons stated herein.
6. TECHNICAL AND ADMINISTRATIVE MEASURES
Our Company takes all necessary technical and administrative measures appropriate to the nature of the relevant personal data and the environment in which it is held, in order to ensure secure storage of personal data and to prevent unlawful processing of and access to it.
These measures include, but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the relevant personal data and the environment in which it is held.
6.1. TECHNICAL MEASURES
Network security and application security are maintained
Closed system network is used for personal data transfers via network
Security measures are taken within the scope of procurement, development and maintenance of information technology systems
Security of personal data stored in the cloud is ensured
Authorization matrix has been created for employees
Access logs are regularly maintained
Data masking measures are applied when necessary
Current anti-virus systems are used
Firewalls are used
Necessary security measures are taken regarding entry and exit to physical environments containing personal data
Security of physical environments containing personal data is ensured against external risks (fire, flood, etc.)
Security of environments containing personal data is ensured
Personal data is minimized as much as possible
Personal data is backed up and security of backed-up personal data is also ensured
User account management and authorization control system is implemented and monitored
Current risks and threats have been identified
Intrusion detection and prevention systems are used
Penetration testing is applied
Cyber security measures have been taken and their implementation is continuously monitored
Encryption is performed
6.2. ADMINISTRATIVE MEASURES
Disciplinary regulations containing data security provisions exist for employees
Training and awareness activities on data security are conducted for employees at regular intervals
Confidentiality agreements are made
Corporate policies on access, information security, usage, storage and destruction have been prepared and implemented
Authorities in this area are revoked for employees who change positions or leave employment
Signed contracts contain data security provisions
Personal data security policies and procedures have been determined
Personal data security problems are reported quickly
Personal data security is monitored
Regular audits of data processing service providers regarding data security are ensured
Awareness of data processing service providers regarding data security is ensured
Internal periodic and/or random audits are conducted and commissioned
7. REASONS REQUIRING DATA DESTRUCTION
Personal data stored within our Company shall be deleted, destroyed, or anonymized by our Company upon request of the data subject or ex officio in the following situations:
Amendment or repeal of relevant legislation provisions that form the basis for processing
Cessation of the purpose requiring processing or storage
In cases where personal data processing is carried out solely based on explicit consent, withdrawal of explicit consent by the data subject
Acceptance by our Company of the application made by the data subject for deletion and destruction of personal data within the framework of rights under Article 11 of the Law
In cases where our Company rejects the application made by the data subject for deletion, destruction, or anonymization of personal data, the data subject finds the response insufficient, or our Company does not respond within the period specified in the Law: a complaint to the Board and approval of the request by the Board
Expiration of the maximum storage period required for personal data and absence of any conditions justifying longer storage of personal data
8. DESTRUCTION METHODS
8.1. DELETION OF DATA
This is the process of making Personal Data inaccessible and unusable in any way for Relevant Users.
Personal Data in Physical Environment: Data in such environments whose storage period has expired is made inaccessible and unusable in any way. In this context, the blackout method can be used on relevant data. The blackout method is performed by cutting the personal data on the relevant document where possible, and where not possible, by using permanent ink to make it invisible to other users in a way that cannot be reversed and cannot be read with technological solutions.
Personal Data in Electronic Environment: For data in such environments whose storage period has expired, methods are used to delete the data from the relevant software in a way that cannot be recovered.
8.2. DESTRUCTION OF DATA
This is the process of making Personal Data inaccessible, irretrievable, and unusable by anyone in any way.
Data whose storage period has expired is destroyed using the appropriate method for its medium, among physical destruction and overwriting methods, as follows:
Network Devices: Switches, routers, etc. are destroyed using appropriate methods among demagnetization, physical destruction, or overwriting.
Flash-Based Media: Destroyed using methods recommended by the relevant manufacturer or appropriate methods among physical destruction or overwriting.
SIM Card and Fixed Memory Cards: Destroyed using appropriate methods among physical destruction or overwriting methods.
Optical Discs: Destroyed by physical methods.
Data Recording Media with Fixed Storage like Printers, Fingerprint Door Access Systems: Destroyed using appropriate methods among physical destruction or overwriting methods.
Paper and similar media: Personal data on paper media is destroyed using paper shredders.
8.3. ANONYMIZATION OF DATA
This is the process of making Personal Data impossible to associate with any identified or identifiable natural person, even when matched with other data. Anonymization removes and/or changes all direct and/or indirect identifiers in a data set so that the relevant person can no longer be identified, or so that the person can no longer be distinguished within a group or crowd and the data can no longer be associated with a real person. Data that no longer points to a specific person once these characteristics have been removed or lost is considered anonymized data. All de-linking processes carried out on records in the data recording system where Personal Data is held, using automatic or non-automatic methods such as grouping, masking, derivation, generalization, and randomization, are called anonymization methods. It is essential to investigate whether there is a risk that anonymized Personal Data could be reversed through various interventions, so that the anonymized data once again identifies or distinguishes real persons, and to take action accordingly.
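The following is an added illustration of the two steps this section describes (removing direct identifiers and generalizing indirect ones, then checking whether any record can still be singled out). It is example code written for this page, not code from the Company; the records are constructed and fictional, and the column names, the 10-year age band, the two-digit postcode area, and the threshold k are assumptions chosen for the illustration.

```python
from collections import Counter

# Constructed sample data set (fictional people, not real records): direct
# identifiers plus quasi-identifiers that could single someone out when combined.
RECORDS = [
    {"name": "A. Yilmaz", "email": "a@example.com", "age": 34, "postcode": "34394", "city": "Istanbul", "dept": "Sales"},
    {"name": "B. Kaya",   "email": "b@example.com", "age": 37, "postcode": "34398", "city": "Istanbul", "dept": "Sales"},
    {"name": "C. Demir",  "email": "c@example.com", "age": 52, "postcode": "06510", "city": "Ankara",   "dept": "Finance"},
    {"name": "D. Celik",  "email": "d@example.com", "age": 29, "postcode": "34394", "city": "Istanbul", "dept": "Sales"},
    {"name": "E. Sahin",  "email": "e@example.com", "age": 58, "postcode": "06520", "city": "Ankara",   "dept": "Finance"},
    {"name": "F. Arslan", "email": "f@example.com", "age": 41, "postcode": "35210", "city": "Izmir",    "dept": "IT"},
]

DIRECT_IDENTIFIERS = ("name", "email")          # assumed column names
QUASI_IDENTIFIERS = ("age_band", "postcode_area", "city")


def generalize(record):
    """Drop direct identifiers and coarsen indirect ones: age to a 10-year band,
    postcode to its first two digits (assumed generalization rules)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = out.pop("age")
    low = (age // 10) * 10
    out["age_band"] = f"{low}-{low + 9}"
    out["postcode_area"] = out.pop("postcode")[:2] + "***"
    return out


def _qi_key(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def min_group_size(records):
    """Smallest number of records sharing one combination of quasi-identifiers.
    A value of 1 means some record is still uniquely distinguishable."""
    if not records:
        return 0
    return min(Counter(_qi_key(r) for r in records).values())


def anonymize(records, k=2):
    """Generalize every record, then withhold any record whose quasi-identifier
    combination is shared by fewer than k records (the re-identification risk
    check the policy calls for). Returns (released, withheld)."""
    generalized = [generalize(r) for r in records]
    sizes = Counter(_qi_key(r) for r in generalized)
    released = [r for r in generalized if sizes[_qi_key(r)] >= k]
    withheld = [r for r in generalized if sizes[_qi_key(r)] < k]
    return released, withheld


if __name__ == "__main__":
    released, withheld = anonymize(RECORDS, k=2)
    print(f"released {len(released)}, withheld {len(withheld)}, "
          f"smallest group in released set: {min_group_size(released)}")
    for r in released:
        print(r)
```

Generalization alone is not enough here: two of the six records remain unique on age band, postcode area and city, so a release that stopped after the first step would still single them out. Withholding (or further generalizing) those records is what brings the smallest group size up to k.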
9. DATA STORAGE PERIODS UNDER RELEVANT LEGISLATION
Storage periods are determined for all Personal Data stored within our Company. When determining storage periods, priority is given to relevant legislation, and if there is no period specified by relevant legislation, the time required for Personal Data processing purpose is considered. Relevant periods are included in the Personal Data Inventory and VERBIS.
Personal Data mentioned in the Personal Data Processing Inventory is stored according to the legal regulations in the table below, unless there is any legal situation that interrupts or stops the statute of limitations, and is destroyed at the first periodic destruction date following the storage period.
Data Category: Data Storage Period
1- Identity: Legal relationship + 20 years
2- Contact: Legal relationship + 20 years
3- Personnel: End of employment contract + 10 years
4- Legal Transaction: Until the relevant court decision becomes final or the statute of limitations expires
5- Customer Transaction: Legal relationship + 10 years
6- Physical Space Security: 15 days
7- Transaction Security: Legal relationship + 10 years
8- Risk Management: Legal relationship + 10 years
9- Finance: Legal relationship + 10 years
10- Professional Experience: End of employment contract + 10 years
11- Marketing: Last transaction + 10 years
12- Visual and Audio Records: 15 days
13- Health Information: End of employment contract + 10 years
14- Criminal Conviction and Security Measures: End of employment contract + 10 years
15- Military Status Information: End of employment contract + 10 years
16- Family Members and Relative Information: End of employment contract + 10 years
17- Employee Candidate Information: Until the destruction period if the application result is negative; otherwise, end of employment contract + 10 years
18- Request Complaint Information: End of employment contract + 10 years
10. PERIODIC DESTRUCTION PERIOD
Pursuant to Article 11 of the Regulation, our Company has determined the periodic destruction period as 6 months.
When a person applies to our Company requesting deletion or destruction of their personal data, the relevant request is evaluated according to whether the conditions for processing personal data have ceased. If the conditions for processing personal data have completely ceased, our Company deletes, destroys, or anonymizes the personal data subject to the request. If not all conditions for processing personal data have ceased, the relevant request is rejected with an explanation of the reason. Requests are finalized and notified to the relevant person within 30 days in all cases.
All operations related to deletion, destruction, and anonymization of Personal Data are recorded, and these records are kept for at least 3 (three) years, excluding other legal obligations.
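The following is an added worked example of the schedule that Sections 9 and 10 describe: a retention period counted from the triggering event, followed by destruction at the first periodic destruction date after that period ends, on a 6-month cycle, with the destruction record itself kept for at least 3 years. It is example code written for this page, not the Company's own tooling; the calendar anchor of the 6-month cycle, the choice of "strictly after" for the first date following expiry, and the subset of categories transcribed from the table are assumptions.

```python
from datetime import date, timedelta

# Retention rules transcribed from the policy's table (subset): the period runs
# from the triggering event (end of legal relationship, end of employment
# contract, or the recording date for the 15-day categories).
RETENTION = {
    "Identity": ("years", 20),
    "Contact": ("years", 20),
    "Personnel": ("years", 10),
    "Customer Transaction": ("years", 10),
    "Physical Space Security": ("days", 15),
    "Visual and Audio Records": ("days", 15),
}

PERIODIC_DESTRUCTION_MONTHS = 6      # stated in Section 10
DESTRUCTION_RECORD_YEARS = 3         # stated in Section 10
# Assumed calendar anchor for the cycle (the policy gives only the 6-month
# period); cycle dates fall on the 1st of the month every 6 months from here.
CYCLE_ANCHOR = date(2024, 1, 1)


def add_years(d, years):
    """Same calendar date `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def _cycle_date(k):
    """k-th periodic destruction date after the anchor (1st of the month)."""
    m = CYCLE_ANCHOR.month - 1 + PERIODIC_DESTRUCTION_MONTHS * k
    return date(CYCLE_ANCHOR.year + m // 12, m % 12 + 1, 1)


def retention_end(category, trigger):
    """Last day of the storage period for `category`, counted from `trigger`."""
    kind, n = RETENTION[category]
    return add_years(trigger, n) if kind == "years" else trigger + timedelta(days=n)


def next_periodic_destruction(after):
    """First scheduled periodic destruction date strictly after `after`
    (assumed reading of 'the first periodic destruction date following the period')."""
    k = 0
    while _cycle_date(k) <= after:
        k += 1
    return _cycle_date(k)


def destruction_date(category, trigger):
    return next_periodic_destruction(retention_end(category, trigger))


def is_due(category, trigger, today):
    """True once the scheduled destruction date has been reached."""
    return today >= destruction_date(category, trigger)


def destruction_record_keep_until(destroyed_on):
    """Earliest date the log entry for a destruction may itself be discarded."""
    return add_years(destroyed_on, DESTRUCTION_RECORD_YEARS)


if __name__ == "__main__":
    # Constructed cases, not real data.
    for category, trigger in [("Personnel", date(2015, 3, 10)),
                              ("Physical Space Security", date(2024, 6, 20)),
                              ("Identity", date(2010, 2, 28))]:
        end = retention_end(category, trigger)
        due = destruction_date(category, trigger)
        print(f"{category}: period ends {end}, destroy on {due}, "
              f"keep destruction record until {destruction_record_keep_until(due)}")
```

The point of separating retention_end from destruction_date is that data is never destroyed early: a record whose period expires the day after a cycle date waits for the next one, which under a 6-month cycle can be up to six months later. That lag is normal and expected under the policy, but it is worth making visible when checking that storage periods are being honoured.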
11. POLICY UPDATE PERIOD
The Policy is reviewed by the PDP Committee when needed, and necessary sections are updated.
12. POLICY EFFECTIVENESS
This Policy is considered to have entered into force after its publication on our Company's website. It is considered valid and binding as of this date.